
19th March 2010, 12:14
Junior Member
Join Date: Mar 2010
Posts: 23
Thanks: 1
Thanked 0 Times in 0 Posts
root@srv20:/var/log# netstat -tap | grep dns
tcp 0 0 srv20.amalteahos:domain *:* LISTEN 26447/mydns
tcp 0 0 localhost.locald:domain *:* LISTEN 26447/mydns
tcp6 0 0 ip6-localhost:domain [::]:* LISTEN 26447/mydns
and using the password in mydns.conf I can connect:
root@srv20:/var/log# mysql -u ispconfig -h localhost -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1307
Server version: 5.0.51a-24+lenny3 (Debian)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>

19th March 2010, 12:18
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,888
Thanks: 693
Thanked 4,188 Times in 3,205 Posts
Please post the contents of the mydns.conf file (remove the password please).

19th March 2010, 12:25
Junior Member
Possibly a server_id problem? I see that the mydns SQL filters it ...
## AUTOMATICALLY GENERATED BY DEBCONF. DO NOT MODIFY DATABASE
## INFORMATION (database, db-*)...
## PLEASE RUN 'dpkg-reconfigure mydns-mysql' INSTEAD.
## CHANGES TO THE FOLLOWING DIRECTIVES ARE NOT PRESERVED, BUT REPLACED,
## ON UPGRADE:
## user, group, pidfile, db-*, database
##
## /etc/mydns.conf
## Thu Aug 2 16:36:26 2007
## For more information, see mydns.conf(5).
##
# DATABASE INFORMATION
db-host = localhost # SQL server hostname
db-user = ispconfig # SQL server username
db-password = XXXXXXXXXXXXXXXXXXXXXXXXXX # SQL server password
database = dbispconfig # MyDNS database name
# GENERAL OPTIONS
user = nobody # Run with the permissions of this user
group = nogroup # Run with the permissions of this group
listen = * # Listen on these addresses ('*' for all)
no-listen = # Do not listen on these addresses
# CACHE OPTIONS
zone-cache-size = 2048 # Maximum number of elements stored in the zone cache
zone-cache-expire = 60 # Number of seconds after which cached zones expires
reply-cache-size = 2048 # Maximum number of elements stored in the reply cache
reply-cache-expire = 30 # Number of seconds after which cached replies expire
# ESOTERICA
log = LOG_DAEMON # Facility to use for program output (LOG_*/stdout/stderr)
pidfile = /var/run/mydns.pid # Path to PID file
timeout = 120 # Number of seconds after which queries time out
multicpu = 1 # Number of CPUs installed on your system
recursive = # Location of recursive resolver
allow-axfr = yes # Should AXFR be enabled?
allow-tcp = yes # Should TCP be enabled?
allow-update = no # Should DNS UPDATE be enabled?
ignore-minimum = no # Ignore minimum TTL for zone?
soa-table = dns_soa # Name of table containing SOA records
rr-table = dns_rr # Name of table containing RR data
soa-where = server_id = 2 # Extra WHERE clause for SOA queries
rr-where = server_id = 2 # Extra WHERE clause for RR queries
use-soa-active = yes # To fix bug 295 where active or inactive status is ignored.
use-rr-active = yes # To fix bug 295 where active or inactive status is ignored.

19th March 2010, 12:26
Super Moderator
Please change the lines:
soa-where = server_id = 2 # Extra WHERE clause for SOA queries
rr-where = server_id = 2 # Extra WHERE clause for RR queries
to:
soa-where = server_id = 1 # Extra WHERE clause for SOA queries
rr-where = server_id = 1 # Extra WHERE clause for RR queries
and restart mydns.
|
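
An added example, not part of the original thread and not ISPConfig or MyDNS code: a check for the mismatch diagnosed above, where the `soa-where` / `rr-where` filters in mydns.conf name a `server_id` that no stored record carries, so the daemon finds no zones even though the database login works. The config excerpt is copied from the post above; the set of stored `server_id` values is constructed and stands in for the result of a `SELECT DISTINCT server_id` on the DNS tables.

```python
import re

# Excerpt of the mydns.conf posted above (password line omitted).
SAMPLE_CONF = """\
soa-table = dns_soa # Name of table containing SOA records
rr-table = dns_rr # Name of table containing RR data
soa-where = server_id = 2 # Extra WHERE clause for SOA queries
rr-where = server_id = 2 # Extra WHERE clause for RR queries
"""

# Constructed: server_id values assumed to be present in dns_soa / dns_rr.
SAMPLE_STORED_IDS = {1}


def parse_conf(text):
    """Return {key: value} for 'key = value # comment' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        # Split on the first '=' only: the *-where values contain one too.
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def where_server_id(clause):
    """Extract N from a 'server_id = N' filter, or None if absent."""
    m = re.fullmatch(r"server_id\s*=\s*(\d+)", clause or "")
    return int(m.group(1)) if m else None


def check(conf_text, stored_ids):
    """List reasons why the configured filters would hide stored zones."""
    opts = parse_conf(conf_text)
    soa_id = where_server_id(opts.get("soa-where"))
    rr_id = where_server_id(opts.get("rr-where"))
    problems = []
    for key, sid in (("soa-where", soa_id), ("rr-where", rr_id)):
        if sid is not None and sid not in stored_ids:
            problems.append(f"{key}: server_id = {sid} matches no record "
                            f"(ids stored: {sorted(stored_ids)})")
    if soa_id != rr_id:
        problems.append("soa-where and rr-where filter on different ids")
    return problems


if __name__ == "__main__":
    for problem in check(SAMPLE_CONF, SAMPLE_STORED_IDS):
        print(problem)
```
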

19th March 2010, 12:43
Junior Member
It is working now ... thank you very much!!
Do you think the installation should have taken care of this change, or is it a manual step? I ask myself because of the install/uninstall/install, and I'm unsure if there may be other issues ... Anyway, it seems logical for it to be a manual change, because it's only applicable if mirroring is selected ...

19th March 2010, 12:46
Super Moderator
Currently it is a manual step. But I will see if it is not possible to remove these two lines at all in future versions of ISPConfig.

19th March 2010, 13:37
Junior Member
Okay,
so returning to the original topic, with this setup:
- We can add services to the master, and the configuration (db) will be replicated to the slave, but not the information, like PHP files or mails. So as it is, it is only useful for DNS (because all info is in the db).
- We can add services directly to the slave (via master cp), and in this case the configuration will only be in the slave db. True?
If it works that way, I see the inconvenience that accounts (www, mail) created on the master are less secure, because a security problem in a slave can compromise credentials on the master.
That way, maybe the functionality is not worth the risk, so I guess there is a way to set up a DNS zone on a slave that works like a traditional BIND secondary zone, being notified of changes from the master. Is there any way to implement this scenario with ISPConfig/mydns?

19th March 2010, 14:07
Super Moderator
Quote:
> - We can add services to the master, and the configuration (db) will be replicated to the slave, but not the information, like PHP files or mails. So as it is, it is only useful for DNS (because all info is in the db).
No, that's not the case. You use a SAN, cluster filesystem or shared NFS server for /var/www and /var/vmail for such setups.
Quote:
> - We can add services directly to the slave (via master cp), and in this case the configuration will only be in the slave db. True?
Yes. Or you combine it with a mirror. You can manage as many servers as you need and mirror some or all of them as needed for a specific setup.
Quote:
> If it works that way, I see the inconvenience that accounts (www, mail) created on the master are less secure, because a security problem in a slave can compromise credentials on the master.
No, that's not the case, as the slave servers don't have access to these tables on the master.

19th March 2010, 15:49
Junior Member
Quote:
Originally Posted by till
> No, that's not the case. You use a SAN, cluster filesystem or shared NFS server for /var/www and /var/vmail for such setups.
Ok, I understand. This kind of setup is useful when the fs is also replicated via some method.
Quote:
> Yes. Or you combine it with a mirror. You can manage as many servers as you need and mirror some or all of them as needed for a specific setup.
Now that I have the mirroring activated from master to slave, when I try to add a site or mail domain, the cp only lets me choose the master server. So I can't add a service only on the slave. I guess that in a replicated relationship it makes no sense to create services only on the slave. Then that setup is not worth it to have DNS replicated.
Quote:
> No, that's not the case, as the slave servers don't have access to these tables on the master.
Actually, as all the db is mirrored, by definition, all info is also available on the slaves (for example, accounts' hashed passwords). My needs are two servers, where when one is the main mail server, the other one acts as a relay, the web sites can be on both to load balance, and for DNS one must be primary and the other one secondary. That way, the mirrored setup doesn't work for that setup, and I will be better off with two standalone servers, if I can work out how to configure one DNS zone to act as secondary.

19th March 2010, 15:56
Super Moderator
Quote:
> Actually, as all the db is mirrored, by definition
That's the case only in your setup. Normally you use other server layouts in multiserver environments; these can also be vservers. Example:
1) One control panel server that does not run any services.
2) 2 DNS servers, where each server mirrors the other one.
3) One or more mail servers. Mail servers can also be used in the form of one or more mirrored clusters where every cluster uses a shared network drive.
4) One or more web servers. Web servers can also be used in the form of one or more mirrored clusters where every cluster uses a shared network drive.
All times are GMT +2.