The DHCP and DNS Maintenance System
I have developed a system for maintaining DHCP and DNS. The user interface is an Excel spreadsheet. We used this in the Department of Electrical and Communications Engineering, and also in the Department of Computing and Mathematics. The Computer Centre also uses part of this system for maintaining DHCP in the campus. It runs on Linux. It is implemented in Perl and a number of shell scripts.
Executive Summary
- The system uses fixed addresses for each host.
- Each host is registered in one row in an Excel spreadsheet which is shared out using samba.
- For each host, at least this minimum information is kept:
- The MAC address
- A permanent IP address
- A hostname
- The system has a cron job to check every two minutes whether the spreadsheet is newer than the DHCP configuration file, /etc/dhcpd.conf
- If the spreadsheet is newer, then it has been modified by a technician, so the following happens:
- A Perl program reads each row of the spreadsheet,
- generates a new DHCP configuration file
- copies the new configuration file to /etc/dhcpd.conf
- restarts the DHCP server
- Another Perl program reads the spreadsheet again
- generates DNS records using the h2n program (O'Reilly DNS and BIND examples site)
- restarts the DNS server.
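As an added illustration of the step where spreadsheet rows become DHCP host declarations (example code written for this page, not the make-dhcpd.conf program described here): a shell script, using awk, that turns the "Text (tab delimited)" export into ISC dhcpd host stanzas. The column order (name, MAC, IP, fixed/dynamic) and the sample rows are assumptions constructed for the example. The script is deliberately stricter than the text requires: the spreadsheet is edited by several administrators and the generator runs as root, so each field must match a strict pattern and duplicate MAC or IP addresses are rejected; a typo in a cell then produces a logged rejection instead of a broken or ambiguous dhcpd.conf.

```shell
#!/bin/sh
# Added example, not the original make-dhcpd.conf: build ISC dhcpd "host"
# stanzas from a "Text (tab delimited)" export of the spreadsheet.
# Assumed (hypothetical) column order: name, mac, ip, mode ("fixed"/"dynamic").
# The spreadsheet is edited by several people and the generator runs as root,
# so every field is matched against a strict pattern: a stray character in a
# cell is rejected rather than written into /etc/dhcpd.conf as syntax.

gen_host_stanzas() {
    # Reads the tab-delimited file(s) given as arguments (stdin if none) and
    # prints one stanza per fixed-address host. Rejected rows are reported on
    # stderr, and the exit status is 1 if any row was rejected.
    awk -F'\t' '
    function trim(s)     { sub(/^[ \t\r]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function reject(why) { printf("line %d rejected: %s\n", NR, why) > "/dev/stderr"; bad++ }
    function valid_mac(m,    p, i) {
        if (split(m, p, ":") != 6) return 0
        for (i = 1; i <= 6; i++) if (p[i] !~ /^[0-9a-f][0-9a-f]$/) return 0
        return 1
    }
    function valid_ip(a,    q, i) {
        if (split(a, q, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (q[i] !~ /^[0-9]+$/ || length(q[i]) > 3 || q[i] + 0 > 255) return 0
        return 1
    }
    NR == 1 || /^[ \t\r]*$/ { next }          # header row and blank lines
    NF < 4 { reject("expected 4 columns, got " NF); next }
    {
        name = trim($1); mac = tolower(trim($2)); ip = trim($3); mode = tolower(trim($4))
        if (mode != "fixed") next             # dynamic hosts get a pool lease, no stanza
        if (name !~ /^[A-Za-z0-9][A-Za-z0-9-]*$/) { reject("hostname \"" name "\""); next }
        if (!valid_mac(mac)) { reject("MAC \"" mac "\" for " name); next }
        if (!valid_ip(ip))   { reject("IP \"" ip "\" for " name); next }
        if (mac in seen_mac) { reject("MAC " mac " already used by " seen_mac[mac]); next }
        if (ip in seen_ip)   { reject("IP " ip " already used by " seen_ip[ip]); next }
        seen_mac[mac] = name; seen_ip[ip] = name
        printf("host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n", name, mac, ip)
    }
    END { exit (bad > 0) }
    ' "$@"
}

sample_tsv() {
    # Constructed sample export (not real hosts); the last three rows are deliberately bad.
    printf 'name\tmac\tip\tmode\n'
    printf 'pc01\t00:11:22:33:44:55\t10.1.2.3\tfixed\n'
    printf 'pc02\t00:11:22:33:44:56\t10.1.2.4\tFixed\n'
    printf 'laptop7\t00:11:22:33:44:57\t10.1.2.5\tdynamic\n'
    printf 'pc03 }\t00:11:22:33:44:58\t10.1.2.6\tfixed\n'      # brace in the name
    printf 'pc04\t00:11:22:33:44:5G\t10.1.2.7\tfixed\n'        # not a MAC address
    printf 'pc05\t00:11:22:33:44:59\t10.1.2.3\tfixed\n'        # IP already taken by pc01
}

# Usage: gen_host_stanzas /var/ipsetup/hosts.txt > /tmp/dhcpd.conf.new
# Run with --demo to see the constructed sample processed.
if [ "${1:-}" = "--demo" ]; then
    sample_tsv | gen_host_stanzas
fi
```

Any rejected row makes the script exit non-zero, so a wrapper can refuse to copy the output over /etc/dhcpd.conf; dhcpd -t -cf /tmp/dhcpd.conf.new checks the generated file's syntax before it is installed.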
Background
When I first moved to the Department of Computing and Mathematics (as it was then called), I found the following situation:
- All IP addresses and network configuration was done by technicians sitting in front of each computer and configuring it manually
- Many computers in many laboratories had incorrect network configurations.
- An Excel spreadsheet was maintained of all the computers, but the IP addresses on that spreadsheet did not match what was actually used in practice on all machines.
- There was no name server.
- The students all shared one account on the Novell server.
- The accounts on the DEC Alpha server were made manually, by a technician re-typing student names and other details from an Excel spreadsheet, which itself had been typed by the departmental typist.
- The technician who did this made multiple mistakes in each laboratory class, and took days to complete this manual task.
- The effect of these errors was that the first couple of laboratory classes in many subjects were disrupted by students being unable to log in.
I saw this “blue collar” approach to network management, and decided to do something about it. This is one of the things that I did.
How It Works:
- An Excel spreadsheet is stored in the directory /var/ipsetup. (Here is an old copy of the spreadsheet.) It contains information about the computers; as a minimum, it includes:
- computer name (with aliases)
- Ethernet address
- IP address (if using fixed IP addresses).
- location
- data point identifier
- operating system
- equipment type
- brand and model number
- responsible person
- whether fixed or dynamic address
- the serial number
- expiry date
- The permissions on the directory are drwxrws---. Note the set group id bit is there.
- A group dhcpadm is made, and accounts are made for administrators that belong to this group.
- The directory is shared out using Samba. In CM, we had an NT PDC used as the password server.
- the administrator logs into the samba server (in CM, by logging into the NT domain) and edits the spreadsheet using Excel, adding or changing data about computers.
- The administrator saves the spreadsheet.
- The administrator then saves the spreadsheet as "Text (tab delimited)"
- A cron job runs every two minutes:
# The time and date fields are:
#
# field          allowed values
# -----          --------------
# minute         0-59
# hour           0-23
# day of month   0-31
# month          0-12 (or names, see below)
# day of week    0-7 (0 or 7 is Sun, or use names)
*/2 * * * * /root/bin/update-dhcpd-dns
*/15 * * * * /root/bin/check-raid > /dev/null
The first crontab entry runs /root/bin/update-dhcpd-dns every two minutes. (The second sends email if either of the disks in the RAID 1 system fails.)
- To change the crontab, type crontab -e
- The shell script /root/bin/update-dhcpd-dns checks the timestamp on the /etc/dhcpd.conf file and compares it with the newest file ending in .txt in the directory /var/ipsetup. The /var/ipsetup/*.txt files should have been created by Excel.
- If the timestamp of any of /var/ipsetup/*.txt is
newer than that of /etc/dhcpd.conf, then:
- /root/bin/update-dhcpd-dns will execute /root/bin/make-dhcpd-conf
- /root/bin/make-dhcpd-conf in turn will execute /usr/bin/make-dhcpd.conf
- /usr/bin/make-dhcpd.conf generates the DHCP configuration file /etc/dhcpd.conf.
- /root/bin/update-dhcpd-dns then restarts the DHCP server so that it will read its new configuration.
- Next, /root/bin/update-dhcpd-dns executes /root/bin/make-dns-db which executes /usr/local/bin/h2n-nick
- /usr/local/bin/h2n-nick generates all the DNS files
- finally /root/bin/update-dhcpd-dns restarts the name server so that it re-reads its configuration.
Issues When Using BIND 9.x
The system needs a small modification when the DNS server is BIND 9.x. The DNS server creates journal files with the extension .jnl in the /var/named directory. named assumes that these binary files match the text resource record files. If you update the text files, they will no longer match the journal files, and the server will not start. The workaround is simple: adjust the scripts to delete /var/named/*.jnl after generating the new text resource records, but before restarting named. named will recreate the journal files when necessary.
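To make the order of operations concrete, here is an added example (written for this page, not the original /root/bin/update-dhcpd-dns) of the check the cron job runs, with the journal clean-up placed between generating the zone files and restarting named. The paths are the ones described above; the restart commands (service dhcpd restart, service named restart) and the --run flag are placeholders assumed for the example, and the two generator programs are only called, not reimplemented. It also adds one check the text does not mention: if a generator fails, the corresponding server is not restarted.

```shell
#!/bin/sh
# Added example, not the original /root/bin/update-dhcpd-dns: the check the
# cron job runs every two minutes, with the BIND 9 journal clean-up inserted
# between generating the zone files and restarting named.
# Paths default to the ones the page uses; the restart commands are
# placeholders (assumptions) to replace with whatever the local init uses.
# Everything is a variable so the logic can be exercised against scratch
# directories without touching /etc.

IPSETUP_DIR=${IPSETUP_DIR:-/var/ipsetup}
DHCPD_CONF=${DHCPD_CONF:-/etc/dhcpd.conf}
NAMED_DIR=${NAMED_DIR:-/var/named}
MAKE_DHCPD=${MAKE_DHCPD:-/root/bin/make-dhcpd-conf}
MAKE_DNS=${MAKE_DNS:-/root/bin/make-dns-db}
RESTART_DHCPD=${RESTART_DHCPD:-"service dhcpd restart"}   # placeholder
RESTART_NAMED=${RESTART_NAMED:-"service named restart"}   # placeholder

# True when any Excel export in $IPSETUP_DIR is newer than the live config,
# i.e. a technician has saved a change that dhcpd has not seen yet.
spreadsheet_newer() {
    [ -e "$DHCPD_CONF" ] || return 0       # no config at all: build one
    newer=$(find "$IPSETUP_DIR" -maxdepth 1 -name '*.txt' -newer "$DHCPD_CONF" -print 2>/dev/null | head -n 1)
    [ -n "$newer" ]
}

# BIND 9 keeps binary journals (*.jnl) that must match the text zone files;
# once the zone files are regenerated the journals are stale and named will
# refuse to start, so they are removed (named recreates them when it needs to).
drop_bind_journals() {
    find "$NAMED_DIR" -maxdepth 1 -name '*.jnl' -type f -exec rm -f {} +
}

# Returns 0 when nothing needed doing or everything succeeded, 1 if a
# generator failed; in that case the affected server is not restarted.
update_dhcpd_dns() {
    spreadsheet_newer || return 0          # nothing changed: stay quiet for cron
    "$MAKE_DHCPD" || { echo "make-dhcpd-conf failed, dhcpd not restarted" >&2; return 1; }
    $RESTART_DHCPD || return 1             # unquoted on purpose: splits into a command
    "$MAKE_DNS" || { echo "make-dns-db failed, named not restarted" >&2; return 1; }
    drop_bind_journals                     # after generating, before restarting
    $RESTART_NAMED
}

# From cron (assumed flag): */2 * * * * /root/bin/update-dhcpd-dns --run
if [ "${1:-}" = "--run" ]; then
    update_dhcpd_dns
fi
```

Because make-dhcpd.conf writes /etc/dhcpd.conf, a successful run leaves the configuration newer than the export and the next cron run does nothing; a failed make-dhcpd-conf leaves the export newer, so the failure is retried and logged every two minutes until it is fixed, which is what you want to see in /var/log/messages when troubleshooting.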
Limitations Of The System
- For the campus-wide system (not the departmental system), the main problem is that if a person wants to connect their computer to the network, they need to fill in a long form, which must be signed by a number of people, including the head of department. This paper must spend some days sitting in trays, waiting to reach its destination, which is in the hands of the person who will log into their Samba account, edit the spreadsheet, and type in a new entry for the new computer. This may be too long for some people. For example, suppose that a visitor needs to use their notebook to present a seminar. They may need Internet access in five minutes, rather than in five days.
- Some people who get desperate may invent their own IP address, causing network problems through address conflicts.
- There are many ways to automate this further, such as the scheme described in the last slides of the lecture notes. This scheme depends on DHCP providing short leases to unregistered hosts, and normal leases to registered hosts.
- The short lease provides the IP address of a special DNS server, configured to map all names to one IP address: the address of a server running a web application to register computers. So when the user plugs in their notebook and opens a web browser, they find themselves at the simple registration page, where they need to enter their user name and password. The application determines their MAC address from the DHCP server automatically, and then creates the registration immediately.
- The result is a valid, normal long term lease with normal network access in less than three minutes instead of five days. The computer has been registered, and the person who registered it has authenticated themselves, so there is no need for the head of department to sign any form to verify their identity.
The system has a number of other limitations that can be solved by a bit of hacking.
- The program that generates the DHCP configuration is fairly forgiving (I spent more time writing it!) but the program that generates the DNS records is rather inflexible: it expects quite a rigid format from the Excel spreadsheet. Check your own copy of make-dns-db to see exactly what columns are required, and in what order.
- I wrote the system with the intention of supporting many Excel spreadsheets, but in fact make-dns-db is not designed to handle more than one. If there is more than one .txt file in the directory /var/ipsetup, then whatever happens will not be what you expected. (Note for the Computer Centre: don't worry; your system does not use make-dns-db, so your system can work well with more than one .txt file there.)
- There are many other limitations that I intend to work on when I have time (Oh dear, when will I ever have time?)
How Do We Troubleshoot This System?
The main place is the system logs. These are in /var/log. The main log file is /var/log/messages. To watch the log as things happen, do:
tail -f /var/log/messages
Another useful technique is to temporarily turn on email in the cron table. Make sure that you filter this to its own mailbox; cron will fill that mailbox very quickly (one email every two minutes).
Other Documentation
There is documentation for:
- Samba: Using Samba, Other Samba documentation.
- dhcpd.conf(5), dhcpd(8), dhcp-eval(5), make-dhcpd.conf(1): see the manual pages.
- named.conf(5), named(8), rndc(8): see the manual pages.
- BIND Online documentation
- crontab(5): type man 5 crontab
- perl(1): man pages (many!)
- bash(1): a very long manual page.
- "DNS and BIND", Paul Albitz & Cricket Liu, Fifth edition, O'Reilly, May 2006.
- "Linux DNS Server Administration", Craig Hunt, Sybex, 2000.
- "The DHCP Handbook", Ralph Droms and Ted Lemon, Pearson Education, October 2002.
- "Perl for System Administration", David N. Blank-Edelman, O'Reilly, July 2000.
Mailing Lists
The dhcp-server and dhcp-client mailing lists are very active and are very helpful. See the Internet Software Consortium (ISC) site.
Any Questions?
If you have any questions about this, please contact me.
Licensing
All the software written by me is licensed under the GPL version 2 or later. This includes all the software linked to from this page to this same server, except for /usr/local/bin/h2n-nick, which is a slightly modified version of h2n provided with DNS and BIND.
Queries welcome: Nick Urbanik nicku@nicku.org