
Ubuntu 11.10 (Oneiric Ocelot) Install Notes

Introduction and System Description

This page describes a setup of bind10-devel-20120301 on Ubuntu 11.10. The starting point is a text-based installation of Ubuntu Server 64-bit with no additional software packages added. I am running a virtualized environment on VMware vSphere 5.0 with the VMware Tools installed on each virtual machine.

Insofar as practical, I built the bind10 prerequisites from downloaded source using the development tools provided by Ubuntu. The source downloads were the current versions as of March 3, 2012.

Setup of Packaged Prerequisites

The first step is to install a basic Ubuntu development environment.

# apt-get install build-essential autoconf libtool pkg-config

Note that pkg-config is specified as a prerequisite for bind10, and autoconf is required to run autoreconf if bind10 patches are applied.

The packages zlib1g, libssl, and libexpat1 are part of the standard Ubuntu installation. The development versions of these packages are required to build Python 3 with the cryptographic and XML support required by bind10. For the sake of simplicity and error avoidance, I installed these with the Ubuntu package manager.

# apt-get install zlib1g-dev libssl-dev libexpat1-dev

Setup of Other Prerequisites

I installed the remaining bind10 prerequisites from downloaded source. The installation order is important only in that Python 3 must be built last so that it can incorporate the packages above and SQLite 3 as Python modules. The use of --prefix=/usr below is typical of Ubuntu package installations, but this choice is arbitrary. If omitted, the default is /usr/local.

Boost

Boost C++ Libraries version 1.35 or greater is required. Version 1.49.0 is current.

# wget http://downloads.sourceforge.net/project/boost/boost/1.49.0/boost_1_49_0.tar.bz2 
# tar xjf boost_1_49_0.tar.bz2
# cd boost_1_49_0
# ./bootstrap.sh --prefix=/usr --with-libraries=thread
# ./b2 install
# cd ..

The Boost thread library is optional, but likely to be required in the future. Threading for bind10 is just beginning to be developed. The other Boost libraries requiring separate compilation are not needed. To install Boost without the thread library, substitute ./b2 install-headers above. In this case leave the bootstrap parameter --with-libraries=thread as is. Without this, all the libraries are compiled, and that takes a long time. Apparently there is no simple way to make Boost not compile any libraries at all.

Botan

Botan version 1.8 or greater is required. Version 1.10.1 is current.

# wget http://botan.randombit.net/files/Botan-1.10.1.tbz
# tar xjf Botan-1.10.1.tbz
# cd Botan-1.10.1
# ./configure.py --prefix=/usr
# make
# make check
# make install
# ./check --validate
# cd ..

None of the Botan modules requiring external libraries is required. Note that the Botan configuration script configure.py requires Python 2, which is a standard component of Ubuntu. It will not run with Python 3 without taking extra steps, and Python 3 is not installed at this point anyway. Note also that the bind10 configuration script will fail checking for the presence of Botan 1.10 unless the pkg-config module is installed. See ticket:1640.

Log4cplus

Log4cplus version 1.0.3 or greater is required. Version 1.0.4 is current.

# wget http://downloads.sourceforge.net/project/log4cplus/log4cplus-stable/1.0.4/log4cplus-1.0.4.tar.bz2
# tar xjf log4cplus-1.0.4.tar.bz2
# cd log4cplus-1.0.4
# ./configure --prefix=/usr
# make
# make install
# cd ..

SQLite

SQLite version 3.3.9 or greater is required. Version 3.7.10 is current.

# wget http://www.sqlite.org/sqlite-autoconf-3071000.tar.gz
# tar xzf sqlite-autoconf-3071000.tar.gz
# cd sqlite-autoconf-3071000
# ./configure --prefix=/usr
# make
# make install
# cd ..

Python 3

Python version 3.1 or greater is required. Version 3.2.2 is current.

If you want to use command-line editing and history in the bindctl command-line tool (which you probably do), you need to install libreadline6-dev prior to building Python:

# apt-get install libreadline6-dev

The installation of Python itself looks like this:

# wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tar.xz
# tar xJf Python-3.2.2.tar.xz
# cd Python-3.2.2
# ./configure --prefix=/usr
# make
# make test
# make install
# cd ..

Note that with Python make test, certain module tests will fail since the software packages that they require have not been installed. In general those modules are not required for bind10’s use of Python 3, so the failures can be ignored. Do pay attention to any failure of the _hashlib or _ssl module. These are required by bind10. Be sure that the zlib1g-dev and libssl-dev packages have been installed as described above.

Using Ubuntu Packages Instead of Compiling Prerequisites

With the exception of Log4cplus, for which a standard Ubuntu package does not exist, some or all of the bind10 prerequisites can be installed using the Ubuntu package manager instead of building them from downloaded source. Software versions in Ubuntu packages are typically not the most recent, but are possibly more stable. The package liblog4cplus-dev is included in the next Ubuntu release, 12.04 LTS, due in April 2012.

# apt-get install libboost-all-dev libbotan1.8-dev libsqlite3-dev python3-dev

Building and Installing

If you configured any of the prerequisites with --prefix set to anything other than /usr (this includes omitting the option, which makes it default to /usr/local), you must execute ldconfig prior to building bind10. Otherwise certain bind10 compilation steps will fail because various library files cannot be found.

# ldconfig

The bind10 configuration parameter --enable-silent-rules=no (the default is yes) can be a useful troubleshooting tool when there are build problems. It causes make to echo every g++ command that it issues, rather than outputting a summary message listing only the file being built.

Now to configure, compile, and install bind10:

# wget http://ftp.isc.org/isc/bind10/devel-20120119/bind10-devel-20120119.tar.gz
# tar xzf bind10-devel-20120119.tar.gz
# cd bind10-devel-20120119
# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
# make
# make install
# cd ..

Note: The configuration parameter --enable-boost-threads is deprecated, as building with it causes b10-resolver to fail (ticket:1672).

Notes on Running

Bind10 can be made to run as non-root user bind with the following additional configuration.

# addgroup --system bind
# adduser --system --home /var/bind10-devel --no-create-home --disabled-password --ingroup bind bind
# chown -R bind:bind /etc/bind10-devel
# chmod -R g+w /etc/bind10-devel
# chown -R bind:bind /var/bind10-devel
# chmod -R g+w /var/bind10-devel

Bind10 can be made to start and stop automatically using Ubuntu Upstart, which is a standard Ubuntu component.

First create the file bind10.conf as follows:

# bind10 - bind10 job file
description "bind10 Domain Name Server"

start on runlevel [2345]
stop on runlevel [!2345]

exec /usr/sbin/bind10 --user=bind

Then install this file into the Upstart configuration directory, and finally start the bind10 service.

# install --mode=644 bind10.conf /etc/init
# start bind10

Verify that the bind10 processes are running and submit a sample query to the bind10 authoritative server, which is enabled by default.

# ps -aef | egrep 'bind|b10'
# dig @localhost ch txt authors.bind

See the Bind10 Guide to reconfigure your server to meet your specific needs.

Cryptographic Verification of Source Files

Since bind10 is a cryptographic application in the sense that it supports, or will support, DNSSEC, it is a good idea to verify that the source files from which you are installing are authentic. The bind10 source distribution and some of the prerequisites are digitally signed. Other prerequisites have published message digests. Following are some basic verification procedures using gpg and sha1sum. Your own standards for establishing trust may lead you to do more to verify the authenticity of any public keys on which you will rely. To learn more, see the GnuPG User Guides page.

Boost

Boost SHA1 message digests are published here. Click the gray circular information icon to see the digests related to the file you are downloading. MD5 message digests are given as well but are now deprecated.

# sha1sum boost_1_49_0.tar.bz2 
26a52840e9d12f829e3008589abf0a925ce88524  boost_1_49_0.tar.bz2

Botan

Botan is digitally signed with detached signatures located here. Botan’s public key is located here along with its serial number and fingerprint. You will need to copy and paste the ASCII-armored key into a file to import it into your gpg public key ring. Check the key serial number on import and the key fingerprint on verification.

# wget http://botan.randombit.net/files/Botan-1.10.1.tbz.asc
# gpg --import BotanKey.asc 
gpg: key EFBADFBC: public key "Botan Distribution Key" imported
# gpg --verify Botan-1.10.1.tbz.asc Botan-1.10.1.tbz
gpg: Signature made Mon 11 Jul 2011 01:32:33 PM EDT using RSA key ID EFBADFBC
gpg: Good signature from "Botan Distribution Key"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 621D AF64 11E1 851C 4CF9  A2E1 6211 EBF1 EFBA DFBC

Log4cplus

Log4cplus SHA1 message digests are published here. Click the gray circular information icon to see the digests related to the file you are downloading. MD5 message digests are given as well but are now deprecated.

# sha1sum log4cplus-1.0.4.tar.bz2 
b8ca1b01b23788ac04f25a7bdaaaca7e366c7312  log4cplus-1.0.4.tar.bz2

SQLite

SQLite SHA1 message digests are published here in the body of the web page.

# sha1sum sqlite-autoconf-3071000.tar.gz 
0442d5a1bff50153039951b09db649864d8af0bb  sqlite-autoconf-3071000.tar.gz

Python 3

Python3 is digitally signed with detached signatures located here. The text of the web page indicates which key is used to sign which file, and the serial number and fingerprint are given. MD5 message digests are also listed on the web page but are now deprecated. Python’s public keys are located here along with serial numbers. The ASCII armored key files are directly downloadable. Check the key serial number on import and the key fingerprint on verification.

# wget http://www.python.org/~gbrandl/gbrandlpub.asc
# wget http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tar.xz.asc
# gpg --import gbrandlpub.asc
gpg: key 36580288: public key "Georg Brandl (Python release signing key) <georg@python.org>" imported
# gpg --verify Python-3.2.2.tar.xz.asc Python-3.2.2.tar.xz
gpg: Signature made Sat 03 Sep 2011 12:42:37 PM EDT using DSA key ID 36580288
gpg: Good signature from "Georg Brandl (Python release signing key) <georg@python.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 26DE A9D4 6133 91EF 3E25  C9FF 0A5B 1018 3658 0288

Bind10

Bind10 is digitally signed with detached signatures located here. ISC’s public key is located here along with its serial number. From the link pgpkey2012.txt you will need to copy and paste the ASCII-armored key into a file to import it into your gpg public key ring. Check the key serial number on import and the key fingerprint on verification.

# wget http://ftp.isc.org/isc/bind10/devel-20120119/bind10-devel-20120119.tar.gz.sha512.asc
# gpg --import pgpkey2012.txt
gpg: unknown armor header:  Version: GnuPG v1.4.11 (FreeBSD)
gpg: key C96B350A: public key "Internet Systems Consortium, Inc. (Signing key, 2012) (http://www.isc.org/) <codesign@isc.org>" imported
# gpg --verify bind10-devel-20120119.tar.gz.sha512.asc bind10-devel-20120119.tar.gz
gpg: Signature made Thu 19 Jan 2012 08:12:08 AM EST using RSA key ID C96B350A
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2012) (http://www.isc.org/) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 841D DC20 BB67 F34F B6E6  9426 ABF9 5AA7 C96B 350A
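
The manual checks in this section can be scripted so that a mismatch stops the install instead of relying on reading the output by eye. The following is an added example, not part of the original notes: verify_sha1 compares a file against a published digest, and check_validsig reads gpg's machine-readable --status-fd output and accepts only a signature whose primary key fingerprint equals the one you expect. The function names and the sample status lines are constructed for illustration; the digest and fingerprint values are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original notes): fail-closed source verification.

# verify_sha1 FILE EXPECTED_HEX: succeed only if FILE's SHA1 digest matches.
verify_sha1() {
    actual=$(sha1sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# normalize_fpr FPR: drop the spaces gpg prints and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_validsig EXPECTED_FPR: read gpg --status-fd output on stdin and succeed
# only if a VALIDSIG line ends with EXPECTED_FPR (the primary key fingerprint).
# A "Good signature" made by any other key in the keyring is rejected.
check_validsig() {
    awk -v want="$(normalize_fpr "$1")" '
        # Appending "" forces a string comparison, never a numeric one.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
        END { exit !ok }'
}

# verify_signed SIG FILE EXPECTED_FPR: run gpg and pin the signer.
verify_signed() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_validsig "$3"
}

# Constructed sample of gpg status output for the Botan signature above.
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 6211EBF1EFBADFBC Botan Distribution Key
[GNUPG:] VALIDSIG 621DAF6411E1851C4CF9A2E16211EBF1EFBADFBC 2011-07-11 1310405553 0 4 0 1 2 00 621DAF6411E1851C4CF9A2E16211EBF1EFBADFBC
EOF
}

BOTAN_FPR="621D AF64 11E1 851C 4CF9  A2E1 6211 EBF1 EFBA DFBC"
if sample_status | check_validsig "$BOTAN_FPR"; then
    echo "sample status: signer matches the pinned Botan fingerprint"
fi

# Real use, with the values shown on this page:
#   verify_sha1 boost_1_49_0.tar.bz2 26a52840e9d12f829e3008589abf0a925ce88524 || exit 1
#   verify_signed Botan-1.10.1.tbz.asc Botan-1.10.1.tbz "$BOTAN_FPR" || exit 1
```

Because gpg reports a good signature for any key present in the keyring, pinning the fingerprint is what ties the result to the key you actually verified.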
Last modified on May 21, 2012, 9:02:54 AM