2. Installation

2.1. Hardware Requirements

Akira provides Loop packages for a set of supported operating system platforms (see Supported Platforms). Any machine (real or virtual) that supports one of these platforms can be used to run Loop. Most supported platforms require a 64-bit CPU architecture. There may be some exceptions.

DNS hardware requirements have traditionally been quite modest. For many installations, servers that have been pensioned off from active duty can perform admirably as DNS servers. For serving a handful of static zones with low traffic, even low-performance machines may be sufficient. If the server's operational duties are larger, then a suitably performant machine can be selected.

Loop's nameserver is multi-threaded, allowing utilization of multiprocessor systems for installations that need it.

The memory of the server has to be large enough to fit the cache and zones loaded off disk. The max-cache-size option of named.conf(5) can be used to limit the amount of memory used by the cache, at the expense of reducing cache hit rates and causing more DNS traffic. It is still good practice to have enough memory to load all zone and cache data into memory --- the best way to determine this for a given installation is to watch the nameserver in operation. After a few weeks the nameserver process should reach a relatively stable size where entries are expiring from the cache as fast as they are being inserted.

We aren't able to recommend specifications in this document as it would be outdated quickly. It is best to profile the usage patterns and prepare a hardware configuration accordingly.

2.2. Supported Platforms

Loop is written to run on POSIX operating systems. The following platforms are supported by this release of Loop:

  • Red Hat Enterprise Linux 7 (x86_64)
  • Red Hat Enterprise Linux 7 (aarch64)
  • CentOS 7 (x86_64)
  • CentOS 7 (aarch64)
  • Fedora 30 (x86_64)
  • Fedora 30 (aarch64)
  • Fedora 29 (x86_64)
  • Fedora 29 (aarch64)

Packages for current versions of FreeBSD, Debian, and Ubuntu will be added in the future.

Installation instructions will be available soon. For now, if you know how to install RPMs using yum or dnf, please look at: https://download.akira.org/packages/loop/1.1-HEAD/

E.g., for CentOS 7 (x86_64), you may run the following commands as the root user to install Loop:

# yum install https://download.akira.org/packages/loop/1.1-HEAD/epel/7/x86_64/loop-release-1.1.1.20190815031507.9fef5ffe6-1.el7.noarch.rpm
# yum install loop
# yum update

2.2.1. Problems with SELinux

On some distributions that have SELinux enabled, you may notice errors when running the named service such as:

Aug 10 07:59:06 rpi3 audit[14591]: AVC avc:  denied  { create } for  pid=14591 comm="loop-worker-0" name="tmp-dW3tOeMfdD" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Aug 10 07:59:06 rpi3 audit[14591]: AVC avc:  denied  { read write open } for  pid=14591 comm="loop-worker-0" path="/var/lib/loop/tmp-dW3tOeMfdD" dev="mmcblk0p3" ino=258270 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Aug 10 07:59:07 rpi3 audit[14591]: AVC avc:  denied  { rename } for  pid=14591 comm="loop-worker-0" name="tmp-dW3tOeMfdD" dev="mmcblk0p3" ino=258270 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Aug 10 07:59:07 rpi3 audit[14591]: AVC avc:  denied  { unlink } for  pid=14591 comm="loop-worker-0" name="managed-keys.loop" dev="mmcblk0p3" ino=258227 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

These errors occur because SELinux, when using the targeted policy, runs the program with path /usr/sbin/named confined in the named_t security context. This context limits the directories that the named process can write to. This can be verified by running the command:

$ ps axZ | grep named
system_u:system_r:named_t:s0    14591 ?        Ssl    0:01 /usr/sbin/named -u loop

The Loop package doesn't (and shouldn't) do anything to solve this issue automatically as it would be a hack. The SELinux policies for programs such as /usr/sbin/named are installed by a different package called selinux-policy-targeted, and are not handled by the Loop package.

You can work around this issue by either configuring SELinux to run in permissive mode, or by editing the targeted policy to remove the Loop programs from it.

We will rename named to loopd in a future build, after which this issue should no longer occur.