acts_as_audited gains parent record tracking 3

Posted by Kenneth Kalmer on September 24, 2008

As part of our current line of improvements on PowerDNS on Rails, we needed to start auditing changes made through the interface to the DNS data. This is a logical step to opening the system up for more API based interaction, and implementing neat features like macros and temporary authentication tokens.

Auditing in Rails is not for the faint hearted. The Rails Recipes book has an example on how to do this with sweepers, and using the new ActiveRecord dirty object tracking can help ease the problem too. So after some investigation I found the brilliant acts_as_audited plugin by Brendon Keepers.

After playing with it, I realised one short coming. This is very much a problem specifically for PowerDNS on Rails, but after some thought I realized it could be applied to other auditing challenges as well.

Enter parent record tracking

I forked the original project on github, and started hacking. Not too long after I came up with this:

class Author < ActiveRecord::Base
  has_many :books
end
class Book < ActiveRecord::Base
  belongs_to :author
  acts_as_audited :parent => :author
end

Using the sweepers is also possible, like this:

class Application < ApplicationController::Base
  audit Author, Book, :parents => { Book= > :author }
end

As contrived as it can be, it allows us to track all the changes to books by a specific author. In the DNS world this allows us to easily access all changes made to the records of a particular domain, and it becomes very valuable. It becomes even more valuable when you need to start tracking deleted records.

Pull requests were sent to the network, hopefully they get accepted and I can remove my repo again.

Looking forward?

This was a relatively small step forward for the plugin, but opens a lot of possiblities for the host applications, like PowerDNS on Rails. In any ISP environment audits are extremely important, especially when clients start gaining limited access to the backend systems…

MySQL Replication Client with SSL, gotcha

Posted by Kenneth Kalmer on September 08, 2008

As part of the PowerDNS on Rails project, and improving our own DNS infrastructure, I sat out today to configure 4 new DNS servers around the world. This will move a lot of our DNS traffic out of South Africa, while keeping some servers locally on the main networks (Internet Solutions & SAIX).

I rolled out MySQL replication with SSL enabled, you can Google for some good howto’s on the topic and I’ll give some posts below. Basically we have secure replication, and each DNS server is isolated in case of a disaster.

The gotcha then?

The MySQL docs, and some other howto’s indicate you should set the SSL client certificate details in your my.cnf file, under the [client] section. It makes sense, the slave is a client of the master. Appears not so with Gentoo’s mysql-5.0.60-r1 ebuild. It appears even less so with PowerDNS, who rightfully reads the my.cnf file as client.

Cause and effect

PowerDNS now tries to connect to the slave using the SSL details specified in the [client] section of the my.cnf file. This breaks, since you probably never configured your MySQL slave to have PowerDNS connect via SSL.

Secondly, it appears MySQL blatantly ignores the settings when used with replication, and you actually need to specify the client certificates in the CHANGE MASTER TO statement.

Aftermath

Nothing serious, was quick to piece together what was going on. Now I’ll have double digit DNS servers scattered around the globe near pearing point, with SSL encryption for the replication data. Brilliant, that really is resillient DNS!

More reading

Hope this prevents any future missery for someone else.

PowerDNS on Rails, the saga continues 2

Posted by Kenneth Kalmer on July 27, 2008

After a misrable production implementation of BIND on a MySQL backend, we were forced to re-evaluate our use of PowerDNS, and what happens to the BIND DLZ on Rails project.

I’m glad to announce that PowerDNS on Rails will be taking over where BIND DLZ on Rails left off.

It’s been a crazy three days of refactoring, but the code is now fully operational and we have our first production implementation (complete with clients using the REST interface). It’s an exciting time for the project, over the next couple of weeks I’ll be ironing out some grey areas of PowerDNS with its users and I’ll be improving the UI significantly (as well as sneaking in new features).

This time I’ll hold back on promises of release candidates, instead I’ll just tag them and announce them afterwards.

I’ll also be posting some interesting Rails tips, especially since I had to bend ActiveRecord in ways I didn’t thought possible to cope with the PowerDNS schema. Thanks to everyone who made RSpec, without it this refactoring job would have been a disaster from the word go.

Here is to the future!

BIND DLZ on Rails RC1 tagged and iced

Posted by Kenneth Kalmer on July 27, 2008

It is with great excitement, and sadness that I announce the tag of BIND DLZ on Rails RC1.

We were very motivated as a team to get this product, and the accompanying infrastructure in place so would could continue to enhance and expand our DNS infrastructure. We made two fatal mistakes in trying to achieve this goal:

Understand your existing infrastructure

We used the easy way out and blamed PowerDNS for some of our DNS does, where it ended up being out woes with TUPA, not PowerDNS. Typical I guess, since everyone else uses BIND, we’ll use BIND as well. We never went out to fully understand the problems not the solutions. We just decided to blindly drop an entire stack of services for a new one. Thats bad.

Understand your new infrastructure

Same goes for this. We checked out the BIND-DLZ patches, heard it was accepted into BIND itsef, and got excited. We could run everyone’s dream DNS server with a flexible MySQL 5 backend. Boy, what a mistake. We should have evaluated BIND DLZ first, before building an entire UI for it and then only testing it.

The whole of last week was spent trying to get BIND to behave. It would random crash without warning. I discussed this with the bind-dlz-testers list over at SourceForge, who argued I should downgrade the MySQL client libraries to MySQL 4. For us this was easily possible since the MySQL slaves and DNS servers were different boxes, for others this might not be the case. As part of this excercise I had to learn how to update Gentoo ebuild’s, so I could submit a fix to Gentoo as well for their net-dns/bind-9.5.1-p1 ebuild.

Who’s to blame? Well, us. Not BIND, or the guys who developed the DLZ patches. There are plenty reports out there of issues with the MySQL client libs, but some very clever people have found ingenious ways of working around it. I personally think we have an odd combination of Hardened Gentoo & BIND issues.

What happens next?

Well, we’ll be sticking to PowerDNS for the time being, or maybe permanently. We’ll be planning our DNS offerings out in full, and then start to see how PowerDNS can accomodate us. If, and only if, it cannot, we’ll dive into the alternatives.

All the work is not lost, I’ve basically made a copy (not a fork) of the git repo and modified the entire application to run on the PowerDNS schema. So keep an eye out for PowerDNS on Rails.

I won’t try to juggle branches, the differences are too big. However, I’ll be porting changes implemented in PowerDNS on Rails back to BIND DLZ on Rails. My hope is that someone picks up BIND DLZ on Rails and runs with it further.

Thanks to everyone for their interest in the project.

Next Entries »
  • Powered by Postrank

  • Tags

    activerecord air amqp analytics audits bash bind capistrano cheat convert couchdb daemon-kit dlz dns elsewhere gentoo gist git hoptoad linux macros mercurial messaging mysql nginx olympics plugins postfix postini powerdns presentations projects quickies rails rake review ruby ruby19 ruote security shoes sitemap ssl svn webby

  • Recent Posts

  • Archives

  • Alltop. Seriously?! I got in?