Re: [CentOS] Script not running correctly as cronjob

2017-02-01 Thread Tony Mountifield
In article <86827d81f1944333ae213f2d3f198...@2sic.com>,
Daniel Reich wrote:
> Hi
> 
> I have a script to re-sign all DNS zones every two weeks. When I run the 
> script from bash, it works like it should. But
> when it is executed in cron, it does not. It starts normally as a cron job:
> Feb  1 03:00:01 xxx CROND[20116]: (root) CMD (sh /opt/dnssec/resign_dnssec_zones.sh)
> 
> But afterwards I get a mail that everything is finished, but it isn't.
> 03:04:28 DNSSEC-Signierung abgeschlossen
> 
> The script deletes the old signed zones, but doesn't re-sign them. The mail is 
> also sent.
> Below the script.
> 
> Anybody an idea why it doesn't work in cron?
> I cannot find any error in any log.

After the first line, add a line saying: set -x

Then set cron to run it and examine the output that gets mailed to you.

The -x tells it to echo each command it is about to execute. That will help
you to see how far it is getting.

Further comments below.

Cheers
Tony

> Best regards
> Daniel
> 
> 
> #!/bin/bash
> KSKDIR="/etc/named/KSK"
> ZSKDIR="/etc/named/ZSK"
> ZONEDIR="/var/named/chroot/var/named"
> LOG="/var/named/chroot/var/log/dnssec_resign.log"
> MAILREC="monitor@xx"
> 
> #delete old signed files
> rm -rf $ZONEDIR/*.signed
> 
> #delete the old log
> rm -rf $LOG
> 
> #read the zonefiles
> ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*')
> 
> for FILES in $ZONEFILES; do
> #remove the .zone at the end
> ZONE=$(echo "${FILES%.*}")

Why not just: ZONE=${FILES%.*}

> #remove the old signed zone
> rm -rf $ZONEDIR/$ZONE.signed

You deleted them all further up.

> #Sign the zone
> cd $ZONEDIR

Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere.

> dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG
> 
> #Set the correct permissions
> chown named.named $ZONEDIR/*.signed
> chmod 755 $ZONEDIR/*.signed
> sleep 5
> done
> rm -rf $ZONEDIR/named.zone
> 
> echo $(date +"%T")"DNSSEC-Signierung abgeschlossen - Neustart des Servers" >> $LOG
> echo "$(cat $LOG)" | mail -s "DNSSEC-Signierung abgeschlossen auf xxx" $MAILREC
> 
> 
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 


-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Script not running correctly as cronjob

2017-02-01 Thread David Both
Do not forget that cron does not use the root environment, such as 
$PATH. You need to set up the exact environment you need in the 
beginning of the crontab file. It would be helpful to see your crontab 
file to know what environment it has set up.


Also the /var/log/cron log file should contain error information that 
might be helpful.



--


*
David P. Both, RHCE
Millennium Technology Consulting LLC
Raleigh, NC, USA
919-389-8678

db...@millennium-technology.com

www.millennium-technology.com
www.databook.bz - Home of the DataBook for Linux
DataBook is a Registered Trademark of David Both
*


Re: [CentOS] Script not running correctly as cronjob

2017-02-01 Thread Daniel Reich
Thank you for the hints

I modified like you described.
I also moved the permission part out of the loop (once at the end of the script 
is enough).

Now with the "set -x" the script is working also in cron.

Best regards
Daniel





Re: [CentOS] Script not running correctly as cronjob

2017-02-01 Thread Gordon Messmer

On 02/01/2017 01:02 AM, Daniel Reich wrote:

> I have a script to resign all DNS zones every two weeks.



I don't think I can answer the question about why your script is failing 
per se, but I can say that there are some flaws in the approach that 
your script is taking.  Primarily, if you delete your old key when you 
create a new one, any external host that has any record from your zone 
in its cache will consider your zone to be invalid and will be unable to 
resolve new records (or any records?  I'm unclear on that, actually) for 
the duration of your TTL.  Key rotation is not instantaneous.


I'm actually working on a key rotation management job, myself:

https://bitbucket.org/gordonmessmer/update-dns-keys/src

I've been running it for a while, and I'm comfortable with the ZSK 
rotation segment.  I have not yet tested the KSK rotation.  If you'd 
like to help, please send patches.




Re: [CentOS] Script not running correctly as cronjob

2017-02-02 Thread Tony Mountifield
In article <9f43c460b0374ac3951c18dd2d477...@2sic.com>,
Daniel Reich  wrote:
> Thank you for the hints
> 
> I modified like you described.
> I also moved the permission part out of the loop (once at the end of the 
> script is enough).
> 
> Now with the "set -x" the script is working also in cron.

The "set -x" would not be what made it work - it is a debugging aid only.

If it now works, then that is due to one of your other changes and you can
remove the "set -x" again if you wish.

Cheers
Tony



-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
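
A cron-safe variant of the signing loop discussed in this thread, as an added example that is not part of any poster's message: it sets PATH explicitly (the cron environment point raised earlier), signs each zone into a temporary file and replaces the existing .signed file only when signing succeeded, and returns non-zero if any zone failed. `SIGNER`, `resign_zone` and `resign_all` are hypothetical names, zone files are assumed to be named `<zone>.zone`, and the dnssec-signzone options are the ones from the posted script.

```shell
#!/bin/bash
# Added example, not the script from the thread. SIGNER, resign_zone and
# resign_all are hypothetical names; directories and dnssec-signzone options
# are the ones in the posted script.

# cron starts jobs with a minimal environment: set PATH explicitly.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

KSKDIR="${KSKDIR:-/etc/named/KSK}"
ZSKDIR="${ZSKDIR:-/etc/named/ZSK}"
ZONEDIR="${ZONEDIR:-/var/named/chroot/var/named}"
SIGNER="${SIGNER:-dnssec-signzone}"   # overridable so the logic can be tested

# Sign one zone into a temporary file. The live .signed file is replaced only
# if the signer exits 0 and wrote non-empty output; otherwise it is kept.
resign_zone() {
    local zone="$1" tmp
    tmp=$(mktemp "$ZONEDIR/$zone.signed.XXXXXX") || return 1
    if "$SIGNER" -o "$zone" -k "$KSKDIR"/K"$zone".*.key -e +3024000 \
           -f "$tmp" "$ZONEDIR/$zone.zone" "$ZSKDIR"/K"$zone".*.key \
       && [ -s "$tmp" ]; then
        chmod 644 "$tmp"                        # assumption: named only needs read access
        mv -f "$tmp" "$ZONEDIR/$zone.signed"    # rename within one directory
    else
        rm -f "$tmp"
        return 1
    fi
}

# Sign every *.zone file (assumes zone files are named <zone>.zone). Returns
# non-zero if any zone failed, so the job cannot report success by accident.
resign_all() {
    local f zone failed=0
    for f in "$ZONEDIR"/*.zone; do
        [ -e "$f" ] || continue
        zone=$(basename "$f" .zone)
        if resign_zone "$zone"; then
            echo "signed: $zone"
        else
            echo "FAILED: $zone (previous $zone.signed kept)" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# In the cron script itself: resign_all || exit 1
```

Because failures go to stderr and the exit status is non-zero, the mail cron sends for the job shows which zones were not re-signed.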