Big review of role Bind, sync with https://wiki.evolix.org/HowtoBind
This commit is contained in:
parent
bbb0e579a6
commit
3b78613b2e
13 changed files with 256 additions and 241 deletions
@ -9,3 +9,5 @@ Minimal configuration is in `tasks/main.yml`
## Available variables
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
||||
waening : sync chroot-bind.sh
|
||||
|
|
@ -1,6 +1,9 @@
---
|
||||
bind_recursive_server: False
|
||||
bind_authoritative_server: True
|
||||
bind_chroot_set: True
|
||||
bind_chroot_path: /var/chroot-bind
|
||||
bind_systemd_service_path: /etc/systemd/system/bind9.service
|
||||
bind_chroot_root: /var/chroot-bind
|
||||
bind_statistics_file: /var/run/named.stats
|
||||
bind_log_file: /var/log/bind.log
|
||||
bind_query_file: /var/log/query.log
|
||||
bind_query_file: /var/log/bind_queries.log
|
||||
|
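Review bot: `bind_chroot_path: /var/chroot-bind` is presented as a tunable, but the chroot itself is built by `files/chroot-bind.sh`, which hardcodes `/var/chroot-bind` in every `mkdir`, `mv`, `ln -s` and `install -D`; changing this default only moves the `-t` in `/etc/default/bind9`, the logrotate path and the munin `env.querystats`, so named would be pointed at a chroot that was never populated. Add `# must match the path hardcoded in files/chroot-bind.sh (the script is not templated)` above the variable, or template the script so the two cannot drift. The addition/deletion counts suggest `bind_chroot_root` is the line being removed in favour of `bind_chroot_path`; if so, inventories that set the old name silently lose it, and a `bind_chroot_path: "{{ bind_chroot_root | default('/var/chroot-bind') }}"` style fallback or a README note would ease the rename.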
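--- /dev/null
+++ b/bind/files/chroot-bind.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+# Gregory Colpart <reg@debian.org>
+# chroot (or re-chroot) script for bind9
+
+# tested on Debian Wheezy/Jessie/Stretch
+# Exec this script after `(apt-get|aptitude|apt) install bind9`
+# and after *each* bind9 upgrade
+
+# When the script is finished, ensure you have
+# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
+# and /etc/init.d/bind9 (re)start
+#
+# for Jessie/systemd only:
+# cp -a /lib/systemd/system/bind9.service /etc/systemd/system/
+# and modify section [Service] to have :
+# EnvironmentFile=-/etc/default/bind9
+# ExecStart=/usr/sbin/named -f $OPTIONS
+
+# essential dirs
+mkdir -p /var/chroot-bind
+mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
+/var/chroot-bind/lib /var/chroot-bind/usr/lib \
+/var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
+/var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \
+/var/chroot-bind/run/named/
+
+# for conf
+if [ ! -h "/etc/bind" ]; then
+mv /etc/bind/ /var/chroot-bind/etc/
+ln -s /var/chroot-bind/etc/bind/ /etc/bind
+fi
+
+# for logs
+touch /var/chroot-bind/var/log/bind.log
+if [ ! -h "/var/log/bind.log" ]; then
+ln -s /var/chroot-bind/var/log/bind.log /var/log/bind.log
+fi
+
+# for pid
+if [ -f "/var/run/named/named.pid" ]; then
+cat /var/run/named/named.pid > /var/chroot-bind/var/run/named/named.pid
+rm -f /var/run/named/named.pid
+fi
+
+if [ ! -e "/var/chroot-bind/dev/random" ]; then
+mknod /var/chroot-bind/dev/random c 1 8
+chmod 666 /var/chroot-bind/dev/random
+fi
+
+if [ ! -e "/var/chroot-bind/dev/urandom" ]; then
+mknod /var/chroot-bind/dev/urandom c 1 9
+chmod 666 /var/chroot-bind/dev/urandom
+fi
+
+# essential dev (hum, null is required ??)
+#mknod /var/chroot-bind/dev/null c 1 3
+#chmod 666 /var/chroot-bind/dev/{null,random}
+
+# essential libs
+for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \
+/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do
+install -D $i /var/chroot-bind/${i##/}
+done
+
+# essential (hum, bash is required ??)
+#cp /bin/bash /var/chroot-bind/bin/
+cp /usr/sbin/named /var/chroot-bind/usr/sbin/
+
+# minimal passwd & group file (hum, is required ??)
+#grep "bind\|root" /etc/passwd > /var/chroot-bind/etc/passwd
+#grep "bind\|root" /etc/group > /var/chroot-bind/etc/group
+
+# just bind
+chown -R bind.bind /var/chroot-bind/
+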
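Review bot: The closing `chown -R bind.bind /var/chroot-bind/` hands the unprivileged daemon user ownership of everything it runs with, including the `/usr/sbin/named` copied just above and every library placed by the `install -D` loop, so a compromised named can overwrite its own binary and libraries inside the chroot and survive a restart. Keep the tree root-owned and give `bind` only the directories it must write, e.g. `chown -R bind:bind /var/chroot-bind/var/cache/bind /var/chroot-bind/var/log /var/chroot-bind/var/run /var/chroot-bind/run`, leaving the moved `/etc/bind` with the ownership the package gave it. The script also runs without `set -e`, so a failed `mv /etc/bind/` is followed by `ln -s ...` anyway and the host ends up with a dangling `/etc/bind`; `set -eu` after the shebang plus quoting in the loop, `install -D "$i" "/var/chroot-bind/${i##/}"`, is the minimum (the backtick `ldd $(which named)` should become `$(...)` with `"$(command -v named)"`). Note that `/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so` is passed to `install` as a literal pattern when nothing matches, which makes the loop fail on releases without an openssl-1.0 engine directory.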
@ -1,4 +1,7 @@
---
|
||||
- name: reload systemd
|
||||
command: systemctl daemon-reload
|
||||
|
||||
- name: restart bind
|
||||
service:
|
||||
name: bind9
|
||||
|
@ -9,4 +12,3 @@
name: munin-node
|
||||
state: restarted
|
||||
|
||||
|
||||
|
|
@ -1,24 +1,40 @@
- name: Ensure bind9 installed
|
||||
- name: package are installed
|
||||
apt:
|
||||
name: bind9
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- bind9
|
||||
- dnstop
|
||||
|
||||
- name: Set bind configuration
|
||||
- name: Set bind configuration for recursive server
|
||||
template:
|
||||
src: named.conf.options.j2
|
||||
src: named.conf.options_recursive.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_recursive_server
|
||||
|
||||
- name: Modify OPTIONS in /etc/default/bind9
|
||||
replace:
|
||||
dest: /etc/default/bind9
|
||||
regexp: '^OPTIONS=.*'
|
||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_root }}"'
|
||||
- name: enable zones.rfc1918 for recursive server
|
||||
lineinfile:
|
||||
dest: /etc/bind/named.conf.local
|
||||
line: 'include "/etc/bind/zones.rfc1918";'
|
||||
regexp: "zones.rfc1918"
|
||||
notify: restart bind
|
||||
when: bind_recursive_server
|
||||
|
||||
- name: Set bind configuration for authoritative server
|
||||
template:
|
||||
src: named.conf.options_authoritative.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_authoritative_server
|
||||
|
||||
- name: Create systemd service
|
||||
template:
|
||||
|
@ -28,174 +44,78 @@
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart bind
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: Create directories
|
||||
- name: touch /var/log/bind.log if non chroot
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}/{{ item }}"
|
||||
state: directory
|
||||
path: /var/log/bind.log
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0700"
|
||||
recurse: no
|
||||
with_items:
|
||||
- bin
|
||||
- dev
|
||||
- etc
|
||||
- lib
|
||||
- usr/lib
|
||||
- usr/sbin
|
||||
- var/cache/bind
|
||||
- var/log
|
||||
- var/run/bind/run
|
||||
register: create_bind_dir
|
||||
notify: restart bind
|
||||
|
||||
- name: Stat /etc/bind
|
||||
stat:
|
||||
path: "/etc/bind"
|
||||
check_mode: no
|
||||
register: etc_bind
|
||||
|
||||
- name: Move /etc/bind in chroot
|
||||
command: "mv /etc/bind/ {{ bind_chroot_root }}/etc/"
|
||||
when: etc_bind.stat.exists and not etc_bind.stat.islnk
|
||||
notify: restart bind
|
||||
|
||||
- name: Create symlink
|
||||
file:
|
||||
src: "{{ bind_chroot_root }}/etc/bind"
|
||||
dest: "/etc/bind"
|
||||
state: link
|
||||
notify: restart bind
|
||||
|
||||
- name: is there a log file?
|
||||
stat:
|
||||
path: "{{ bind_chroot_root }}/var/log/bind.log"
|
||||
register: bind_log
|
||||
|
||||
- name: create log file
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}/var/log/bind.log"
|
||||
state: touch
|
||||
when: not bind_log.stat.exists
|
||||
|
||||
- name: verify log file permissions
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}/var/log/bind.log"
|
||||
owner: bind
|
||||
group: bind
|
||||
group: adm
|
||||
mode: "0640"
|
||||
state: file
|
||||
state: touch
|
||||
when: bind_chroot_set == False
|
||||
|
||||
- name: Create log symlink
|
||||
- name: touch /var/log/bind_queries.log if non chroot
|
||||
file:
|
||||
src: "{{ bind_chroot_root }}/var/log/bind.log"
|
||||
dest: "/var/log/bind.log"
|
||||
state: link
|
||||
notify: restart bind
|
||||
|
||||
- name: Create run directory
|
||||
file:
|
||||
path: "/var/run/bind/run"
|
||||
state: directory
|
||||
owner: root
|
||||
group: bind
|
||||
mode: "0770"
|
||||
recurse: yes
|
||||
notify: restart bind
|
||||
|
||||
- name: "Stat var/run/bind/run/named in chroot"
|
||||
stat:
|
||||
path: "{{ bind_chroot_root }}/var/run/bind/run/named"
|
||||
check_mode: no
|
||||
register: named_run
|
||||
|
||||
- name: "Clean var/run/bind/run/named in chroot"
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}/var/run/bind/run/named"
|
||||
state: absent
|
||||
when: named_run.stat.exists and named_run.stat.isdir
|
||||
|
||||
- name: Clean /var/run/bind/run/named.pid
|
||||
file:
|
||||
path: "/var/run/bind/run/named.pid"
|
||||
state: absent
|
||||
when: named_run.stat.exists and named_run.stat.isdir
|
||||
|
||||
- name: Stat /var/run/bind/run/named.pid
|
||||
stat:
|
||||
path: "/var/run/bind/run/named.pid"
|
||||
check_mode: no
|
||||
register: named_pid
|
||||
|
||||
- name: Cat pid content
|
||||
command: "cat /var/run/bind/run/named.pid > {{ bind_chroot_root }}/var/run/bind/run/named.pid"
|
||||
when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk
|
||||
|
||||
- name: Clean /var/run/bind/run/named.pid
|
||||
file:
|
||||
path: "/var/run/bind/run/named.pid"
|
||||
state: absent
|
||||
when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk
|
||||
|
||||
- name: Clean /var/run/bind/run/named.pid
|
||||
file:
|
||||
path: "/var/run/bind/run/named.pid"
|
||||
state: absent
|
||||
when: named_pid.stat.exists and not named_pid.stat.islnk
|
||||
|
||||
- name: Create pid symlink in chroot
|
||||
file:
|
||||
src: "{{ bind_chroot_root }}/var/run/bind/run/named.pid"
|
||||
dest: "/var/run/bind/run/named.pid"
|
||||
state: link
|
||||
when: named_pid.stat.exists and not named_pid.stat.islnk
|
||||
notify: restart bind
|
||||
|
||||
- name: "Stat dev/random in chroot"
|
||||
stat:
|
||||
path: "{{ bind_chroot_root }}/dev/random"
|
||||
check_mode: no
|
||||
register: named_random
|
||||
|
||||
- name: clean dev/random in chroot
|
||||
shell: "mv {{ bind_chroot_root }}/dev/random {{ bind_chroot_root }}/dev/random.$(date +%s)"
|
||||
when: named_random.stat.exists and not named_random.stat.ischr
|
||||
|
||||
- name: mknod dev/random in chroot
|
||||
command: "mknod -m 666 {{ bind_chroot_root }}/dev/random c 1 3"
|
||||
args:
|
||||
creates: "{{ bind_chroot_root }}/dev/random"
|
||||
notify: restart bind
|
||||
|
||||
- name: get essential libraries
|
||||
shell: 'ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1 | grep -oE "\S+"'
|
||||
register: bind_ldd
|
||||
check_mode: no
|
||||
changed_when: False
|
||||
|
||||
- name: copy essential libs
|
||||
command: "install -D {{ item }} {{ bind_chroot_root }}{{ item }}"
|
||||
args:
|
||||
creates: "{{ bind_chroot_root }}{{ item }}"
|
||||
with_items:
|
||||
- "{{ bind_ldd.stdout_lines }}"
|
||||
- /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
|
||||
register: install_libraries
|
||||
notify: restart bind
|
||||
|
||||
- name: Copy bind
|
||||
copy:
|
||||
src: /usr/sbin/named
|
||||
dest: "{{ bind_chroot_root }}/usr/sbin/"
|
||||
remote_src: True
|
||||
notify: restart bind
|
||||
|
||||
- name: Set the good rights
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}"
|
||||
path: /var/log/bind_queries.log
|
||||
owner: bind
|
||||
group: bind
|
||||
recurse: yes
|
||||
group: adm
|
||||
mode: "0640"
|
||||
state: touch
|
||||
when: bind_authoritative_server and bind_chroot_set == False
|
||||
|
||||
- name: send chroot-bind.sh in /root
|
||||
copy:
|
||||
src: chroot-bind.sh
|
||||
dest: /root/chroot-bind.sh
|
||||
mode: "0700"
|
||||
owner: root
|
||||
force: yes
|
||||
backup: yes
|
||||
when: bind_chroot_set
|
||||
|
||||
- name: exec chroot-bind.sh
|
||||
command: "/root/chroot-bind.sh"
|
||||
register: chrootbind_run
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
when: bind_chroot_set
|
||||
|
||||
- debug:
|
||||
var: chrootbind_run.stdout_lines
|
||||
when: bind_chroot_set and chrootbind_run.stdout != ""
|
||||
|
||||
- name: Modify OPTIONS in /etc/default/bind9 for chroot
|
||||
replace:
|
||||
dest: /etc/default/bind9
|
||||
regexp: '^OPTIONS=.*'
|
||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
||||
notify: restart bind
|
||||
when: bind_chroot_set
|
||||
|
||||
- name: logrotate for non chroot bind
|
||||
template:
|
||||
src: logrotate_bind
|
||||
dest: /etc/logrotate.d/bind
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_chroot_set == False
|
||||
|
||||
- name: logrotate for chroot bind
|
||||
template:
|
||||
src: logrotate_bind_chroot.j2
|
||||
dest: /etc/logrotate.d/bind
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_chroot_set
|
||||
|
||||
|
||||
|
|
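Review bot: The `exec chroot-bind.sh` task runs a root script that moves `/etc/bind`, rewrites `named.pid` and chowns the whole chroot, yet it carries `changed_when: False` and `check_mode: no`, so `ansible-playbook --check` executes it for real on every run and the play never reports that the host was modified. Drop `check_mode: no` (or use `when: bind_chroot_set and not ansible_check_mode`) and, once the script prints what it did, derive the status from its output with `changed_when: chrootbind_run.stdout != ""`, the same condition the following `debug` task already uses. The two `state: touch` tasks for `/var/log/bind.log` and `/var/log/bind_queries.log` likewise report changed on every run; creating the file once and then enforcing owner/group/mode with `state: file` is the idempotent form. In the first hunk, the recursive and authoritative templates both write `/etc/bind/named.conf.options` under independent `when:` flags, so a host with both `bind_recursive_server` and `bind_authoritative_server` true silently keeps whichever ran last; an up-front `assert: that: not (bind_recursive_server and bind_authoritative_server)` would make that explicit. This hunk starts inside the `Create systemd service` task, whose `template:` opens at the end of the first hunk.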
@ -8,6 +8,7 @@
tags:
|
||||
- bind
|
||||
- munin
|
||||
when: bind_authoritative_server
|
||||
|
||||
- name: Enable munin plugins
|
||||
file:
|
||||
|
@ -17,22 +18,22 @@
with_items:
|
||||
- bind9
|
||||
- bind9_rndc
|
||||
notify: restart munin
|
||||
when: munin_node_plugins_config.stat.exists
|
||||
notify: restart munin-node
|
||||
when: bind_authoritative_server and munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
|
||||
- munin
|
||||
|
||||
- name: Add munin plugin configuration
|
||||
template:
|
||||
src: bind9.j2
|
||||
src: munin-env_bind9.j2
|
||||
dest: /etc/munin/plugin-conf.d/bind9
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart munin
|
||||
when: munin_node_plugins_config.stat.exists
|
||||
notify: restart munin-node
|
||||
when: bind_authoritative_server and munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
|
||||
- munin
|
||||
|
|
@ -1,5 +1,3 @@
# {{ ansible_managed }}
|
||||
|
||||
[Unit]
|
||||
Description=BIND Domain Name Server
|
||||
Documentation=man:named(8)
|
||||
|
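--- /dev/null
+++ b/bind/templates/logrotate_bind
@@ -0,0 +1,10 @@
+/var/log/bind.log {
+weekly
+missingok
+rotate 8
+create 640 bind bind
+sharedscripts
+postrotate
+rndc reload > /dev/null
+endscript
+}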
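Review bot: `create 640 bind bind` here (and the same line in `logrotate_bind_chroot.j2`) recreates the log with group `bind`, while the tasks in `tasks/main.yml` set `/var/log/bind.log` to `owner: bind`, `group: adm`, `mode: "0640"`, so after the first rotation anyone relying on group `adm` loses read access and the next Ansible run flips the group back and reports a change. Use `create 640 bind adm` in both templates so logrotate and the role agree. The two templates also disagree on retention (`rotate 8` here, `rotate 52` in the chroot variant) with nothing explaining why; if that is deliberate a one-line comment in each file would save the next reader a diff, otherwise pick one value.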
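--- /dev/null
+++ b/bind/templates/logrotate_bind_chroot.j2
@@ -0,0 +1,10 @@
+{{ bind_chroot_path }}/var/log/bind.log {
+weekly
+missingok
+rotate 52
+create 640 bind bind
+sharedscripts
+postrotate
+rndc reload > /dev/null
+endscript
+}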
@ -1,6 +1,6 @@
[bind*]
|
||||
user root
|
||||
env.logfile {{ bind_query_file }}
|
||||
env.querystats {{ bind_chroot_root }}{{ bind_statistics_file }}
|
||||
env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }}
|
||||
env.MUNIN_PLUGSTATE /var/lib/munin
|
||||
timeout 120
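Review bot: `env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }}` always prefixes the chroot path, but the role also supports `bind_chroot_set: False`, in which case named writes the statistics file at `{{ bind_statistics_file }}` itself and the munin plugin reads a path that does not exist. Make the prefix conditional: `env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}`. `env.logfile {{ bind_query_file }}` has the opposite problem when the chroot is in use: the authoritative template logs queries to `/var/log/bind_queries.log` relative to the chroot and `chroot-bind.sh` only symlinks `bind.log` out, so the plugin (running as root) would need the same conditional prefix or an extra symlink for the query log.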
@ -1,58 +0,0 @@
// {{ ansible_managed }}
|
||||
|
||||
options {
|
||||
directory "/var/cache/bind";
|
||||
|
||||
// If there is a firewall between you and nameservers you want
|
||||
// to talk to, you may need to fix the firewall to allow multiple
|
||||
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
|
||||
|
||||
// If your ISP provided one or more IP addresses for stable
|
||||
// nameservers, you probably want to use them as forwarders.
|
||||
// Uncomment the following block, and insert the addresses replacing
|
||||
// the all-0's placeholder.
|
||||
|
||||
// forwarders {
|
||||
// 0.0.0.0;
|
||||
// };
|
||||
|
||||
version "Bingo";
|
||||
|
||||
auth-nxdomain no; # conform to RFC1035
|
||||
//listen-on-v6 { ::1; };
|
||||
//listen-on { 127.0.0.1; };
|
||||
|
||||
allow-query { localhost;};
|
||||
allow-transfer { localhost; };
|
||||
allow-recursion { localhost; };
|
||||
|
||||
statistics-file "/var/run/named.stats";
|
||||
};
|
||||
|
||||
logging {
|
||||
//category default { default_syslog; default_debug; };
|
||||
category default { default_debug; };
|
||||
|
||||
channel default_syslog {
|
||||
syslog daemon;
|
||||
severity info;
|
||||
};
|
||||
|
||||
channel default_debug {
|
||||
file "/var/log/bind.log";
|
||||
severity debug;
|
||||
};
|
||||
channel query {
|
||||
file "/var/log/query.log" versions 2 size 1m;
|
||||
print-time yes;
|
||||
severity info;
|
||||
};
|
||||
category queries { query; };
|
||||
};
|
||||
|
||||
//key "external" {
|
||||
// algorithm hmac-md5;
|
||||
// secret "UOQfHEoBzBSC6sD4mwfxLw==";
|
||||
//};
|
||||
//
|
||||
//server 85.118.59.1 { keys external; };
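--- /dev/null
+++ b/bind/templates/named.conf.options_authoritative.j2
@@ -0,0 +1,35 @@
+acl "foo" {
+::ffff:192.0.2.21; 192.0.2.21;
+2001:db8::21;
+};
+
+options {
+directory "/var/cache/bind";
+version "Bingo";
+auth-nxdomain no;
+masterfile-format text;
+statistics-file "/var/run/named.stats";
+
+listen-on-v6 { any; };
+listen-on { any; };
+
+allow-query { localhost; };
+allow-recursion { localhost; };
+allow-transfer { localhost; };
+};
+
+logging {
+category default { default_file; };
+category queries { query_logging; };
+
+channel default_file {
+file "/var/log/bind.log";
+severity info;
+};
+channel query_logging {
+file "/var/log/bind_queries.log" versions 2 size 128M;
+print-category yes;
+print-severity yes;
+print-time yes;
+};
+};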
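Review bot: `acl "foo"` is declared with documentation-range addresses (`192.0.2.21`, `2001:db8::21`) and never referenced, while the options below listen on `any` yet restrict `allow-query`, `allow-transfer` and `allow-recursion` to `localhost`, so as rendered this "authoritative" server answers nobody outside the box and the ACL is dead configuration. Either remove the ACL or wire it where it is presumably meant to go (`allow-transfer { foo; };` for the secondaries) and open `allow-query` to the clients the zones are published for; since the template contains no Jinja variables, every host gets this identical placeholder, so per-host ACL and allow-* lists belong in role variables with a comment saying the defaults are deliberately closed. Keeping `allow-recursion { localhost; };` is the right choice for an authoritative server and should stay as is.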
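--- /dev/null
+++ b/bind/templates/named.conf.options_recursive.j2
@@ -0,0 +1,16 @@
+options {
+directory "/var/cache/bind";
+version "Bingo";
+auth-nxdomain no;
+listen-on-v6 { ::1; };
+listen-on { 127.0.0.1; };
+allow-recursion { ::1; 127.0.0.1; };
+};
+
+logging {
+category default { default_file; };
+channel default_file {
+file "/var/log/bind.log";
+severity info;
+};
+};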
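Review bot: The recursive template replaces the packaged `named.conf.options` but carries neither `allow-query` nor `dnssec-validation`, so queries are accepted from `any` (BIND's default) and validation depends on the daemon default rather than the `dnssec-validation auto;` Debian's stock file sets. Today `listen-on { 127.0.0.1; }` and `listen-on-v6 { ::1; }` limit the exposure, but the moment someone widens `listen-on` for a LAN this becomes an open resolver with no second line of defence; add `allow-query { localhost; };` beside `allow-recursion` and `dnssec-validation auto;` to keep the packaged behaviour. The `logging` block also omits the query channel the authoritative template defines, which may be intended for a resolver but deserves a short comment so it is not read as an oversight.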