Big review of role Bind, sync with https://wiki.evolix.org/HowtoBind

This commit is contained in:
Gregory Colpart 2017-07-22 18:40:00 +02:00
parent bbb0e579a6
commit 3b78613b2e
13 changed files with 256 additions and 241 deletions


@ -9,3 +9,5 @@ Minimal configuration is in `tasks/main.yml`
## Available variables
The full list of variables (with default values) can be found in `defaults/main.yml`.
waening : sync chroot-bind.sh


@ -1,6 +1,9 @@
---
bind_recursive_server: False
bind_authoritative_server: True
bind_chroot_set: True
bind_chroot_path: /var/chroot-bind
bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_chroot_root: /var/chroot-bind
bind_statistics_file: /var/run/named.stats
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/query.log
bind_query_file: /var/log/bind_queries.log
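Review bot: The new booleans are written as `False`/`True` (`bind_recursive_server`, `bind_authoritative_server`, `bind_chroot_set`); YAML's canonical forms are lowercase, `bind_recursive_server: false`, `bind_authoritative_server: true`, `bind_chroot_set: true`, which also keeps yamllint's truthy rule quiet. This section shows both `bind_chroot_path` and `bind_chroot_root` set to `/var/chroot-bind`, and the munin template hunk later in the commit moves from `bind_chroot_root` to `bind_chroot_path`; if `bind_chroot_root` is the removed line, the `Modify OPTIONS in /etc/default/bind9` task in the tasks section that still expands `{{ bind_chroot_root }}` would fail on an undefined variable, so it is worth confirming which name survives. `bind_chroot_path` must also agree with the `/var/chroot-bind` hard-coded throughout `files/chroot-bind.sh`, which does not read this variable; a comment next to the default, `# must match the path hard-coded in files/chroot-bind.sh`, would prevent a silent mismatch. Likewise `bind_log_file` and `bind_query_file` are not consumed by the new named.conf templates, which hard-code `/var/log/bind.log` and `/var/log/bind_queries.log`.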

76
bind/files/chroot-bind.sh Normal file

@ -0,0 +1,76 @@
#!/bin/sh
# Gregory Colpart <reg@debian.org>
# chroot (or re-chroot) script for bind9
# tested on Debian Wheezy/Jessie/Stretch
# Exec this script after `(apt-get|aptitude|apt) install bind9`
# and after *each* bind9 upgrade
# When the script is finished, ensure you have
# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
# and /etc/init.d/bind9 (re)start
#
# for Jessie/systemd only:
# cp -a /lib/systemd/system/bind9.service /etc/systemd/system/
# and modify section [Service] to have :
# EnvironmentFile=-/etc/default/bind9
# ExecStart=/usr/sbin/named -f $OPTIONS
# essential dirs
mkdir -p /var/chroot-bind
mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
/var/chroot-bind/lib /var/chroot-bind/usr/lib \
/var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
/var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \
/var/chroot-bind/run/named/
# for conf
if [ ! -h "/etc/bind" ]; then
mv /etc/bind/ /var/chroot-bind/etc/
ln -s /var/chroot-bind/etc/bind/ /etc/bind
fi
# for logs
touch /var/chroot-bind/var/log/bind.log
if [ ! -h "/var/log/bind.log" ]; then
ln -s /var/chroot-bind/var/log/bind.log /var/log/bind.log
fi
# for pid
if [ -f "/var/run/named/named.pid" ]; then
cat /var/run/named/named.pid > /var/chroot-bind/var/run/named/named.pid
rm -f /var/run/named/named.pid
fi
if [ ! -e "/var/chroot-bind/dev/random" ]; then
mknod /var/chroot-bind/dev/random c 1 8
chmod 666 /var/chroot-bind/dev/random
fi
if [ ! -e "/var/chroot-bind/dev/urandom" ]; then
mknod /var/chroot-bind/dev/urandom c 1 9
chmod 666 /var/chroot-bind/dev/urandom
fi
# essential dev (hum, null is required ??)
#mknod /var/chroot-bind/dev/null c 1 3
#chmod 666 /var/chroot-bind/dev/{null,random}
# essential libs
for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \
/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do
install -D $i /var/chroot-bind/${i##/}
done
# essential (hum, bash is required ??)
#cp /bin/bash /var/chroot-bind/bin/
cp /usr/sbin/named /var/chroot-bind/usr/sbin/
# minimal passwd & group file (hum, is required ??)
#grep "bind\|root" /etc/passwd > /var/chroot-bind/etc/passwd
#grep "bind\|root" /etc/group > /var/chroot-bind/etc/group
# just bind
chown -R bind.bind /var/chroot-bind/
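Review bot: The final `chown -R bind.bind /var/chroot-bind/` hands the service user ownership of everything in the chroot, including the copied `named` binary, its shared libraries and the relocated `/etc/bind`, so a compromised named process could rewrite its own executable and configuration and survive a restart; limit the ownership change to what named must write, e.g. `chown -R bind:bind /var/chroot-bind/var/cache/bind /var/chroot-bind/var/log /var/chroot-bind/var/run/named /var/chroot-bind/run/named`, and keep binaries and libraries root-owned (reading `/etc/bind` needs only the group access Debian already grants). The script has no `set -e`, so if `mv /etc/bind/` fails the following `ln -s` still runs and leaves a dangling symlink where the real configuration was. The glob `/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so` is architecture-specific and, on a host without an openssl-1.0.* engine directory, is passed literally to `install -D`, which errors while the loop carries on; guarding with `[ -e "$i" ] || continue` or `set -e` would make that visible. A header line stating that the chroot path must match `bind_chroot_path` in the role defaults would help the next maintainer, since the two are maintained independently.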


@ -1,4 +1,7 @@
---
- name: reload systemd
command: systemctl daemon-reload
- name: restart bind
service:
name: bind9
@ -9,4 +12,3 @@
name: munin-node
state: restarted


@ -1,24 +1,40 @@
- name: Ensure bind9 installed
- name: package are installed
apt:
name: bind9
name: '{{ item }}'
state: present
with_items:
- bind9
- dnstop
- name: Set bind configuration
- name: Set bind configuration for recursive server
template:
src: named.conf.options.j2
src: named.conf.options_recursive.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind
when: bind_recursive_server
- name: Modify OPTIONS in /etc/default/bind9
replace:
dest: /etc/default/bind9
regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_root }}"'
- name: enable zones.rfc1918 for recursive server
lineinfile:
dest: /etc/bind/named.conf.local
line: 'include "/etc/bind/zones.rfc1918";'
regexp: "zones.rfc1918"
notify: restart bind
when: bind_recursive_server
- name: Set bind configuration for authoritative server
template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind
when: bind_authoritative_server
- name: Create systemd service
template:
@ -28,174 +44,78 @@
group: root
mode: "0644"
force: yes
notify: restart bind
notify:
- reload systemd
- restart bind
when: ansible_distribution_release == "jessie"
- name: Create directories
- name: touch /var/log/bind.log if non chroot
file:
path: "{{ bind_chroot_root }}/{{ item }}"
state: directory
path: /var/log/bind.log
owner: bind
group: bind
mode: "0700"
recurse: no
with_items:
- bin
- dev
- etc
- lib
- usr/lib
- usr/sbin
- var/cache/bind
- var/log
- var/run/bind/run
register: create_bind_dir
notify: restart bind
- name: Stat /etc/bind
stat:
path: "/etc/bind"
check_mode: no
register: etc_bind
- name: Move /etc/bind in chroot
command: "mv /etc/bind/ {{ bind_chroot_root }}/etc/"
when: etc_bind.stat.exists and not etc_bind.stat.islnk
notify: restart bind
- name: Create symlink
file:
src: "{{ bind_chroot_root }}/etc/bind"
dest: "/etc/bind"
state: link
notify: restart bind
- name: is there a log file?
stat:
path: "{{ bind_chroot_root }}/var/log/bind.log"
register: bind_log
- name: create log file
file:
path: "{{ bind_chroot_root }}/var/log/bind.log"
state: touch
when: not bind_log.stat.exists
- name: verify log file permissions
file:
path: "{{ bind_chroot_root }}/var/log/bind.log"
owner: bind
group: bind
group: adm
mode: "0640"
state: file
state: touch
when: bind_chroot_set == False
- name: Create log symlink
- name: touch /var/log/bind_queries.log if non chroot
file:
src: "{{ bind_chroot_root }}/var/log/bind.log"
dest: "/var/log/bind.log"
state: link
notify: restart bind
- name: Create run directory
file:
path: "/var/run/bind/run"
state: directory
owner: root
group: bind
mode: "0770"
recurse: yes
notify: restart bind
- name: "Stat var/run/bind/run/named in chroot"
stat:
path: "{{ bind_chroot_root }}/var/run/bind/run/named"
check_mode: no
register: named_run
- name: "Clean var/run/bind/run/named in chroot"
file:
path: "{{ bind_chroot_root }}/var/run/bind/run/named"
state: absent
when: named_run.stat.exists and named_run.stat.isdir
- name: Clean /var/run/bind/run/named.pid
file:
path: "/var/run/bind/run/named.pid"
state: absent
when: named_run.stat.exists and named_run.stat.isdir
- name: Stat /var/run/bind/run/named.pid
stat:
path: "/var/run/bind/run/named.pid"
check_mode: no
register: named_pid
- name: Cat pid content
command: "cat /var/run/bind/run/named.pid > {{ bind_chroot_root }}/var/run/bind/run/named.pid"
when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk
- name: Clean /var/run/bind/run/named.pid
file:
path: "/var/run/bind/run/named.pid"
state: absent
when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk
- name: Clean /var/run/bind/run/named.pid
file:
path: "/var/run/bind/run/named.pid"
state: absent
when: named_pid.stat.exists and not named_pid.stat.islnk
- name: Create pid symlink in chroot
file:
src: "{{ bind_chroot_root }}/var/run/bind/run/named.pid"
dest: "/var/run/bind/run/named.pid"
state: link
when: named_pid.stat.exists and not named_pid.stat.islnk
notify: restart bind
- name: "Stat dev/random in chroot"
stat:
path: "{{ bind_chroot_root }}/dev/random"
check_mode: no
register: named_random
- name: clean dev/random in chroot
shell: "mv {{ bind_chroot_root }}/dev/random {{ bind_chroot_root }}/dev/random.$(date +%s)"
when: named_random.stat.exists and not named_random.stat.ischr
- name: mknod dev/random in chroot
command: "mknod -m 666 {{ bind_chroot_root }}/dev/random c 1 3"
args:
creates: "{{ bind_chroot_root }}/dev/random"
notify: restart bind
- name: get essential libraries
shell: 'ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1 | grep -oE "\S+"'
register: bind_ldd
check_mode: no
changed_when: False
- name: copy essential libs
command: "install -D {{ item }} {{ bind_chroot_root }}{{ item }}"
args:
creates: "{{ bind_chroot_root }}{{ item }}"
with_items:
- "{{ bind_ldd.stdout_lines }}"
- /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
register: install_libraries
notify: restart bind
- name: Copy bind
copy:
src: /usr/sbin/named
dest: "{{ bind_chroot_root }}/usr/sbin/"
remote_src: True
notify: restart bind
- name: Set the good rights
file:
path: "{{ bind_chroot_root }}"
path: /var/log/bind_queries.log
owner: bind
group: bind
recurse: yes
group: adm
mode: "0640"
state: touch
when: bind_authoritative_server and bind_chroot_set == False
- name: send chroot-bind.sh in /root
copy:
src: chroot-bind.sh
dest: /root/chroot-bind.sh
mode: "0700"
owner: root
force: yes
backup: yes
when: bind_chroot_set
- name: exec chroot-bind.sh
command: "/root/chroot-bind.sh"
register: chrootbind_run
changed_when: False
check_mode: no
when: bind_chroot_set
- debug:
var: chrootbind_run.stdout_lines
when: bind_chroot_set and chrootbind_run.stdout != ""
- name: Modify OPTIONS in /etc/default/bind9 for chroot
replace:
dest: /etc/default/bind9
regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
notify: restart bind
when: bind_chroot_set
- name: logrotate for non chroot bind
template:
src: logrotate_bind
dest: /etc/logrotate.d/bind
owner: root
group: root
mode: "0644"
force: yes
notify: restart bind
when: bind_chroot_set == False
- name: logrotate for chroot bind
template:
src: logrotate_bind_chroot.j2
dest: /etc/logrotate.d/bind
owner: root
group: root
mode: "0644"
force: yes
notify: restart bind
when: bind_chroot_set
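Review bot: The `exec chroot-bind.sh` task runs the script on every play with `changed_when: False` and `check_mode: no`, so a `--check` run still moves `/etc/bind`, copies binaries and recursively chowns the chroot, and a normal run never reports that anything changed; drop `check_mode: no` so check mode skips it, and replace the constant with something derived from the run, e.g. `changed_when: chrootbind_run.stdout != ""`, or have the script print what it changed. `Set bind configuration for recursive server` and `Set bind configuration for authoritative server` both template `/etc/bind/named.conf.options`, so with both flags true the authoritative one silently wins and with both false no options file is managed; an `assert` at the top of the file that exactly one of `bind_recursive_server`/`bind_authoritative_server` is true would catch a bad inventory. Two `Modify OPTIONS in /etc/default/bind9` tasks appear in this section, one unconditional using `{{ bind_chroot_root }}` and one `when: bind_chroot_set` using `{{ bind_chroot_path }}`; if the unconditional one is on the new side it forces `-t` chroot options onto non-chroot installs and references a variable the defaults hunk appears to replace. On style, the logrotate templates `notify: restart bind` although a logrotate file change does not affect named, and `bind_chroot_set == False` reads better as `not bind_chroot_set`.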


@ -8,6 +8,7 @@
tags:
- bind
- munin
when: bind_authoritative_server
- name: Enable munin plugins
file:
@ -17,22 +18,22 @@
with_items:
- bind9
- bind9_rndc
notify: restart munin
when: munin_node_plugins_config.stat.exists
notify: restart munin-node
when: bind_authoritative_server and munin_node_plugins_config.stat.exists
tags:
- bind
- munin
- name: Add munin plugin configuration
template:
src: bind9.j2
src: munin-env_bind9.j2
dest: /etc/munin/plugin-conf.d/bind9
owner: root
group: root
mode: "0644"
force: yes
notify: restart munin
when: munin_node_plugins_config.stat.exists
notify: restart munin-node
when: bind_authoritative_server and munin_node_plugins_config.stat.exists
tags:
- bind
- munin


@ -1,5 +1,3 @@
# {{ ansible_managed }}
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)


@ -0,0 +1,10 @@
/var/log/bind.log {
weekly
missingok
rotate 8
create 640 bind bind
sharedscripts
postrotate
rndc reload > /dev/null
endscript
}
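Review bot: `create 640 bind bind` does not match how the tasks create `/var/log/bind.log` on the non-chroot path (`owner: bind`, `group: adm`, `mode: "0640"`), so after the first rotation the fresh file is no longer readable by the adm group; use `create 640 bind adm` here, and the same line in `logrotate_bind_chroot.j2` has the same mismatch. The two templates also disagree on retention, `rotate 8` here against `rotate 52` in the chroot variant, which looks unintentional since nothing else distinguishes the two cases. Neither template uses `{{ bind_log_file }}` from the defaults; the path is hard-coded, so changing the variable would silently leave rotation pointing at the old file.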


@ -0,0 +1,10 @@
{{ bind_chroot_path }}/var/log/bind.log {
weekly
missingok
rotate 52
create 640 bind bind
sharedscripts
postrotate
rndc reload > /dev/null
endscript
}


@ -1,6 +1,6 @@
[bind*]
user root
env.logfile {{ bind_query_file }}
env.querystats {{ bind_chroot_root }}{{ bind_statistics_file }}
env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }}
env.MUNIN_PLUGSTATE /var/lib/munin
timeout 120
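Review bot: `env.querystats` is prefixed with `{{ bind_chroot_path }}` unconditionally, so on a non-chroot install (`bind_chroot_set: false`) it points inside a chroot that does not exist, while `env.logfile {{ bind_query_file }}` gets no prefix at all even though the new named.conf template writes `/var/log/bind_queries.log` inside the chroot and `chroot-bind.sh` only links `bind.log` out of it; both values need the prefix only when chrooted, e.g. `env.logfile {{ bind_chroot_path if bind_chroot_set else "" }}{{ bind_query_file }}` and the same form for querystats. `user root` is broader than needed: the tasks create the query log as `bind:adm 0640`, so the plugin could run as `bind` (or a user in adm) and still read the log and the statistics file. The old side appears to have used `bind_chroot_root`, so this rename should be checked against the defaults hunk to be sure the surviving variable is `bind_chroot_path`.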


@ -1,58 +0,0 @@
// {{ ansible_managed }}
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
version "Bingo";
auth-nxdomain no; # conform to RFC1035
//listen-on-v6 { ::1; };
//listen-on { 127.0.0.1; };
allow-query { localhost;};
allow-transfer { localhost; };
allow-recursion { localhost; };
statistics-file "/var/run/named.stats";
};
logging {
//category default { default_syslog; default_debug; };
category default { default_debug; };
channel default_syslog {
syslog daemon;
severity info;
};
channel default_debug {
file "/var/log/bind.log";
severity debug;
};
channel query {
file "/var/log/query.log" versions 2 size 1m;
print-time yes;
severity info;
};
category queries { query; };
};
//key "external" {
// algorithm hmac-md5;
// secret "UOQfHEoBzBSC6sD4mwfxLw==";
//};
//
//server 85.118.59.1 { keys external; };


@ -0,0 +1,35 @@
acl "foo" {
::ffff:192.0.2.21; 192.0.2.21;
2001:db8::21;
};
options {
directory "/var/cache/bind";
version "Bingo";
auth-nxdomain no;
masterfile-format text;
statistics-file "/var/run/named.stats";
listen-on-v6 { any; };
listen-on { any; };
allow-query { localhost; };
allow-recursion { localhost; };
allow-transfer { localhost; };
};
logging {
category default { default_file; };
category queries { query_logging; };
channel default_file {
file "/var/log/bind.log";
severity info;
};
channel query_logging {
file "/var/log/bind_queries.log" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
};
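Review bot: For an authoritative server listening on `any`, recursion stays enabled and is only fenced by `allow-recursion { localhost; }`; add `recursion no;` to `options` so the server cannot become a resolver through a later ACL change, after which `allow-recursion` is redundant. `acl "foo"` is declared with RFC 5737/3849 documentation addresses and never referenced, so it should either be removed or become a variable-driven ACL with a meaningful name. As written, `allow-query { localhost; }` applies to every zone that does not override it, so external clients are refused for the served zones unless each zone sets its own `allow-query`; if that is the intent it deserves a comment, `// zones must set their own allow-query to be served publicly`. The removed `named.conf.options.j2` opened with `// {{ ansible_managed }}`, and both new templates drop that header.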


@ -0,0 +1,16 @@
options {
directory "/var/cache/bind";
version "Bingo";
auth-nxdomain no;
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };
allow-recursion { ::1; 127.0.0.1; };
};
logging {
category default { default_file; };
channel default_file {
file "/var/log/bind.log";
severity info;
};
};
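Review bot: This resolver template omits `dnssec-validation`, so validation is left to the running BIND version's default instead of the `dnssec-validation auto;` that, as far as I recall, Debian's stock `named.conf.options` sets; make it explicit in `options`, `dnssec-validation auto;`, so the resolver validates using BIND's built-in root key. Unlike the authoritative template there is no `allow-query`, which is acceptable only because `listen-on` and `listen-on-v6` are loopback-only; a comment making that dependency explicit, `// loopback-only listen addresses are the access control here`, would stop someone widening listen-on without adding an ACL. `/var/log/bind.log` is hard-coded although the defaults define `bind_log_file`; templating `{{ bind_log_file }}` here and in the authoritative template keeps them in step with the logrotate and task paths.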