diff --git a/bind/README.md b/bind/README.md index a802498e..53f693a8 100644 --- a/bind/README.md +++ b/bind/README.md @@ -9,3 +9,5 @@ Minimal configuration is in `tasks/main.yml` ## Available variables The full list of variables (with default values) can be found in `defaults/main.yml`. + +waening : sync chroot-bind.sh diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml index 52c6ac66..b7bc2090 100644 --- a/bind/defaults/main.yml +++ b/bind/defaults/main.yml @@ -1,6 +1,9 @@ --- +bind_recursive_server: False +bind_authoritative_server: True +bind_chroot_set: True +bind_chroot_path: /var/chroot-bind bind_systemd_service_path: /etc/systemd/system/bind9.service -bind_chroot_root: /var/chroot-bind bind_statistics_file: /var/run/named.stats bind_log_file: /var/log/bind.log -bind_query_file: /var/log/query.log +bind_query_file: /var/log/bind_queries.log diff --git a/bind/files/chroot-bind.sh b/bind/files/chroot-bind.sh new file mode 100644 index 00000000..08c665e8 --- /dev/null +++ b/bind/files/chroot-bind.sh 
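Review bot: `bind_chroot_path: /var/chroot-bind` in defaults/main.yml reads as a tunable, but the chroot-bind.sh this commit ships hardcodes /var/chroot-bind everywhere, while the `OPTIONS="-u bind -t {{ bind_chroot_path }}"` line and the chroot logrotate template do honour the variable; overriding it therefore starts named chrooted into a directory the script never populated. Either drop the variable or document the constraint next to it, e.g. `# NOTE: files/chroot-bind.sh hardcodes /var/chroot-bind; changing this alone will break startup`. The same hunk also introduces `bind_recursive_server` and `bind_authoritative_server` as two independent booleans although the role renders both modes to the same /etc/bind/named.conf.options, so a comment stating that exactly one of them must be true would save an operator a silent mis-deploy.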
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+# Gregory Colpart
+# chroot (or re-chroot) script for bind9
+
+# tested on Debian Wheezy/Jessie/Stretch
+# Exec this script after `(apt-get|aptitude|apt) install bind9`
+# and after *each* bind9 upgrade
+
+# When the script is finished, ensure you have
+# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
+# and /etc/init.d/bind9 (re)start
+#
+# for Jessie/systemd only:
+# cp -a /lib/systemd/system/bind9.service /etc/systemd/system/
+# and modify section [Service] to have :
+# EnvironmentFile=-/etc/default/bind9
+# ExecStart=/usr/sbin/named -f $OPTIONS
+
+# essential dirs
+mkdir -p /var/chroot-bind
+mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
+ /var/chroot-bind/lib /var/chroot-bind/usr/lib \
+ /var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
+ /var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \
+ /var/chroot-bind/run/named/
+
+# for conf
+if [ ! -h "/etc/bind" ]; then
+ mv /etc/bind/ /var/chroot-bind/etc/
+ ln -s /var/chroot-bind/etc/bind/ /etc/bind
+fi
+
+# for logs
+touch /var/chroot-bind/var/log/bind.log
+if [ ! -h "/var/log/bind.log" ]; then
+ ln -s /var/chroot-bind/var/log/bind.log /var/log/bind.log
+fi
+
+# for pid
+if [ -f "/var/run/named/named.pid" ]; then
+ cat /var/run/named/named.pid > /var/chroot-bind/var/run/named/named.pid
+ rm -f /var/run/named/named.pid
+fi
+
+if [ ! -e "/var/chroot-bind/dev/random" ]; then
+ mknod /var/chroot-bind/dev/random c 1 8
+ chmod 666 /var/chroot-bind/dev/random
+fi
+
+if [ ! -e "/var/chroot-bind/dev/urandom" ]; then
+ mknod /var/chroot-bind/dev/urandom c 1 9
+ chmod 666 /var/chroot-bind/dev/urandom
+fi
+
+# essential dev (hum, null is required ??)
+#mknod /var/chroot-bind/dev/null c 1 3 +#chmod 666 /var/chroot-bind/dev/{null,random} + +# essential libs +for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \ + /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do + install -D $i /var/chroot-bind/${i##/} +done + +# essential (hum, bash is required ??) +#cp /bin/bash /var/chroot-bind/bin/ +cp /usr/sbin/named /var/chroot-bind/usr/sbin/ + +# minimal passwd & group file (hum, is required ??) +#grep "bind\|root" /etc/passwd > /var/chroot-bind/etc/passwd +#grep "bind\|root" /etc/group > /var/chroot-bind/etc/group + +# just bind +chown -R bind.bind /var/chroot-bind/ + diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index 4bc9719f..1eee71f6 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -1,4 +1,7 @@ --- +- name: reload systemd + command: systemctl daemon-reload + - name: restart bind service: name: bind9 @@ -9,4 +12,3 @@ name: munin-node state: restarted - diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index dc74029f..1d190135 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml 
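Review bot: The final `chown -R bind.bind /var/chroot-bind/` hands the unprivileged bind user ownership of the copied named binary, every library installed under the chroot's lib/ and usr/lib/, and the whole of the moved /etc/bind including the control key; a compromised named can then rewrite its own code and configuration so the compromise survives the restart that `-u bind -t` was supposed to contain. Only the runtime directories need to be writable, so I would replace that line with `chown -R bind:bind /var/chroot-bind/var/cache/bind /var/chroot-bind/var/log /var/chroot-bind/var/run/named /var/chroot-bind/run/named` and leave the binary, libraries and /etc/bind with the ownership the package gave them (the `mv` earlier in the script preserves it). Since the role appears to run this script on every play, the broad chown also re-applies itself after any manual hardening. The `ldd` pipeline is fine for a distro-packaged named, but a one-line comment that it must never be pointed at an untrusted binary (ldd may execute it) is worth adding above the loop.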
@@ -1,24 +1,40 @@ -- name: Ensure bind9 installed +- name: package are installed apt: - name: bind9 + name: '{{ item }}' state: present + with_items: + - bind9 + - dnstop -- name: Set bind configuration +- name: Set bind configuration for recursive server template: - src: named.conf.options.j2 + src: named.conf.options_recursive.j2 dest: /etc/bind/named.conf.options owner: bind group: bind mode: "0644" force: yes notify: restart bind + when: bind_recursive_server -- name: Modify OPTIONS in /etc/default/bind9 - replace: - dest: /etc/default/bind9 - regexp: '^OPTIONS=.*' - replace: 'OPTIONS="-u bind -t {{ bind_chroot_root }}"' +- name: enable zones.rfc1918 for recursive server + lineinfile: + dest: /etc/bind/named.conf.local + line: 'include "/etc/bind/zones.rfc1918";' + regexp: "zones.rfc1918" notify: restart bind + when: bind_recursive_server + +- name: Set bind configuration for authoritative server + template: + src: named.conf.options_authoritative.j2 + dest: /etc/bind/named.conf.options + owner: bind + group: bind + mode: "0644" + force: yes + notify: restart bind + when: bind_authoritative_server - name: Create systemd service template: 
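Review bot: The two template tasks guarded by `when: bind_recursive_server` and `when: bind_authoritative_server` both write /etc/bind/named.conf.options, so when both flags are true the recursive configuration is rendered, the `zones.rfc1918` include is added, and then the authoritative template silently replaces the options file and the play still reports success. An explicit guard before the first template task makes the conflict fail loudly instead of producing a resolver that listens on `any` with recursion enabled for localhost only. The hunk ends inside the "Create systemd service" task, whose body is outside this hunk.

```yaml
- name: recursive and authoritative modes are mutually exclusive
  fail:
    msg: "set only one of bind_recursive_server / bind_authoritative_server"
  when: bind_recursive_server and bind_authoritative_server
```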
@@ -28,174 +44,78 @@ group: root mode: "0644" force: yes - notify: restart bind + notify: + - reload systemd + - restart bind + when: ansible_distribution_release == "jessie" -- name: Create directories +- name: touch /var/log/bind.log if non chroot file: - path: "{{ bind_chroot_root }}/{{ item }}" - state: directory + path: /var/log/bind.log owner: bind - group: bind - mode: "0700" - recurse: no - with_items: - - bin - - dev - - etc - - lib - - usr/lib - - usr/sbin - - var/cache/bind - - var/log - - var/run/bind/run - register: create_bind_dir - notify: restart bind - -- name: Stat /etc/bind - stat: - path: "/etc/bind" - check_mode: no - register: etc_bind - -- name: Move /etc/bind in chroot - command: "mv /etc/bind/ {{ bind_chroot_root }}/etc/" - when: etc_bind.stat.exists and not etc_bind.stat.islnk - notify: restart bind - -- name: Create symlink - file: - src: "{{ bind_chroot_root }}/etc/bind" - dest: "/etc/bind" - state: link - notify: restart bind - -- name: is there a log file? - stat: - path: "{{ bind_chroot_root }}/var/log/bind.log" - register: bind_log - -- name: create log file - file: - path: "{{ bind_chroot_root }}/var/log/bind.log" - state: touch - when: not bind_log.stat.exists - -- name: verify log file permissions - file: - path: "{{ bind_chroot_root }}/var/log/bind.log" - owner: bind - group: bind + group: adm mode: "0640" - state: file + state: touch + when: bind_chroot_set == False -- name: Create log symlink +- name: touch /var/log/bind_queries.log if non chroot file: - src: "{{ bind_chroot_root }}/var/log/bind.log" - dest: "/var/log/bind.log" - state: link - notify: restart bind - -- name: Create run directory - file: - path: "/var/run/bind/run" - state: directory - owner: root - group: bind - mode: "0770" - recurse: yes - notify: restart bind - -- name: "Stat var/run/bind/run/named in chroot" - stat: - path: "{{ bind_chroot_root }}/var/run/bind/run/named" - check_mode: no - register: named_run - -- name: "Clean var/run/bind/run/named in 
chroot" - file: - path: "{{ bind_chroot_root }}/var/run/bind/run/named" - state: absent - when: named_run.stat.exists and named_run.stat.isdir - -- name: Clean /var/run/bind/run/named.pid - file: - path: "/var/run/bind/run/named.pid" - state: absent - when: named_run.stat.exists and named_run.stat.isdir - -- name: Stat /var/run/bind/run/named.pid - stat: - path: "/var/run/bind/run/named.pid" - check_mode: no - register: named_pid - -- name: Cat pid content - command: "cat /var/run/bind/run/named.pid > {{ bind_chroot_root }}/var/run/bind/run/named.pid" - when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk - -- name: Clean /var/run/bind/run/named.pid - file: - path: "/var/run/bind/run/named.pid" - state: absent - when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk - -- name: Clean /var/run/bind/run/named.pid - file: - path: "/var/run/bind/run/named.pid" - state: absent - when: named_pid.stat.exists and not named_pid.stat.islnk - -- name: Create pid symlink in chroot - file: - src: "{{ bind_chroot_root }}/var/run/bind/run/named.pid" - dest: "/var/run/bind/run/named.pid" - state: link - when: named_pid.stat.exists and not named_pid.stat.islnk - notify: restart bind - -- name: "Stat dev/random in chroot" - stat: - path: "{{ bind_chroot_root }}/dev/random" - check_mode: no - register: named_random - -- name: clean dev/random in chroot - shell: "mv {{ bind_chroot_root }}/dev/random {{ bind_chroot_root }}/dev/random.$(date +%s)" - when: named_random.stat.exists and not named_random.stat.ischr - -- name: mknod dev/random in chroot - command: "mknod -m 666 {{ bind_chroot_root }}/dev/random c 1 3" - args: - creates: "{{ bind_chroot_root }}/dev/random" - notify: restart bind - -- name: get essential libraries - shell: 'ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1 | grep -oE "\S+"' - register: bind_ldd - check_mode: no - changed_when: False - -- name: copy essential libs - command: 
"install -D {{ item }} {{ bind_chroot_root }}{{ item }}" - args: - creates: "{{ bind_chroot_root }}{{ item }}" - with_items: - - "{{ bind_ldd.stdout_lines }}" - - /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so - register: install_libraries - notify: restart bind - -- name: Copy bind - copy: - src: /usr/sbin/named - dest: "{{ bind_chroot_root }}/usr/sbin/" - remote_src: True - notify: restart bind - -- name: Set the good rights - file: - path: "{{ bind_chroot_root }}" + path: /var/log/bind_queries.log owner: bind - group: bind - recurse: yes + group: adm + mode: "0640" + state: touch + when: bind_authoritative_server and bind_chroot_set == False + +- name: send chroot-bind.sh in /root + copy: + src: chroot-bind.sh + dest: /root/chroot-bind.sh + mode: "0700" + owner: root + force: yes + backup: yes + when: bind_chroot_set + +- name: exec chroot-bind.sh + command: "/root/chroot-bind.sh" + register: chrootbind_run + changed_when: False + check_mode: no + when: bind_chroot_set + +- debug: + var: chrootbind_run.stdout_lines + when: bind_chroot_set and chrootbind_run.stdout != "" + +- name: Modify OPTIONS in /etc/default/bind9 for chroot + replace: + dest: /etc/default/bind9 + regexp: '^OPTIONS=.*' + replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' notify: restart bind + when: bind_chroot_set + +- name: logrotate for non chroot bind + template: + src: logrotate_bind + dest: /etc/logrotate.d/bind + owner: root + group: root + mode: "0644" + force: yes + notify: restart bind + when: bind_chroot_set == False + +- name: logrotate for chroot bind + template: + src: logrotate_bind_chroot.j2 + dest: /etc/logrotate.d/bind + owner: root + group: root + mode: "0644" + force: yes + notify: restart bind + when: bind_chroot_set + + diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 98f275cf..a31e6b06 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml 
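Review bot: The "exec chroot-bind.sh" task sets `check_mode: no` together with `changed_when: False`, so `ansible-playbook --check` still runs a script that moves /etc/bind into the chroot, creates device nodes and re-chowns the tree, and a real run never reports any of that as a change; a dry run should not mutate the host. I would drop the `check_mode: no` line and, since the debug task depends on the registered result, guard it with `when: bind_chroot_set and chrootbind_run.stdout is defined and chrootbind_run.stdout != ""`. The OPTIONS replacement then writes `-t {{ bind_chroot_path }}` while the script it just ran hardcodes /var/chroot-bind, so a non-default `bind_chroot_path` yields a named that chroots into an empty directory; passing the path to the script as an argument, or asserting it equals /var/chroot-bind, would close that gap. Also worth noting that `backup: yes` on the script copy leaves timestamped copies of a 0700 root script in /root, which is harmless but noisy.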
@@ -8,6 +8,7 @@ tags: - bind - munin + when: bind_authoritative_server - name: Enable munin plugins file: @@ -17,22 +18,22 @@ with_items: - bind9 - bind9_rndc - notify: restart munin - when: munin_node_plugins_config.stat.exists + notify: restart munin-node + when: bind_authoritative_server and munin_node_plugins_config.stat.exists tags: - bind - munin - name: Add munin plugin configuration template: - src: bind9.j2 + src: munin-env_bind9.j2 dest: /etc/munin/plugin-conf.d/bind9 owner: root group: root mode: "0644" force: yes - notify: restart munin - when: munin_node_plugins_config.stat.exists + notify: restart munin-node + when: bind_authoritative_server and munin_node_plugins_config.stat.exists tags: - bind - munin diff --git a/bind/templates/bind9.service.j2 b/bind/templates/bind9.service.j2 index e0906300..f43d448b 100644 --- a/bind/templates/bind9.service.j2 +++ b/bind/templates/bind9.service.j2 @@ -1,5 +1,3 @@ -# {{ ansible_managed }} - [Unit] Description=BIND Domain Name Server Documentation=man:named(8) diff --git a/bind/templates/logrotate_bind b/bind/templates/logrotate_bind new file mode 100644 index 00000000..d1471fcb --- /dev/null +++ b/bind/templates/logrotate_bind @@ -0,0 +1,10 @@ +/var/log/bind.log { + weekly + missingok + rotate 8 + create 640 bind bind + sharedscripts + postrotate + rndc reload > /dev/null + endscript +} diff --git a/bind/templates/logrotate_bind_chroot.j2 b/bind/templates/logrotate_bind_chroot.j2 new file mode 100644 index 00000000..5db5d494 --- /dev/null +++ b/bind/templates/logrotate_bind_chroot.j2 @@ -0,0 +1,10 @@ +{{ bind_chroot_path }}/var/log/bind.log { + weekly + missingok + rotate 52 + create 640 bind bind + sharedscripts + postrotate + rndc reload > /dev/null + endscript +} diff --git a/bind/templates/bind9.j2 b/bind/templates/munin-env_bind9.j2 similarity index 60% rename from bind/templates/bind9.j2 rename to bind/templates/munin-env_bind9.j2 index 9c62388d..f1d4b41e 100644 --- a/bind/templates/bind9.j2 
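Review bot: logrotate_bind uses `create 640 bind bind`, but the matching tasks in tasks/main.yml touch /var/log/bind.log and /var/log/bind_queries.log with `group: adm`, so after the first weekly rotation the live log flips to group bind and whoever relied on adm membership to read it loses access, and the next play re-touches the file with group adm again; `create 640 bind adm` keeps the two in agreement for the non-chroot case. Both logrotate templates also `notify: restart bind`, which restarts the DNS service whenever a logrotate snippet changes; a logrotate file needs no daemon restart at all. Consider also a comment in the postrotate stanza noting that `rndc reload` is what makes named reopen its file channels, so readers do not replace it with copytruncate.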
+++ b/bind/templates/munin-env_bind9.j2 @@ -1,6 +1,6 @@ [bind*] user root env.logfile {{ bind_query_file }} -env.querystats {{ bind_chroot_root }}{{ bind_statistics_file }} +env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }} env.MUNIN_PLUGSTATE /var/lib/munin timeout 120 diff --git a/bind/templates/named.conf.options.j2 b/bind/templates/named.conf.options.j2 deleted file mode 100644 index 79969a9d..00000000 --- a/bind/templates/named.conf.options.j2 +++ /dev/null @@ -1,58 +0,0 @@ -// {{ ansible_managed }} - -options { - directory "/var/cache/bind"; - - // If there is a firewall between you and nameservers you want - // to talk to, you may need to fix the firewall to allow multiple - // ports to talk. See http://www.kb.cert.org/vuls/id/800113 - - // If your ISP provided one or more IP addresses for stable - // nameservers, you probably want to use them as forwarders. - // Uncomment the following block, and insert the addresses replacing - // the all-0's placeholder. - - // forwarders { - // 0.0.0.0; - // }; - - version "Bingo"; - - auth-nxdomain no; # conform to RFC1035 - //listen-on-v6 { ::1; }; - //listen-on { 127.0.0.1; }; - - allow-query { localhost;}; - allow-transfer { localhost; }; - allow-recursion { localhost; }; - - statistics-file "/var/run/named.stats"; -}; - -logging { - //category default { default_syslog; default_debug; }; - category default { default_debug; }; - - channel default_syslog { - syslog daemon; - severity info; - }; - - channel default_debug { - file "/var/log/bind.log"; - severity debug; - }; - channel query { - file "/var/log/query.log" versions 2 size 1m; - print-time yes; - severity info; - }; - category queries { query; }; -}; - -//key "external" { -// algorithm hmac-md5; -// secret "UOQfHEoBzBSC6sD4mwfxLw=="; -//}; -// -//server 85.118.59.1 { keys external; }; diff --git a/bind/templates/named.conf.options_authoritative.j2 b/bind/templates/named.conf.options_authoritative.j2 new file mode 100644 index 00000000..04ab2551 
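Review bot: In munin-env_bind9.j2 `env.querystats` is now prefixed with `{{ bind_chroot_path }}`, but `env.logfile {{ bind_query_file }}` stays a host path; with the chroot enabled named writes /var/log/bind_queries.log relative to the chroot and chroot-bind.sh only symlinks bind.log, so the munin bind9 plugin reads a file that does not exist, while with `bind_chroot_set: False` the querystats line points into a chroot that was never built. Making both lines conditional keeps the plugin correct in either mode: `env.logfile {{ bind_chroot_path if bind_chroot_set else '' }}{{ bind_query_file }}` and `env.querystats {{ bind_chroot_path if bind_chroot_set else '' }}{{ bind_statistics_file }}`. The `user root` line predates this change but is worth a comment explaining why the plugin cannot run as the munin user (presumably the 640 log permissions).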
--- /dev/null
+++ b/bind/templates/named.conf.options_authoritative.j2
@@ -0,0 +1,35 @@
+acl "foo" {
+ ::ffff:192.0.2.21; 192.0.2.21;
+ 2001:db8::21;
+};
+
+options {
+ directory "/var/cache/bind";
+ version "Bingo";
+ auth-nxdomain no;
+ masterfile-format text;
+ statistics-file "/var/run/named.stats";
+
+ listen-on-v6 { any; };
+ listen-on { any; };
+
+ allow-query { localhost; };
+ allow-recursion { localhost; };
+ allow-transfer { localhost; };
+};
+
+logging {
+ category default { default_file; };
+ category queries { query_logging; };
+
+ channel default_file {
+ file "/var/log/bind.log";
+ severity info;
+ };
+ channel query_logging {
+ file "/var/log/bind_queries.log" versions 2 size 128M;
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ };
+};
diff --git a/bind/templates/named.conf.options_recursive.j2 b/bind/templates/named.conf.options_recursive.j2
new file mode 100644
index 00000000..555230d0
--- /dev/null
+++ b/bind/templates/named.conf.options_recursive.j2
@@ -0,0 +1,16 @@
+options {
+ directory "/var/cache/bind";
+ version "Bingo";
+ auth-nxdomain no;
+ listen-on-v6 { ::1; };
+ listen-on { 127.0.0.1; };
+ allow-recursion { ::1; 127.0.0.1; };
+};
+
+logging {
+ category default { default_file; };
+ channel default_file {
+ file "/var/log/bind.log";
+ severity info;
+ };
+};
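Review bot: named.conf.options_authoritative.j2 binds to `listen-on { any; }` but keeps `allow-query { localhost; }` and `allow-recursion { localhost; }`, so as shipped the "authoritative" server refuses every query from the Internet unless each zone overrides allow-query, and it still performs recursion for local clients, which an authoritative-only server should not do. The usual hardening for this role is `recursion no;` in place of the allow-recursion line plus `allow-query { any; };` for the authoritative zones, with transfers limited to the secondaries. The `acl "foo"` block uses documentation-prefix addresses (192.0.2.21, 2001:db8::21) and is never referenced; it looks like a placeholder that should come from a role variable and be used in `allow-transfer { foo; };`, or be removed so nobody mistakes it for an effective restriction. The `version "Bingo";` string is fine as an obfuscation but deserves a one-line comment saying so.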
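Review bot: named.conf.options_recursive.j2 replaces the Debian-shipped options file and, as far as I can tell, drops the `dnssec-validation auto;` that the package default contains, so the resolver this template produces no longer validates DNSSEC; adding `dnssec-validation auto;` under `auth-nxdomain no;` restores that. Listening only on 127.0.0.1 and ::1 with `allow-recursion { ::1; 127.0.0.1; }` is a sound closed-resolver default, but since the role calls this a "recursive server" a comment stating that it deliberately serves only the local host, and that listen-on must be widened together with allow-recursion and allow-query, would prevent someone from opening one without the others and creating an open resolver.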