Adapted the bind role to respect the evocheck warnings

The required munin plugins and the logging necessary for them to work is now activated depending on the type of resolver and the logrotate file is changed from bind to bind9.
2019-10-09 11:47:07 -04:00 · 2019-10-09 11:47:07 -04:00 · c6804e73e7
parent 569ad4d38a
commit c6804e73e7
5 changed files with 47 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -26,6 +26,9 @@ The **patch** part changes incrementally at each release.
 * redis: rewrite of the role (separate instances, better systemd units…)
 * webapps/evoadmin-web Overload templates if needed
 * webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist
+* bind: enable query logging for recursive resolvers
+* bind: enable logrotate for recursive resolvers
+* bind: enable bind9 munin plugin for recursive resolvers

 ### Changed
 * elasticsearch: listen on local interface only by default
@ -41,6 +44,8 @@ The **patch** part changes incrementally at each release.
 * lxc: remove useless loop in apt execution
 * lxc: update our default template to be compatible with Debian 10
 * lxc: rely on lxc_container module instead of command module
+* bind: the munin task was present, but not included
+* bind: change name of logrotate file to bind9

 ### Fixed
 * lxc-php: Don't remove the default pool
@ -49,6 +54,7 @@ The **patch** part changes incrementally at each release.
 * tomcat: fix typo for default tomcat_version
 * evoadmin-web: Put the php config at the right place for Buster

+
 ### Security

 ## [9.10.1] - 2019-06-21
--- a/bind/tasks/main.yml
+++ b/bind/tasks/main.yml
@ -65,7 +65,7 @@
    group: adm
    mode: "0640"
    state: touch
-  when: bind_authoritative_server and bind_chroot_set == False
+  when: bind_chroot_set == False

 - name: send chroot-bind.sh in /root
  copy:
@ -98,7 +98,7 @@
 - name: logrotate for non chroot bind
  template:
    src: logrotate_bind
-    dest: /etc/logrotate.d/bind
+    dest: /etc/logrotate.d/bind9
    owner: root
    group: root
    mode: "0644"
@ -109,10 +109,12 @@
 - name: logrotate for chroot bind
  template:
    src: logrotate_bind_chroot.j2
-    dest: /etc/logrotate.d/bind
+    dest: /etc/logrotate.d/bind9
    owner: root
    group: root
    mode: "0644"
    force: yes
  notify: restart bind
  when: bind_chroot_set
+
+- include: munin.yml
--- a/bind/tasks/munin.yml
+++ b/bind/tasks/munin.yml
@ -8,9 +8,8 @@
  tags:
    - bind
    - munin
-  when: bind_authoritative_server

- name: Enable munin plugins
+- name: Enable munin plugins for authoritative server
  file:
    src: "/usr/share/munin/plugins/{{ item }}"
    dest: "/etc/munin/plugins/{{ item }}"
@ -19,7 +18,25 @@
    - bind9
    - bind9_rndc
  notify: restart munin-node
-  when: bind_authoritative_server and munin_node_plugins_config.stat.exists
+  when:
+    - bind_authoritative_server
+    - munin_node_plugins_config.stat.exists
+  tags:
+    - bind
+    - munin
+
+- name: Enable munin plugins for recursive server
+  file:
+    src: "/usr/share/munin/plugins/{{ item }}"
+    dest: "/etc/munin/plugins/{{ item }}"
+    state: link
+  with_items:
+    - bind9
+    - bind9_rndc
+  notify: restart munin-node
+  when:
+    - bind_recursive_server
+    - munin_node_plugins_config.stat.exists
  tags:
    - bind
    - munin
@ -33,7 +50,7 @@
    mode: "0644"
    force: yes
  notify: restart munin-node
-  when: bind_authoritative_server and munin_node_plugins_config.stat.exists
+  when: munin_node_plugins_config.stat.exists
  tags:
    - bind
    - munin
--- a/bind/templates/munin-env_bind9.j2
+++ b/bind/templates/munin-env_bind9.j2
@ -1,6 +1,8 @@
 [bind*]
 user root
 env.logfile {{ bind_query_file }}
+{% if bind_authoritative_server %}
 env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }}
+{% endif %}
 env.MUNIN_PLUGSTATE /var/lib/munin
 timeout 120
--- a/bind/templates/named.conf.options_recursive.j2
+++ b/bind/templates/named.conf.options_recursive.j2
@ -8,9 +8,17 @@ options {
 };

 logging {
-        category default { default_file; };
-        channel default_file {
-                file "/var/log/bind.log";
-                severity info;
-        };
+    category default { default_file; };
+    category queries { query_logging; };
+
+    channel default_file {
+        file "/var/log/bind.log";
+        severity info;
+    };
+    channel query_logging {
+        file "/var/log/bind_queries.log" versions 2 size 128M;
+        print-category yes;
+        print-severity yes;
+        print-time yes;
+    };
 };