Adapted the bind role to respect the evocheck warnings

The required munin plugins and the logging necessary for them to work are
now activated depending on the type of resolver, and the logrotate file is
renamed from bind to bind9.
This commit is contained in:
Patrick Marchand 2019-10-09 11:47:07 -04:00
parent 569ad4d38a
commit c6804e73e7
5 changed files with 47 additions and 12 deletions


@ -26,6 +26,9 @@ The **patch** part changes incrementally at each release.
* redis: rewrite of the role (separate instances, better systemd units…) * redis: rewrite of the role (separate instances, better systemd units…)
* webapps/evoadmin-web Overload templates if needed * webapps/evoadmin-web Overload templates if needed
* webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist * webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist
* bind: enable query logging for recursive resolvers
* bind: enable logrotate for recursive resolvers
* bind: enable bind9 munin plugin for recursive resolvers
### Changed ### Changed
* elasticsearch: listen on local interface only by default * elasticsearch: listen on local interface only by default
@ -41,6 +44,8 @@ The **patch** part changes incrementally at each release.
* lxc: remove useless loop in apt execution * lxc: remove useless loop in apt execution
* lxc: update our default template to be compatible with Debian 10 * lxc: update our default template to be compatible with Debian 10
* lxc: rely on lxc_container module instead of command module * lxc: rely on lxc_container module instead of command module
* bind: the munin task was present, but not included
* bind: change name of logrotate file to bind9
### Fixed ### Fixed
* lxc-php: Don't remove the default pool * lxc-php: Don't remove the default pool
@ -49,6 +54,7 @@ The **patch** part changes incrementally at each release.
* tomcat: fix typo for default tomcat_version * tomcat: fix typo for default tomcat_version
* evoadmin-web: Put the php config at the right place for Buster * evoadmin-web: Put the php config at the right place for Buster
### Security ### Security
## [9.10.1] - 2019-06-21 ## [9.10.1] - 2019-06-21


@ -65,7 +65,7 @@
group: adm group: adm
mode: "0640" mode: "0640"
state: touch state: touch
when: bind_authoritative_server and bind_chroot_set == False when: bind_chroot_set == False
- name: send chroot-bind.sh in /root - name: send chroot-bind.sh in /root
copy: copy:
@ -98,7 +98,7 @@
- name: logrotate for non chroot bind - name: logrotate for non chroot bind
template: template:
src: logrotate_bind src: logrotate_bind
dest: /etc/logrotate.d/bind dest: /etc/logrotate.d/bind9
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
@ -109,10 +109,12 @@
- name: logrotate for chroot bind - name: logrotate for chroot bind
template: template:
src: logrotate_bind_chroot.j2 src: logrotate_bind_chroot.j2
dest: /etc/logrotate.d/bind dest: /etc/logrotate.d/bind9
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
force: yes force: yes
notify: restart bind notify: restart bind
when: bind_chroot_set when: bind_chroot_set
- include: munin.yml
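Review bot: Changing the logrotate `dest:` to /etc/logrotate.d/bind9 in the second and third hunks leaves the old /etc/logrotate.d/bind in place on hosts provisioned before this commit, and logrotate refuses a second stanza for the same log path (the "duplicate log entry" error), so rotation of the bind logs would silently stop on exactly those hosts. A cleanup task ahead of the two template tasks makes the rename safe: `- name: remove obsolete logrotate file` / `file:` / `path: /etc/logrotate.d/bind` with `state: absent`. The `- include: munin.yml` added at the end of the third hunk carries no `when`, which only works because every task in munin.yml now guards itself; a one-line comment saying so would stop someone re-adding a server-type condition here. The surrounding task list continues outside the hunk.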


@ -8,9 +8,8 @@
tags: tags:
- bind - bind
- munin - munin
when: bind_authoritative_server
- name: Enable munin plugins - name: Enable munin plugins for authoritative server
file: file:
src: "/usr/share/munin/plugins/{{ item }}" src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}"
@ -19,7 +18,25 @@
- bind9 - bind9
- bind9_rndc - bind9_rndc
notify: restart munin-node notify: restart munin-node
when: bind_authoritative_server and munin_node_plugins_config.stat.exists when:
- bind_authoritative_server
- munin_node_plugins_config.stat.exists
tags:
- bind
- munin
- name: Enable munin plugins for recursive server
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
with_items:
- bind9
- bind9_rndc
notify: restart munin-node
when:
- bind_recursive_server
- munin_node_plugins_config.stat.exists
tags: tags:
- bind - bind
- munin - munin
@ -33,7 +50,7 @@
mode: "0644" mode: "0644"
force: yes force: yes
notify: restart munin-node notify: restart munin-node
when: bind_authoritative_server and munin_node_plugins_config.stat.exists when: munin_node_plugins_config.stat.exists
tags: tags:
- bind - bind
- munin - munin
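Review bot: The new "Enable munin plugins for recursive server" task is a verbatim copy of the authoritative one apart from its first `when` item, so the plugin list, `notify` and tags must now be kept in sync in two places. A single task with `when:` / `- bind_authoritative_server or bind_recursive_server` / `- munin_node_plugins_config.stat.exists` produces the same links with one definition. The last hunk drops the server-type condition from the plugin-config template task entirely, so presumably the config is also written on a host where neither flag is set and no plugin was linked; if that is intended, a short comment above that task would make it clear. The task list this file defines starts before the first hunk.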


@ -1,6 +1,8 @@
[bind*] [bind*]
user root user root
env.logfile {{ bind_query_file }} env.logfile {{ bind_query_file }}
{% if bind_authoritative_server %}
env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }} env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }}
{% endif %}
env.MUNIN_PLUGSTATE /var/lib/munin env.MUNIN_PLUGSTATE /var/lib/munin
timeout 120 timeout 120
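Review bot: `env.querystats` is now set only for authoritative servers, yet munin.yml links bind9_rndc for recursive servers too, and bind9_rndc is the plugin that reads the statistics file named by that variable; on a recursive-only host it would fall back to whatever default path it has built in, most likely a file that does not exist — confirm against the plugin. Either keep `env.querystats` for both server types if the statistics file is produced on recursive hosts as well, or restrict the bind9_rndc link to the authoritative task so the linked plugins match the configuration they get. Separately, the block still runs as `user root` although tasks/main.yml creates the query log as 0640 root:adm; if the statistics file is readable the same way, `group adm` would be the lower-privilege setting — worth checking before changing.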


@ -8,9 +8,17 @@ options {
}; };
logging { logging {
category default { default_file; }; category default { default_file; };
channel default_file { category queries { query_logging; };
file "/var/log/bind.log";
severity info; channel default_file {
}; file "/var/log/bind.log";
severity info;
};
channel query_logging {
file "/var/log/bind_queries.log" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
}; };
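Review bot: The query channel hard-codes `file "/var/log/bind_queries.log"` while the munin plugin config reads `env.logfile {{ bind_query_file }}`; the two must name the same file (with the chroot prefix accounted for when bind_chroot_set is true) or the bind9 plugin parses nothing, so if this file is rendered as a template, `file "{{ bind_query_file }}" versions 2 size 128M;` keeps the path in one place. The channel also relies on BIND's own size-based rotation while the commit enables logrotate for the same logs; if the logrotate stanza covers bind_queries.log as well, the two rotations will interfere, so one of them should exclude it. Nothing on the new side limits `category queries` to recursive servers, so if this template is shared with authoritative hosts they get query logging too, contrary to the changelog entry. The options block preceding `logging` starts outside the hunk.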