From c6804e73e78737bb5ea98ae23f76b2c37ec20988 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 9 Oct 2019 11:47:07 -0400 Subject: [PATCH 01/10] Adapted the bind role to respect the evocheck warnings The required munin plugins and the logging necessary for them to work is now activated depending on the type of resolver and the logrotate file is changed from bind to bind9. --- CHANGELOG.md | 6 +++++ bind/tasks/main.yml | 8 +++--- bind/tasks/munin.yml | 25 ++++++++++++++++--- bind/templates/munin-env_bind9.j2 | 2 ++ .../templates/named.conf.options_recursive.j2 | 18 +++++++++---- 5 files changed, 47 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9454b37c..dcec3d69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,9 @@ The **patch** part changes incrementally at each release. * redis: rewrite of the role (separate instances, better systemd units…) * webapps/evoadmin-web Overload templates if needed * webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist +* bind: enable query logging for recursive resolvers +* bind: enable logrotate for recursive resolvers +* bind: enable bind9 munin plugin for recursive resolvers ### Changed * elasticsearch: listen on local interface only by default @@ -41,6 +44,8 @@ The **patch** part changes incrementally at each release. * lxc: remove useless loop in apt execution * lxc: update our default template to be compatible with Debian 10 * lxc: rely on lxc_container module instead of command module +* bind: the munin task was present, but not included +* bind: change name of logrotate file to bind9 ### Fixed * lxc-php: Don't remove the default pool @@ -49,6 +54,7 @@ The **patch** part changes incrementally at each release. * tomcat: fix typo for default tomcat_version * evoadmin-web: Put the php config at the right place for Buster + ### Security ## [9.10.1] - 2019-06-21 diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 8fdf1692..03780435 100644 
--- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -65,7 +65,7 @@ group: adm mode: "0640" state: touch - when: bind_authoritative_server and bind_chroot_set == False + when: bind_chroot_set == False - name: send chroot-bind.sh in /root copy: @@ -98,7 +98,7 @@ - name: logrotate for non chroot bind template: src: logrotate_bind - dest: /etc/logrotate.d/bind + dest: /etc/logrotate.d/bind9 owner: root group: root mode: "0644" @@ -109,10 +109,12 @@ - name: logrotate for chroot bind template: src: logrotate_bind_chroot.j2 - dest: /etc/logrotate.d/bind + dest: /etc/logrotate.d/bind9 owner: root group: root mode: "0644" force: yes notify: restart bind when: bind_chroot_set + +- include: munin.yml diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index a31e6b06..5f9da280 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -8,9 +8,8 @@ tags: - bind - munin - when: bind_authoritative_server -- name: Enable munin plugins +- name: Enable munin plugins for authoritative server file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" @@ -19,7 +18,25 @@ - bind9 - bind9_rndc notify: restart munin-node - when: bind_authoritative_server and munin_node_plugins_config.stat.exists + when: + - bind_authoritative_server + - munin_node_plugins_config.stat.exists + tags: + - bind + - munin + +- name: Enable munin plugins for recursive server + file: + src: "/usr/share/munin/plugins/{{ item }}" + dest: "/etc/munin/plugins/{{ item }}" + state: link + with_items: + - bind9 + - bind9_rndc + notify: restart munin-node + when: + - bind_recursive_server + - munin_node_plugins_config.stat.exists tags: - bind - munin @@ -33,7 +50,7 @@ mode: "0644" force: yes notify: restart munin-node - when: bind_authoritative_server and munin_node_plugins_config.stat.exists + when: munin_node_plugins_config.stat.exists tags: - bind - munin diff --git a/bind/templates/munin-env_bind9.j2 b/bind/templates/munin-env_bind9.j2 index f1d4b41e..5783f889 100644 
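Review bot: In the `logrotate for non chroot bind` hunk the destination moves from `/etc/logrotate.d/bind` to `/etc/logrotate.d/bind9`, but nothing removes the old file, so hosts this role already configured end up with two stanzas for `/var/log/bind.log`, and logrotate reports a duplicate log entry and ignores the second one. Add a cleanup task next to the template tasks, e.g. `- name: remove obsolete logrotate file` with `file: { path: /etc/logrotate.d/bind, state: absent }`; the chroot variant in the next hunk was renamed the same way and needs the same cleanup. If the Debian bind9 package ships its own `/etc/logrotate.d/bind9`, the template now overwrites it, which is presumably intended but deserves a one-line comment on the task.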
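Review bot: The new `Enable munin plugins for recursive server` task duplicates the authoritative one line for line apart from its `when`; a single task with `when:` `- bind_authoritative_server or bind_recursive_server` and `- munin_node_plugins_config.stat.exists` keeps the plugin list in one place and stops the two copies drifting. In the last hunk `Add munin plugin configuration` now runs whenever munin-node is present, even when neither flag is set, so a host that is neither resolver type still gets a `[bind*] user root` plugin config with no plugin linked; gate it with the same condition.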
--- a/bind/templates/munin-env_bind9.j2 +++ b/bind/templates/munin-env_bind9.j2 @@ -1,6 +1,8 @@ [bind*] user root env.logfile {{ bind_query_file }} +{% if bind_authoritative_server %} env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }} +{% endif %} env.MUNIN_PLUGSTATE /var/lib/munin timeout 120 diff --git a/bind/templates/named.conf.options_recursive.j2 b/bind/templates/named.conf.options_recursive.j2 index 555230d0..748f19b2 100644 --- a/bind/templates/named.conf.options_recursive.j2 +++ b/bind/templates/named.conf.options_recursive.j2 @@ -8,9 +8,17 @@ options { }; logging { - category default { default_file; }; - channel default_file { - file "/var/log/bind.log"; - severity info; - }; + category default { default_file; }; + category queries { query_logging; }; + + channel default_file { + file "/var/log/bind.log"; + severity info; + }; + channel query_logging { + file "/var/log/bind_queries.log" versions 2 size 128M; + print-category yes; + print-severity yes; + print-time yes; + }; }; From 2bbebded9e42675a812d4a77fc5442489c4db8f5 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 9 Oct 2019 12:07:14 -0400 Subject: [PATCH 02/10] Migrated bind role to python booleans --- bind/defaults/main.yml | 6 +++--- bind/tasks/main.yml | 22 +++++++++++----------- bind/tasks/munin.yml | 4 ++-- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml index b7bc2090..9338d847 100644 --- a/bind/defaults/main.yml +++ b/bind/defaults/main.yml @@ -1,7 +1,7 @@ --- -bind_recursive_server: False -bind_authoritative_server: True -bind_chroot_set: True +bind_recursive_server: false +bind_authoritative_server: true +bind_chroot_set: true bind_chroot_path: /var/chroot-bind bind_systemd_service_path: /etc/systemd/system/bind9.service bind_statistics_file: /var/run/named.stats diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 03780435..5c28887c 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml 
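Review bot: With `env.querystats` now limited to authoritative servers, on a recursive server the `bind9` plugin only needs to read `{{ bind_query_file }}`, which this series creates as `bind:adm` mode `0640`, yet the context line `user root` still runs every `bind*` plugin as root. Consider splitting the section so that only `[bind9_rndc]`, which invokes rndc and presumably needs its key, keeps `user root`, while `[bind9]` gets `group adm`. Verify first that the plugin can still write its state under `env.MUNIN_PLUGSTATE /var/lib/munin` as that user, since that directory's ownership is not visible here.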
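Review bot: The new `query_logging` channel turns on per-query logging on every recursive resolver unconditionally, and on a resolver that serves users this records client addresses and the names they look up, personal data whose retention is set here only by `versions 2 size 128M` with no age bound. Make it opt-in or at least explicit through a role variable (e.g. `bind_query_logging`) and document the retention, and if the log exists only to feed the munin `bind9` plugin say so in the template: `// query log consumed by the munin bind9 plugin; rotated by BIND itself (2 x 128M)`. The channel also sets no `severity`, so it inherits the default; state `severity info;` explicitly if that is intended, as the `default_file` channel does.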
@@ -13,7 +13,7 @@ owner: bind group: bind mode: "0644" - force: yes + force: true notify: restart bind when: bind_recursive_server @@ -32,7 +32,7 @@ owner: bind group: bind mode: "0644" - force: yes + force: true notify: restart bind when: bind_authoritative_server @@ -43,7 +43,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: - reload systemd - restart bind @@ -56,7 +56,7 @@ group: adm mode: "0640" state: touch - when: bind_chroot_set == False + when: not bind_chroot_set - name: touch /var/log/bind_queries.log if non chroot file: @@ -65,7 +65,7 @@ group: adm mode: "0640" state: touch - when: bind_chroot_set == False + when: not bind_chroot_set - name: send chroot-bind.sh in /root copy: @@ -73,14 +73,14 @@ dest: /root/chroot-bind.sh mode: "0700" owner: root - force: yes - backup: yes + force: true + backup: true when: bind_chroot_set - name: exec chroot-bind.sh command: "/root/chroot-bind.sh" register: chrootbind_run - changed_when: False + changed_when: false when: bind_chroot_set - debug: @@ -102,9 +102,9 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart bind - when: bind_chroot_set == False + when: not bind_chroot_set - name: logrotate for chroot bind template: @@ -113,7 +113,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart bind when: bind_chroot_set diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 5f9da280..751f8093 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -3,7 +3,7 @@ - name: is Munin present ? stat: path: /etc/munin/plugin-conf.d/munin-node - check_mode: no + check_mode: false register: munin_node_plugins_config tags: - bind @@ -48,7 +48,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart munin-node when: munin_node_plugins_config.stat.exists tags: From 6118dda7c9cd42ed75aea4541754a89161f91175 Mon Sep 17 00:00:00 2001 
From: Patrick Marchand Date: Wed, 9 Oct 2019 12:15:55 -0400 Subject: [PATCH 03/10] yaml lint and quoting standardisation for bind role --- bind/defaults/main.yml | 10 +-- bind/handlers/main.yml | 17 +++--- bind/tasks/main.yml | 134 +++++++++++++++++++++-------------------- bind/tasks/munin.yml | 38 ++++++------ 4 files changed, 100 insertions(+), 99 deletions(-) diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml index 9338d847..beba84ee 100644 --- a/bind/defaults/main.yml +++ b/bind/defaults/main.yml @@ -2,8 +2,8 @@ bind_recursive_server: false bind_authoritative_server: true bind_chroot_set: true -bind_chroot_path: /var/chroot-bind -bind_systemd_service_path: /etc/systemd/system/bind9.service -bind_statistics_file: /var/run/named.stats -bind_log_file: /var/log/bind.log -bind_query_file: /var/log/bind_queries.log +bind_chroot_path: '/var/chroot-bind' +bind_systemd_service_path: '/etc/systemd/system/bind9.service' +bind_statistics_file: '/var/run/named.stats' +bind_log_file: '/var/log/bind.log' +bind_query_file: '/var/log/bind_queries.log' diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index 1eee71f6..01cec607 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -1,14 +1,13 @@ --- -- name: reload systemd - command: systemctl daemon-reload +- name: 'reload systemd' + command: 'systemctl daemon-reload' -- name: restart bind +- name: 'restart bind' service: - name: bind9 - state: restarted + name: 'bind9' + state: 'restarted' -- name: restart munin-node +- name: 'restart munin-node' service: - name: munin-node - state: restarted - + name: 'munin-node' + state: 'restarted' diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 5c28887c..d7ce09b3 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml 
@@ -1,84 +1,86 @@ -- name: package are installed +--- + +- name: 'packages are installed' apt: name: '{{ item }}' - state: present + state: 'present' with_items: - - bind9 - - dnstop + - 'bind9' + - 'dnstop' -- name: Set bind configuration for recursive server +- name: 'Set bind configuration for recursive server' template: - src: named.conf.options_recursive.j2 - dest: /etc/bind/named.conf.options - owner: bind - group: bind - mode: "0644" + src: 'named.conf.options_recursive.j2' + dest: '/etc/bind/named.conf.options' + owner: 'bind' + group: 'bind' + mode: '0644' force: true - notify: restart bind + notify: 'restart bind' when: bind_recursive_server -- name: enable zones.rfc1918 for recursive server +- name: 'enable zones.rfc1918 for recursive server' lineinfile: - dest: /etc/bind/named.conf.local + dest: '/etc/bind/named.conf.local' line: 'include "/etc/bind/zones.rfc1918";' - regexp: "zones.rfc1918" - notify: restart bind + regexp: 'zones.rfc1918' + notify: 'restart bind' when: bind_recursive_server -- name: Set bind configuration for authoritative server +- name: 'Set bind configuration for authoritative server' template: - src: named.conf.options_authoritative.j2 - dest: /etc/bind/named.conf.options - owner: bind - group: bind - mode: "0644" + src: 'named.conf.options_authoritative.j2' + dest: '/etc/bind/named.conf.options' + owner: 'bind' + group: 'bind' + mode: '0644' force: true - notify: restart bind + notify: 'restart bind' when: bind_authoritative_server -- name: Create systemd service +- name: 'Create systemd service' template: - src: bind9.service.j2 + src: 'bind9.service.j2' dest: "{{ bind_systemd_service_path }}" - owner: root - group: root - mode: "0644" + owner: 'root' + group: 'root' + mode: '0644' force: true notify: - - reload systemd - - restart bind + - 'reload systemd' + - 'restart bind' when: ansible_distribution_release == "jessie" -- name: touch /var/log/bind.log if non chroot +- name: 'touch /var/log/bind.log if non chroot' file: - path: 
/var/log/bind.log - owner: bind - group: adm - mode: "0640" - state: touch + path: '/var/log/bind.log' + owner: 'bind' + group: 'adm' + mode: '0640' + state: 'touch' when: not bind_chroot_set -- name: touch /var/log/bind_queries.log if non chroot +- name: 'touch /var/log/bind_queries.log if non chroot' file: - path: /var/log/bind_queries.log - owner: bind - group: adm - mode: "0640" - state: touch + path: '/var/log/bind_queries.log' + owner: 'bind' + group: 'adm' + mode: '0640' + state: 'touch' when: not bind_chroot_set -- name: send chroot-bind.sh in /root +- name: 'send chroot-bind.sh in /root' copy: - src: chroot-bind.sh - dest: /root/chroot-bind.sh - mode: "0700" - owner: root + src: 'chroot-bind.sh' + dest: '/root/chroot-bind.sh' + mode: '0700' + owner: 'root' force: true backup: true when: bind_chroot_set -- name: exec chroot-bind.sh - command: "/root/chroot-bind.sh" +- name: 'exec chroot-bind.sh' + command: '/root/chroot-bind.sh' register: chrootbind_run changed_when: false when: bind_chroot_set 
@@ -87,34 +89,34 @@ var: chrootbind_run.stdout_lines when: bind_chroot_set and chrootbind_run.stdout != "" -- name: Modify OPTIONS in /etc/default/bind9 for chroot +- name: 'Modify OPTIONS in /etc/default/bind9 for chroot' replace: - dest: /etc/default/bind9 + dest: '/etc/default/bind9' regexp: '^OPTIONS=.*' replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' - notify: restart bind + notify: 'restart bind' when: bind_chroot_set -- name: logrotate for non chroot bind +- name: 'logrotate for non chroot bind' template: - src: logrotate_bind - dest: /etc/logrotate.d/bind9 - owner: root - group: root - mode: "0644" + src: 'logrotate_bind' + dest: '/etc/logrotate.d/bind9' + owner: 'root' + group: 'root' + mode: '0644' force: true - notify: restart bind + notify: 'restart bind' when: not bind_chroot_set -- name: logrotate for chroot bind +- name: 'logrotate for chroot bind' template: - src: logrotate_bind_chroot.j2 - dest: /etc/logrotate.d/bind9 - owner: root - group: root - mode: "0644" + src: 'logrotate_bind_chroot.j2' + dest: '/etc/logrotate.d/bind9' + owner: 'root' + group: 'root' + mode: '0644' force: true - notify: restart bind + notify: 'restart bind' when: bind_chroot_set -- include: munin.yml +- include: 'munin.yml' diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 751f8093..4fe04072 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml 
@@ -1,23 +1,23 @@ --- -- name: is Munin present ? +- name: 'is Munin present ?' stat: - path: /etc/munin/plugin-conf.d/munin-node + path: '/etc/munin/plugin-conf.d/munin-node' check_mode: false register: munin_node_plugins_config tags: - bind - munin -- name: Enable munin plugins for authoritative server +- name: 'Enable munin plugins for authoritative server' file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" - state: link + state: 'link' with_items: - - bind9 - - bind9_rndc - notify: restart munin-node + - 'bind9' + - 'bind9_rndc' + notify: 'restart munin-node' when: - bind_authoritative_server - munin_node_plugins_config.stat.exists @@ -25,15 +25,15 @@ - bind - munin -- name: Enable munin plugins for recursive server +- name: 'Enable munin plugins for recursive server' file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" - state: link + state: 'link' with_items: - - bind9 - - bind9_rndc - notify: restart munin-node + - 'bind9' + - 'bind9_rndc' + notify: 'restart munin-node' when: - bind_recursive_server - munin_node_plugins_config.stat.exists @@ -41,15 +41,15 @@ - bind - munin -- name: Add munin plugin configuration +- name: 'Add munin plugin configuration' template: - src: munin-env_bind9.j2 - dest: /etc/munin/plugin-conf.d/bind9 - owner: root - group: root - mode: "0644" + src: 'munin-env_bind9.j2' + dest: '/etc/munin/plugin-conf.d/bind9' + owner: 'root' + group: 'root' + mode: '0644' force: true - notify: restart munin-node + notify: 'restart munin-node' when: munin_node_plugins_config.stat.exists tags: - bind From 839db42c811dc28bde0c2c5e9e72ac1e6d84fbca Mon Sep 17 00:00:00 2001 
From: Patrick Marchand Date: Tue, 26 Nov 2019 11:48:21 -0500 Subject: [PATCH 04/10] Revert "yaml lint and quoting standardisation for bind role" This reverts commit 6118dda7c9cd42ed75aea4541754a89161f91175. --- bind/defaults/main.yml | 10 +-- bind/handlers/main.yml | 17 +++--- bind/tasks/main.yml | 134 ++++++++++++++++++++--------------------- bind/tasks/munin.yml | 38 ++++++------ 4 files changed, 99 insertions(+), 100 deletions(-) diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml index beba84ee..9338d847 100644 --- a/bind/defaults/main.yml +++ b/bind/defaults/main.yml @@ -2,8 +2,8 @@ bind_recursive_server: false bind_authoritative_server: true bind_chroot_set: true -bind_chroot_path: '/var/chroot-bind' -bind_systemd_service_path: '/etc/systemd/system/bind9.service' -bind_statistics_file: '/var/run/named.stats' -bind_log_file: '/var/log/bind.log' -bind_query_file: '/var/log/bind_queries.log' +bind_chroot_path: /var/chroot-bind +bind_systemd_service_path: /etc/systemd/system/bind9.service +bind_statistics_file: /var/run/named.stats +bind_log_file: /var/log/bind.log +bind_query_file: /var/log/bind_queries.log diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index 01cec607..1eee71f6 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -1,13 +1,14 @@ --- -- name: 'reload systemd' - command: 'systemctl daemon-reload' +- name: reload systemd + command: systemctl daemon-reload -- name: 'restart bind' +- name: restart bind service: - name: 'bind9' - state: 'restarted' + name: bind9 + state: restarted -- name: 'restart munin-node' +- name: restart munin-node service: - name: 'munin-node' - state: 'restarted' + name: munin-node + state: restarted + diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index d7ce09b3..5c28887c 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml 
@@ -1,86 +1,84 @@ ---- - -- name: 'packages are installed' +- name: package are installed apt: name: '{{ item }}' - state: 'present' + state: present with_items: - - 'bind9' - - 'dnstop' + - bind9 + - dnstop -- name: 'Set bind configuration for recursive server' +- name: Set bind configuration for recursive server template: - src: 'named.conf.options_recursive.j2' - dest: '/etc/bind/named.conf.options' - owner: 'bind' - group: 'bind' - mode: '0644' + src: named.conf.options_recursive.j2 + dest: /etc/bind/named.conf.options + owner: bind + group: bind + mode: "0644" force: true - notify: 'restart bind' + notify: restart bind when: bind_recursive_server -- name: 'enable zones.rfc1918 for recursive server' +- name: enable zones.rfc1918 for recursive server lineinfile: - dest: '/etc/bind/named.conf.local' + dest: /etc/bind/named.conf.local line: 'include "/etc/bind/zones.rfc1918";' - regexp: 'zones.rfc1918' - notify: 'restart bind' + regexp: "zones.rfc1918" + notify: restart bind when: bind_recursive_server -- name: 'Set bind configuration for authoritative server' +- name: Set bind configuration for authoritative server template: - src: 'named.conf.options_authoritative.j2' - dest: '/etc/bind/named.conf.options' - owner: 'bind' - group: 'bind' - mode: '0644' + src: named.conf.options_authoritative.j2 + dest: /etc/bind/named.conf.options + owner: bind + group: bind + mode: "0644" force: true - notify: 'restart bind' + notify: restart bind when: bind_authoritative_server -- name: 'Create systemd service' +- name: Create systemd service template: - src: 'bind9.service.j2' + src: bind9.service.j2 dest: "{{ bind_systemd_service_path }}" - owner: 'root' - group: 'root' - mode: '0644' + owner: root + group: root + mode: "0644" force: true notify: - - 'reload systemd' - - 'restart bind' + - reload systemd + - restart bind when: ansible_distribution_release == "jessie" -- name: 'touch /var/log/bind.log if non chroot' +- name: touch /var/log/bind.log if non chroot file: - path: 
'/var/log/bind.log' - owner: 'bind' - group: 'adm' - mode: '0640' - state: 'touch' + path: /var/log/bind.log + owner: bind + group: adm + mode: "0640" + state: touch when: not bind_chroot_set -- name: 'touch /var/log/bind_queries.log if non chroot' +- name: touch /var/log/bind_queries.log if non chroot file: - path: '/var/log/bind_queries.log' - owner: 'bind' - group: 'adm' - mode: '0640' - state: 'touch' + path: /var/log/bind_queries.log + owner: bind + group: adm + mode: "0640" + state: touch when: not bind_chroot_set -- name: 'send chroot-bind.sh in /root' +- name: send chroot-bind.sh in /root copy: - src: 'chroot-bind.sh' - dest: '/root/chroot-bind.sh' - mode: '0700' - owner: 'root' + src: chroot-bind.sh + dest: /root/chroot-bind.sh + mode: "0700" + owner: root force: true backup: true when: bind_chroot_set -- name: 'exec chroot-bind.sh' - command: '/root/chroot-bind.sh' +- name: exec chroot-bind.sh + command: "/root/chroot-bind.sh" register: chrootbind_run changed_when: false when: bind_chroot_set 
@@ -89,34 +87,34 @@ var: chrootbind_run.stdout_lines when: bind_chroot_set and chrootbind_run.stdout != "" -- name: 'Modify OPTIONS in /etc/default/bind9 for chroot' +- name: Modify OPTIONS in /etc/default/bind9 for chroot replace: - dest: '/etc/default/bind9' + dest: /etc/default/bind9 regexp: '^OPTIONS=.*' replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' - notify: 'restart bind' + notify: restart bind when: bind_chroot_set -- name: 'logrotate for non chroot bind' +- name: logrotate for non chroot bind template: - src: 'logrotate_bind' - dest: '/etc/logrotate.d/bind9' - owner: 'root' - group: 'root' - mode: '0644' + src: logrotate_bind + dest: /etc/logrotate.d/bind9 + owner: root + group: root + mode: "0644" force: true - notify: 'restart bind' + notify: restart bind when: not bind_chroot_set -- name: 'logrotate for chroot bind' +- name: logrotate for chroot bind template: - src: 'logrotate_bind_chroot.j2' - dest: '/etc/logrotate.d/bind9' - owner: 'root' - group: 'root' - mode: '0644' + src: logrotate_bind_chroot.j2 + dest: /etc/logrotate.d/bind9 + owner: root + group: root + mode: "0644" force: true - notify: 'restart bind' + notify: restart bind when: bind_chroot_set -- include: 'munin.yml' +- include: munin.yml diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 4fe04072..751f8093 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml 
@@ -1,23 +1,23 @@ --- -- name: 'is Munin present ?' +- name: is Munin present ? stat: - path: '/etc/munin/plugin-conf.d/munin-node' + path: /etc/munin/plugin-conf.d/munin-node check_mode: false register: munin_node_plugins_config tags: - bind - munin -- name: 'Enable munin plugins for authoritative server' +- name: Enable munin plugins for authoritative server file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" - state: 'link' + state: link with_items: - - 'bind9' - - 'bind9_rndc' - notify: 'restart munin-node' + - bind9 + - bind9_rndc + notify: restart munin-node when: - bind_authoritative_server - munin_node_plugins_config.stat.exists @@ -25,15 +25,15 @@ - bind - munin -- name: 'Enable munin plugins for recursive server' +- name: Enable munin plugins for recursive server file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" - state: 'link' + state: link with_items: - - 'bind9' - - 'bind9_rndc' - notify: 'restart munin-node' + - bind9 + - bind9_rndc + notify: restart munin-node when: - bind_recursive_server - munin_node_plugins_config.stat.exists @@ -41,15 +41,15 @@ - bind - munin -- name: 'Add munin plugin configuration' +- name: Add munin plugin configuration template: - src: 'munin-env_bind9.j2' - dest: '/etc/munin/plugin-conf.d/bind9' - owner: 'root' - group: 'root' - mode: '0644' + src: munin-env_bind9.j2 + dest: /etc/munin/plugin-conf.d/bind9 + owner: root + group: root + mode: "0644" force: true - notify: 'restart munin-node' + notify: restart munin-node when: munin_node_plugins_config.stat.exists tags: - bind From 3ede48424220bc18f2c3f95d4563efc7b3685f42 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 26 Nov 2019 11:53:05 -0500 Subject: [PATCH 05/10] Standardization of booleans for bind role --- bind/defaults/main.yml | 6 +++--- bind/tasks/main.yml | 16 ++++++++-------- bind/tasks/munin.yml | 4 ++-- 3 files changed, 13 insertions(+), 13 deletions(-) 
diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml index 9338d847..b7bc2090 100644 --- a/bind/defaults/main.yml +++ b/bind/defaults/main.yml @@ -1,7 +1,7 @@ --- -bind_recursive_server: false -bind_authoritative_server: true -bind_chroot_set: true +bind_recursive_server: False +bind_authoritative_server: True +bind_chroot_set: True bind_chroot_path: /var/chroot-bind bind_systemd_service_path: /etc/systemd/system/bind9.service bind_statistics_file: /var/run/named.stats diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 5c28887c..061d0459 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -13,7 +13,7 @@ owner: bind group: bind mode: "0644" - force: true + force: True notify: restart bind when: bind_recursive_server @@ -32,7 +32,7 @@ owner: bind group: bind mode: "0644" - force: true + force: True notify: restart bind when: bind_authoritative_server @@ -43,7 +43,7 @@ owner: root group: root mode: "0644" - force: true + force: True notify: - reload systemd - restart bind @@ -73,14 +73,14 @@ dest: /root/chroot-bind.sh mode: "0700" owner: root - force: true - backup: true + force: True + backup: True when: bind_chroot_set - name: exec chroot-bind.sh command: "/root/chroot-bind.sh" register: chrootbind_run - changed_when: false + changed_when: False when: bind_chroot_set - debug: @@ -102,7 +102,7 @@ owner: root group: root mode: "0644" - force: true + force: True notify: restart bind when: not bind_chroot_set @@ -113,7 +113,7 @@ owner: root group: root mode: "0644" - force: true + force: True notify: restart bind when: bind_chroot_set diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 751f8093..5dcaa247 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -3,7 +3,7 @@ - name: is Munin present ? stat: path: /etc/munin/plugin-conf.d/munin-node - check_mode: false + check_mode: False register: munin_node_plugins_config tags: - bind 
@@ -48,7 +48,7 @@ owner: root group: root mode: "0644" - force: true + force: True notify: restart munin-node when: munin_node_plugins_config.stat.exists tags: From b7a223dbdd69122c44107b31b593c118e446016e Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 26 Nov 2019 11:58:42 -0500 Subject: [PATCH 06/10] use yes / no instead of True / False for certain flags in bind role --- bind/tasks/main.yml | 14 +++++++------- bind/tasks/munin.yml | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 061d0459..dd1ad18d 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -13,7 +13,7 @@ owner: bind group: bind mode: "0644" - force: True + force: yes notify: restart bind when: bind_recursive_server @@ -32,7 +32,7 @@ owner: bind group: bind mode: "0644" - force: True + force: yes notify: restart bind when: bind_authoritative_server @@ -43,7 +43,7 @@ owner: root group: root mode: "0644" - force: True + force: yes notify: - reload systemd - restart bind @@ -73,8 +73,8 @@ dest: /root/chroot-bind.sh mode: "0700" owner: root - force: True - backup: True + force: yes + backup: yes when: bind_chroot_set - name: exec chroot-bind.sh @@ -102,7 +102,7 @@ owner: root group: root mode: "0644" - force: True + force: yes notify: restart bind when: not bind_chroot_set @@ -113,7 +113,7 @@ owner: root group: root mode: "0644" - force: True + force: yes notify: restart bind when: bind_chroot_set diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 5dcaa247..5f9da280 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -3,7 +3,7 @@ - name: is Munin present ? stat: path: /etc/munin/plugin-conf.d/munin-node - check_mode: False + check_mode: no register: munin_node_plugins_config tags: - bind @@ -48,7 +48,7 @@ owner: root group: root mode: "0644" - force: True + force: yes notify: restart munin-node when: munin_node_plugins_config.stat.exists tags: 
From 7728f5f0c58003a12e9fb9498b7345918f01dccd Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 26 Nov 2019 14:02:28 -0500 Subject: [PATCH 07/10] Made sure munin and logrotate use the proper path for bind logs Not all code paths made sure that the chroot was taken into account. --- bind/tasks/main.yml | 22 +++++-------------- .../{logrotate_bind => logrotate_bind.j2} | 6 ++++- bind/templates/logrotate_bind_chroot.j2 | 10 --------- bind/templates/munin-env_bind9.j2 | 5 +++-- 4 files changed, 13 insertions(+), 30 deletions(-) rename bind/templates/{logrotate_bind => logrotate_bind.j2} (56%) delete mode 100644 bind/templates/logrotate_bind_chroot.j2 diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index dd1ad18d..b7a0f6bd 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -49,18 +49,18 @@ - restart bind when: ansible_distribution_release == "jessie" -- name: touch /var/log/bind.log if non chroot +- name: "touch {{ bind_log_file }} if non chroot" file: - path: /var/log/bind.log + path: "{{ bind_log_file }}" owner: bind group: adm mode: "0640" state: touch when: not bind_chroot_set -- name: touch /var/log/bind_queries.log if non chroot +- name: "touch {{ bind_query_file }} if non chroot" file: - path: /var/log/bind_queries.log + path: "{{ bind_query_file }}" owner: bind group: adm mode: "0640" @@ -95,7 +95,7 @@ notify: restart bind when: bind_chroot_set -- name: logrotate for non chroot bind +- name: logrotate for bind template: src: logrotate_bind dest: /etc/logrotate.d/bind9 @@ -104,17 +104,5 @@ mode: "0644" force: yes notify: restart bind - when: not bind_chroot_set - -- name: logrotate for chroot bind - template: - src: logrotate_bind_chroot.j2 - dest: /etc/logrotate.d/bind9 - owner: root - group: root - mode: "0644" - force: yes - notify: restart bind - when: bind_chroot_set - include: munin.yml 
diff --git a/bind/templates/logrotate_bind b/bind/templates/logrotate_bind.j2 similarity index 56% rename from bind/templates/logrotate_bind rename to bind/templates/logrotate_bind.j2 index ee53df95..3fe1589e 100644 --- a/bind/templates/logrotate_bind +++ b/bind/templates/logrotate_bind.j2 @@ -1,4 +1,8 @@ -/var/log/bind.log { +{% if bind_chroot_set %} +{{ bind_chroot_path }}{{bind_log_file}} { +{% else %} +{{bind_log_file}} { +{% endif %} weekly missingok rotate 52 diff --git a/bind/templates/logrotate_bind_chroot.j2 b/bind/templates/logrotate_bind_chroot.j2 deleted file mode 100644 index 5db5d494..00000000 --- a/bind/templates/logrotate_bind_chroot.j2 +++ /dev/null @@ -1,10 +0,0 @@ -{{ bind_chroot_path }}/var/log/bind.log { - weekly - missingok - rotate 52 - create 640 bind bind - sharedscripts - postrotate - rndc reload > /dev/null - endscript -} diff --git a/bind/templates/munin-env_bind9.j2 b/bind/templates/munin-env_bind9.j2 index 5783f889..de88b27a 100644 --- a/bind/templates/munin-env_bind9.j2 +++ b/bind/templates/munin-env_bind9.j2 @@ -1,8 +1,9 @@ [bind*] user root -env.logfile {{ bind_query_file }} + +env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }} {% if bind_authoritative_server %} -env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }} +env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }} {% endif %} env.MUNIN_PLUGSTATE /var/lib/munin timeout 120 From 5008b79ef5a908d3aa7e66410c51e925d93408d7 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 26 Nov 2019 14:04:20 -0500 Subject: [PATCH 08/10] Remove remaining hardcoded log paths from bind role We had variables for the log paths, but these were not being used by all templates. --- bind/defaults/main.yml | 1 + bind/templates/named.conf.options_authoritative.j2 | 8 ++++---- bind/templates/named.conf.options_recursive.j2 | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) 
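Review bot: The merged template rotates only `bind_log_file`; `bind_query_file` stays outside logrotate and depends solely on BIND's own `versions 2 size 128M`, which works but should be stated so nobody adds it here and ends up with two rotations fighting over the same file, e.g. `{# bind_queries.log is rotated by BIND itself (versions/size in named.conf); do not add it here #}`. The deleted chroot variant used `create 640 bind bind` while the touch tasks create the non-chroot logs as `bind:adm`; the `create` line of the surviving template is outside this hunk, so check that it matches the ownership the rest of the role expects. Minor style: `{{bind_log_file}}` without inner spaces differs from `{{ bind_chroot_path }}` on the same line.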
diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml index b7bc2090..4008b394 100644 --- a/bind/defaults/main.yml +++ b/bind/defaults/main.yml @@ -7,3 +7,4 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service bind_statistics_file: /var/run/named.stats bind_log_file: /var/log/bind.log bind_query_file: /var/log/bind_queries.log +bind_cache_dir: /var/cache/bind \ No newline at end of file diff --git a/bind/templates/named.conf.options_authoritative.j2 b/bind/templates/named.conf.options_authoritative.j2 index 04ab2551..8f48cbb5 100644 --- a/bind/templates/named.conf.options_authoritative.j2 +++ b/bind/templates/named.conf.options_authoritative.j2 @@ -4,11 +4,11 @@ acl "foo" { }; options { - directory "/var/cache/bind"; + directory "{{ bind_cache_dir }}"; version "Bingo"; auth-nxdomain no; masterfile-format text; - statistics-file "/var/run/named.stats"; + statistics-file "{{ bind_statistics_file }}"; listen-on-v6 { any; }; listen-on { any; }; @@ -23,11 +23,11 @@ logging { category queries { query_logging; }; channel default_file { - file "/var/log/bind.log"; + file "{{ bind_log_file }}"; severity info; }; channel query_logging { - file "/var/log/bind_queries.log" versions 2 size 128M; + file "{{ bind_query_file }}" versions 2 size 128M; print-category yes; print-severity yes; print-time yes; diff --git a/bind/templates/named.conf.options_recursive.j2 b/bind/templates/named.conf.options_recursive.j2 index 748f19b2..27246d13 100644 --- a/bind/templates/named.conf.options_recursive.j2 +++ b/bind/templates/named.conf.options_recursive.j2 @@ -1,5 +1,5 @@ options { - directory "/var/cache/bind"; + directory "{{ bind_cache_dir }}"; version "Bingo"; auth-nxdomain no; listen-on-v6 { ::1; }; 
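Review bot: The `options` block of the authoritative template shows `listen-on { any; };` and `listen-on-v6 { any; };` but no `recursion no;` or `allow-recursion` in the lines visible here; if none is set in the part of the template outside this hunk, a host with `bind_authoritative_server: True` is an open recursive resolver on all interfaces. Please confirm and, if it is missing, add `recursion no;` next to `auth-nxdomain no;`. The `acl "foo"` context line looks like a placeholder; worth checking that it is actually referenced, or removing it.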
@@ -12,11 +12,11 @@ logging {
 category queries { query_logging; };
 channel default_file {
- file "/var/log/bind.log";
+ file "{{ bind_log_file }}";
 severity info;
 };
 channel query_logging {
- file "/var/log/bind_queries.log" versions 2 size 128M;
+ file "{{ bind_query_file }}" versions 2 size 128M;
 print-category yes;
 print-severity yes;
 print-time yes;
From cf8cca745edd2c6e8d8d53be66735322aca988c6 Mon Sep 17 00:00:00 2001
From: Patrick Marchand
Date: Tue, 26 Nov 2019 17:17:48 -0500
Subject: [PATCH 09/10] hardcode chrooted bind variables

The current chroot-bind.sh is legacy code that cannot be migrated without a proper understanding of it's historical context. This context might still apply and this script is still used on a variety of new and old machines. By hardcoding the paths when the user requests a chroot, we limit possible breakage.
---
 bind/defaults/main.yml | 5 +++--
 bind/tasks/main.yml | 10 ++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml
index 4008b394..99b33e13 100644
--- a/bind/defaults/main.yml
+++ b/bind/defaults/main.yml
@@ -2,9 +2,10 @@
 bind_recursive_server: False
 bind_authoritative_server: True
 bind_chroot_set: True
-bind_chroot_path: /var/chroot-bind
+# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
+#bind_chroot_path: /var/chroot-bind
 bind_systemd_service_path: /etc/systemd/system/bind9.service
 bind_statistics_file: /var/run/named.stats
 bind_log_file: /var/log/bind.log
 bind_query_file: /var/log/bind_queries.log
-bind_cache_dir: /var/cache/bind
\ No newline at end of file
+bind_cache_dir: /var/cache/bind
diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml
index b7a0f6bd..59291143 100644
--- a/bind/tasks/main.yml
+++ b/bind/tasks/main.yml
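Review bot: Commenting out `bind_chroot_path` in the `bind/defaults/main.yml` hunk leaves the variable undefined whenever `bind_chroot_set` is false, because the `set_fact` task this patch adds to `bind/tasks/main.yml` defines it only when the chroot is requested. The templates in this series guard every use with `{% if bind_chroot_set %}`, so nothing breaks today, but any future unguarded `{{ bind_chroot_path }}` fails with an undefined-variable error instead of a sensible default. Keeping `bind_chroot_path: /var/chroot-bind` as a plain default is harmless, since the `set_fact` overrides it anyway, and avoids leaving commented-out code in the defaults file.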
@@ -1,3 +1,13 @@
+# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
+- name: set chroot variables
+ set_fact:
+ bind_log_file: /var/log/bind.log
+ bind_query_file: /var/log/bind_queries.log
+ bind_cache_dir: /var/cache/bind
+ bind_statistics_file: /var/run/named.stats
+ bind_chroot_path: /var/chroot-bind
+ when: bind_chroot_set
+
 - name: package are installed
 apt:
 name: '{{ item }}'
From 131004136eeeb56234e2aa583c2ac8246d01aaeb Mon Sep 17 00:00:00 2001
From: Patrick Marchand
Date: Tue, 14 Jan 2020 15:15:58 +0100
Subject: [PATCH 10/10] Fix mistake in bind logrotate template name

Just a minor typo, but stops it from running.
---
 bind/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml
index 59291143..bc49d129 100644
--- a/bind/tasks/main.yml
+++ b/bind/tasks/main.yml
@@ -107,7 +107,7 @@
 - name: logrotate for bind
 template:
- src: logrotate_bind
+ src: logrotate_bind.j2
 dest: /etc/logrotate.d/bind9
 owner: root
 group: root
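Review bot: The `set chroot variables` task silently discards any user-supplied value for the five variables it sets, because `set_fact` outranks inventory, host and play variables, and with `bind_chroot_set` defaulting to true in `bind/defaults/main.yml` that is the normal path, not the exception. The one-line comment above it explains the motivation but not the consequence; suggest extending it with `# set_fact outranks inventory and play vars: while bind_chroot_set is true (the default), user-supplied values for these five variables are silently replaced.` If that override is ever a surprise in practice, a `debug` or `assert` task comparing the pre-existing values would make it visible in the play output rather than only in the resulting config files.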
