Changelog entry for bind changes

Since Bullseye (Debian 11)

CHANGELOG.md

@@ -410,16 +410,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Added
 
-* docker : Introduce new default settings + allow to change the docker data directory
-* docker : Introduce new variables to tweak daemon settings
+* docker: Introduce new default settings + allow to change the docker data directory
+* docker: Introduce new variables to tweak daemon settings
 
 ### Changed
 
-* evocheck: upstream release 22.05
+* evocheck: Upstream release 22.05
+* bind: Update role for Buster, Bullseye and Bookworm support
 
 ### Removed
 
-* docker : Removed Debian Jessie support
+* docker: Removed Debian Jessie support
 
 ## [22.05] 2022-05-10
 

bind/README.md

@@ -10,4 +10,4 @@ Minimal configuration is in `tasks/main.yml`
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.
 
-waening : sync chroot-bind.sh
+warning : sync chroot-bind.sh

bind/files/apparmor.usr.sbin.named

@@ -0,0 +1,5 @@
+/var/chroot-bind/etc/bind/** r,
+/var/chroot-bind/var/** rw,
+/var/chroot-bind/dev/** rw,
+/var/chroot-bind/run/** rw,
+/var/chroot-bind/usr/** r,

bind/files/chroot-bind.sh

@@ -3,12 +3,17 @@
 # Gregory Colpart <reg@debian.org>
 # chroot (or re-chroot) script for bind9
 
-# tested on Debian Wheezy/Jessie/Stretch
+# tested on Debian Wheezy/Jessie/Stretch/Buster/Bullseye/Bookworm
 # Exec this script after `(apt-get|aptitude|apt) install bind9`
 # and after *each* bind9 upgrade
 
 # When the script is finished, ensure you have
-# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
+# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/named
+# (since Bullseye) or, until Buster, in /etc/default/bind9
+#
+# Since Bookmworm, one also needs to handle bind mount points
+# https://wiki.evolix.org/HowtoBind#bind-mount-%C3%A0-partir-de-bookworm-debian-12
+#
 # and /etc/init.d/bind9 (re)start
 #
 # for Jessie/systemd only:
@@ -22,8 +27,10 @@ mkdir -p /var/chroot-bind
 mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
         /var/chroot-bind/lib /var/chroot-bind/usr/lib                   \
         /var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind       \
-        /var/chroot-bind/var/log /var/chroot-bind/var/run/named/        \
-        /var/chroot-bind/run/named/
+        /var/chroot-bind/var/log /var/chroot-bind/var/run/named         \
+        /var/chroot-bind/run/named /var/chroot-bind/usr/share/dns
+
+chmod 750 /var/chroot-bind
 
 # for conf
 if [ ! -h "/etc/bind" ]; then
@@ -31,6 +38,11 @@ if [ ! -h "/etc/bind" ]; then
     ln -s /var/chroot-bind/etc/bind/ /etc/bind
 fi
 
+# for dns
+if [ -d "/usr/share/dns" ]; then
+    cp -a /usr/share/dns/* /var/chroot-bind/usr/share/dns/
+fi
+
 # for logs
 touch /var/chroot-bind/var/log/bind.log
 if [ ! -h "/var/log/bind.log" ]; then
@@ -58,11 +70,16 @@ fi
 #chmod 666 /var/chroot-bind/dev/{null,random}
 
 # essential libs
-for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \
-         /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do
-    install -D $i /var/chroot-bind/${i##/}
+for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1`
+    do install -D $i /var/chroot-bind/${i##/}
 done
 
+if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then
+    for i in /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so
+        do install -D $i /var/chroot-bind/${i##/}
+    done
+fi
+
 # essential (hum, bash is required ??)
 #cp /bin/bash /var/chroot-bind/bin/
 cp /usr/sbin/named /var/chroot-bind/usr/sbin/

bind/tasks/main.yml

@@ -17,13 +17,13 @@
   register: check_apparmor
 
 - name: configure apparmor
-  ansible.builtin.template:
-    src: apparmor.usr.sbin.named.j2
-    dest: /etc/apparmor.d/usr.sbin.named
-    owner: root
-    group: root
+  ansible.builtin.copy:
+    src: apparmor.usr.sbin.named
+    dest: /etc/apparmor.d/local/usr.sbin.named
     mode: "0644"
+    owner: root
     force: true
+    backup: yes
   notify: restart apparmor
   when: check_apparmor.rc == 0
 
@@ -94,13 +94,67 @@
     - bind_chroot_set | bool
     - chrootbind_run.stdout | length > 0
 
-- name: Modify OPTIONS in /etc/default/bind9 for chroot
+- name: Modify OPTIONS in /etc/default/bind9 for chroot (until Buster)
   ansible.builtin.replace:
     dest: /etc/default/bind9
     regexp: '^OPTIONS=.*'
     replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
   notify: restart bind
-  when: bind_chroot_set | bool
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('11', '<')
+
+- name: Modify OPTIONS in /etc/default/named for chroot (since Bullseye)
+  ansible.builtin.replace:
+    dest: /etc/default/named
+    regexp: '^OPTIONS=.*'
+    replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
+  notify: restart bind
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('11', '>=')
+
+- name: Create mount target directory for chroot (since Bookworm)
+  ansible.builtin.file:
+    path: /var/chroot-bind/run/systemd/journal
+    state: directory
+    owner: bind
+    group: bind
+  notify: restart bind
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('12', '>=')
+
+- name: Create mount targets for chroot (since Bookworm)
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: touch
+    owner: bind
+    group: bind
+  loop:
+    - /var/chroot-bind/run/systemd/journal/socket
+    - /var/chroot-bind/run/systemd/journal/stdout
+    - /var/chroot-bind/run/systemd/notify
+  notify: restart bind
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('12', '>=')
+
+- name: Set up bind mount for chroot (since Bookworm)
+  ansible.posix.mount:
+    src: "{{ item }}"
+    path: "/var/chroot-bind{{ item }}"
+    opts: bind
+    state: mounted
+    fstype: none
+  loop:
+    - /run/systemd/journal/socket
+    - /run/systemd/journal/stdout
+    - /run/systemd/notify
+  notify: restart bind
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('12', '>=')
 
 - name: logrotate for bind
   ansible.builtin.template:

bind/templates/apparmor.usr.sbin.named.j2

@@ -1,97 +0,0 @@
-# vim:syntax=apparmor
-# Last Modified: Tue Mar  9 14:17:50 EST 2021
-#include <tunables/global>
-
-/usr/sbin/named flags=(attach_disconnected) {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-
-  capability net_bind_service,
-  capability setgid,
-  capability setuid,
-  capability sys_chroot,
-  capability sys_resource,
-
-  # /etc/bind should be read-only for bind
-  # /var/lib/bind is for dynamically updated zone (and journal) files.
-  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
-  # See /usr/share/doc/bind9/README.Debian.gz
-  /etc/bind/** r,
-  /var/lib/bind/** rw,
-  /var/lib/bind/ rw,
-  /var/cache/bind/** lrw,
-  /var/cache/bind/ rw,
-
-  # Database file used by allow-new-zones
-  /var/cache/bind/_default.nzd-lock rwk,
-
-  # gssapi
-  /etc/krb5.keytab kr,
-  /etc/bind/krb5.keytab kr,
-
-  # ssl
-  /etc/ssl/openssl.cnf r,
-
-  # root hints from dns-data-root
-  /usr/share/dns/root.* r,
-
-  # GeoIP data files for GeoIP ACLs
-  /usr/share/GeoIP/** r,
-
-  # dnscvsutil package
-  /var/lib/dnscvsutil/compiled/** rw,
-
-  # Allow changing worker thread names
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
-  @{PROC}/net/if_inet6 r,
-  @{PROC}/*/net/if_inet6 r,
-  @{PROC}/sys/net/ipv4/ip_local_port_range r,
-  /usr/sbin/named mr,
-  /{,var/}run/named/named.pid w,
-  /{,var/}run/named/session.key w,
-  # support for resolvconf
-  /{,var/}run/named/named.options r,
-
-  # some people like to put logs in /var/log/named/ instead of having
-  # syslog do the heavy lifting.
-  {{ bind_log_file }} rw,
-{% if bind_query_file_enabled | bool %}
-  {{ bind_query_file }} rw,
-{% endif %}
-
-  # gssapi
-  /var/lib/sss/pubconf/krb5.include.d/** r,
-  /var/lib/sss/pubconf/krb5.include.d/ r,
-  /var/lib/sss/mc/initgroups r,
-  /etc/gss/mech.d/ r,
-
-  # ldap
-  /etc/ldap/ldap.conf r,
-  /{,var/}run/slapd-*.socket rw,
-
-  # dynamic updates
-  /var/tmp/DNS_* rw,
-
-  # dyndb backends
-  /usr/lib/bind/*.so rm,
-
-  # Samba DLZ
-  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
-  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
-  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
-  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
-  /var/lib/samba/bind-dns/dns.keytab rk,
-  /var/lib/samba/bind-dns/named.conf r,
-  /var/lib/samba/bind-dns/dns/** rwk,
-  /var/lib/samba/private/dns.keytab rk,
-  /var/lib/samba/private/named.conf r,
-  /var/lib/samba/private/dns/** rwk,
-  /etc/samba/smb.conf r,
-  /dev/urandom rwmk,
-  owner /var/tmp/krb5_* rwk,
-
-  # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.sbin.named>
-}
-