Compare commits
7 commits
4cba25d8fc
...
96d15eb5aa
Author | SHA1 | Date | |
---|---|---|---|
96d15eb5aa | |||
33d22b2614 | |||
3bd87906ce | |||
9cedf84dae | |||
7ad55027da | |||
c71521acc3 | |||
8993242b2c |
|
@ -410,16 +410,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Added
|
||||
|
||||
* docker : Introduce new default settings + allow to change the docker data directory
|
||||
* docker : Introduce new variables to tweak daemon settings
|
||||
* docker: Introduce new default settings + allow to change the docker data directory
|
||||
* docker: Introduce new variables to tweak daemon settings
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck: upstream release 22.05
|
||||
* evocheck: Upstream release 22.05
|
||||
* bind: Update role for Buster, Bullseye and Bookworm support
|
||||
|
||||
### Removed
|
||||
|
||||
* docker : Removed Debian Jessie support
|
||||
* docker: Removed Debian Jessie support
|
||||
|
||||
## [22.05] 2022-05-10
|
||||
|
||||
|
|
|
@ -10,4 +10,4 @@ Minimal configuration is in `tasks/main.yml`
|
|||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
||||
waening : sync chroot-bind.sh
|
||||
warning : sync chroot-bind.sh
|
||||
|
|
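--- /dev/null
+++ b/bind/files/apparmor.usr.sbin.named
@@ -0,0 +1,5 @@
+/var/chroot-bind/etc/bind/** r,
+/var/chroot-bind/var/** rw,
+/var/chroot-bind/dev/** rw,
+/var/chroot-bind/run/** rw,
+/var/chroot-bind/usr/** r,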
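Review bot: `/var/chroot-bind/var/** rw,` in the new local profile omits the `k` (lock) and `l` (link) permissions that the main profile grants on the un-chrooted paths (`/var/cache/bind/** lrw,`, `/var/cache/bind/_default.nzd-lock rwk,`), so once named has chrooted, locking the new-zones database under `/var/chroot-bind/var/cache/bind/` would presumably be denied if allow-new-zones is in use; consider `/var/chroot-bind/var/cache/bind/** lrwk,` or, better, replace the `var/** rw` catch-all with the subtrees named actually writes to (`var/cache/bind`, `var/lib/bind`, `var/log`, `var/run/named`). Likewise `/var/chroot-bind/usr/** r,` carries no `m`, so anything named dlopens after the chroot (the `usr/lib/bind/*.so` dyndb backends the main profile marks `rm`, the openssl engine the chroot script copies in) would need `rm` — hedged, since whether named loads modules post-chroot depends on the configuration. A one-line header such as `# Chroot-relative paths for named; pulled in by the main profile's #include <local/usr.sbin.named>` would tell the next maintainer why these rules live in local/.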
@ -3,12 +3,17 @@
|
|||
# Gregory Colpart <reg@debian.org>
|
||||
# chroot (or re-chroot) script for bind9
|
||||
|
||||
# tested on Debian Wheezy/Jessie/Stretch
|
||||
# tested on Debian Wheezy/Jessie/Stretch/Buster/Bullseye/Bookworm
|
||||
# Exec this script after `(apt-get|aptitude|apt) install bind9`
|
||||
# and after *each* bind9 upgrade
|
||||
|
||||
# When the script is finished, ensure you have
|
||||
# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
|
||||
# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/named
|
||||
# (since Bullseye) or, until Buster, in /etc/default/bind9
|
||||
#
|
||||
# Since Bookmworm, one also needs to handle bind mount points
|
||||
# https://wiki.evolix.org/HowtoBind#bind-mount-%C3%A0-partir-de-bookworm-debian-12
|
||||
#
|
||||
# and /etc/init.d/bind9 (re)start
|
||||
#
|
||||
# for Jessie/systemd only:
|
||||
|
@ -22,8 +27,10 @@ mkdir -p /var/chroot-bind
|
|||
mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
|
||||
/var/chroot-bind/lib /var/chroot-bind/usr/lib \
|
||||
/var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
|
||||
/var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \
|
||||
/var/chroot-bind/run/named/
|
||||
/var/chroot-bind/var/log /var/chroot-bind/var/run/named \
|
||||
/var/chroot-bind/run/named /var/chroot-bind/usr/share/dns
|
||||
|
||||
chmod 750 /var/chroot-bind
|
||||
|
||||
# for conf
|
||||
if [ ! -h "/etc/bind" ]; then
|
||||
|
@ -31,6 +38,11 @@ if [ ! -h "/etc/bind" ]; then
|
|||
ln -s /var/chroot-bind/etc/bind/ /etc/bind
|
||||
fi
|
||||
|
||||
# for dns
|
||||
if [ -d "/usr/share/dns" ]; then
|
||||
cp -a /usr/share/dns/* /var/chroot-bind/usr/share/dns/
|
||||
fi
|
||||
|
||||
# for logs
|
||||
touch /var/chroot-bind/var/log/bind.log
|
||||
if [ ! -h "/var/log/bind.log" ]; then
|
||||
|
@ -58,11 +70,16 @@ fi
|
|||
#chmod 666 /var/chroot-bind/dev/{null,random}
|
||||
|
||||
# essential libs
|
||||
for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \
|
||||
/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do
|
||||
install -D $i /var/chroot-bind/${i##/}
|
||||
for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1`
|
||||
do install -D $i /var/chroot-bind/${i##/}
|
||||
done
|
||||
|
||||
if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then
|
||||
for i in /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so
|
||||
do install -D $i /var/chroot-bind/${i##/}
|
||||
done
|
||||
fi
|
||||
|
||||
# essential (hum, bash is required ??)
|
||||
#cp /bin/bash /var/chroot-bind/bin/
|
||||
cp /usr/sbin/named /var/chroot-bind/usr/sbin/
|
||||
|
|
|
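Review bot: The new guard `if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then` in the `@@ -58,11 +70,16 @@` hunk never runs `ls`: inside `[ … ]` the word `ls` is an ordinary string operand, so `test` exits with a usage error that the redirections hide, and the libgost copy is skipped whether or not the engine exists. Drop the brackets, `if ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so >/dev/null 2>&1; then`, or test the glob with `compgen -G`. Both `install -D $i /var/chroot-bind/${i##/}` lines still expand `$i` unquoted; `"$i"` costs nothing and protects against paths with spaces. The new comment `# Since Bookmworm, one also needs to handle bind mount points` in the first hunk has a typo (`Bookworm`).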
@ -17,13 +17,13 @@
|
|||
register: check_apparmor
|
||||
|
||||
- name: configure apparmor
|
||||
ansible.builtin.template:
|
||||
src: apparmor.usr.sbin.named.j2
|
||||
dest: /etc/apparmor.d/usr.sbin.named
|
||||
owner: root
|
||||
group: root
|
||||
ansible.builtin.copy:
|
||||
src: apparmor.usr.sbin.named
|
||||
dest: /etc/apparmor.d/local/usr.sbin.named
|
||||
mode: "0644"
|
||||
owner: root
|
||||
force: true
|
||||
backup: yes
|
||||
notify: restart apparmor
|
||||
when: check_apparmor.rc == 0
|
||||
|
||||
|
@ -94,13 +94,67 @@
|
|||
- bind_chroot_set | bool
|
||||
- chrootbind_run.stdout | length > 0
|
||||
|
||||
- name: Modify OPTIONS in /etc/default/bind9 for chroot
|
||||
- name: Modify OPTIONS in /etc/default/bind9 for chroot (until Buster)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/default/bind9
|
||||
regexp: '^OPTIONS=.*'
|
||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
||||
notify: restart bind
|
||||
when: bind_chroot_set | bool
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('11', '<')
|
||||
|
||||
- name: Modify OPTIONS in /etc/default/named for chroot (since Bullseye)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/default/named
|
||||
regexp: '^OPTIONS=.*'
|
||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('11', '>=')
|
||||
|
||||
- name: Create mount target directory for chroot (since Bookworm)
|
||||
ansible.builtin.file:
|
||||
path: /var/chroot-bind/run/systemd/journal
|
||||
state: directory
|
||||
owner: bind
|
||||
group: bind
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: Create mount targets for chroot (since Bookworm)
|
||||
ansible.builtin.file:
|
||||
path: '{{ item }}'
|
||||
state: touch
|
||||
owner: bind
|
||||
group: bind
|
||||
loop:
|
||||
- /var/chroot-bind/run/systemd/journal/socket
|
||||
- /var/chroot-bind/run/systemd/journal/stdout
|
||||
- /var/chroot-bind/run/systemd/notify
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: Set up bind mount for chroot (since Bookworm)
|
||||
ansible.posix.mount:
|
||||
src: "{{ item }}"
|
||||
path: "/var/chroot-bind{{ item }}"
|
||||
opts: bind
|
||||
state: mounted
|
||||
fstype: none
|
||||
loop:
|
||||
- /run/systemd/journal/socket
|
||||
- /run/systemd/journal/stdout
|
||||
- /run/systemd/notify
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: logrotate for bind
|
||||
ansible.builtin.template:
|
||||
|
|
|
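Review bot: `state: touch` in the new `Create mount targets for chroot (since Bookworm)` task rewrites the files' timestamps on every run, so the task reports changed each time and its `notify: restart bind` restarts named on every playbook run; add `modification_time: preserve` and `access_time: preserve` to the task so it is idempotent. The new tasks also hard-code the chroot location (`path: /var/chroot-bind/run/systemd/journal`, `path: "/var/chroot-bind{{ item }}"`) while the OPTIONS tasks in the same hunk use `{{ bind_chroot_path }}`; with a non-default `bind_chroot_path` the mount points would land outside the chroot named runs in, so `path: "{{ bind_chroot_path }}{{ item }}"` (and the same for the directory task) keeps them consistent. Since `ansible.posix.mount` with `state: mounted` also records the entries in /etc/fstab, a comment above that task saying so would save the next operator a surprise. In the first hunk, `backup: yes` on the apparmor copy task should be `backup: true`.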
@ -1,97 +0,0 @@
|
|||
# vim:syntax=apparmor
|
||||
# Last Modified: Tue Mar 9 14:17:50 EST 2021
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/sbin/named flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
capability sys_resource,
|
||||
|
||||
# /etc/bind should be read-only for bind
|
||||
# /var/lib/bind is for dynamically updated zone (and journal) files.
|
||||
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
|
||||
# See /usr/share/doc/bind9/README.Debian.gz
|
||||
/etc/bind/** r,
|
||||
/var/lib/bind/** rw,
|
||||
/var/lib/bind/ rw,
|
||||
/var/cache/bind/** lrw,
|
||||
/var/cache/bind/ rw,
|
||||
|
||||
# Database file used by allow-new-zones
|
||||
/var/cache/bind/_default.nzd-lock rwk,
|
||||
|
||||
# gssapi
|
||||
/etc/krb5.keytab kr,
|
||||
/etc/bind/krb5.keytab kr,
|
||||
|
||||
# ssl
|
||||
/etc/ssl/openssl.cnf r,
|
||||
|
||||
# root hints from dns-data-root
|
||||
/usr/share/dns/root.* r,
|
||||
|
||||
# GeoIP data files for GeoIP ACLs
|
||||
/usr/share/GeoIP/** r,
|
||||
|
||||
# dnscvsutil package
|
||||
/var/lib/dnscvsutil/compiled/** rw,
|
||||
|
||||
# Allow changing worker thread names
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
@{PROC}/net/if_inet6 r,
|
||||
@{PROC}/*/net/if_inet6 r,
|
||||
@{PROC}/sys/net/ipv4/ip_local_port_range r,
|
||||
/usr/sbin/named mr,
|
||||
/{,var/}run/named/named.pid w,
|
||||
/{,var/}run/named/session.key w,
|
||||
# support for resolvconf
|
||||
/{,var/}run/named/named.options r,
|
||||
|
||||
# some people like to put logs in /var/log/named/ instead of having
|
||||
# syslog do the heavy lifting.
|
||||
{{ bind_log_file }} rw,
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
{{ bind_query_file }} rw,
|
||||
{% endif %}
|
||||
|
||||
# gssapi
|
||||
/var/lib/sss/pubconf/krb5.include.d/** r,
|
||||
/var/lib/sss/pubconf/krb5.include.d/ r,
|
||||
/var/lib/sss/mc/initgroups r,
|
||||
/etc/gss/mech.d/ r,
|
||||
|
||||
# ldap
|
||||
/etc/ldap/ldap.conf r,
|
||||
/{,var/}run/slapd-*.socket rw,
|
||||
|
||||
# dynamic updates
|
||||
/var/tmp/DNS_* rw,
|
||||
|
||||
# dyndb backends
|
||||
/usr/lib/bind/*.so rm,
|
||||
|
||||
# Samba DLZ
|
||||
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
|
||||
/var/lib/samba/bind-dns/dns.keytab rk,
|
||||
/var/lib/samba/bind-dns/named.conf r,
|
||||
/var/lib/samba/bind-dns/dns/** rwk,
|
||||
/var/lib/samba/private/dns.keytab rk,
|
||||
/var/lib/samba/private/named.conf r,
|
||||
/var/lib/samba/private/dns/** rwk,
|
||||
/etc/samba/smb.conf r,
|
||||
/dev/urandom rwmk,
|
||||
owner /var/tmp/krb5_* rwk,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.sbin.named>
|
||||
}
|
||||
|