From 1ffc0849f2141fa626305b34d947e97a2ccfcde0 Mon Sep 17 00:00:00 2001 From: Tatsuya Kawano Date: Thu, 11 Jul 2013 12:56:14 +0800 Subject: [PATCH 1/6] Apply pull request #2 from @wohali to the upstream: Support SmartOS, lists in attributes --- README.md | 26 +++++-- attributes/default.rb | 36 ++++++---- metadata.rb | 2 +- recipes/default.rb | 20 +++++- templates/default/named.conf.erb | 3 + templates/default/named.conf.local.erb | 2 +- templates/default/named.conf.options.erb | 90 ++++++++++++++---------- 7 files changed, 115 insertions(+), 64 deletions(-) create mode 100644 templates/default/named.conf.erb diff --git a/README.md b/README.md index c8601e0..919f759 100644 --- a/README.md +++ b/README.md 
@@ -17,18 +17,19 @@ Platform: * Debian * Ubuntu -* Centos +* CentOS +* SmartOS Attributes ========== * **node[:bind9][:enable_ipv6]** - Enables BIND to listen on an IPv6 address. Default is: On -* **node[:bind9][:allow_query]** - Allow clients to query the nameserver. Default is: anyone -* **node[:bind9][:allow_recursion]** - Allow recursive name resolution. Default is: none (to prevent DNS cache poisoning) -* **node[:bind9][:allow_update]** - Allow dynamic DNS updates. Default is: none -* **node[:bind9][:allow_transfer]** - Allow zone transfers globally. Default is: none +* **node[:bind9][:allow_query]** - Array of clients allowed to query the nameserver. Default is: anyone +* **node[:bind9][:allow_recursion]** - Array of clients allowed to make recursive name resolution queries. Default is: none (to prevent DNS cache poisoning) +* **node[:bind9][:allow_update]** - Array of clients allowed to make dynamic DNS updates. Default is: none +* **node[:bind9][:allow_transfer]** - Array of clients allowed to make zone transfers. Default is: none * **node[:bind9][:enable_forwarding]** - Enables forwarding of requests. Default is: No forwarding -* **node[:bind9][:forwarders]** - Array for forwarding DNS. Default is: 4.4.4.4 and 8.8.8.8 (Google DNS) +* **node[:bind9][:forwarders]** - Array for forwarding DNS. Default is: 8.8.8.8 and 8.8.4.4 (Google DNS) Usage ===== 
@@ -40,7 +41,18 @@ Please note that the data bag's structure is mandatory except: * autodomain for the zone (if you include this, automatic records will be added for chef nodes whose "domain" matches this) -Examples +Example attributes for a caching-only setup +===== + + default[:bind9][:allow_query] = ["localnets", "localhost"] + default[:bind9][:allow_recursion] = ["localnets", "localhost"] + default[:bind9][:allow_transfer] = ["none"] + default[:bind9][:allow_update] = nil + default[:bind9][:enable_forwarding] = true + default[:bind9][:forwarders] = ["8.8.8.8", "8.8.4.4"] + + +Example zone setup ===== $ knife data bag create zones diff --git a/attributes/default.rb b/attributes/default.rb index e80690e..8c7be7d 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -1,28 +1,38 @@ default[:bind9][:enable_ipv6] = true -# Allow all clients to query the nameserver, no recursion -default[:bind9][:allow_query] = nil -default[:bind9][:allow_recursion] = "none" +# Allow only local clients to query the nameserver, with recursion +default[:bind9][:allow_query] = ["localnets", "localhost"] +default[:bind9][:allow_recursion] = ["localnets", "localhost"] # Don:t allow to mess with zone files by default -default[:bind9][:allow_transfer] = "none" +default[:bind9][:allow_transfer] = ["none"] default[:bind9][:allow_update] = nil -default[:bind9][:enable_forwarding] = false -default[:bind9][:forwarders] = [ "4.4.4.4", "8.8.8.8" ] +# default forwarders @ Google +default[:bind9][:enable_forwarding] = true +default[:bind9][:forwarders] = ["8.8.8.8", "8.8.4.4"] case platform when "centos","redhat","fedora","scientific","amazon" default[:bind9][:config_path] = "/etc/named" - default[:bind9][:config_file] = "/etc/named.conf" - default[:bind9][:options_file] = "/etc/named/named.conf.options" - default[:bind9][:local_file] = "/etc/named/named.conf.local" - default[:bind9][:data_path] = "/var/named" + default[:bind9][:config_file] = "/etc/named.conf" + default[:bind9][:options_file] = "/etc/named/named.conf.options" + default[:bind9][:local_file] = "/etc/named/named.conf.local" + default[:bind9][:data_path] = "/var/named" + default[:bind9][:log_path] = "/var/log/bind" default[:bind9][:user] = "named" +when "smartos" + default[:bind9][:config_path] = "/opt/local/etc" + default[:bind9][:options_file] = "/opt/local/etc/named.conf.options" + default[:bind9][:local_file] = "/opt/local/etc/named.conf.local" + default[:bind9][:data_path] = "/var/named" + default[:bind9][:log_path] = "/var/log/named" + default[:bind9][:user] = "root" else default[:bind9][:config_path] = "/etc/bind" - default[:bind9][:options_file] = "/etc/bind/named.conf.options" - default[:bind9][:local_file] = "/etc/bind/named.conf.local" - default[:bind9][:data_path] = "/var/cache/bind" 
+ default[:bind9][:options_file] = "/etc/bind/named.conf.options" + default[:bind9][:local_file] = "/etc/bind/named.conf.local" + default[:bind9][:data_path] = "/var/cache/bind" + default[:bind9][:log_path] = "/var/log/named" default[:bind9][:user] = "bind" end diff --git a/metadata.rb b/metadata.rb index 8ef079b..4128e67 100644 --- a/metadata.rb +++ b/metadata.rb @@ -5,6 +5,6 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) version "0.1.9" -%w{ ubuntu debian centos }.each do |os| +%w{ ubuntu debian centos smartos }.each do |os| supports os end diff --git a/recipes/default.rb b/recipes/default.rb index 5c749ce..a5082c2 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -19,27 +19,41 @@ package "bind9" do case node[:platform] - when "centos", "redhat", "suse", "fedora" + when "centos", "redhat", "suse", "fedora", "smartos" package_name "bind" end action :install end -directory "/var/log/bind/" do +directory node[:bind9][:log_path] do owner node[:bind9][:user] group node[:bind9][:user] - mode 0755 + mode 0775 + recursive true + action :create end service "bind9" do case node[:platform] when "centos", "redhat" service_name "named" + when "smartos" + service_name "dns/server:default" end supports :status => true, :reload => true, :restart => true action [ :enable ] end +if node[:platform] == "smartos" + template "#{node[:bind9][:config_path]}/named.conf" do + source "named.conf.erb" + owner "root" + group "root" + mode 0644 + notifies :restart, resources(:service => "bind9") + end +end + template node[:bind9][:options_file] do source "named.conf.options.erb" owner "root" diff --git a/templates/default/named.conf.erb b/templates/default/named.conf.erb new file mode 100644 index 0000000..c8ac28e --- /dev/null +++ b/templates/default/named.conf.erb 
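Review bot: The new defaults `default[:bind9][:enable_forwarding] = true` and `default[:bind9][:allow_query] = ["localnets", "localhost"]` contradict the README hunk in this same commit, which still reads "Default is: No forwarding" and "Default is: anyone" for those attributes. Turning forwarding to a public resolver on by default is a behaviour change existing users will hit on upgrade, so the README entries should be corrected and the change called out in the commit message. The SmartOS branch also sets `default[:bind9][:user] = "root"`, which the recipe uses as owner of the log directory; if the pkgsrc service runs named under a dedicated account, that account belongs here instead.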
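Review bot: `directory node[:bind9][:log_path] do` widens the log directory from 0755 to `mode 0775` without a stated reason; named writes `named.log` as the directory owner, so group write is only needed if some other account shares that group, and `mode 0755` would preserve the previous behaviour. With `recursive true` Chef, as far as I recall, applies owner/group/mode only to the last directory in the path, so any parents it creates get default permissions — a short comment saying that is intended would help. A one-line why-comment on the mode, e.g. `# 0775: <reason group write is needed>`, would make the widening reviewable.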
@@ -0,0 +1,3 @@ +include "<%= node[:bind9][:config_path] %>/named.conf.options"; +include "<%= node[:bind9][:config_path] %>/named.conf.local"; +// include "<%= node[:bind9][:config_path] %>/named.conf.default-zones"; diff --git a/templates/default/named.conf.local.erb b/templates/default/named.conf.local.erb index c35456b..7773d6e 100644 --- a/templates/default/named.conf.local.erb +++ b/templates/default/named.conf.local.erb @@ -9,7 +9,7 @@ <% @zonefiles.each do |conf| -%> zone "<%= conf["domain"] %>" IN { type <%= conf["type"] %>; - file "<%= node[:bind9][:config_path] %>/<%= conf["domain"] %>"; + file "<%= conf["domain"] %>"; allow-transfer { <% conf["allow_transfer"].each do |ip| -%> <%= ip %>; diff --git a/templates/default/named.conf.options.erb b/templates/default/named.conf.options.erb index 1d536a9..37b27bc 100644 --- a/templates/default/named.conf.options.erb +++ b/templates/default/named.conf.options.erb 
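Review bot: `file "<%= conf["domain"] %>";` now uses the data bag's `domain` value as a relative path resolved against the `directory` option, and patch 4's recipes hunks (`@@ -86` and `@@ -99`) interpolate the same value into `template "#{node[:bind9][:data_path]}/#{zone['domain']}"`. Nothing on the page validates that value, so a domain containing `/`, `..`, `"` or `;` would escape the zone directory or corrupt the generated config; the pre-existing `zone "<%= conf["domain"] %>"` context line has the same exposure. A check in the recipe before the zone is used, such as `raise ArgumentError, "invalid zone domain #{zone['domain']}" unless zone['domain'] =~ /\A[A-Za-z0-9.-]+\z/`, keeps the template simple and fails the run early rather than leaving named with a broken file.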
@@ -1,47 +1,59 @@ options { - directory "<%= node[:bind9][:data_path] %>"; - - // If there is a firewall between you and nameservers you want - // to talk to, you may need to fix the firewall to allow multiple - // ports to talk. See http://www.kb.cert.org/vuls/id/800113 - - <% if node[:bind9][:allow_query] %> - allow-query { - "<%= node[:bind9][:allow_query] %>"; - }; - - <% end %> - allow-recursion { - <%= node[:bind9][:allow_recursion] %>; - }; - - allow-transfer { - "<%= node[:bind9][:allow_transfer] %>"; - }; - - <% if node[:bind9][:allow_update] %> - allow-update { - "<%= node[:bind9][:allow_update] %>"; - }; - - <% end %> - <% if node[:bind9][:enable_forwarding] %> - forwarders { - <% node[:bind9][:forwarders].each do |forwarder| -%> - <%= forwarder %>; - <% end %> - }; - - <% end %> - auth-nxdomain no; # conform to RFC1035 - <% if node[:bind9][:enable_ipv6] %> - listen-on-v6 { any; }; - <% end %> + directory "<%= node[:bind9][:data_path] %>"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. 
See http://www.kb.cert.org/vuls/id/800113 + + <% if node[:bind9][:allow_query] %> + allow-query { + <% node[:bind9][:allow_query].each do |allow_query| -%> + <%= allow_query %>; + <% end %> + }; + + <% end %> + <% if node[:bind9][:allow_recursion] %> + allow-recursion { + <% node[:bind9][:allow_recursion].each do |allow_recursion| -%> + <%= allow_recursion %>; + <% end %> + }; + + <% end %> + <% if node[:bind9][:allow_transfer] %> + allow-transfer { + <% node[:bind9][:allow_transfer].each do |allow_transfer| -%> + <%= allow_transfer %>; + <% end %> + }; + + <% end %> + <% if node[:bind9][:allow_update] %> + allow-update { + <% node[:bind9][:allow_update].each do |allow_update| -%> + <%= allow_update %>; + <% end %> + }; + + <% end %> + <% if node[:bind9][:enable_forwarding] %> + forwarders { + <% node[:bind9][:forwarders].each do |forwarder| -%> + <%= forwarder %>; + <% end %> + }; + + <% end %> + auth-nxdomain no; # conform to RFC1035 + <% if node[:bind9][:enable_ipv6] %> + listen-on-v6 { any; }; + <% end %> }; logging { channel default_log { - file "/var/log/bind/bind.log" versions 5 size 128M; + file "<%= node[:bind9][:log_path] %>/named.log" versions 5 size 128M; print-time yes; print-severity yes; print-category yes; From d9fb4d9bdca51d1fbc550c427f6d27c6201e0608 Mon Sep 17 00:00:00 2001 From: Tatsuya Kawano Date: Thu, 11 Jul 2013 13:08:05 +0800 Subject: [PATCH 2/6] Apply pull request #7 from cdoughty77 for the upstream: - Add support for DDNS keys --- README.md | 10 ++++++---- attributes/default.rb | 5 +++++ templates/default/named.conf.local.erb | 18 ++++++++++++------ 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index c8601e0..91de830 100644 --- a/README.md +++ b/README.md 
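Review bot: The new loops such as `<% node[:bind9][:allow_recursion].each do |allow_recursion| -%>` raise NoMethodError when an attribute is still a String (Ruby 1.9+ String has no `each`), which is exactly what the previous defaults (`"none"`) and any existing role or environment override look like; wrapping each with `Array(node[:bind9][:allow_recursion])` accepts both forms, and the same applies to the allow_query, allow_transfer and allow_update loops in this hunk. Separately, the added `<% if node[:bind9][:allow_recursion] %>` and `<% if node[:bind9][:allow_transfer] %>` guards drop the clause entirely when the attribute is nil, whereas the old template always emitted one, so an unset attribute now falls back to BIND's built-in default for that option (which varies by version) instead of the cookbook's documented `none`. Rendering `allow-recursion { none; };` and `allow-transfer { none; };` in an `<% else %>` branch keeps an unset attribute failing closed.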
@@ -3,7 +3,7 @@ Description This cookbook takes care of the installation and configuration of BIND9. At the moment you're able to define some global variables and to manage your zonefiles via data bags (json example below). It currently also supports automatic serial number generation and automatic resource records for chef nodes (see optional json in example below) -Besides that there's not much to see, e.g. no DNSSEC, no configurable logging, no rndc shell operations or other safety checks (named-checkconf, etc.). +Besides that there's not much to see, e.g. no configurable logging, no rndc shell operations or other safety checks (named-checkconf, etc.). It's my intention to round its edges over time. If you want to help feel free to contribute! @@ -15,9 +15,7 @@ Requirements Platform: -* Debian -* Ubuntu -* Centos +* Ubuntu (Tested on) Attributes ========== @@ -30,6 +28,10 @@ Attributes * **node[:bind9][:enable_forwarding]** - Enables forwarding of requests. Default is: No forwarding * **node[:bind9][:forwarders]** - Array for forwarding DNS. Default is: 4.4.4.4 and 8.8.8.8 (Google DNS) +* **node[:bind9][:enable_ddns]** - Allows Dynamic DNS (DDNS) to be enabled. Default is: false +* **node[:bind9][:ddns_algorithm]** - If DDNS is enabled, a algorithm can be specified. Default is: nil +* **node[:bind9][:ddns_secret]** - If DDNS is enabled, a key can be specified. Default is: nil + Usage ===== diff --git a/attributes/default.rb b/attributes/default.rb index e80690e..77edfc1 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -11,6 +11,11 @@ default[:bind9][:enable_forwarding] = false default[:bind9][:forwarders] = [ "4.4.4.4", "8.8.8.8" ] +# Allow user to enable DDNS +default[:bind9][:enable_ddns] = false +default[:bind9][:ddns_algorithm] = nil +default[:bind9][:ddns_secret] = nil + case platform when "centos","redhat","fedora","scientific","amazon" default[:bind9][:config_path] = "/etc/named" 
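Review bot: `default[:bind9][:ddns_secret] = nil` makes TSIG key material an ordinary node attribute, so once a value is set it is saved in the node object on the Chef server and is visible to anyone who can read nodes, roles or environments. Keeping the attribute as an opt-in hook is fine, but the recipe should also accept the secret from an encrypted data bag item (Chef::EncryptedDataBagItem) so it never has to be stored in plain attributes, and the README entry added in this commit should say where the value is meant to live. A comment on the attribute such as `# TSIG secret for DDNS; prefer loading it from an encrypted data bag rather than setting it here` would make that intent clear to the next maintainer.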
diff --git a/templates/default/named.conf.local.erb b/templates/default/named.conf.local.erb index c35456b..47a7751 100644 --- a/templates/default/named.conf.local.erb +++ b/templates/default/named.conf.local.erb @@ -1,20 +1,26 @@ // -// Do any local configuration here +// MANAGED BY CHEF : Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; +<% if node[:bind9][:enable_ddns] %> +key DDNS_UPDATE { + algorithm <%= node[:bind9][:ddns_algorithm] %>; + secret "<%= node[:bind9][:ddns_secret] %>"; +}; +<% end %> + <% @zonefiles.each do |conf| -%> zone "<%= conf["domain"] %>" IN { type <%= conf["type"] %>; - file "<%= node[:bind9][:config_path] %>/<%= conf["domain"] %>"; - allow-transfer { - <% conf["allow_transfer"].each do |ip| -%> - <%= ip %>; + file "<%= node[:bind9][:data_path] %>/<%= conf["domain"] %>"; + notify no; + <% if node[:bind9][:enable_ddns] %> + allow-update { key DDNS_UPDATE; }; <% end %> - }; }; <% end %> From 1c0daad48ef84d26928a54614190982fd2e81f6c Mon Sep 17 00:00:00 2001 From: Tatsuya Kawano Date: Thu, 11 Jul 2013 14:57:22 +0800 Subject: [PATCH 3/6] Fix a merge error. --- templates/default/named.conf.local.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/default/named.conf.local.erb b/templates/default/named.conf.local.erb index ec1b76b..cfecb10 100644 --- a/templates/default/named.conf.local.erb +++ b/templates/default/named.conf.local.erb @@ -22,6 +22,7 @@ zone "<%= conf["domain"] %>" IN { <% conf["allow_transfer"].each do |ip| -%> <%= ip %>; <% end %> + }; <% if node[:bind9][:enable_ddns] %> allow-update { key DDNS_UPDATE; }; <% end %> From 263ba18c12e7769e21d1efca155cb90e90fcaf19 Mon Sep 17 00:00:00 2001 
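Review bot: With `enable_ddns` true and `ddns_algorithm`/`ddns_secret` left at the nil defaults this same patch adds, the key block renders as `algorithm ;` and `secret "";`, which named rejects at load, so a half-configured node ends the run with a resolver that will not start; guard the block with `<% if node[:bind9][:enable_ddns] && node[:bind9][:ddns_algorithm] && node[:bind9][:ddns_secret] %>` or raise in the recipe when either value is missing. The rendered named.conf.local now carries the shared secret; the mode of that template resource is outside this hunk, but if it matches the `mode 0644` the other templates in this series use, the secret is readable by every local account. Rendering the `key` statement into its own file with mode 0640 and the bind user's group, and `include`-ing it from named.conf.local, limits that exposure. (The `};` this hunk drops after the allow-transfer loop is restored in patch 3.)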
From: Tatsuya Kawano Date: Thu, 11 Jul 2013 16:37:20 +0800 Subject: [PATCH 4/6] Fix errors in the default recipe for RHEL family: - Now it overrides the config_file "/etc/named.conf" so that the options_file and local_files are no longer ignored. - The zone files are now placed under the data_path - Set a SELinux attribute to avoid errors when DDNS is enabled. --- attributes/default.rb | 37 ++++++++++++++++---------------- recipes/default.rb | 33 +++++++++++++++------------- templates/default/named.conf.erb | 4 ++-- templates/default/zonefile.erb | 3 ++- 4 files changed, 41 insertions(+), 36 deletions(-) diff --git a/attributes/default.rb b/attributes/default.rb index 9f7e863..cb66a78 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -18,26 +18,27 @@ default[:bind9][:ddns_secret] = nil case platform -when "centos","redhat","fedora","scientific","amazon" - default[:bind9][:config_path] = "/etc/named" - default[:bind9][:config_file] = "/etc/named.conf" - default[:bind9][:options_file] = "/etc/named/named.conf.options" - default[:bind9][:local_file] = "/etc/named/named.conf.local" - default[:bind9][:data_path] = "/var/named" - default[:bind9][:log_path] = "/var/log/bind" - default[:bind9][:user] = "named" +when "centos", "redhat", "fedora", "scientific", "amazon" + default[:bind9][:config_path] = "/etc/" + default[:bind9][:config_file] = "/etc/named.conf" + default[:bind9][:options_file] = "/etc/named.conf.options" + default[:bind9][:local_file] = "/etc/named.conf.local" + default[:bind9][:data_path] = "/var/named" + default[:bind9][:log_path] = "/var/log/bind" + default[:bind9][:user] = "named" when "smartos" - default[:bind9][:config_path] = "/opt/local/etc" + default[:bind9][:config_path] = "/opt/local/etc" + default[:bind9][:config_file] = "/opt/local/etc/named.conf" default[:bind9][:options_file] = "/opt/local/etc/named.conf.options" - default[:bind9][:local_file] = "/opt/local/etc/named.conf.local" - default[:bind9][:data_path] = "/var/named" - default[:bind9][:log_path] = "/var/log/named" - default[:bind9][:user] = "root" + default[:bind9][:local_file] = "/opt/local/etc/named.conf.local" + default[:bind9][:data_path] = "/var/named" + default[:bind9][:log_path] = "/var/log/named" + default[:bind9][:user] = "root" else - default[:bind9][:config_path] = "/etc/bind" + default[:bind9][:config_path] = "/etc/bind" default[:bind9][:options_file] = "/etc/bind/named.conf.options" - default[:bind9][:local_file] = "/etc/bind/named.conf.local" - default[:bind9][:data_path] = "/var/cache/bind" - default[:bind9][:log_path] = "/var/log/named" - default[:bind9][:user] = "bind" + default[:bind9][:local_file] = "/etc/bind/named.conf.local" + default[:bind9][:data_path] = "/var/cache/bind" + 
default[:bind9][:log_path] = "/var/log/named" + default[:bind9][:user] = "bind" end diff --git a/recipes/default.rb b/recipes/default.rb index a5082c2..e7596d5 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -35,7 +35,7 @@ service "bind9" do case node[:platform] - when "centos", "redhat" + when "centos", "redhat", "fedora", "scientific", "amazon" service_name "named" when "smartos" service_name "dns/server:default" @@ -44,14 +44,13 @@ action [ :enable ] end -if node[:platform] == "smartos" - template "#{node[:bind9][:config_path]}/named.conf" do - source "named.conf.erb" - owner "root" - group "root" - mode 0644 - notifies :restart, resources(:service => "bind9") - end +template node[:bind9][:config_file] do + only_if { %w{centos redhat fedora scientific amazon smartos}.member? node[:platform] } + source "named.conf.erb" + owner "root" + group "root" + mode 0644 + notifies :restart, resources(:service => "bind9") end template node[:bind9][:options_file] do @@ -73,12 +72,11 @@ notifies :restart, resources(:service => "bind9") end - search(:zones).each do |zone| unless zone['autodomain'].nil? || zone['autodomain'] == '' search(:node, "domain:#{zone['autodomain']}").each do |host| next if host['ipaddress'] == '' || host['ipaddress'].nil? - zone['zone_info']['records'].push( { + zone['zone_info']['records'].push({ "name" => host['hostname'], "type" => "A", "ip" => host['ipaddress'] @@ -86,8 +84,8 @@ end end - template "#{node[:bind9][:config_path]}/#{zone['domain']}" do - source "#{node[:bind9][:config_path]}/#{zone['domain']}.erb" + template "#{node[:bind9][:data_path]}/#{zone['domain']}" do + source "#{node[:bind9][:data_path]}/#{zone['domain']}.erb" local true owner "root" group "root" @@ -99,7 +97,7 @@ action :nothing end - template "#{node[:bind9][:config_path]}/#{zone['domain']}.erb" do + template "#{node[:bind9][:data_path]}/#{zone['domain']}.erb" do source "zonefile.erb" owner "root" group "root" 
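Review bot: `default[:bind9][:config_path] = "/etc/"` carries a trailing slash unlike the SmartOS and Debian branches, so interpolations of the form `"#{node[:bind9][:config_path]}/..."` (the commented include in named.conf.erb, for instance) yield `/etc//...`; `default[:bind9][:config_path] = "/etc"` keeps the three branches consistent. Most of the remaining lines in this hunk are whitespace realignment of unchanged assignments, which hides the substantive changes (RHEL paths moved to /etc, `config_file` added for SmartOS) — a separate formatting commit would make the series easier to review.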
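Review bot: `template node[:bind9][:config_file] do` is declared on every platform, but the attributes file in this same patch only defines `config_file` for the RHEL family and SmartOS, so on Debian/Ubuntu the resource is declared with a nil name; `only_if` is evaluated at converge time and does not stop the declaration, so unless Chef tolerates a nil resource name the run fails at compile on exactly the platforms the guard is meant to skip. Wrapping the resource in `if %w{centos redhat fedora scientific amazon smartos}.member?(node[:platform])`, as the removed SmartOS-only block did, avoids that without giving Debian a `config_file` default (which would overwrite the distro's own named.conf). The `@@ -86` and `@@ -99` hunks moving zone files to `data_path` look right and match the `directory` option rendered by named.conf.options.erb.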
@@ -113,10 +111,15 @@ :mail_exchange => zone['zone_info']['mail_exchange'], :records => zone['zone_info']['records'] }) - notifies :create, resources(:template => "#{node[:bind9][:config_path]}/#{zone['domain']}"), :immediately + notifies :create, resources(:template => "#{node[:bind9][:data_path]}/#{zone['domain']}"), :immediately end end service "bind9" do action [ :start ] end + +bash "selinux" do + only_if { %w{centos redhat fedora scientific amazon}.member? node[:platform] } + code "(sudo setsebool named_write_master_zones true) || true" +end diff --git a/templates/default/named.conf.erb b/templates/default/named.conf.erb index c8ac28e..a206141 100644 --- a/templates/default/named.conf.erb +++ b/templates/default/named.conf.erb @@ -1,3 +1,3 @@ -include "<%= node[:bind9][:config_path] %>/named.conf.options"; -include "<%= node[:bind9][:config_path] %>/named.conf.local"; +include "<%= node[:bind9][:options_file] %>"; +include "<%= node[:bind9][:local_file] %>"; // include "<%= node[:bind9][:config_path] %>/named.conf.default-zones"; diff --git a/templates/default/zonefile.erb b/templates/default/zonefile.erb index 5861fd3..d24f06d 100644 --- a/templates/default/zonefile.erb +++ b/templates/default/zonefile.erb @@ -20,6 +20,7 @@ $TTL <%= @global_ttl %> ns IN A <%= node['ipaddress'] %> <% @records.each do |record| -%> -<%= "%-20s %5s IN %5s %s" % [record['name'],record['ttl'],record['type'],record['ip']] %> +<% ip = record['ip'] == ":ipaddress" ? @ipaddress : record['ip'] %> +<%= "%-20s %5s IN %5s %s" % [record['name'],record['ttl'],record['type'],ip] %> <% end %> From 1220ea3845954c339a1c6dddfcaad3b205f23309 Mon Sep 17 00:00:00 2001 From: Tatsuya Kawano Date: Thu, 11 Jul 2013 17:00:20 +0800 Subject: [PATCH 5/6] Revert a change in the zonefile template. --- templates/default/zonefile.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/templates/default/zonefile.erb b/templates/default/zonefile.erb index d24f06d..5861fd3 100644 
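Review bot: The new `bash "selinux"` resource relaxes `named_write_master_zones` on every RHEL-family run even when `enable_ddns` is false, although the commit message says it exists only to support DDNS; gating it on `node[:bind9][:enable_ddns]`, as the directory resource in patch 6 does, keeps the SELinux relaxation to nodes that need it. `sudo` adds nothing under chef-client (which normally runs as root) and fails where sudo is not installed, the boolean is not persisted across reboots without `-P`, and with no `not_if` the resource reports a change on every run. The `|| true` best-effort for hosts without SELinux can stay, but a `not_if` on `getsebool` makes the resource idempotent.
```ruby
bash "selinux" do
  only_if {
    node[:bind9][:enable_ddns] &&
      %w{centos redhat fedora scientific amazon}.member?(node[:platform])
  }
  # skip when the boolean is already on, so the resource converges idempotently
  not_if "getsebool named_write_master_zones | grep -q 'on$'"
  # -P persists across reboots; '|| true' tolerates hosts where SELinux is absent
  code "(setsebool -P named_write_master_zones true) || true"
end
```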
--- a/templates/default/zonefile.erb +++ b/templates/default/zonefile.erb @@ -20,7 +20,6 @@ $TTL <%= @global_ttl %> ns IN A <%= node['ipaddress'] %> <% @records.each do |record| -%> -<% ip = record['ip'] == ":ipaddress" ? @ipaddress : record['ip'] %> -<%= "%-20s %5s IN %5s %s" % [record['name'],record['ttl'],record['type'],ip] %> +<%= "%-20s %5s IN %5s %s" % [record['name'],record['ttl'],record['type'],record['ip']] %> <% end %> From 4a9bd6550f4f509bfa5a24105c7392067ed1bc6f Mon Sep 17 00:00:00 2001 From: Tatsuya Kawano Date: Fri, 12 Jul 2013 12:16:48 +0800 Subject: [PATCH 6/6] Add chmod g+w to data_path on RHEL variants when ddns is enabled. --- recipes/default.rb | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/recipes/default.rb b/recipes/default.rb index e7596d5..d367763 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -25,6 +25,18 @@ action :install end +directory node[:bind9][:data_path] do + only_if { + node[:bind9][:enable_ddns] and + %w{centos redhat fedora scientific amazon}.member? node[:platform] + } + owner node[:bind9][:user] + group node[:bind9][:user] + mode 0774 + recursive false + action :create +end + directory node[:bind9][:log_path] do owner node[:bind9][:user] group node[:bind9][:user]
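Review bot: `mode 0774` on `directory node[:bind9][:data_path] do` also grants read to every other account, which is broader than the `g+w` the commit message describes; `mode 0770` gives named the directory-write access DDNS journals and zone rewrites need without exposing zone contents to unrelated local users, and I believe the RHEL bind package ships /var/named without world access, so this would be a widening relative to the distro default. The resource also changes the directory's owner to the named user, which the message does not mention and which is not needed for group write; keeping owner root with `group node[:bind9][:user]` and `mode 0770` matches the stated intent more closely. The guard uses `node[:bind9][:enable_ddns] and`, where `&&` is the conventional operator for a boolean expression; it only works here because it is the sole statement in the block.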