diff --git a/ChangeLog b/CHANGELOG.md
similarity index 57%
rename from ChangeLog
rename to CHANGELOG.md
index 572f96056..826723028 100644
--- a/ChangeLog
+++ b/CHANGELOG.md
@@ -1,55 +1,79 @@ -2014-05-12 - 0.5.1 +#### 2023-09-07 - 0.5.6 +* Change zone dirmode from 750 to 770 because recent bind 9 requires write. + +#### 2021-06-30 - 0.5.5 +* Improve zone validation (#110, @osgpcq). +* Support $replace on bind::server::file, useful for ddns base zones. +* Fix bindkeys-file on RHEL8. + +#### 2019-01-21 - 0.5.4 +* Add zone file validation (#91, @forgodssake). +* Fix hint and rfc1912 zones on Debian (#61, #83). +* Add support for configuring forward mode (#73, @warrenpnz). +* Fix server::conf and package ordering (#71, @skrivy). +* Make sure zonedir gets created after bind::package (#55, @jamesbouressa). + +#### 2017-02-02 - 0.5.3 +* Fix undefined variable warning. + +#### 2016-02-02 - 0.5.2 +* Fix service name on RHEL7+ with chroot (#56, @arrjay). +* Fix named.conf template bug related to views (#59, @imerali). +* Add TSIG keys support (#54, @b4ldr). +* Replace Modulefile with metadata.json. + +#### 2014-05-12 - 0.5.1 * Add FreeBSD support (#26, @fessoga5). -2014-03-14 - 0.5.0 +#### 2014-03-14 - 0.5.0 * Manage zonedir from server::file, for parent directory (#23, Dougal Scott). * Add support for extra_options (#22, Joseph Swick). * Add support for $hostname, $server_id (#21, @b4ldr). * Disable root hint and rfc1912 zones when not recursive (#21, @b4ldr). -2013-11-26 - 0.4.2 +#### 2013-11-26 - 0.4.2 * Add support for managed-keys-directory (#19, Sean Edge). * Add support for full service restart instead of reload (#19, Sean Edge). -2013-10-15 - 0.4.1 +#### 2013-10-15 - 0.4.1 * Add support for views (thanks to Sean Edge). -2013-07-17 - 0.4.0 +#### 2013-07-17 - 0.4.0 * Merge changes by Sebastian Cole. * Move parameters into a new bind::params class. * Make the service and package classes possible to use separately. * Cosmetic cleanups. * Update README examples. -2013-04-19 - 0.3.2 +#### 2013-04-19 - 0.3.2 * Use @varname syntax in templates to silence puppet 3.2 warnings. 
-2013-04-10 - 0.3.1 +#### 2013-04-10 - 0.3.1 * Add support for $allow_transfer. * Add support for $ensure on server::file, enabling clean zone file removal. -2013-03-08 - 0.3.0 +#### 2013-03-08 - 0.3.0 * Change to 2 space indent. * Major update to the README and use markdown. * Minor cosmetic cleanups. * Change default for $chroot to false, SELinux is sufficient on RHEL5+. -2012-12-18 - 0.2.5 +#### 2012-12-18 - 0.2.5 * Change the SELinux type of the log directory back to the original. -2012-09-19 - 0.2.4 +#### 2012-09-19 - 0.2.4 * Update README to make the main example more useful. * Support $source_base for easy inclusion of multiple zone files as-is. -2012-07-17 - 0.2.3 +#### 2012-07-17 - 0.2.3 * Add support for "include" lines in named.conf. -2012-06-22 - 0.2.2 +#### 2012-06-22 - 0.2.2 * Add support for a few new configuration values in the main template. * Require package for files, for the usual parent directory to exist. * Minot updates to the README. -2012-04-23 - 0.2.1 +#### 2012-04-23 - 0.2.1 * Clean up the module to match current puppetlabs guidelines. * Force hash sorting in the template for puppet 2.7+ compatibility. diff --git a/LICENSE b/LICENSE index 49a6e5c40..374dc484d 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (C) 2011-2013 Matthias Saou +Copyright (C) 2011-2016 Matthias Saou Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/Modulefile b/Modulefile deleted file mode 100644 index 2ea17128d..000000000 --- a/Modulefile +++ /dev/null @@ -1,8 +0,0 @@ -name 'thias-bind' -version '0.5.1' -source 'git://github.com/thias/puppet-bind' -author 'Matthias Saou' -license 'Apache 2.0' -summary 'BIND DNS server module' -description "Install and enable a BIND DNS server, create and manage DNS zone files." -project_page 'https://github.com/thias/puppet-bind' diff --git a/README.md b/README.md index 9f7f9690e..62c5613cd 100644 --- a/README.md 
+++ b/README.md @@ -1,5 +1,15 @@ # puppet-bind +## Disclaimer + +This module has been created when Puppet classes did not support parameters. +It shows. Tests and Debian/Ubuntu support are external contributions and are +not as actively maintained as they should be. + +The primary focus of this module has always been Enterprise Linux (RHEL, CentOS +and other clones), and it works fine on releases as far back as RHEL5, although +the latest RHEL release is always recommended. + ## Overview Install and enable a BIND DNS server, manage its main configuration and install diff --git a/manifests/init.pp b/manifests/init.pp index 1753b2dd7..12a45581b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -18,37 +18,48 @@ class bind ( $chroot = false, $service_reload = true, + $servicename = $::bind::params::servicename, $packagenameprefix = $::bind::params::packagenameprefix, + $binduser = $::bind::params::binduser, + $bindgroup = $::bind::params::bindgroup, ) inherits ::bind::params { - # Main package and service - $packagenamesuffix = $chroot ? { - true => '-chroot', - false => '', + # Chroot differences + if $chroot == true { + $packagenamesuffix = '-chroot' + # Different service name with chroot on RHEL7+) + if $::osfamily == 'RedHat' and + versioncmp($::operatingsystemrelease, '7') >= 0 { + $servicenamesuffix = '-chroot' + } else { + $servicenamesuffix = '' + } + $bindlogdir = '/var/named/chroot/var/log/named' + } else { + $packagenamesuffix = '' + $servicenamesuffix = '' + $bindlogdir = '/var/log/named' } - class { 'bind::package': + + # Main package and service + class { '::bind::package': packagenameprefix => $packagenameprefix, packagenamesuffix => $packagenamesuffix, } - class { 'bind::service': - servicename => $servicename, + class { '::bind::service': + servicename => "${servicename}${servicenamesuffix}", service_reload => $service_reload, } # We want a nice log file which the package doesn't provide a location for - $bindlogdir = $chroot ? { - true => '/var/named/chroot/var/log/named', - false => '/var/log/named', - } file { $bindlogdir: - require => Class['bind::package'], - ensure => directory, - owner => $::bind::params::binduser, - group => $::bind::params::bindgroup, + ensure => 'directory', + owner => $binduser, + group => $bindgroup, mode => '0770', seltype => 'var_log_t', - before => Class['bind::service'], + require => Class['::bind::package'], + before => Class['::bind::service'], } } - diff --git a/manifests/package.pp b/manifests/package.pp index af145c7c6..a7a23457f 100644 --- a/manifests/package.pp +++ b/manifests/package.pp 
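Review bot: The comment `# Different service name with chroot on RHEL7+)` in the new chroot branch carries a stray closing parenthesis; it should read `# Different service name with chroot on RHEL7+`. Since the suffix now hinges on `$::osfamily == 'RedHat'` and `versioncmp($::operatingsystemrelease, '7') >= 0`, a why-comment pointing at the reason (presumably the separate chroot service the 0.5.2 changelog entry for #56 refers to) would help the next reader more than the bare "different service name". The `$bindlogdir` values are now chosen in the same branch, so a note that the chroot path mirrors `/var/log/named` inside `/var/named/chroot` would make the two literals obviously related.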
@@ -5,7 +5,6 @@ $packagenamesuffix = '', ) inherits ::bind::params { - package { "${packagenameprefix}${packagenamesuffix}": ensure => installed } + package { "${packagenameprefix}${packagenamesuffix}": ensure => 'installed' } } - diff --git a/manifests/params.pp b/manifests/params.pp index 58f9b0bc4..b0b1d65a8 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -8,24 +8,44 @@ $servicename = 'named' $binduser = 'root' $bindgroup = 'named' + $file_hint = 'named.ca' + $file_rfc1912 = '/etc/named.rfc1912.zones' + if versioncmp($::operatingsystemrelease, '8') >= 0 { + $file_bindkeys = '/etc/named.root.key' + } else { + $file_bindkeys = '/etc/named.iscdlv.key' + } } 'Debian': { $packagenameprefix = 'bind9' $servicename = 'bind9' $binduser = 'bind' $bindgroup = 'bind' + $file_rfc1912 = '/etc/bind/named.conf.default-zones' + if $::operatingsystem == 'Ubuntu' { + $file_hint = false + } else { + $file_hint = '/etc/bind/db.root' + } + $file_bindkeys = '/etc/named.iscdlv.key' } 'Freebsd': { $packagenameprefix = 'bind910' $servicename = 'named' $binduser = 'bind' $bindgroup = 'bind' + $file_hint = 'named.ca' + $file_rfc1912 = '/etc/named.rfc1912.zones' + $file_bindkeys = '/etc/named.iscdlv.key' } default: { $packagenameprefix = 'bind' $servicename = 'named' $binduser = 'root' $bindgroup = 'named' + $file_hint = 'named.ca' + $file_rfc1912 = '/etc/named.rfc1912.zones' + $file_bindkeys = '/etc/named.iscdlv.key' } } diff --git a/manifests/server.pp b/manifests/server.pp index 3cee8041b..3c1b5a1e8 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -4,11 +4,12 @@ # class bind::server ( $chroot = false, - $packagenameprefix = $bind::params::packagenameprefix -) inherits bind::params { - class { 'bind': + $packagenameprefix = $::bind::params::packagenameprefix, +) inherits ::bind::params { + + class { '::bind': chroot => $chroot, packagenameprefix => $packagenameprefix, } -} +} 
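Review bot: The 'Debian' and 'Freebsd' branches set `$file_bindkeys = '/etc/named.iscdlv.key'`, which is the Red Hat packaging path copied from the default branch and, as far as I can tell, does not exist on either platform (Debian keeps its bind configuration under /etc/bind/); named.conf.erb emits `bindkeys-file "<%= @file_bindkeys %>";` unconditionally, so those hosts end up referencing a missing file. Either give each branch a platform-correct path, or allow `false` the way `$file_hint` already does for Ubuntu and guard the template line with `<% if @file_bindkeys -%>`. The RedHat branch's `versioncmp($::operatingsystemrelease, '8') >= 0` will also be true for any other osfamily member with a large release number (Fedora, if it is in scope); probably the intended outcome, but worth a one-line comment.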
diff --git a/manifests/server/conf.pp b/manifests/server/conf.pp
index f771e948f..f9767c018 100644
--- a/manifests/server/conf.pp
+++ b/manifests/server/conf.pp
@@ -15,6 +15,8 @@
 # IPv6 port to listen on. Set to false to disable. Default: '53'
 # $listen_on_v6_addr:
 # Array of IPv6 addresses to listen on. Default: [ '::1' ]
+# $forward_only:
+# Only forward requests, do not attempt recursion
 # $forwarders:
 # Array of forwarders IP addresses. Default: empty
 # $directory:
@@ -22,6 +24,8 @@
 # $hostname:
 # Hostname returned for hostname.bind TXT in CHAOS. Set to 'none' to disable.
 # Default: undef, bind internal default
+# $forward:
+# Specific forwarding mode forward ( first | only );. Default: undef, empty
 # $server_id:
 # ID returned for id.server TXT in CHAOS. Default: undef, empty
 # $version:
@@ -44,7 +48,8 @@
 # $check_names:
 # Array of check-names strings. Example: [ 'master ignore' ]. Default: empty
 # $extra_options:
-# Hash for any additional options that must go in the 'options' declaration. Default: empty
+# Hash for any additional options that must go in the 'options' declaration.
+# Default: empty
 # $dnssec_enable:
 # Enable DNSSEC support. Default: 'yes'
 # $dnssec_validation:
@@ -54,6 +59,9 @@
 # $zones:
 # Hash of managed zones and their configuration. The key is the zone name
 # and the value is an array of config lines. Default: empty
+# $keys:
+# Hash of managed tsig keys and their configuration. The key is the tsig keys name
+# and the value is an array of config lines. Default: empty
 # $includes:
 # Array of absolute paths to named.conf include files. Default: empty
 #
@@ -76,6 +84,12 @@
 # 'masters { mymasters; }',
 # ],
 # }
+# keys => {
+# 'example.org-tsig' => [
+# 'algorithm hmac-md5',
+# 'secret "aaabbbcccddd"',
+# ],
+# }
 # }
 #
 # define bind::server::conf (
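Review bot: The `keys` example in the header uses `'algorithm hmac-md5'`; HMAC-MD5 is the weakest TSIG algorithm BIND still accepts and is deprecated, so the documented example should be `'algorithm hmac-sha256'`. The same block should say that the `secret` line is written verbatim into the managed named.conf and therefore travels through the Puppet catalog and reports, so the value belongs in an encrypted data source rather than a manifest literal. The new `$forward:` entry is filed under `$hostname` instead of next to `$forward_only`/`$forwarders`, and its text `forward ( first | only );.` reads awkwardly; `# Forwarding mode, 'first' or 'only'. Default: undef (not set)` placed after `$forward_only` would be clearer and would invite a sentence on how the two parameters relate.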
@@ -85,10 +99,12 @@ $listen_on_addr = [ '127.0.0.1' ], $listen_on_v6_port = '53', $listen_on_v6_addr = [ '::1' ], + $forward_only = undef, $forwarders = [], $directory = '/var/named', $managed_keys_directory = undef, $hostname = undef, + $forward = undef, $server_id = undef, $version = undef, $dump_file = '/var/named/data/cache_dump.db', @@ -101,47 +117,23 @@ $allow_transfer = [], $check_names = [], $extra_options = {}, - $dnssec_enable = 'yes', - $dnssec_validation = 'yes', - $dnssec_lookaside = 'auto', + $dnssec_validation = 'no', $zones = {}, + $keys = {}, $includes = [], $views = {}, ) { - file { '/var/named': - ensure => directory, - } - - file { '/var/named/named.ca': - ensure => file, - content => template('bind/named.ca.erb'), - owner => 'root', - group => 'bind', - mode => 'u=rw,go=r', - } - - file { '/etc/bind/named.rfc1912.zones': - ensure => file, - content => template('bind/named.rfc1912.zones.erb'), - owner => 'root', - group => 'bind', - mode => 'ug=rw,o=r', - } - - service { 'apparmor': - ensure => 'running', - enable => 'true', - } - - file { '/etc/apparmor.d/usr.sbin.named': - notify => Service['apparmor'], - content => template('bind/usr.sbin.named.erb'), - } + # OS Defaults + include '::bind::params' + $file_hint = $::bind::params::file_hint + $file_rfc1912 = $::bind::params::file_rfc1912 + $file_bindkeys = $::bind::params::file_bindkeys + # Everything is inside a single template file { $title: - notify => Class['bind::service'], + notify => Class['::bind::service'], content => template('bind/named.conf.erb'), + require => Class['::bind::package'], } } - diff --git a/manifests/server/file.pp b/manifests/server/file.pp index e84cb922d..f58bb3d4e 100644 --- a/manifests/server/file.pp +++ b/manifests/server/file.pp 
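Review bot: `$forward_only` and `$forward` are independent optional parameters, but named.conf.erb (its `@@ -38,7 +48,13 @@` hunk) emits `forward only;` for the first and `forward <%= @forward %>;` for the second, so setting both yields two `forward` statements inside `options`, which named should reject as a redefinition. Add a guard in the body, e.g. `if $forward_only and $forward { fail('bind::server::conf: set either forward_only or forward, not both') }`, or drop `$forward_only` in favour of `$forward = 'only'`. Note also that `forward only;` is only emitted when `$forwarders` is non-empty while `$forward` is emitted regardless, so the two are not interchangeable as the docs suggest. The define's parameter list continues in the next hunk.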
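Review bot: The default for `$dnssec_validation` silently flips from 'yes' to 'no', and `$dnssec_enable`/`$dnssec_lookaside` vanish from the signature, so existing declarations that pass them now fail to compile while resolvers relying on the old default lose validation; BIND's own default is `dnssec-validation auto`, which would be the safer replacement here, and both removals deserve a CHANGELOG.md line. Separately, now that `$keys` can feed TSIG secrets into the rendered template, `file { $title:` still sets no owner, group or mode and so takes whatever the agent's umask yields; add `owner => 'root', group => $::bind::params::bindgroup, mode => '0640',` to that resource. The `# OS Defaults` comment over the three `$file_* = $::bind::params::file_*` copies could say these are the per-OS paths consumed by named.conf.erb so the indirection is self-explanatory.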
@@ -6,6 +6,8 @@ # Parameters: # $zonedir: # Directory where to store the zone file. Default: '/var/named' +# $zonename: +# Zone name to be used when validating the zone. Default: same as title # $owner: # Zone file user owner. Default: 'root' # $group: @@ -30,14 +32,16 @@ # define bind::server::file ( $zonedir = '/var/named', + $zonename = $title, $owner = 'root', $group = undef, $mode = '0640', - $dirmode = '0750', + $dirmode = '0770', $source = undef, $source_base = undef, $content = undef, $ensure = undef, + $replace = undef, ) { include '::bind::params' @@ -48,32 +52,39 @@ $bindgroup = $::bind::params::bindgroup } - if $source { $zone_source = $source } - if $source_base { $zone_source = "${source_base}${title}" } + if $source { + $zone_source = $source + } elsif $source_base { + $zone_source = "${source_base}${title}" + } else { + $zone_source = undef + } if ! defined(File[$zonedir]) { file { $zonedir: - ensure => directory, - owner => $owner, - group => $bindgroup, - mode => $dirmode, + ensure => 'directory', + owner => $owner, + group => $bindgroup, + mode => $dirmode, + require => Class['::bind::package'], } } file { "${zonedir}/${title}": - ensure => $ensure, - owner => $owner, - group => $bindgroup, - mode => $mode, - source => $zone_source, - content => $content, - notify => Class['::bind::service'], + ensure => $ensure, + owner => $owner, + group => $bindgroup, + mode => $mode, + source => $zone_source, + content => $content, + replace => $replace, + validate_cmd => "/usr/sbin/named-checkzone -k fail -m fail -M fail -n fail -r fail -S fail -T warn -W warn ${zonename} %", + notify => Class['::bind::service'], # For the parent directory - require => [ + require => [ Class['::bind::package'], File[$zonedir], ], } } - diff --git a/manifests/service.pp b/manifests/service.pp index f85fdf146..db91cb70c 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
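Review bot: `$dirmode` now defaults to '0770', making the zone directory group-writable by `$bindgroup`; write permission on the directory lets that group create, rename and unlink zone files regardless of the 0640 `$mode` on each file, so the per-file mode no longer constrains named. That is what the changelog says newer BIND needs, but the `$dirmode` header comment (outside this hunk) should state the trade-off, e.g. `#   Zone directory mode. Default: '0770' (group-writable; BIND needs to write here)`. Callers who want Puppet to stop overwriting a zone that BIND now maintains itself have the new `$replace` parameter for that, which is worth cross-referencing in the same comment.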
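Review bot: `validate_cmd` interpolates `${zonename}` (defaulting to the resource title) into a command string with no constraint on its characters, so the value should be checked before it reaches the agent's command execution; add `if $zonename !~ /^[A-Za-z0-9._-]+$/ { fail("bind::server::file: invalid zonename '${zonename}'") }` near the top of the define. The checker path `/usr/sbin/named-checkzone` is also hard-coded even though params.pp carries a 'Freebsd' branch where the binary is unlikely to live under /usr/sbin; a `$checkzone` value in bind::params would keep it in line with the other per-OS paths. A short comment on the `validate_cmd` line that `%` is the candidate file and that a failing check leaves the previous zone file in place would document why the check is safe to run on a live server.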
@@ -1,8 +1,8 @@ # Class: bind::service # class bind::service ( - $servicename = $::bind::params::servicename, - $service_reload = true, + $servicename, + $service_reload, ) inherits ::bind::params { if $service_reload { @@ -11,11 +11,11 @@ } } - service { $servicename : - require => Class['bind::package'], - hasstatus => true, + service { $servicename: + ensure => 'running', enable => true, - ensure => running, + hasstatus => true, + require => Class['bind::package'], } } diff --git a/metadata.json b/metadata.json new file mode 100644 index 000000000..1bd80c7a9 --- /dev/null +++ b/metadata.json @@ -0,0 +1,36 @@ +{ + "name": "thias-bind", + "version": "0.5.6", + "author": "Matthias Saou", + "license": "Apache-2.0", + "summary": "BIND DNS server module", + "source": "git://github.com/thias/puppet-bind", + "project_page": "https://github.com/thias/puppet-bind", + "issues_url": "https://github.com/thias/puppet-bind/issues", + "tags": [ "bind", "named", "dns" ], + "operatingsystem_support": [ + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ "5", "6", "7", "8", "9" ] + }, + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ "5", "6", "7", "8", "9" ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ "6", "7", "8" ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ "12", "14" ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">=2.7.20 <8.0.0" + } + ], + "dependencies": [] +} diff --git a/templates/named.conf.erb b/templates/named.conf.erb index c04436717..81ff7224f 100644 --- a/templates/named.conf.erb +++ b/templates/named.conf.erb @@ -11,6 +11,16 @@ acl <%= key %> { <% end -%> }; +<% end -%> +<% end -%> +<% if !@keys.empty? -%> +<% @keys.sort_by {|key, value| key}.each do |key,value| -%> +key "<%= key %>" { +<% value.each do |line| -%> + <%= line %>; +<% end -%> +}; + <% end -%> <% end -%> <% if !@masters.empty? -%> 
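Review bot: `$servicename` and `$service_reload` lose their defaults and become mandatory, so `class { 'bind::service': }` declared on its own — the standalone use the 0.4.0 changelog entry advertises — now fails with a missing-parameter error, and `inherits ::bind::params` no longer serves any purpose here. If requiring them is intended so that `bind` always passes the suffixed service name, say so in a comment above the parameter list (`# Declared by bind, which computes the chroot-aware service name`); otherwise restore `$servicename = $::bind::params::servicename,` and `$service_reload = true,`.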
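Review bot: `require => Class['bind::package']` is the one reference in this commit left without the leading `::` while init.pp, conf.pp and file.pp all moved to `Class['::bind::package']`; use `require => Class['::bind::package'],` for consistency. The attribute reorder to `ensure`, `enable`, `hasstatus`, `require` is fine and matches the other resources touched here.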
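Review bot: The new `key "<%= key %>" {` block writes every configured line, including the `secret` one, verbatim into named.conf, so TSIG secrets now appear in the rendered content and in the file diffs Puppet logs whenever the file changes; set `show_diff => false` on the `file { $title:` resource in conf.pp (outside this hunk) and state in the `$keys` documentation that the hash holds secret material. The two `<% end -%>` lines added right after the acl block, with the original pair now closing the keys loop, balance out but read as if the acl section is closed twice; a marker such as `<%# end keys -%>` in the style of the existing `<%# end views -%>` would make the nesting obvious.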
@@ -38,7 +48,13 @@ options { listen-on-v6 port <%= @listen_on_v6_port %> { <%= @listen_on_v6_addr.join("; ") %>; }; <% end -%> <% if !@forwarders.empty? -%> + <% if @forward_only -%> + forward only; + <% end -%> forwarders { <%= @forwarders.join("; ") %>; }; +<% end -%> +<% if @forward -%> + forward <%= @forward %>; <% end -%> directory "<%= @directory %>"; <% if @managed_keys_directory -%> @@ -87,12 +103,14 @@ options { <% end -%> <% end -%> - dnssec-enable <%= @dnssec_enable %>; dnssec-validation <%= @dnssec_validation %>; - dnssec-lookaside <%= @dnssec_lookaside %>; /* Path to ISC DLV key */ - bindkeys-file "/etc/named.iscdlv.key"; + bindkeys-file "<%= @file_bindkeys %>"; +}; + +statistics-channels { + inet 127.0.0.1 port 8053 allow { 127.0.0.1; }; }; statistics-channels { @@ -155,11 +173,6 @@ logging { severity dynamic; print-time yes; }; - channel queries_file { - file "/var/log/named/queries.log" versions 3 size 5m; - severity dynamic; - print-time yes; - }; channel network_file { file "/var/log/named/network.log" versions 3 size 5m; severity dynamic; @@ -185,6 +198,13 @@ logging { severity dynamic; print-time yes; }; + channel queries_file { + file "/var/log/named/queries.log" versions 8 size 200m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; category default { default_file; }; category general { general_file; }; @@ -207,7 +227,7 @@ logging { <% if !@views.empty? -%> <% @views.sort_by {|key,value| key}.each do |key,value| -%> -<% valid_keys = %w(allow-notify allow-query allow-recursion allow-transfer allow-update-forwarding forwarders match-clients match-destinations match-recursive-only) -%> +<% valid_keys = %w(allow-notify allow-query allow-recursion allow-transfer allow-update-forwarding forward forwarders match-clients match-destinations match-recursive-only) -%> view "<%= key %>" { <% valid_keys.sort.each do |valid_key| -%> <% if value[valid_key] and !value[valid_key].empty? -%> 
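Review bot: The added `statistics-channels { inet 127.0.0.1 port 8053 allow { 127.0.0.1; }; };` is immediately followed by the pre-existing `statistics-channels {` context line, so the rendered named.conf now carries two statistics-channels blocks; even if named tolerates the repetition, the new copy looks like an accidental paste of the block below (whose body is outside this hunk) and should be dropped. Keeping the listener on 127.0.0.1 with a matching `allow` list is the right default for the statistics channel. Dropping `dnssec-enable` and `dnssec-lookaside` matches newer BIND releases, which removed both options, but `bindkeys-file "<%= @file_bindkeys %>";` is still emitted unconditionally and relies on every branch of params.pp supplying a path that exists.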
@@ -228,6 +248,7 @@ view "<%= key %>" { <% end -%> }; +<% end -%> <% end -%> <% if !@zones.empty? -%> /* Global zones */ @@ -238,17 +259,16 @@ view "<%= key %>" { <% end -%> }; -<% end -%> <% end -%> <% end -%> }; <% end -%> <% else -%><%# end views, start no views -%> -<% if @recursion == 'yes' -%> +<% if @recursion == 'yes' && @file_hint -%> zone "." IN { type hint; - file "db.root"; + file "<%= @file_hint %>"; }; <% end -%> @@ -263,7 +283,7 @@ zone "<%= key %>" IN { <% end -%> <% end -%> <% if @recursion == 'yes' -%> -include "/etc/bind/named.rfc1912.zones"; +include "<%= @file_rfc1912 %>"; <% end -%> <% end -%><%# end no views -%> <% if !@includes.empty? -%>