Disable ipv6 for bind9 named service

* Allow any recursion and cache queries for named svc
 * Bump maas v3 to the actual version

Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: I16a4ec843dc73a2349e8603d4200920599eab918
Ruslan Aliev 2023-07-11 18:06:23 -05:00
parent 565d20ee18
commit eaabbb2722
14 changed files with 97 additions and 13 deletions


@ -36,7 +36,7 @@ data:
{{- if .Values.conf.bind.append -}} {{- if .Values.conf.bind.append -}}
{{ .Values.conf.bind.append | indent 4 }} {{ .Values.conf.bind.append | indent 4 }}
{{- end }} {{- end }}
bind9: | named: |
{{ tuple "etc/_bind9.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "etc/_bind9.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
nginx.conf: | nginx.conf: |
{{ tuple "etc/_nginx.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "etc/_nginx.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}


@ -1,8 +1,8 @@
{{/* file location: /etc/default/bind9 */}} {{/* file location: /etc/default/named */}}
{{- $cpus := index .Values.conf.bind "cpus" -}} {{- $cpus := index .Values.conf.bind "cpus" -}}
# #
# run resolvconf? # run resolvconf?
RESOLVCONF=no RESOLVCONF=no
# startup options for the server # startup options for the server
OPTIONS="-u bind {{- if $cpus }} -n {{ $cpus }}{{ end }}" OPTIONS="-4 -u bind {{- if $cpus }} -n {{ $cpus }}{{ end }}"


@ -14,5 +14,5 @@
options { directory "/var/cache/bind"; options { directory "/var/cache/bind";
auth-nxdomain no; auth-nxdomain no;
listen-on-v6 { any; }; listen-on-v6 { none; };
include "/etc/bind/maas/named.conf.options.inside.maas"; }; include "/etc/bind/maas/named.conf.options.inside.maas"; };


@ -142,9 +142,17 @@ spec:
mountPath: /var/lib/maas/http/nginx.conf mountPath: /var/lib/maas/http/nginx.conf
subPath: nginx.conf subPath: nginx.conf
readOnly: true readOnly: true
- name: maas-etc
mountPath: /etc/default/named
subPath: named
readOnly: true
- name: maas-etc - name: maas-etc
mountPath: /etc/default/bind9 mountPath: /etc/default/bind9
subPath: bind9 subPath: named
readOnly: true
- name: maas-etc
mountPath: /etc/bind/named.conf.options
subPath: named.conf.options
readOnly: true readOnly: true
{{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
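Review bot: The new `/etc/bind/named.conf.options` mount uses `subPath: named.conf.options`, but the ConfigMap hunk on this page only shows the `bind9` key being renamed to `named`, so it is not visible here that the `maas-etc` ConfigMap defines a `named.conf.options` key; please confirm it does, otherwise the `listen-on-v6 { none; };` setting will not reach the pod. The region hunk that follows adds the `/etc/default/named` mount but no `named.conf.options` mount, so unless that mount already exists outside the hunk, IPv6 listening is only disabled in the rack pod. The retained `/etc/default/bind9` mount deserves a short comment such as `# kept for images that still read /etc/default/bind9`, if that is the reason. The volumeMounts list starts outside this hunk.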


@ -169,9 +169,13 @@ spec:
subPath: curtin subPath: curtin
readOnly: true readOnly: true
{{- end }} {{- end }}
- name: maas-etc
mountPath: /etc/default/named
subPath: named
readOnly: true
- name: maas-etc - name: maas-etc
mountPath: /etc/default/bind9 mountPath: /etc/default/bind9
subPath: bind9 subPath: named
readOnly: true readOnly: true
{{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }} {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:


@ -0,0 +1,15 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..d198e90b9 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ empty-zones-enable no;
allow-query { any; };
{{endif}}
{{if not upstream_allow_recursion}}
-allow-recursion { trusted; };
+allow-recursion { any; };
{{endif}}
{{if not upstream_allow_query_cache}}
-allow-query-cache { trusted; };
+allow-query-cache { any; };
{{endif}}
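Review bot: Setting both `allow-recursion { any; };` and `allow-query-cache { any; };` next to the existing `allow-query { any; };` makes named an open recursive resolver for every client that can reach port 53, which exposes it to abuse as a DNS amplification reflector and widens its cache-poisoning exposure. The same two-line change is repeated in the other three `*_allow_query.patch` files on this page (2.8 and 3.0 variants). Unless the service is guaranteed to be reachable only from the provisioning networks, I would keep an ACL here and widen it instead, for example `allow-recursion { trusted; localnets; };`, or feed the extra subnets into the `trusted` ACL from chart values. If `any` is intended, the patch should carry a comment naming the network control (NetworkPolicy, firewall) that keeps untrusted clients away from port 53.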


@ -18,7 +18,7 @@ ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
ENV container docker ENV container docker
ENV MAAS_VERSION 1:3.0.0-10029-g.986ea3e45-0ubuntu1~20.04.1 ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1
RUN apt-get -qq update \ RUN apt-get -qq update \
&& apt-get install -y \ && apt-get install -y \
@ -62,11 +62,14 @@ COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch
COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch
# Patch to allow any recursion and cache queries
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
@ -76,7 +79,7 @@ RUN systemctl enable journalctl-to-tty.service
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug # avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
# initalize systemd # initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
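Review bot: The `RUN sed ... && /usr/lib/maas/maas-common setup-dns` line now does two things, but the comment above it still describes only the bind.keys workaround, so the reason for running `setup-dns` at image build time is undocumented; the same line appears in the other three Dockerfiles on this page. I would add a comment such as `# re-run setup-dns so named.conf.options.inside.maas is rendered from the patched template`, assuming that is the intent. It is also worth confirming whether `setup-dns` regenerates rndc key material: if it does, the key is baked into an image layer and shared by every container started from the image.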


@ -0,0 +1,15 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index ba1aee316..ab5766210 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ dnssec-validation {{dnssec_validation}};
allow-query { any; };
{{endif}}
{{if not upstream_allow_recursion}}
-allow-recursion { trusted; };
+allow-recursion { any; };
{{endif}}
{{if not upstream_allow_query_cache}}
-allow-query-cache { trusted; };
+allow-query-cache { any; };
{{endif}}


@ -61,11 +61,14 @@ COPY 2.8_secure_headers.patch /tmp/2.8_secure_headers.patch
COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch
# Patch to allow any recursion and cache queries
COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
@ -75,7 +78,7 @@ RUN systemctl enable journalctl-to-tty.service
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug # avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
# initalize systemd # initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]


@ -0,0 +1,15 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..d198e90b9 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ empty-zones-enable no;
allow-query { any; };
{{endif}}
{{if not upstream_allow_recursion}}
-allow-recursion { trusted; };
+allow-recursion { any; };
{{endif}}
{{if not upstream_allow_query_cache}}
-allow-query-cache { trusted; };
+allow-query-cache { any; };
{{endif}}


@ -18,7 +18,7 @@ ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
ENV container docker ENV container docker
ENV MAAS_VERSION 1:3.0.0-10029-g.986ea3e45-0ubuntu1~20.04.1 ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1
RUN apt-get -qq update \ RUN apt-get -qq update \
&& apt-get install -y \ && apt-get install -y \
@ -65,6 +65,8 @@ COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch
COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch
# Allow tags with '/' symbols # Allow tags with '/' symbols
COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch
# Patch to allow any recursion and cache queries
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch
@ -75,6 +77,7 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
@ -84,7 +87,7 @@ RUN systemctl enable journalctl-to-tty.service
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug # avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
# initalize systemd # initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]


@ -0,0 +1,15 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index ba1aee316..ab5766210 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ dnssec-validation {{dnssec_validation}};
allow-query { any; };
{{endif}}
{{if not upstream_allow_recursion}}
-allow-recursion { trusted; };
+allow-recursion { any; };
{{endif}}
{{if not upstream_allow_query_cache}}
-allow-query-cache { trusted; };
+allow-query-cache { any; };
{{endif}}


@ -64,6 +64,8 @@ COPY 2.8_region_secret_rotate.patch /tmp/2.8_region_secret_rotate.patch
COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_exist.patch COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_exist.patch
# Avoid enlistment failures due to exceptions during moonshot detect attempts # Avoid enlistment failures due to exceptions during moonshot detect attempts
COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch
# Patch to allow any recursion and cache queries
COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch
@ -74,6 +76,7 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
@ -83,7 +86,7 @@ RUN systemctl enable journalctl-to-tty.service
RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log
# avoid triggering bind9 high cpu utilization bug # avoid triggering bind9 high cpu utilization bug
RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns
# initalize systemd # initalize systemd
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]