opendev/system-config
Code Issues Proposed changes

Always make /etc/resolv.conf immutable

Browse Source 
Maybe, just maybe, it will stop the rax file injection.

Change-Id: I4258fa52e43b0a93f30319630291e5ae0f37a548
This commit is contained in:
James E. Blair 2014-04-25 09:56:17 -07:00
parent 9de8df3508
commit 2e0a4beb13
1 changed files with 21 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
modules/unbound/manifests/init.pp
View File

@ -40,15 +40,6 @@ class unbound (
require => File['/etc/default/unbound'], require => File['/etc/default/unbound'],
} }
# Rackspace uses static config files
file { '/etc/resolv.conf':
content => "nameserver 127.0.0.1\n",
owner => 'root',
group => 'root',
mode => '0444',
require => Service['unbound'],
}
# Tripleo uses dhcp # Tripleo uses dhcp
file { '/etc/dhcp/dhclient.conf': file { '/etc/dhcp/dhclient.conf':
source => 'puppet:///modules/unbound/dhclient.conf.debian', source => 'puppet:///modules/unbound/dhclient.conf.debian',
@ -65,33 +56,33 @@ class unbound (
ensure => present, ensure => present,
} }
# Rackspace uses static config files
file { '/etc/resolv.conf':
content => "nameserver 127.0.0.1\n",
owner => 'root',
group => 'root',
mode => '0444',
require => Service['unbound'],
notify => Exec['make-resolv-conf-immutable'],
}
# Rackspace uses file injection to configure networking which
# overwrites all of the files on disk where we could set the env
# variable to disable the resolv.conf update on network-up.
# Instead, make that file immutable so that the update will fail
# (harmlessly). Of course this means Puppet won't be able to
# update it either after this, but we don't plan on changing it.
exec { 'make-resolv-conf-immutable':
command => '/usr/bin/chattr +i /etc/resolv.conf',
refreshonly => true,
}
# HPCloud uses dhclient; tell dhclient to use our nameserver instead. # HPCloud uses dhclient; tell dhclient to use our nameserver instead.
exec { '/usr/bin/printf "\nsupersede domain-name-servers 127.0.0.1;\n" >> /etc/dhcp/dhclient-eth0.conf': exec { '/usr/bin/printf "\nsupersede domain-name-servers 127.0.0.1;\n" >> /etc/dhcp/dhclient-eth0.conf':
unless => '/bin/grep -q "supersede domain-name-servers" /etc/dhcp/dhclient-eth0.conf' unless => '/bin/grep -q "supersede domain-name-servers" /etc/dhcp/dhclient-eth0.conf'
} }
} }
# Rackspace uses static config files
file { '/etc/resolv.conf':
content => "nameserver 127.0.0.1\n",
owner => 'root',
group => 'root',
mode => '0444',
require => Service['unbound'],
notify => Exec['make-resolv-conf-immutable'],
}
# Rackspace uses file injection to configure networking which
# overwrites all of the files on disk where we could set the env
# variable to disable the resolv.conf update on network-up.
# Instead, make that file immutable so that the update will fail
# (harmlessly). Of course this means Puppet won't be able to
# update it either after this, but we don't plan on changing it.
exec { 'make-resolv-conf-immutable':
command => '/usr/bin/chattr +i /etc/resolv.conf',
refreshonly => true,
}
service { 'unbound': service { 'unbound':
ensure => running, ensure => running,
name => 'unbound', name => 'unbound',