From 9c361ef2e5c43103f11029606d1049b4fa0f9dcd Mon Sep 17 00:00:00 2001
From: "Mosher, Jaymes (jm616v)"
Date: Thu, 28 Mar 2024 15:44:08 -0600
Subject: [PATCH] Revert recursion/cache back to "trusted"

Revert recursion/cache back to "trusted"
Also restrict zone transfers to "trusted"
Change-Id: I172eb8c5e0f9cca1d977878b87c3d0467c33a8a7
---
 ....patch => 3.0_transfer_trusted_only.patch} | 24 +++++++------------
 images/maas-rack-controller-focal/Dockerfile | 6 ++---
 .../2.8_transfer_trusted_only.patch} | 24 +++++++------------
 images/maas-rack-controller/Dockerfile | 6 ++---
 .../3.0_transfer_trusted_only.patch} | 24 +++++++------------
 .../maas-region-controller-focal/Dockerfile | 6 ++---
 ....patch => 2.8_transfer_trusted_only.patch} | 24 +++++++------------
 images/maas-region-controller/Dockerfile | 6 ++---
 8 files changed, 48 insertions(+), 72 deletions(-)
 rename images/maas-rack-controller-focal/{3.0_allow_query.patch => 3.0_transfer_trusted_only.patch} (58%)
 rename images/{maas-region-controller-focal/3.0_allow_query.patch => maas-rack-controller/2.8_transfer_trusted_only.patch} (58%)
 rename images/{maas-rack-controller/2.8_allow_query.patch => maas-region-controller-focal/3.0_transfer_trusted_only.patch} (56%)
 rename images/maas-region-controller/{2.8_allow_query.patch => 2.8_transfer_trusted_only.patch} (56%)

diff --git a/images/maas-rack-controller-focal/3.0_allow_query.patch b/images/maas-rack-controller-focal/3.0_transfer_trusted_only.patch
similarity index 58%
rename from images/maas-rack-controller-focal/3.0_allow_query.patch
rename to images/maas-rack-controller-focal/3.0_transfer_trusted_only.patch
index bbff6a9..f772e79 100644
--- a/images/maas-rack-controller-focal/3.0_allow_query.patch
+++ b/images/maas-rack-controller-focal/3.0_transfer_trusted_only.patch
@@ -1,15 +1,9 @@
-diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-index d76fcfa9a..d198e90b9 100644
---- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-@@ -13,8 +13,8 @@ empty-zones-enable no;
- allow-query { any; };
- {{endif}}
- {{if not upstream_allow_recursion}}
--allow-recursion { trusted; };
-+allow-recursion { any; };
- {{endif}}
- {{if not upstream_allow_query_cache}}
--allow-query-cache { trusted; };
-+allow-query-cache { any; };
- {{endif}}
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index d76fcfa9a..0cca0fe8d 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -18,3 +18,4 @@ allow-recursion { trusted; };
+ {{if not upstream_allow_query_cache}}
+ allow-query-cache { trusted; };
+ {{endif}}
++allow-transfer { trusted; };
diff --git a/images/maas-rack-controller-focal/Dockerfile b/images/maas-rack-controller-focal/Dockerfile
index b4b826a..e83f86d 100644
--- a/images/maas-rack-controller-focal/Dockerfile
+++ b/images/maas-rack-controller-focal/Dockerfile
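Review bot: The new `+allow-transfer { trusted; };` line in the embedded hunk is the only ACL in this block with no `{{if not upstream_…}}` guard around it, while the `allow-query`, `allow-recursion` and `allow-query-cache` statements visible in the removed hunk are each conditional, so no MAAS-side setting can ever relax it; if that is intended, say so next to the line so a later revision does not read it as an oversight, e.g. add `+// Zone transfers stay limited to the trusted ACL; no upstream_* setting opens them up.` above it and bump the inner header to `@@ -18,3 +18,5 @@`. Because the statement lands in the options block it is only a default, and any zone-level allow-transfer that MAAS renders elsewhere would override it, which this patch alone cannot confirm. The same embedded hunk is repeated for maas-rack-controller/2.8_transfer_trusted_only.patch, maas-region-controller-focal/3.0_transfer_trusted_only.patch and maas-region-controller/2.8_transfer_trusted_only.patch (the 2.8 variants differ only in the inner `index` line), so whatever is decided here applies to all four.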
@@ -62,14 +62,14 @@ COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch
 COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch
 # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
 COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch
-# Patch to allow any recursion and cache queries
-COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
+# Patch to restrict access to zone transfers
+COPY 3.0_transfer_trusted_only.patch /tmp/3.0_transfer_trusted_only.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch
 RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch
 # echo journalctl logs to the container's stdout
 COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
diff --git a/images/maas-region-controller-focal/3.0_allow_query.patch b/images/maas-rack-controller/2.8_transfer_trusted_only.patch
similarity index 58%
rename from images/maas-region-controller-focal/3.0_allow_query.patch
rename to images/maas-rack-controller/2.8_transfer_trusted_only.patch
index bbff6a9..3a728e2 100644
--- a/images/maas-region-controller-focal/3.0_allow_query.patch
+++ b/images/maas-rack-controller/2.8_transfer_trusted_only.patch
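Review bot: The replaced `RUN … patch named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch` line applies a hunk that carries three lines of leading context and none trailing, under GNU patch's default fuzz of 2, so if the template shifts in a later MAAS package the ACL line can be placed at the wrong spot silently instead of failing the build; the 2.8 and 3.0 templates appear to differ already (the removed patches' inner hunk headers show `dnssec-validation` versus `empty-zones-enable` at the same position). Since this is the line that decides who may pull zone data, I would make a non-exact match a hard failure: `RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch --fuzz=0 named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch`. The same RUN line is changed in the maas-rack-controller, maas-region-controller-focal and maas-region-controller Dockerfiles and should get the same flag.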
@@ -1,15 +1,9 @@
-diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-index d76fcfa9a..d198e90b9 100644
---- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-@@ -13,8 +13,8 @@ empty-zones-enable no;
- allow-query { any; };
- {{endif}}
- {{if not upstream_allow_recursion}}
--allow-recursion { trusted; };
-+allow-recursion { any; };
- {{endif}}
- {{if not upstream_allow_query_cache}}
--allow-query-cache { trusted; };
-+allow-query-cache { any; };
- {{endif}}
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index ba1aee316..6eda771b0 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -18,3 +18,4 @@ allow-recursion { trusted; };
+ {{if not upstream_allow_query_cache}}
+ allow-query-cache { trusted; };
+ {{endif}}
++allow-transfer { trusted; };
diff --git a/images/maas-rack-controller/Dockerfile b/images/maas-rack-controller/Dockerfile
index 24e5ed5..bb2d0db 100644
--- a/images/maas-rack-controller/Dockerfile
+++ b/images/maas-rack-controller/Dockerfile
@@ -61,14 +61,14 @@ COPY 2.8_secure_headers.patch /tmp/2.8_secure_headers.patch
 COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch
 # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
 COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch
-# Patch to allow any recursion and cache queries
-COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch
+# Patch to restrict access to zone transfers
+COPY 2.8_transfer_trusted_only.patch /tmp/2.8_transfer_trusted_only.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch
 RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_transfer_trusted_only.patch
 # echo journalctl logs to the container's stdout
 COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
diff --git a/images/maas-rack-controller/2.8_allow_query.patch b/images/maas-region-controller-focal/3.0_transfer_trusted_only.patch
similarity index 56%
rename from images/maas-rack-controller/2.8_allow_query.patch
rename to images/maas-region-controller-focal/3.0_transfer_trusted_only.patch
index d55e76d..f772e79 100644
--- a/images/maas-rack-controller/2.8_allow_query.patch
+++ b/images/maas-region-controller-focal/3.0_transfer_trusted_only.patch
@@ -1,15 +1,9 @@
-diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-index ba1aee316..ab5766210 100644
---- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-@@ -13,8 +13,8 @@ dnssec-validation {{dnssec_validation}};
- allow-query { any; };
- {{endif}}
- {{if not upstream_allow_recursion}}
--allow-recursion { trusted; };
-+allow-recursion { any; };
- {{endif}}
- {{if not upstream_allow_query_cache}}
--allow-query-cache { trusted; };
-+allow-query-cache { any; };
- {{endif}}
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index d76fcfa9a..0cca0fe8d 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -18,3 +18,4 @@ allow-recursion { trusted; };
+ {{if not upstream_allow_query_cache}}
+ allow-query-cache { trusted; };
+ {{endif}}
++allow-transfer { trusted; };
diff --git a/images/maas-region-controller-focal/Dockerfile b/images/maas-region-controller-focal/Dockerfile
index 2d9a463..003a759 100644
--- a/images/maas-region-controller-focal/Dockerfile
+++ b/images/maas-region-controller-focal/Dockerfile
@@ -65,8 +65,8 @@ COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch
 COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch
 # Allow tags with '/' symbols
 COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch
-# Patch to allow any recursion and cache queries
-COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
+# Patch to restrict access to zone transfers
+COPY 3.0_transfer_trusted_only.patch /tmp/3.0_transfer_trusted_only.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch
@@ -77,7 +77,7 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc
 RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch
 # echo journalctl logs to the container's stdout
 COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
diff --git a/images/maas-region-controller/2.8_allow_query.patch b/images/maas-region-controller/2.8_transfer_trusted_only.patch
similarity index 56%
rename from images/maas-region-controller/2.8_allow_query.patch
rename to images/maas-region-controller/2.8_transfer_trusted_only.patch
index d55e76d..3a728e2 100644
--- a/images/maas-region-controller/2.8_allow_query.patch
+++ b/images/maas-region-controller/2.8_transfer_trusted_only.patch
@@ -1,15 +1,9 @@
-diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-index ba1aee316..ab5766210 100644
---- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-@@ -13,8 +13,8 @@ dnssec-validation {{dnssec_validation}};
- allow-query { any; };
- {{endif}}
- {{if not upstream_allow_recursion}}
--allow-recursion { trusted; };
-+allow-recursion { any; };
- {{endif}}
- {{if not upstream_allow_query_cache}}
--allow-query-cache { trusted; };
-+allow-query-cache { any; };
- {{endif}}
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index ba1aee316..6eda771b0 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -18,3 +18,4 @@ allow-recursion { trusted; };
+ {{if not upstream_allow_query_cache}}
+ allow-query-cache { trusted; };
+ {{endif}}
++allow-transfer { trusted; };
diff --git a/images/maas-region-controller/Dockerfile b/images/maas-region-controller/Dockerfile
index 955b33d..46e51c8 100644
--- a/images/maas-region-controller/Dockerfile
+++ b/images/maas-region-controller/Dockerfile
@@ -64,8 +64,8 @@ COPY 2.8_region_secret_rotate.patch /tmp/2.8_region_secret_rotate.patch
 COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_exist.patch
 # Avoid enlistment failures due to exceptions during moonshot detect attempts
 COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch
-# Patch to allow any recursion and cache queries
-COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch
+# Patch to restrict access to zone transfers
+COPY 2.8_transfer_trusted_only.patch /tmp/2.8_transfer_trusted_only.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch
@@ -76,7 +76,7 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc
 RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch
 RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_transfer_trusted_only.patch
 # echo journalctl logs to the container's stdout
 COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service