From eaabbb27228aeeb777597f03496fcd2777a980ab Mon Sep 17 00:00:00 2001 From: Ruslan Aliev Date: Tue, 11 Jul 2023 18:06:23 -0500 Subject: [PATCH] Disable ipv6 for bind9 named service * Allow any recursion and cache queries for named svc * Bump maas v3 to the actual version Signed-off-by: Ruslan Aliev Change-Id: I16a4ec843dc73a2349e8603d4200920599eab918 --- .../templates/bin/_import-boot-resources.sh.tpl | 2 +- charts/maas/templates/configmap-etc.yaml | 2 +- charts/maas/templates/etc/_bind9.tpl | 4 ++-- charts/maas/templates/etc/_region-dns-config.tpl | 2 +- charts/maas/templates/statefulset-rack.yaml | 10 +++++++++- charts/maas/templates/statefulset-region.yaml | 6 +++++- .../3.0_allow_query.patch | 15 +++++++++++++++ images/maas-rack-controller-focal/Dockerfile | 7 +++++-- images/maas-rack-controller/2.8_allow_query.patch | 15 +++++++++++++++ images/maas-rack-controller/Dockerfile | 5 ++++- .../3.0_allow_query.patch | 15 +++++++++++++++ images/maas-region-controller-focal/Dockerfile | 7 +++++-- .../maas-region-controller/2.8_allow_query.patch | 15 +++++++++++++++ images/maas-region-controller/Dockerfile | 5 ++++- 14 files changed, 97 insertions(+), 13 deletions(-) create mode 100644 images/maas-rack-controller-focal/3.0_allow_query.patch create mode 100644 images/maas-rack-controller/2.8_allow_query.patch create mode 100644 images/maas-region-controller-focal/3.0_allow_query.patch create mode 100644 images/maas-region-controller/2.8_allow_query.patch diff --git a/charts/maas/templates/bin/_import-boot-resources.sh.tpl b/charts/maas/templates/bin/_import-boot-resources.sh.tpl index 9aff060..7ca5999 100644 --- a/charts/maas/templates/bin/_import-boot-resources.sh.tpl +++ b/charts/maas/templates/bin/_import-boot-resources.sh.tpl @@ -251,4 +251,4 @@ then else echo "Image import FAILED!" exit 1 -fi \ No newline at end of file +fi diff --git a/charts/maas/templates/configmap-etc.yaml b/charts/maas/templates/configmap-etc.yaml index 04d2bf0..823743d 100644 
--- a/charts/maas/templates/configmap-etc.yaml +++ b/charts/maas/templates/configmap-etc.yaml @@ -36,7 +36,7 @@ data: {{- if .Values.conf.bind.append -}} {{ .Values.conf.bind.append | indent 4 }} {{- end }} - bind9: | + named: | {{ tuple "etc/_bind9.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} nginx.conf: | {{ tuple "etc/_nginx.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} diff --git a/charts/maas/templates/etc/_bind9.tpl b/charts/maas/templates/etc/_bind9.tpl index 52679f3..6fe804a 100644 --- a/charts/maas/templates/etc/_bind9.tpl +++ b/charts/maas/templates/etc/_bind9.tpl @@ -1,8 +1,8 @@ -{{/* file location: /etc/default/bind9 */}} +{{/* file location: /etc/default/named */}} {{- $cpus := index .Values.conf.bind "cpus" -}} # # run resolvconf? RESOLVCONF=no # startup options for the server -OPTIONS="-u bind {{- if $cpus }} -n {{ $cpus }}{{ end }}" +OPTIONS="-4 -u bind {{- if $cpus }} -n {{ $cpus }}{{ end }}" diff --git a/charts/maas/templates/etc/_region-dns-config.tpl b/charts/maas/templates/etc/_region-dns-config.tpl index 262abde..e984930 100644 --- a/charts/maas/templates/etc/_region-dns-config.tpl +++ b/charts/maas/templates/etc/_region-dns-config.tpl @@ -14,5 +14,5 @@ options { directory "/var/cache/bind"; auth-nxdomain no; -listen-on-v6 { any; }; +listen-on-v6 { none; }; include "/etc/bind/maas/named.conf.options.inside.maas"; }; diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml index 08178ef..f8ce48f 100644 --- a/charts/maas/templates/statefulset-rack.yaml +++ b/charts/maas/templates/statefulset-rack.yaml 
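Review bot: The IPv6 switch-off is now split across two files with nothing tying them together: `-4` in the OPTIONS line of `_bind9.tpl` and `listen-on-v6 { none; }` in `_region-dns-config.tpl`; `-4` on its own already keeps named off IPv6 sockets, so the second setting is belt-and-braces and a reader of either file cannot tell that from the text. A one-line comment next to the OPTIONS line would record the intent, e.g. `# -4: IPv4 only; the region's named.conf also sets listen-on-v6 { none; }`. Note that `-4` only takes effect if the service unit actually sources this file, which depends on whether the package ships `named.service` or `bind9.service`; the chart appears to mount the same content at both `/etc/default/named` and `/etc/default/bind9` for that reason, and that is worth a comment here too.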
@@ -142,9 +142,17 @@ spec:
 mountPath: /var/lib/maas/http/nginx.conf
 subPath: nginx.conf
 readOnly: true
+ - name: maas-etc
+ mountPath: /etc/default/named
+ subPath: named
+ readOnly: true
 - name: maas-etc
 mountPath: /etc/default/bind9
- subPath: bind9
+ subPath: named
+ readOnly: true
+ - name: maas-etc
+ mountPath: /etc/bind/named.conf.options
+ subPath: named.conf.options
 readOnly: true
 {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
 volumes:
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index 9dda50d..b91c50d 100644
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -169,9 +169,13 @@ spec:
 subPath: curtin
 readOnly: true
 {{- end }}
+ - name: maas-etc
+ mountPath: /etc/default/named
+ subPath: named
+ readOnly: true
 - name: maas-etc
 mountPath: /etc/default/bind9
- subPath: bind9
+ subPath: named
 readOnly: true
 {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
 volumes:
diff --git a/images/maas-rack-controller-focal/3.0_allow_query.patch b/images/maas-rack-controller-focal/3.0_allow_query.patch
new file mode 100644
index 0000000..bbff6a9
--- /dev/null
+++ b/images/maas-rack-controller-focal/3.0_allow_query.patch
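Review bot: The rack StatefulSet now mounts `/etc/bind/named.conf.options` from configmap key `named.conf.options`, but the `configmap-etc.yaml` hunk in this commit only renames `bind9` to `named` and adds no such key; if that key is not already defined elsewhere in the chart, the subPath mount fails and the rack pod never starts, so its origin should be checked before merge. The region StatefulSet gets no matching mount, so after this change the rack's bind options are chart-managed while the region's are whatever the image carries; if that asymmetry is intended, a comment on the rack mount would stop someone "fixing" it, e.g. `# named.conf.options is chart-managed on the rack only; the region keeps the image default`. Mounting the same `named` key at both `/etc/default/named` and `/etc/default/bind9` is presumably to cover either unit name the bind9 package may install — confirm and say so on the mount.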
@@ -0,0 +1,15 @@ +diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +index d76fcfa9a..d198e90b9 100644 +--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template ++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +@@ -13,8 +13,8 @@ empty-zones-enable no; + allow-query { any; }; + {{endif}} + {{if not upstream_allow_recursion}} +-allow-recursion { trusted; }; ++allow-recursion { any; }; + {{endif}} + {{if not upstream_allow_query_cache}} +-allow-query-cache { trusted; }; ++allow-query-cache { any; }; + {{endif}} diff --git a/images/maas-rack-controller-focal/Dockerfile b/images/maas-rack-controller-focal/Dockerfile index 4fc927f..4005574 100644 --- a/images/maas-rack-controller-focal/Dockerfile +++ b/images/maas-rack-controller-focal/Dockerfile @@ -18,7 +18,7 @@ ARG no_proxy ENV DEBIAN_FRONTEND noninteractive ENV container docker -ENV MAAS_VERSION 1:3.0.0-10029-g.986ea3e45-0ubuntu1~20.04.1 +ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1 RUN apt-get -qq update \ && apt-get install -y \ 
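Review bot: Replacing `trusted` with `any` in `allow-recursion` and `allow-query-cache` turns this named into an open recursive resolver for every source that can reach it on port 53, which is the classic amplification and cache-probing exposure and a step back from the upstream default; it is also hard-coded into the image rather than expressed as policy. If the `trusted` ACL is merely missing the cluster or pod networks, the supported route is to populate it (MAAS exposes this as the `dns_trusted_acl` setting, which appears to feed the `trusted` ACL this template references — confirm for the 2.8 and 3.0 builds in use) and leave the template alone; if `any` is really required, bound it at the listener instead (`listen-on` limited to the provisioning interfaces, or a NetworkPolicy on the rack and region pods) and record that decision in the Dockerfile comment that applies the patch. The same content is duplicated in images/maas-rack-controller/2.8_allow_query.patch, images/maas-region-controller-focal/3.0_allow_query.patch and images/maas-region-controller/2.8_allow_query.patch, with the 2.8 and 3.0 variants differing only in hunk context, so one copy per MAAS series would keep them from drifting.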
@@ -62,11 +62,14 @@ COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch +# Patch to allow any recursion and cache queries +COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch # echo journalctl logs to the container's stdout COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service @@ -76,7 +79,7 @@ RUN systemctl enable journalctl-to-tty.service RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log # avoid triggering bind9 high cpu utilization bug -RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf +RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns # initalize systemd CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] diff --git a/images/maas-rack-controller/2.8_allow_query.patch b/images/maas-rack-controller/2.8_allow_query.patch new file mode 100644 index 0000000..d55e76d --- /dev/null +++ b/images/maas-rack-controller/2.8_allow_query.patch 
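Review bot: The comment `# avoid triggering bind9 high cpu utilization bug` now heads a RUN that also executes `/usr/lib/maas/maas-common setup-dns`, so it no longer describes the step, and the reason setup-dns has to run at image build time is not recorded anywhere. Keep the sed line as is and give the new command its own line and comment, e.g. `# render the MAAS bind config into the image; must stay after the allow_query patch above, which it looks like setup-dns renders from` followed by `RUN /usr/lib/maas/maas-common setup-dns`, which also makes the ordering dependency on the patch RUN earlier in this file visible. The same pattern is repeated in images/maas-rack-controller/Dockerfile, images/maas-region-controller-focal/Dockerfile and images/maas-region-controller/Dockerfile and would want the same split.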
@@ -0,0 +1,15 @@
+diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+index ba1aee316..ab5766210 100644
+--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+@@ -13,8 +13,8 @@ dnssec-validation {{dnssec_validation}};
+ allow-query { any; };
+ {{endif}}
+ {{if not upstream_allow_recursion}}
+-allow-recursion { trusted; };
++allow-recursion { any; };
+ {{endif}}
+ {{if not upstream_allow_query_cache}}
+-allow-query-cache { trusted; };
++allow-query-cache { any; };
+ {{endif}}
diff --git a/images/maas-rack-controller/Dockerfile b/images/maas-rack-controller/Dockerfile
index 059071d..24e5ed5 100644
--- a/images/maas-rack-controller/Dockerfile
+++ b/images/maas-rack-controller/Dockerfile
@@ -61,11 +61,14 @@ COPY 2.8_secure_headers.patch /tmp/2.8_secure_headers.patch COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch +# Patch to allow any recursion and cache queries +COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch # echo journalctl logs to the container's stdout COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service @@ -75,7 +78,7 @@ RUN systemctl enable journalctl-to-tty.service RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log # avoid triggering bind9 high cpu utilization bug -RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf +RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns # initalize systemd CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] diff --git a/images/maas-region-controller-focal/3.0_allow_query.patch b/images/maas-region-controller-focal/3.0_allow_query.patch new file mode 100644 index 0000000..bbff6a9 --- /dev/null +++ b/images/maas-region-controller-focal/3.0_allow_query.patch 
@@ -0,0 +1,15 @@ +diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +index d76fcfa9a..d198e90b9 100644 +--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template ++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +@@ -13,8 +13,8 @@ empty-zones-enable no; + allow-query { any; }; + {{endif}} + {{if not upstream_allow_recursion}} +-allow-recursion { trusted; }; ++allow-recursion { any; }; + {{endif}} + {{if not upstream_allow_query_cache}} +-allow-query-cache { trusted; }; ++allow-query-cache { any; }; + {{endif}} diff --git a/images/maas-region-controller-focal/Dockerfile b/images/maas-region-controller-focal/Dockerfile index 8995d5a..59e2284 100644 --- a/images/maas-region-controller-focal/Dockerfile +++ b/images/maas-region-controller-focal/Dockerfile @@ -18,7 +18,7 @@ ARG no_proxy ENV DEBIAN_FRONTEND noninteractive ENV container docker -ENV MAAS_VERSION 1:3.0.0-10029-g.986ea3e45-0ubuntu1~20.04.1 +ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1 RUN apt-get -qq update \ && apt-get install -y \ @@ -65,6 +65,8 @@ COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch # Allow tags with '/' symbols COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch +# Patch to allow any recursion and cache queries +COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch 
@@ -75,6 +77,7 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch # echo journalctl logs to the container's stdout COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service @@ -84,7 +87,7 @@ RUN systemctl enable journalctl-to-tty.service RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log # avoid triggering bind9 high cpu utilization bug -RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf +RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns # initalize systemd CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"] diff --git a/images/maas-region-controller/2.8_allow_query.patch b/images/maas-region-controller/2.8_allow_query.patch new file mode 100644 index 0000000..d55e76d --- /dev/null +++ b/images/maas-region-controller/2.8_allow_query.patch 
@@ -0,0 +1,15 @@ +diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +index ba1aee316..ab5766210 100644 +--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template ++++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +@@ -13,8 +13,8 @@ dnssec-validation {{dnssec_validation}}; + allow-query { any; }; + {{endif}} + {{if not upstream_allow_recursion}} +-allow-recursion { trusted; }; ++allow-recursion { any; }; + {{endif}} + {{if not upstream_allow_query_cache}} +-allow-query-cache { trusted; }; ++allow-query-cache { any; }; + {{endif}} diff --git a/images/maas-region-controller/Dockerfile b/images/maas-region-controller/Dockerfile index 77d58b5..955b33d 100644 --- a/images/maas-region-controller/Dockerfile +++ b/images/maas-region-controller/Dockerfile @@ -64,6 +64,8 @@ COPY 2.8_region_secret_rotate.patch /tmp/2.8_region_secret_rotate.patch COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_exist.patch # Avoid enlistment failures due to exceptions during moonshot detect attempts COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch +# Patch to allow any recursion and cache queries +COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch 
@@ -74,6 +76,7 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch +RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch # echo journalctl logs to the container's stdout COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service @@ -83,7 +86,7 @@ RUN systemctl enable journalctl-to-tty.service RUN umask 0337; echo 'Defaults:maas !pam_session, !syslog' > /etc/sudoers.d/99-maas-no-log # avoid triggering bind9 high cpu utilization bug -RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf +RUN sed -i -e '$a\include "/etc/bind/bind.keys";' /etc/bind/named.conf && /usr/lib/maas/maas-common setup-dns # initalize systemd CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]