[WIP] Revert recursion/cache back to trusted
Revert recursion/cache back to "trusted". Also restrict zone transfers to "trusted". Change-Id: I172eb8c5e0f9cca1d977878b87c3d0467c33a8a7
parent
d00ea5f796
commit
dd0d9bfeb3
|
@ -0,0 +1,9 @@
|
||||||
|
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
index d76fcfa9a..0cca0fe8d 100644
|
||||||
|
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
@@ -18,3 +18,4 @@ allow-recursion { trusted; };
|
||||||
|
{{if not upstream_allow_query_cache}}
|
||||||
|
allow-query-cache { trusted; };
|
||||||
|
{{endif}}
|
||||||
|
+allow-transfer { trusted; };
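Review bot: `allow-transfer { trusted; };` inherits whatever `acl "trusted"` contains, and the companion `named.conf.template` hunk at L151-L163 shows that ACL is `localnets; localhost;`, so any host on a network directly attached to the controller can still pull full zone contents; if that is wider than intended, transfers need their own narrower ACL (for example only the secondaries' addresses) rather than reusing `trusted`. The statement lands after `{{endif}}`, so it applies unconditionally, which looks right; given the `allow-recursion` context it presumably sits at `options {}` level, where an explicit per-zone `allow-transfer` would still override it — confirm MAAS emits none. A one-line description above `diff --git` (text there is ignored by `patch`) would record the intent, e.g. `Restrict outbound zone transfers in the MAAS BIND options template to the trusted ACL`. The sections at L273-L311 and L479-L517 carry the same change for the other template revisions.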
|
|
@ -63,13 +63,17 @@ COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch
|
||||||
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
|
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
|
||||||
COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch
|
COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch
|
||||||
# Patch to allow any recursion and cache queries
|
# Patch to allow any recursion and cache queries
|
||||||
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
|
#COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
|
||||||
|
COPY 3.0_transfer_trusted_only.patch /tmp/3.0_transfer_trusted_only.patch
|
||||||
|
COPY logging.patch /tmp/logging.patch
|
||||||
|
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
|
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
|
#RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
|
||||||
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch
|
||||||
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.template < /tmp/logging.patch
|
||||||
|
|
||||||
# echo journalctl logs to the container's stdout
|
# echo journalctl logs to the container's stdout
|
||||||
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
|
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
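Review bot: The two new `RUN ... patch` lines (L108, L112) apply their patches with GNU patch's default fuzz factor of 2, so if a future MAAS package shifts the template's context lines the `allow-transfer` statement could be inserted at a fuzzy-matched offset instead of failing the build; `patch --fuzz=0 named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch` makes the step fail closed, and the same applies to L381/L385 and L583. The comment `# Patch to allow any recursion and cache queries` (L63) now sits above a commented-out `COPY` and describes the behaviour this commit removes, while the new `COPY 3.0_transfer_trusted_only.patch` and `COPY logging.patch` lines carry no comment; suggest `# Restrict zone transfers to the "trusted" ACL` above the transfer patch and `# Send BIND query/client/notify/security/xfer-out log categories to syslog` above logging.patch. If the allow_query patch is not coming back, deleting the `#COPY`/`#RUN` lines (L68, L104) is cleaner than leaving them as comments.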
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
diff --git a/src/provisioningserver/templates/dns/named.conf.template b/src/provisioningserver/templates/dns/named.conf.template
|
||||||
|
index a9095600e..a58369546 100644
|
||||||
|
--- a/src/provisioningserver/templates/dns/named.conf.template
|
||||||
|
+++ b/src/provisioningserver/templates/dns/named.conf.template
|
||||||
|
@@ -36,3 +36,13 @@ acl "trusted" {
|
||||||
|
localnets;
|
||||||
|
localhost;
|
||||||
|
};
|
||||||
|
+
|
||||||
|
+logging {
|
||||||
|
+
|
||||||
|
+ category queries { default_syslog; };
|
||||||
|
+ category client { default_syslog; };
|
||||||
|
+ category notify { default_syslog; };
|
||||||
|
+ category query-errors { default_syslog; };
|
||||||
|
+ category security { default_syslog; };
|
||||||
|
+ category xfer-out { default_syslog; };
|
||||||
|
+};
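Review bot: Configuring a channel for `category queries` (L179) appears to switch on BIND query logging whenever `querylog` is not set explicitly, so every client query handled by the controller will be written to syslog through the built-in `default_syslog` channel; that is valuable for detection but can be very high-volume, so confirm the retention and disk budget, or drop `queries` and keep `security` and `xfer-out`, which are the categories that record denied and granted transfers under the new `allow-transfer` rule. The file has no description above `diff --git` (text there is ignored by `patch`); suggest `Route BIND client, notify, query, query-error, security and xfer-out logging to the built-in default_syslog channel`. The same file is repeated at L404-L477.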
|
|
@ -62,13 +62,13 @@ COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch
|
||||||
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
|
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
|
||||||
COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch
|
COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch
|
||||||
# Patch to allow any recursion and cache queries
|
# Patch to allow any recursion and cache queries
|
||||||
COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch
|
#COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch
|
||||||
|
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
|
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch
|
#RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch
|
||||||
|
|
||||||
# echo journalctl logs to the container's stdout
|
# echo journalctl logs to the container's stdout
|
||||||
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
|
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
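Review bot: This 2.8 Dockerfile only comments out the allow_query patch (L226, L254); unlike its 3.0 counterpart at L48-L127 it neither copies nor applies the new `2.8_transfer_trusted_only.patch` added at L479-L517 (nor `logging.patch`), so unless that happens elsewhere in the file the 2.8 image keeps the template's existing transfer policy while the commit message says transfers are restricted. Adding `COPY 2.8_transfer_trusted_only.patch /tmp/2.8_transfer_trusted_only.patch` after L226 and `RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_transfer_trusted_only.patch` after L254 would align it. The stale comment `# Patch to allow any recursion and cache queries` (L221) should go with the disabled lines, or be rewritten to describe what replaces them.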
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
index d76fcfa9a..0cca0fe8d 100644
|
||||||
|
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
@@ -18,3 +18,4 @@ allow-recursion { trusted; };
|
||||||
|
{{if not upstream_allow_query_cache}}
|
||||||
|
allow-query-cache { trusted; };
|
||||||
|
{{endif}}
|
||||||
|
+allow-transfer { trusted; };
|
|
@ -66,7 +66,9 @@ COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_ex
|
||||||
# Allow tags with '/' symbols
|
# Allow tags with '/' symbols
|
||||||
COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch
|
COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch
|
||||||
# Patch to allow any recursion and cache queries
|
# Patch to allow any recursion and cache queries
|
||||||
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
|
#COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
|
||||||
|
COPY 3.0_transfer_trusted_only.patch /tmp/3.0_transfer_trusted_only.patch
|
||||||
|
COPY logging.patch /tmp/logging.patch
|
||||||
|
|
||||||
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch
|
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch
|
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch
|
||||||
|
@ -77,7 +79,9 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc
|
||||||
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
|
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch
|
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch
|
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
|
#RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
|
||||||
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch
|
||||||
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.template < /tmp/logging.patch
|
||||||
|
|
||||||
# echo journalctl logs to the container's stdout
|
# echo journalctl logs to the container's stdout
|
||||||
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
|
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
diff --git a/src/provisioningserver/templates/dns/named.conf.template b/src/provisioningserver/templates/dns/named.conf.template
|
||||||
|
index a9095600e..a58369546 100644
|
||||||
|
--- a/src/provisioningserver/templates/dns/named.conf.template
|
||||||
|
+++ b/src/provisioningserver/templates/dns/named.conf.template
|
||||||
|
@@ -36,3 +36,13 @@ acl "trusted" {
|
||||||
|
localnets;
|
||||||
|
localhost;
|
||||||
|
};
|
||||||
|
+
|
||||||
|
+logging {
|
||||||
|
+
|
||||||
|
+ category queries { default_syslog; };
|
||||||
|
+ category client { default_syslog; };
|
||||||
|
+ category notify { default_syslog; };
|
||||||
|
+ category query-errors { default_syslog; };
|
||||||
|
+ category security { default_syslog; };
|
||||||
|
+ category xfer-out { default_syslog; };
|
||||||
|
+};
|
|
@ -0,0 +1,9 @@
|
||||||
|
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
index ba1aee316..6eda771b0 100644
|
||||||
|
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
|
||||||
|
@@ -18,3 +18,4 @@ allow-recursion { trusted; };
|
||||||
|
{{if not upstream_allow_query_cache}}
|
||||||
|
allow-query-cache { trusted; };
|
||||||
|
{{endif}}
|
||||||
|
+allow-transfer { trusted; };
|
|
@ -65,7 +65,8 @@ COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_ex
|
||||||
# Avoid enlistment failures due to exceptions during moonshot detect attempts
|
# Avoid enlistment failures due to exceptions during moonshot detect attempts
|
||||||
COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch
|
COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch
|
||||||
# Patch to allow any recursion and cache queries
|
# Patch to allow any recursion and cache queries
|
||||||
COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch
|
#COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch
|
||||||
|
COPY 2.8_transfer_trusted_only.patch /tmp/2.8_transfer_trusted_only.patch
|
||||||
|
|
||||||
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch
|
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch
|
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch
|
||||||
|
@ -76,7 +77,8 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc
|
||||||
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
|
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch
|
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch
|
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch
|
||||||
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch
|
#RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch
|
||||||
|
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_transfer_trusted_only.patch
|
||||||
|
|
||||||
# echo journalctl logs to the container's stdout
|
# echo journalctl logs to the container's stdout
|
||||||
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
|
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
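Review bot: This 2.8 Dockerfile applies `2.8_transfer_trusted_only.patch` (L542, L583) but, unlike the 3.0 counterpart at L312-L402, does not copy or apply `logging.patch` to `named.conf.template`; the hunk headers (`+65,8`, `+77,8`) show exactly one addition each, so it is not hidden in this hunk. If the omission is deliberate, a comment such as `# logging.patch not applied on 2.8: <reason>` would stop the next reader from assuming it was missed; if not, add the `COPY logging.patch` and `RUN ... patch named.conf.template < /tmp/logging.patch` pair as in the 3.0 file. The comment `# Patch to allow any recursion and cache queries` (L533) now describes a disabled step and should be updated alongside the `#COPY` line.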
|
||||||
|
|