First draft of chroot implementation for Debian
- RHEL chroot code has been moved into a bind::chroot::package class - Debian family (and probably other families) can use the `bind::chroot::manual` class to enable chroot for bind using the method described here: https://wiki.debian.org/Bind9#Bind_Chroot
This commit is contained in:
committed by
Cedric DEFORTIS
parent
bcaafc05e1
commit
44bb1b0e0e
@@ -0,0 +1,60 @@
|
||||
class bind::chroot::manual(
|
||||
$chroot_dir = $::bind::defaults::chroot_dir,
|
||||
) inherits bind::defaults {
|
||||
exec { 'mkdir-p-$chroot_dir':
|
||||
command => "mkdir -p ${::bind::defaults::chroot_dir}",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
unless => "test -d ${::bind::defaults::chroot_dir}",
|
||||
}
|
||||
# Creating system dirs under chroot dir:
|
||||
file { ["${::bind::defaults::chroot_dir}",
|
||||
"${::bind::defaults::chroot_dir}/etc",
|
||||
"${::bind::defaults::chroot_dir}/dev",
|
||||
"${::bind::defaults::chroot_dir}/var",
|
||||
"${::bind::defaults::chroot_dir}/var/cache",
|
||||
"${::bind::defaults::chroot_dir}/var/run"]:
|
||||
ensure => directory,
|
||||
mode => '0660',
|
||||
require => Exec['mkdir-p-$chroot_dir'],
|
||||
}
|
||||
|
||||
file { ["${::bind::defaults::chroot_dir}/var/cache/bind",
|
||||
"${::bind::defaults::chroot_dir}/var/run/named"]:
|
||||
ensure => directory,
|
||||
mode => '0775',
|
||||
group => $::bind::defaults::bind_group,
|
||||
require => Exec['mkdir-p-$chroot_dir'],
|
||||
}
|
||||
|
||||
exec { 'mknod-dev-null':
|
||||
command => "mknod ${::bind::defaults::chroot_dir}/dev/null c 1 3",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
unless => "test -d ${::bind::defaults::chroot_dir}/dev/null",
|
||||
}
|
||||
exec { 'mknod-dev-random':
|
||||
command => "mknod ${::bind::defaults::chroot_dir}/dev/random c 1 8",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
unless => "test -d ${::bind::defaults::chroot_dir}/dev/random",
|
||||
}
|
||||
exec { 'mknod-dev-urandom':
|
||||
command => "mknod ${::bind::defaults::chroot_dir}/dev/urandom c 1 9",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
unless => "test -d ${::bind::defaults::chroot_dir}/dev/urandom",
|
||||
}
|
||||
file { [ "${::bind::defaults::chroot_dir}/dev/null",
|
||||
"${::bind::defaults::chroot_dir}/dev/random",
|
||||
"${::bind::defaults::chroot_dir}/dev/urandom"]:
|
||||
mode => '0660',
|
||||
require => [ Exec['mknod-dev-null'], Exec['mknod-dev-random'], Exec['mknod-dev-urandom'] ],
|
||||
}
|
||||
exec { 'mv-etc-bind-into-jailed-etc':
|
||||
command => "mv ${::bind::defaults::confdir} ${::bind::defaults::chroot_dir}",
|
||||
path => ['/bin', '/usr/bin'],
|
||||
unless => "test -d ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
|
||||
require => [ File["${::bind::defaults::chroot_dir}/etc"] ]
|
||||
}
|
||||
#-> file { '/etc/bind':
|
||||
# ensure => link,
|
||||
# target => "${::bind::defaults::chroot_dir}/${::bind::defaults::confdir}",
|
||||
#}
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
class bind::chroot::package(
|
||||
$chroot_dir = $::bind::defaults::chroot_dir,
|
||||
) inherits bind::defaults {
|
||||
package { 'bind-chroot':
|
||||
ensure => latest,
|
||||
}
|
||||
service { 'bind':
|
||||
ensure => running,
|
||||
name => 'named-chroot',
|
||||
enable => true,
|
||||
hasrestart => true,
|
||||
hasstatus => true,
|
||||
}
|
||||
# On RHEL Family, there is a dedicated service named-chroot and we need
|
||||
# to stop/disable 'named' service:
|
||||
service { 'bind-without-chroot':
|
||||
ensure => stopped,
|
||||
name => $::bind::defaults::bind_service,
|
||||
enable => false,
|
||||
}
|
||||
}
|
||||
@@ -17,9 +17,13 @@ class bind::defaults (
|
||||
$bind_chroot_dir = undef,
|
||||
$nsupdate_package = undef,
|
||||
$managed_keys_directory = undef,
|
||||
# NOTE: we need to be able to override this parameter when declaring class,
|
||||
# especially when not using hiera (i.e. when using Foreman as ENC):
|
||||
$default_zones_include = undef,
|
||||
$default_zones_source = undef,
|
||||
$isc_bind_keys = undef,
|
||||
$chroot_class = undef,
|
||||
$chroot_dir = undef,
|
||||
) {
|
||||
unless is_bool($supported) {
|
||||
fail('Please ensure that the dependencies of the bind module are installed and working correctly')
|
||||
|
||||
+24
-46
@@ -1,40 +1,27 @@
|
||||
# ex: syntax=puppet si ts=4 sw=4 et
|
||||
|
||||
class bind (
|
||||
$forwarders = undef,
|
||||
$forward = undef,
|
||||
$dnssec = undef,
|
||||
$filter_ipv6 = undef,
|
||||
$version = undef,
|
||||
$statistics_port = undef,
|
||||
$auth_nxdomain = undef,
|
||||
$include_default_zones = true,
|
||||
$include_local = false,
|
||||
$tkey_gssapi_credential = undef,
|
||||
$tkey_domain = undef,
|
||||
$chroot = false,
|
||||
$chroot_supported = $::bind::defaults::chroot_supported,
|
||||
$chroot_dir = $::bind::defaults::bind_chroot_dir,
|
||||
$forwarders = undef,
|
||||
$forward = undef,
|
||||
$dnssec = undef,
|
||||
$filter_ipv6 = undef,
|
||||
$version = undef,
|
||||
$statistics_port = undef,
|
||||
$auth_nxdomain = undef,
|
||||
$include_default_zones = true,
|
||||
$include_local = false,
|
||||
$tkey_gssapi_credential = undef,
|
||||
$tkey_domain = undef,
|
||||
$chroot = false,
|
||||
$chroot_class = $::bind::defaults::chroot_class,
|
||||
$chroot_dir = $::bind::defaults::chroot_dir,
|
||||
# NOTE: we need to be able to override this parameter when declaring class,
|
||||
# especially when not using hiera (i.e. when using Foreman as ENC):
|
||||
$default_zones_include = $::bind::defaults::default_zones_include,
|
||||
$default_zones_include = $::bind::defaults::default_zones_include,
|
||||
) inherits bind::defaults {
|
||||
if $chroot and !$chroot_supported {
|
||||
fail('Chroot for bind is not supported on your OS')
|
||||
}
|
||||
|
||||
if $chroot {
|
||||
if $::bind::defaults::bind_chroot_service {
|
||||
$real_bind_service = $::bind::defaults::bind_chroot_service
|
||||
}
|
||||
if $::bind::defaults::bind_chroot_package {
|
||||
$real_bind_package = $::bind::defaults::bind_chroot_package
|
||||
}
|
||||
} else {
|
||||
$real_bind_service = $::bind::defaults::bind_service
|
||||
$real_bind_package = $::bind::defaults::bind_package
|
||||
}
|
||||
|
||||
File {
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
@@ -48,7 +35,7 @@ class bind (
|
||||
|
||||
package { 'bind':
|
||||
ensure => latest,
|
||||
name => $real_bind_package,
|
||||
name => $::bind::defaults::bind_package,
|
||||
}
|
||||
|
||||
if $dnssec {
|
||||
@@ -126,23 +113,14 @@ class bind (
|
||||
content => "};\n";
|
||||
}
|
||||
|
||||
if $chroot and $::bind::defaults::bind_chroot_service {
|
||||
service { 'bind':
|
||||
ensure => running,
|
||||
name => $::bind::defaults::bind_chroot_service,
|
||||
enable => true,
|
||||
hasrestart => true,
|
||||
hasstatus => true,
|
||||
}
|
||||
# On RHEL Family, there is a dedicated service named-chroot and we need
|
||||
# to stop/disable 'named' service:
|
||||
service { 'bind-no-chroot':
|
||||
ensure => stopped,
|
||||
name => $::bind::defaults::bind_service,
|
||||
enable => false,
|
||||
}
|
||||
|
||||
} else {
|
||||
if $chroot and $::bind::defaults::chroot_class {
|
||||
# When using a dedicated chroot class, service declaration is dedicated to this class
|
||||
class { $::bind::defaults::chroot_class : }
|
||||
}
|
||||
# DO NOT declare a bind service when chrooting bind with bind::chroot::package class,
|
||||
# because it needs another dedicated chrooted-bind service (i.e. named-chroot on RHEL)
|
||||
# AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED.
|
||||
if !$chroot or ($chroot and $::bind::defaults::chroot_class == 'bind::chroot::manual') {
|
||||
service { 'bind':
|
||||
ensure => running,
|
||||
name => $::bind::defaults::bind_service,
|
||||
|
||||
Reference in New Issue
Block a user