First draft of chroot implementation for Debian

- RHEL chroot code has been moved into a bind::chroot::package class

- Debian family (and probably other families) can use the
  `bind::chroot::manual` class to enable chroot for bind using the method
  described here: https://wiki.debian.org/Bind9#Bind_Chroot
Cédric Defortis
2017-08-16 11:19:48 +02:00
committed by Cedric DEFORTIS
parent bcaafc05e1
commit 44bb1b0e0e
14 changed files with 194 additions and 76 deletions
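--- /dev/null
+++ b/manifests/chroot/manual.pp
@@ -0,0 +1,60 @@
+class bind::chroot::manual(
+$chroot_dir = $::bind::defaults::chroot_dir,
+) inherits bind::defaults {
+exec { 'mkdir-p-$chroot_dir':
+command => "mkdir -p ${::bind::defaults::chroot_dir}",
+path => ['/bin', '/usr/bin'],
+unless => "test -d ${::bind::defaults::chroot_dir}",
+}
+# Creating system dirs under chroot dir:
+file { ["${::bind::defaults::chroot_dir}",
+"${::bind::defaults::chroot_dir}/etc",
+"${::bind::defaults::chroot_dir}/dev",
+"${::bind::defaults::chroot_dir}/var",
+"${::bind::defaults::chroot_dir}/var/cache",
+"${::bind::defaults::chroot_dir}/var/run"]:
+ensure => directory,
+mode => '0660',
+require => Exec['mkdir-p-$chroot_dir'],
+}
+file { ["${::bind::defaults::chroot_dir}/var/cache/bind",
+"${::bind::defaults::chroot_dir}/var/run/named"]:
+ensure => directory,
+mode => '0775',
+group => $::bind::defaults::bind_group,
+require => Exec['mkdir-p-$chroot_dir'],
+}
+exec { 'mknod-dev-null':
+command => "mknod ${::bind::defaults::chroot_dir}/dev/null c 1 3",
+path => ['/bin', '/usr/bin'],
+unless => "test -d ${::bind::defaults::chroot_dir}/dev/null",
+}
+exec { 'mknod-dev-random':
+command => "mknod ${::bind::defaults::chroot_dir}/dev/random c 1 8",
+path => ['/bin', '/usr/bin'],
+unless => "test -d ${::bind::defaults::chroot_dir}/dev/random",
+}
+exec { 'mknod-dev-urandom':
+command => "mknod ${::bind::defaults::chroot_dir}/dev/urandom c 1 9",
+path => ['/bin', '/usr/bin'],
+unless => "test -d ${::bind::defaults::chroot_dir}/dev/urandom",
+}
+file { [ "${::bind::defaults::chroot_dir}/dev/null",
+"${::bind::defaults::chroot_dir}/dev/random",
+"${::bind::defaults::chroot_dir}/dev/urandom"]:
+mode => '0660',
+require => [ Exec['mknod-dev-null'], Exec['mknod-dev-random'], Exec['mknod-dev-urandom'] ],
+}
+exec { 'mv-etc-bind-into-jailed-etc':
+command => "mv ${::bind::defaults::confdir} ${::bind::defaults::chroot_dir}",
+path => ['/bin', '/usr/bin'],
+unless => "test -d ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
+require => [ File["${::bind::defaults::chroot_dir}/etc"] ]
+}
+#-> file { '/etc/bind':
+# ensure => link,
+# target => "${::bind::defaults::chroot_dir}/${::bind::defaults::confdir}",
+#}
+}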
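Review bot: The `unless` guards on the three mknod execs use `test -d`, which is false for a character device, so mknod is re-run on every agent run and fails with "File exists" once the node has been created; they need `test -c`. The `mv-etc-bind-into-jailed-etc` exec has the mirror-image problem: it moves `$confdir` into `$chroot_dir` itself while its `unless` looks for `${chroot_dir}${confdir}`, so the guard never matches and the second run fails because the source directory is gone, and with the symlink back from `$confdir` left commented out anything else in the module that writes under `$confdir` presumably breaks after the move. The directory resources get mode 0660 (no execute bit) and the device nodes 0660 with default root ownership, neither of which the unprivileged bind user can traverse or open once named drops privileges inside the jail, so the directories need 0755 (or 0750 with `group => $::bind::defaults::bind_group`) and the device nodes need the bind group. The `$chroot_dir` class parameter is never read — every resource uses `$::bind::defaults::chroot_dir` — so passing it has no effect; either use it in the body or drop it.
```puppet
# … unchanged: mkdir-p exec …
file { ["${::bind::defaults::chroot_dir}",
        "${::bind::defaults::chroot_dir}/etc",
        "${::bind::defaults::chroot_dir}/dev",
        "${::bind::defaults::chroot_dir}/var",
        "${::bind::defaults::chroot_dir}/var/cache",
        "${::bind::defaults::chroot_dir}/var/run"]:
  ensure  => directory,
  mode    => '0755',   # execute bit needed so the bind user can traverse the jail
  require => Exec['mkdir-p-$chroot_dir'],
}
# … unchanged: var/cache/bind and var/run/named directories …
exec { 'mknod-dev-null':
  command => "mknod ${::bind::defaults::chroot_dir}/dev/null c 1 3",
  path    => ['/bin', '/usr/bin'],
  unless  => "test -c ${::bind::defaults::chroot_dir}/dev/null",
}
# … same `test -c` guard for mknod-dev-random and mknod-dev-urandom …
file { [ "${::bind::defaults::chroot_dir}/dev/null",
         "${::bind::defaults::chroot_dir}/dev/random",
         "${::bind::defaults::chroot_dir}/dev/urandom"]:
  mode    => '0660',
  group   => $::bind::defaults::bind_group,   # named runs as this group inside the jail
  require => [ Exec['mknod-dev-null'], Exec['mknod-dev-random'], Exec['mknod-dev-urandom'] ],
}
exec { 'mv-etc-bind-into-jailed-etc':
  # destination mirrors the unless path, so the guard matches after the first run
  command => "mv ${::bind::defaults::confdir} ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
  path    => ['/bin', '/usr/bin'],
  unless  => "test -d ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
  require => [ File["${::bind::defaults::chroot_dir}/etc"] ]
}
```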
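--- /dev/null
+++ b/manifests/chroot/package.pp
@@ -0,0 +1,21 @@
+class bind::chroot::package(
+$chroot_dir = $::bind::defaults::chroot_dir,
+) inherits bind::defaults {
+package { 'bind-chroot':
+ensure => latest,
+}
+service { 'bind':
+ensure => running,
+name => 'named-chroot',
+enable => true,
+hasrestart => true,
+hasstatus => true,
+}
+# On RHEL Family, there is a dedicated service named-chroot and we need
+# to stop/disable 'named' service:
+service { 'bind-without-chroot':
+ensure => stopped,
+name => $::bind::defaults::bind_service,
+enable => false,
+}
+}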
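Review bot: Nothing orders the stop of `bind-without-chroot` before the start of `bind` (named-chroot), so with manifest ordering the chrooted service is started first on a host where `named` is still running and presumably fails to bind port 53 until the next run; add `before => Service['bind'],` to the `bind-without-chroot` resource and `require => Package['bind-chroot'],` to `bind`. The `$chroot_dir` parameter is declared but never read in this class, so a caller passing it gets no effect; either drop it or add a comment saying the jail location is fixed by the distribution package. `ensure => latest` matches the module's existing package style but means bind-chroot is upgraded unattended on every agent run, which is worth a one-line comment if intended.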
@@ -17,9 +17,13 @@ class bind::defaults (
$bind_chroot_dir = undef,
$nsupdate_package = undef,
$managed_keys_directory = undef,
# NOTE: we need to be able to override this parameter when declaring class,
# especially when not using hiera (i.e. when using Foreman as ENC):
$default_zones_include = undef,
$default_zones_source = undef,
$isc_bind_keys = undef,
$chroot_class = undef,
$chroot_dir = undef,
) {
unless is_bool($supported) {
fail('Please ensure that the dependencies of the bind module are installed and working correctly')
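Review bot: `$chroot_class` and `$chroot_dir` are added without any comment on what they expect, although the caller in this same commit declares `$chroot_class` by name and compares it as a string against 'bind::chroot::manual'; a short comment on each would help, e.g. `# Name of the class that sets up the jail ('bind::chroot::manual' or 'bind::chroot::package'); undef means no chroot support` and `# Directory the chrooted named runs in (used by bind::chroot::manual)`. The older `$bind_chroot_dir` parameter stays alongside the new `$chroot_dir`, so the class now exposes two parameters for the same setting unless the old one is still consumed somewhere not shown. The `bind::defaults` class starts before and ends after this hunk.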
@@ -1,40 +1,27 @@
# ex: syntax=puppet si ts=4 sw=4 et
class bind (
$forwarders = undef,
$forward = undef,
$dnssec = undef,
$filter_ipv6 = undef,
$version = undef,
$statistics_port = undef,
$auth_nxdomain = undef,
$include_default_zones = true,
$include_local = false,
$tkey_gssapi_credential = undef,
$tkey_domain = undef,
$chroot = false,
$chroot_supported = $::bind::defaults::chroot_supported,
$chroot_dir = $::bind::defaults::bind_chroot_dir,
$forwarders = undef,
$forward = undef,
$dnssec = undef,
$filter_ipv6 = undef,
$version = undef,
$statistics_port = undef,
$auth_nxdomain = undef,
$include_default_zones = true,
$include_local = false,
$tkey_gssapi_credential = undef,
$tkey_domain = undef,
$chroot = false,
$chroot_class = $::bind::defaults::chroot_class,
$chroot_dir = $::bind::defaults::chroot_dir,
# NOTE: we need to be able to override this parameter when declaring class,
# especially when not using hiera (i.e. when using Foreman as ENC):
$default_zones_include = $::bind::defaults::default_zones_include,
$default_zones_include = $::bind::defaults::default_zones_include,
) inherits bind::defaults {
if $chroot and !$chroot_supported {
fail('Chroot for bind is not supported on your OS')
}
if $chroot {
if $::bind::defaults::bind_chroot_service {
$real_bind_service = $::bind::defaults::bind_chroot_service
}
if $::bind::defaults::bind_chroot_package {
$real_bind_package = $::bind::defaults::bind_chroot_package
}
} else {
$real_bind_service = $::bind::defaults::bind_service
$real_bind_package = $::bind::defaults::bind_package
}
File {
ensure => present,
owner => 'root',
@@ -48,7 +35,7 @@ class bind (
package { 'bind':
ensure => latest,
name => $real_bind_package,
name => $::bind::defaults::bind_package,
}
if $dnssec {
@@ -126,23 +113,14 @@ class bind (
content => "};\n";
}
if $chroot and $::bind::defaults::bind_chroot_service {
service { 'bind':
ensure => running,
name => $::bind::defaults::bind_chroot_service,
enable => true,
hasrestart => true,
hasstatus => true,
}
# On RHEL Family, there is a dedicated service named-chroot and we need
# to stop/disable 'named' service:
service { 'bind-no-chroot':
ensure => stopped,
name => $::bind::defaults::bind_service,
enable => false,
}
} else {
if $chroot and $::bind::defaults::chroot_class {
# When using a dedicated chroot class, service declaration is dedicated to this class
class { $::bind::defaults::chroot_class : }
}
# DO NOT declare a bind service when chrooting bind with bind::chroot::package class,
# because it needs another dedicated chrooted-bind service (i.e. named-chroot on RHEL)
# AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED.
if !$chroot or ($chroot and $::bind::defaults::chroot_class == 'bind::chroot::manual') {
service { 'bind':
ensure => running,
name => $::bind::defaults::bind_service,