From de9578ac9794ab60a8eb004f8611af67e053a073 Mon Sep 17 00:00:00 2001
From: wohali
Date: Mon, 19 Nov 2012 09:42:41 -0500
Subject: [PATCH 1/2] List-ify attributes, correct Google DNS server
See https://developers.google.com/speed/public-dns/
---
README.md | 23 +++++--
attributes/default.rb | 29 +++++----
recipes/default.rb | 6 +-
templates/default/named.conf.local.erb | 2 +-
templates/default/named.conf.options.erb | 80 ++++++++++++++----
5 files changed, 84 insertions(+), 56 deletions(-)
diff --git a/README.md b/README.md
index c8601e0..20cfbab 100644
--- a/README.md
+++ b/README.md
@@ -23,12 +23,12 @@ Attributes
 ==========
 * **node[:bind9][:enable_ipv6]** - Enables BIND to listen on an IPv6 address. Default is: On
-* **node[:bind9][:allow_query]** - Allow clients to query the nameserver. Default is: anyone
-* **node[:bind9][:allow_recursion]** - Allow recursive name resolution. Default is: none (to prevent DNS cache poisoning)
-* **node[:bind9][:allow_update]** - Allow dynamic DNS updates. Default is: none
-* **node[:bind9][:allow_transfer]** - Allow zone transfers globally. Default is: none
+* **node[:bind9][:allow_query]** - Array of clients allowed to query the nameserver. Default is: anyone
+* **node[:bind9][:allow_recursion]** - Array of clients allowed to make recursive name resolution queries. Default is: none (to prevent DNS cache poisoning)
+* **node[:bind9][:allow_update]** - Array of clients allowed to make dynamic DNS updates. Default is: none
+* **node[:bind9][:allow_transfer]** - Array of clients allowed to make zone transfers. Default is: none
 * **node[:bind9][:enable_forwarding]** - Enables forwarding of requests. Default is: No forwarding
-* **node[:bind9][:forwarders]** - Array for forwarding DNS. Default is: 4.4.4.4 and 8.8.8.8 (Google DNS)
+* **node[:bind9][:forwarders]** - Array for forwarding DNS. Default is: 8.8.8.8 and 8.8.4.4 (Google DNS)
 Usage
 =====
@@ -40,7 +40,18 @@ Please note that the data bag's structure is mandatory except:
 * autodomain for the zone (if you include this, automatic records will be added for chef nodes whose "domain" matches this)
-Examples
+Example attributes for a caching-only setup
+=====
+
+ default[:bind9][:allow_query] = ["localnets", "localhost"]
+ default[:bind9][:allow_recursion] = ["localnets", "localhost"]
+ default[:bind9][:allow_transfer] = ["none"]
+ default[:bind9][:allow_update] = nil
+ default[:bind9][:enable_forwarding] = true
+ default[:bind9][:forwarders] = ["8.8.8.8", "8.8.4.4"]
+
+
+Example zone setup
 =====
 $ knife data bag create zones
diff --git a/attributes/default.rb b/attributes/default.rb
index e80690e..5db5c81 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -1,28 +1,31 @@
 default[:bind9][:enable_ipv6] = true
-# Allow all clients to query the nameserver, no recursion
-default[:bind9][:allow_query] = nil
-default[:bind9][:allow_recursion] = "none"
+# Allow only local clients to query the nameserver, with recursion
+default[:bind9][:allow_query] = ["localnets", "localhost"]
+default[:bind9][:allow_recursion] = ["localnets", "localhost"]
 # Don:t allow to mess with zone files by default
-default[:bind9][:allow_transfer] = "none"
+default[:bind9][:allow_transfer] = ["none"]
 default[:bind9][:allow_update] = nil
-default[:bind9][:enable_forwarding] = false
-default[:bind9][:forwarders] = [ "4.4.4.4", "8.8.8.8" ]
+# default forwarders @ Google
+default[:bind9][:enable_forwarding] = true
+default[:bind9][:forwarders] = ["8.8.8.8", "8.8.4.4"]
 case platform
 when "centos","redhat","fedora","scientific","amazon"
 default[:bind9][:config_path] = "/etc/named"
- default[:bind9][:config_file] = "/etc/named.conf"
- default[:bind9][:options_file] = "/etc/named/named.conf.options"
- default[:bind9][:local_file] = "/etc/named/named.conf.local"
- default[:bind9][:data_path] = "/var/named"
+ default[:bind9][:config_file] = "/etc/named.conf"
+ default[:bind9][:options_file] = "/etc/named/named.conf.options"
+ default[:bind9][:local_file] = "/etc/named/named.conf.local"
+ default[:bind9][:data_path] = "/var/named"
+ default[:bind9][:log_path] = "/var/log/bind"
 default[:bind9][:user] = "named"
 else
 default[:bind9][:config_path] = "/etc/bind"
- default[:bind9][:options_file] = "/etc/bind/named.conf.options"
- default[:bind9][:local_file] = "/etc/bind/named.conf.local"
- default[:bind9][:data_path] = "/var/cache/bind"
+ default[:bind9][:options_file] = "/etc/bind/named.conf.options"
+ default[:bind9][:local_file] = "/etc/bind/named.conf.local"
+ default[:bind9][:data_path] = "/var/cache/bind"
+ default[:bind9][:log_path] = "/var/log/named"
 default[:bind9][:user] = "bind"
 end
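Review bot: The new defaults `default[:bind9][:enable_forwarding] = true` and `default[:bind9][:allow_recursion] = ["localnets", "localhost"]` disagree with the README bullets left as context in this patch's README hunk, which still say the forwarding default is "No forwarding" and the recursion default is "none (to prevent DNS cache poisoning)". Enabling forwarding by default also means every node that takes the cookbook defaults sends its non-authoritative lookups to 8.8.8.8/8.8.4.4 unless an operator overrides the attribute; that is a defensible caching-resolver choice, but it should be stated rather than implied. Either keep `default[:bind9][:enable_forwarding] = false` here and let the README's new caching-only example carry the forwarding setup, or update those two README bullets to match these values.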
diff --git a/recipes/default.rb b/recipes/default.rb
index 5c749ce..39f04c8 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -25,10 +25,12 @@
 action :install
 end
-directory "/var/log/bind/" do
+directory node[:bind9][:log_path] do
 owner node[:bind9][:user]
 group node[:bind9][:user]
- mode 0755
+ mode 0775
+ recursive true
+ action :create
 end
 service "bind9" do
diff --git a/templates/default/named.conf.local.erb b/templates/default/named.conf.local.erb
index c35456b..7773d6e 100644
--- a/templates/default/named.conf.local.erb
+++ b/templates/default/named.conf.local.erb
@@ -9,7 +9,7 @@
 <% @zonefiles.each do |conf| -%>
 zone "<%= conf["domain"] %>" IN {
 type <%= conf["type"] %>;
- file "<%= node[:bind9][:config_path] %>/<%= conf["domain"] %>";
+ file "<%= conf["domain"] %>";
 allow-transfer {
 <% conf["allow_transfer"].each do |ip| -%>
 <%= ip %>;
diff --git a/templates/default/named.conf.options.erb b/templates/default/named.conf.options.erb
index 1d536a9..321248f 100644
--- a/templates/default/named.conf.options.erb
+++ b/templates/default/named.conf.options.erb
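Review bot: `mode 0775` loosens the log directory from the previous 0755 to group-writable, yet `owner` and `group` are both `node[:bind9][:user]`, so the group bit gives named nothing it did not already have and only widens write access to any other account later placed in that group; `mode 0755` keeps the old posture. With `recursive true`, on the Chef releases I am aware of the owner/group/mode apply only to the leaf directory, so any parent of `node[:bind9][:log_path]` that has to be created gets default permissions — harmless under `/var/log`, but worth a comment on the resource if log_path is ever pointed somewhere deeper.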
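Review bot: `file "<%= conf["domain"] %>"` is now resolved by named relative to the `directory` statement in named.conf.options (`node[:bind9][:data_path]`) instead of under `node[:bind9][:config_path]`, so whichever resource writes the zone files (outside this hunk) has to write them to data_path or every zone fails to load. The data bag's `domain` value also flows unvalidated into both the zone name and a filesystem path; a one-line check in the recipe before rendering, such as `raise ArgumentError, "bad zone name #{conf["domain"]}" unless conf["domain"] =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/`, keeps a typo or a stray `/` from pointing named at an unintended file. The enclosing `@zonefiles.each` block starts and ends outside the hunk.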
@@ -1,47 +1,59 @@
 options {
- directory "<%= node[:bind9][:data_path] %>";
+ directory "<%= node[:bind9][:data_path] %>";
- // If there is a firewall between you and nameservers you want
- // to talk to, you may need to fix the firewall to allow multiple
- // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
- <% if node[:bind9][:allow_query] %>
- allow-query {
- "<%= node[:bind9][:allow_query] %>";
- };
+ <% if node[:bind9][:allow_query] %>
+ allow-query {
+ <% node[:bind9][:allow_query].each do |allow_query| -%>
+ <%= allow_query %>;
+ <% end %>
+ };
- <% end %>
- allow-recursion {
- <%= node[:bind9][:allow_recursion] %>;
- };
-
- allow-transfer {
- "<%= node[:bind9][:allow_transfer] %>";
- };
-
- <% if node[:bind9][:allow_update] %>
- allow-update {
- "<%= node[:bind9][:allow_update] %>";
- };
+ <% end %>
+ <% if node[:bind9][:allow_recursion] %>
+ allow-recursion {
+ <% node[:bind9][:allow_recursion].each do |allow_recursion| -%>
+ <%= allow_recursion %>;
+ <% end %>
+ };
+
+ <% end %>
+ <% if node[:bind9][:allow_transfer] %>
+ allow-transfer {
+ <% node[:bind9][:allow_transfer].each do |allow_transfer| -%>
+ <%= allow_transfer %>;
+ <% end %>
+ };
+
+ <% end %>
+ <% if node[:bind9][:allow_update] %>
+ allow-update {
+ <% node[:bind9][:allow_update].each do |allow_update| -%>
+ <%= allow_update %>;
+ <% end %>
+ };
- <% end %>
- <% if node[:bind9][:enable_forwarding] %>
- forwarders {
- <% node[:bind9][:forwarders].each do |forwarder| -%>
- <%= forwarder %>;
- <% end %>
- };
+ <% end %>
+ <% if node[:bind9][:enable_forwarding] %>
+ forwarders {
+ <% node[:bind9][:forwarders].each do |forwarder| -%>
+ <%= forwarder %>;
+ <% end %>
+ };
- <% end %>
- auth-nxdomain no; # conform to RFC1035
- <% if node[:bind9][:enable_ipv6] %>
- listen-on-v6 { any; };
- <% end %>
+ 
<% end %>
+ auth-nxdomain no; # conform to RFC1035
+ <% if node[:bind9][:enable_ipv6] %>
+ listen-on-v6 { any; };
+ <% end %>
 };
 logging {
 channel default_log {
- file "/var/log/bind/bind.log" versions 5 size 128M;
+ file "<%= node[:bind9][:log_path] %>/named.log" versions 5 size 128M;
 print-time yes;
 print-severity yes;
 print-category yes;
From f46aa6d53535609a9b6d41d35c7ab9d621388822 Mon Sep 17 00:00:00 2001
From: wohali
Date: Mon, 19 Nov 2012 09:51:39 -0500
Subject: [PATCH 2/2] Support Joyent's SmartOS / SmartMachines
---
README.md | 3 ++-
attributes/default.rb | 7 +++++++
metadata.rb | 2 +-
recipes/default.rb | 14 +++++++++++++-
templates/default/named.conf.erb | 3 +++
5 files changed, 26 insertions(+), 3 deletions(-)
create mode 100644 templates/default/named.conf.erb
diff --git a/README.md b/README.md
index 20cfbab..919f759 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,8 @@ Platform:
 * Debian
 * Ubuntu
-* Centos
+* CentOS
+* SmartOS
 Attributes
 ==========
diff --git a/attributes/default.rb b/attributes/default.rb
index 5db5c81..8c7be7d 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -21,6 +21,13 @@
 default[:bind9][:data_path] = "/var/named"
 default[:bind9][:log_path] = "/var/log/bind"
 default[:bind9][:user] = "named"
+when "smartos"
+ default[:bind9][:config_path] = "/opt/local/etc"
+ default[:bind9][:options_file] = "/opt/local/etc/named.conf.options"
+ default[:bind9][:local_file] = "/opt/local/etc/named.conf.local"
+ default[:bind9][:data_path] = "/var/named"
+ default[:bind9][:log_path] = "/var/log/named"
+ default[:bind9][:user] = "root"
 else
 default[:bind9][:config_path] = "/etc/bind"
 default[:bind9][:options_file] = "/etc/bind/named.conf.options"
diff --git a/metadata.rb b/metadata.rb
index 8ef079b..4128e67 100644
--- a/metadata.rb
+++ b/metadata.rb
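Review bot: Guarding `allow-transfer` with `<% if node[:bind9][:allow_transfer] %>` drops the fail-closed behaviour the old template had: it always emitted an allow-transfer block, whereas now an operator who sets the attribute to `nil` (exactly as this patch's README example does for `allow_update`) gets no block at all, and BIND's built-in default for allow-transfer permits zone transfers from any address. `allow-recursion` has the same shape and falls back to BIND's own default instead of the "none" the README still documents. Suggest rendering a closed block when the attribute is absent, i.e. add `<% else %>` / `allow-transfer { none; };` before that `<% end %>` and the same for allow-recursion; `allow-update` can stay optional because BIND denies dynamic updates by default.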
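Review bot: `default[:bind9][:user] = "root"` makes the log directory created in recipes/default.rb (owner and group both taken from this attribute, mode 0775) root-owned on SmartOS. If the `dns/server:default` SMF method starts named under an unprivileged account — pkgsrc builds commonly do, but confirm on the target image — named cannot write `named.log` there; if it really does run as root, that is a least-privilege step backwards from the `named`/`bind` accounts used for the other platforms. Set this to the account named actually runs as and say so in the README hunk.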
@@ -5,6 +5,6 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version "0.1.9"
-%w{ ubuntu debian centos }.each do |os|
+%w{ ubuntu debian centos smartos }.each do |os|
 supports os
 end
diff --git a/recipes/default.rb b/recipes/default.rb
index 39f04c8..a5082c2 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -19,7 +19,7 @@
 package "bind9" do
 case node[:platform]
- when "centos", "redhat", "suse", "fedora"
+ when "centos", "redhat", "suse", "fedora", "smartos"
 package_name "bind"
 end
 action :install
@@ -37,11 +37,23 @@
 case node[:platform]
 when "centos", "redhat"
 service_name "named"
+ when "smartos"
+ service_name "dns/server:default"
 end
 supports :status => true, :reload => true, :restart => true
 action [ :enable ]
 end
+if node[:platform] == "smartos"
+ template "#{node[:bind9][:config_path]}/named.conf" do
+ source "named.conf.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ notifies :restart, resources(:service => "bind9")
+ end
+end
+
 template node[:bind9][:options_file] do
 source "named.conf.options.erb"
 owner "root"
diff --git a/templates/default/named.conf.erb b/templates/default/named.conf.erb
new file mode 100644
index 0000000..c8ac28e
--- /dev/null
+++ b/templates/default/named.conf.erb
@@ -0,0 +1,3 @@
+include "<%= node[:bind9][:config_path] %>/named.conf.options";
+include "<%= node[:bind9][:config_path] %>/named.conf.local";
+// include "<%= node[:bind9][:config_path] %>/named.conf.default-zones";
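Review bot: `package_name "bind"` for `"smartos"` assumes a pkgsrc package literally named `bind`; in my recollection pkgsrc ships BIND under version-suffixed package names, so confirm the name on the target image or expose it as an attribute instead of hard-coding it in the `when`. The `package "bind9"` resource starts before this hunk.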
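Review bot: `notifies :restart, resources(:service => "bind9")` uses the eager `resources()` lookup where the string form `notifies :restart, "service[bind9]"` is the idiomatic spelling and is resolved when the notification fires; if the other template resources further down this file (outside the hunk) use the string form, match them. Because the new named.conf is only managed when `node[:platform] == "smartos"`, the other platforms keep whatever named.conf the package installed, which may not include the generated options/local files — a README sentence stating which platforms get a managed named.conf would avoid that surprise.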
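Review bot: The two `include` lines rebuild the paths from `node[:bind9][:config_path]` plus hard-coded filenames, while the recipe writes those files to `node[:bind9][:options_file]` and `node[:bind9][:local_file]`; the pairs agree for the SmartOS defaults added in this patch but silently diverge the moment either attribute is overridden. Use the same attributes here, `include "<%= node[:bind9][:options_file] %>";` and `include "<%= node[:bind9][:local_file] %>";`, so the recipe and the generated config cannot disagree.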