puppet-bind's Introduction

Bind module for Puppet

Manages bind configuration under Debian / Ubuntu and CentOS.

This module is provided by Camptocamp.

Classes

  • bind

bind

This class must be declared before using the definitions in this module.

Definitions

  • bind::a
  • bind::acl
  • bind::generate
  • bind::mx
  • bind::record
  • bind::zone

bind::a

Creates an A record (or a series thereof).

bind::a { 'Hosts in example.com':
  ensure    => 'present',
  zone      => 'example.com',
  ptr       => false,
  hash_data => {
    'host1' => { owner => '192.168.0.1', },
    'host2' => { owner => '192.168.0.2', },
  },
}

$ensure = present

Ensure the A record is present.

$zone

Zone name.

$hash_data

Zone data: a hash of host name => { owner => IP address }, as in the example above.

$ptr = true

Whether to also create pointer records (PTR), which map an IP address back to a host name and are primarily used for reverse DNS.

$zone_arpa = undef

Needed if $ptr is true. For reverse DNS you will have to set up your reverse DNS zone, a special zone whose name ends with in-addr.arpa.

$content = undef

Zone content.

$content_template = undef

Zone content template.
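The records a bind::a resource expands to, as an added Ruby example (not the module's own template): hash_data is the host => { owner => IP } hash from the README, and when ptr is true each PTR owner is checked to actually fall under zone_arpa, the mismatch that otherwise silently lands a record in the wrong reverse zone.

```ruby
require 'ipaddr'

# Derive the A and PTR records that a bind::a resource describes.
# Added illustration, not the module's own template: hash_data maps a
# relative host name to { 'owner' => ip } as in the README, zone is the
# forward zone name and zone_arpa the reverse zone the PTRs must land in.
def reverse_name(ip)
  addr = IPAddr.new(ip)
  raise ArgumentError, "#{ip}: only IPv4 is handled here" unless addr.ipv4?
  "#{addr.to_s.split('.').reverse.join('.')}.in-addr.arpa"
end

def a_records(zone:, hash_data:, ptr: true, zone_arpa: nil)
  raise ArgumentError, 'zone_arpa is needed when ptr is true' if ptr && zone_arpa.nil?
  arpa = zone_arpa.to_s.chomp('.')
  hash_data.flat_map do |host, attrs|
    ip   = attrs['owner'] || attrs[:owner]
    fqdn = "#{host}.#{zone.chomp('.')}."
    recs = ["#{fqdn} A #{ip}"]
    if ptr
      rev = reverse_name(ip)
      # The PTR owner must sit inside zone_arpa; otherwise the record would be
      # written into a reverse zone that does not cover this address.
      unless rev.end_with?(".#{arpa}")
        raise ArgumentError, "#{ip} reverses to #{rev}, which is not under #{arpa}"
      end
      recs << "#{rev}. PTR #{fqdn}"
    end
    recs
  end
end

if $PROGRAM_NAME == __FILE__
  puts a_records(zone: 'example.com', ptr: true, zone_arpa: '0.168.192.in-addr.arpa',
                 hash_data: { 'host1' => { 'owner' => '192.168.0.1' } })
end
```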

bind::acl

Creates an ACL block.

bind::acl {'my acl':
  ensure => present,
  acls   => [
    '!192.168.1.0/24',
    'any'
  ],
}

$ensure = present

Ensure the ACL is present (or absent if set to "absent").

$acls = []

List of ACL directives.

bind::generate

Creates a $GENERATE directive for a specific zone.

bind::generate {'a-records':
  zone        => 'test.tld',
  range       => '2-100',
  record_type => 'A',
  lhs         => 'dhcp-$', # creates dhcp-2.test.tld, dhcp-3.test.tld …
  rhs         => '10.10.0.$', # creates IP 10.10.0.2, 10.10.0.3 …
}

$ensure = present

Ensure the $GENERATE directive is present.

$zone

Zone name. Must reflect a bind::zone resource.

$range

Range covered by the $GENERATE directive. Must be in the form 'first-last'.

$record_type

Record type. Must be one of PTR, CNAME, DNAME, A, AAAA and NS.

$lhs

Generated owner name (left-hand side); '$' is replaced by the current value of the range.

$rhs

Record target (right-hand side); '$' is replaced by the current value of the range.

$record_class = undef

Record class. Not compatible with pre-9.3 bind versions.

$ttl = undef

Time to live for generated records.
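As an added example (not the module's code), this Ruby function expands a $GENERATE directive the way BIND does, so the records a bind::generate resource will yield can be reviewed before named loads them. It handles BIND's $, $$ and ${offset,width,base} substitutions and the 'first-last[/step]' range form, and assumes the zone name is also the origin used to qualify relative owner names.

```ruby
# Expand a BIND $GENERATE directive into the records it yields.
# Added illustration, not part of puppet-bind. Implements the `$`, `$$` and
# `${offset,width,base}` substitutions (bases d, o, x, X; the nibble base
# 'n' is left out) and the 'first-last[/step]' range form.
RECORD_TYPES = %w[PTR CNAME DNAME A AAAA NS].freeze

# Replace iterator references in an lhs or rhs template for iteration value i.
def substitute(template, i)
  template.gsub(/\$\$|\$\{(-?\d+)(?:,(\d+))?(?:,([doxX]))?\}|\$/) do |m|
    next '$' if m == '$$'                  # '$$' is a literal dollar sign
    offset = ($1 || 0).to_i                # plain '$' behaves like ${0,0,d}
    width  = ($2 || 0).to_i
    value  = i + offset
    str = case $3
          when 'o' then value.to_s(8)
          when 'x' then value.to_s(16)
          when 'X' then value.to_s(16).upcase
          else value.to_s
          end
    str.rjust(width, '0')
  end
end

# Returns one "owner [ttl] [class] type target" string per iteration.
# zone is assumed to be the origin used to qualify relative owner names.
def expand_generate(zone:, range:, record_type:, lhs:, rhs:, ttl: nil, record_class: nil)
  type = record_type.to_s.upcase
  raise ArgumentError, "unsupported record type #{record_type}" unless RECORD_TYPES.include?(type)
  m = range.match(%r{\A(\d+)-(\d+)(?:/(\d+))?\z})
  raise ArgumentError, "range must be 'first-last[/step]', got #{range.inspect}" unless m
  first, last, step = m[1].to_i, m[2].to_i, (m[3] || 1).to_i
  raise ArgumentError, 'first must not exceed last' if first > last
  raise ArgumentError, 'step must be positive' unless step.positive?
  first.step(last, step).map do |i|
    owner = substitute(lhs, i)
    owner = "#{owner}.#{zone.chomp('.')}." unless owner.end_with?('.')
    [owner, ttl, record_class, type, substitute(rhs, i)].compact.join(' ')
  end
end

if $PROGRAM_NAME == __FILE__
  puts expand_generate(zone: 'test.tld', range: '2-4', record_type: 'A',
                       lhs: 'dhcp-$', rhs: '10.10.0.$')
end
```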

bind::mx

Creates an MX record.

bind::mx {'mx1':
  zone     => 'domain.ltd',
  owner    => '@',
  priority => 1,
  host     => 'mail.domain.ltd',
}

$ensure = present

Ensure the MX record is present.

$zone

Zone name.

$host

Target of the resource record.

$priority

MX record priority.

$owner = undef

Owner of the resource record.

$ttl = undef

Time to live for the resource record.

bind::record

Creates a generic record (or a series thereof).

bind::record {'CNAME foo.example.com':
  zone        => 'foo.example.com',
  record_type => 'CNAME',
  hash_data   => {
    'ldap'      => { owner => 'ldap.internal', },
    'voip'      => { owner => 'voip.internal', },
  }
}

$ensure = present

Ensure the record is present.

$zone

Zone name.

$hash_data

Hash of record data: owner name => { owner => target }, as in the example above.

$record_type

Resource record type.

$content = undef

Record content.

$content_template = undef

Allows you to supply your own template, so you can use your own hash_data structure.

$ptr_zone = undef

PTR zone.

bind::zone

Creates a zone.

bind::zone {'test.tld':
  zone_contact => 'contact.test.tld',
  zone_ns      => ['ns0.test.tld'],
  zone_serial  => '2012112901',
  zone_ttl     => '604800',
  zone_origin  => 'test.tld',
}

$ensure = present

Ensure the zone is present.

$is_dynamic = false

Boolean to set if a zone is dynamic.

$allow_update = []

List of hosts that are allowed to submit dynamic updates for master zones.

$transfer_source = undef

Source IP to bind to when requesting a transfer (slave only).

$zone_type = master

Zone type: master, slave or forward.

$zone_ttl = undef

Time to live for your zone file (master only).

$zone_contact = undef

Valid contact record (master only).

$zone_serial = undef

Zone serial (master only).

$zone_refresh = 3h

Time between each slave refresh (master only).

$zone_retry = 1h

Time between each slave retry (master only).

$zone_expiracy = 1w

Slave expiry time (master only).

$zone_ns = []

Valid NS for this zone (master only).

$zone_xfers = undef

Valid zone transfer (xfer) peers for this zone (master only).

$zone_masters = undef

Valid masters for this zone (slave only).

$zone_forwarders = undef

Valid forwarders for this zone (forward only).

$zone_origin = undef

The origin of the zone.

$zone_notify = undef

IPs to use for also-notify entry.

$if_slave = false

Boolean to set if a zone is slave.

bind::key

Creates a key for dynamic zones. The 'secret' value is the key generated by dnssec-keygen.

bind::key { 'key_dyn.test.tld':
    ensure => present,
    secret => 'xUjDQqpBHao/o7mR2dza2/Tv2DQVo9pEuMfMwhdfzeaEFZAvwA='
}

bind::zone {'dyn.test.tld':
  zone_contact => 'contact.test.tld',
  zone_ns      => ['ns0.test.tld'],
  zone_serial  => '2012112901',
  zone_ttl     => '604800',
  zone_origin  => 'dyn.test.tld',
  is_dynamic   => true,
  allow_update => ['key_dyn.test.tld']
}

$ensure = present

Ensure the key is present.

$secret

Key content.

$algorithm = hmac-md5

Key algorithm.

Simple Example

bind::zone {'example.com':
  ensure       => 'present',
  zone_contact => 'contact.example.com',
  zone_ns      => ['ns0.example.com'],
  zone_serial  => '2012112901',
  zone_ttl     => '604800',
  zone_origin  => 'example.com',
}

bind::a { 'example.com':
  ensure    => 'present',
  zone      => 'example.com',
  ptr       => false,
  hash_data => {
    'host1' => { owner => '192.168.0.1', },
    'host2' => { owner => '192.168.0.2', },
  },
}

Contributing

Please report bugs and feature requests using the GitHub issue tracker.

For pull requests, please check your Puppet manifests with puppet-lint so they follow the recommended style from the Puppet Labs style guide.

License

Copyright (c) 2013 [email protected]. All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


puppet-bind's Issues

'named-checkconf -jz /etc/bind/named.conf' is not qualified and no path was specified

I am using Ubuntu 12.04 LTS Server.

Error: Failed to apply catalog: Parameter onlyif failed on Exec[reload bind9]: 'named-checkconf -jz /etc/bind/named.conf' is not qualified and no path was specified. Please qualify the command or specify a path. at /etc/puppet/modules/bind/manifests/base.pp:45
Wrapped exception:
'named-checkconf -jz /etc/bind/named.conf' is not qualified and no path was specified. Please qualify the command or specify a path.

I also tried after doing "apt-get install bind9" manually; same result.

Any ideas?

Add support for forward zones

Hello,

This module lacks support for forward zones, and I'm going to implement it in my fork. The reasons I'm opening this ticket are:

  • What about a little refactoring in zones.pp? Right now there are nested IFs that IMO should be replaced by at least one case statement. This means removing some flags too ($is_slave at least) and implementing a property with three (or more) values (master, slave, forward).
  • I guess you want unit testing covering this new zone. Am I right?

Are you ok with this? Can I go on? Would you like to implement it yourself?

Thanks for the module anyway!

new features : view, acl, etc

TODO:

  • add ACL support in a convenient way (for now, we can add ACL with some static file, this isn't really clean)
  • add view support (based on acl and ranges)
  • better management for zone options
  • add $INCLUDE support (same kind as $GENERATE — manage included file basedir as well)

Dynamic zones: how are they supposed to work?

Hi,

I'm not fully sure I understand how dynamic zones are supposed to work without an A record. This issue might be directly linked to #76. The actual behavior is the following: with a dynamic zone (at least configured the way I did it), bind starts but does not load the dynamic zone because of a missing A record:

25-Jul-2017 14:20:04.632 general: error: zone foo.bar/IN/default: NS 'foo-bar' has no address records (A or AAAA).

Could you help me solve the issue? Did anyone succeed in getting a dynamic zone working with this module?

zone creation first puppet run failed

Hi,

I just created a zone with the module, and I got an error when the module tried to restart the bind9 service.
It seems that there is a wrong ordering:

  • configure default.zones
  • restart bind
  • deploy the zone file

I assume the bind restart should not occur until we have the zone deployed, right?

$ puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for server1.domain.fr
Info: Applying configuration version '1565267540'
Notice: /Stage[main]/Bind::Config/Bind::View[default]/Concat[/etc/bind/views/default.zones]/File[/etc/bind/views/default.zones]/content:
--- /etc/bind/views/default.zones       2019-08-08 13:19:19.248357155 +0200
+++ /tmp/puppet-file20190808-4913-1x0ex54       2019-08-08 14:28:58.000000000 +0200
@@ -0,0 +1 @@
+include "/etc/bind/zones/domain.fr.conf";

Info: Computing checksum on file /etc/bind/views/default.zones
Info: FileBucket got a duplicate file {md5}d41d8cd98f00b204e9800998ecf8427e
Info: /Stage[main]/Bind::Config/Bind::View[default]/Concat[/etc/bind/views/default.zones]/File[/etc/bind/views/default.zones]: Filebucketed /etc/bind/views/default.zones to puppet with sum d41d8cd98f00b204e9800998ecf8427e
Notice: /Stage[main]/Bind::Config/Bind::View[default]/Concat[/etc/bind/views/default.zones]/File[/etc/bind/views/default.zones]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}17a21777d698a6d01278f819cae51c3b'
Info: Class[Bind::Config]: Scheduling refresh of Class[Bind::Service]
Info: Class[Bind::Service]: Scheduling refresh of Service[bind9]
Error: /Stage[main]/Bind::Service/Service[bind9]: Failed to call refresh: Systemd restart for bind9 failed!
journalctl log for bind9:
-- Logs begin at Thu 2019-08-08 10:58:12 CEST, end at Thu 2019-08-08 14:28:58 CEST. --
Aug 08 14:28:58 server1 systemd[1]: Reloading BIND Domain Name Server.
Aug 08 14:28:58 server1 rndc[5543]: rndc: 'reload' failed: file not found
Aug 08 14:28:58 server1 systemd[1]: bind9.service: Control process exited, code=exited status=1
Aug 08 14:28:58 server1 systemd[1]: Reload failed for BIND Domain Name Server.

Error: /Stage[main]/Bind::Service/Service[bind9]: Systemd restart for bind9 failed!
journalctl log for bind9:
-- Logs begin at Thu 2019-08-08 10:58:12 CEST, end at Thu 2019-08-08 14:28:58 CEST. --
Aug 08 14:28:58 server1 systemd[1]: Reloading BIND Domain Name Server.
Aug 08 14:28:58 server1 rndc[5543]: rndc: 'reload' failed: file not found
Aug 08 14:28:58 server1 systemd[1]: bind9.service: Control process exited, code=exited status=1
Aug 08 14:28:58 server1 systemd[1]: Reload failed for BIND Domain Name Server.

Notice: /Stage[main]/Bind/Anchor[bind::end]: Dependency Service[bind9] has failures: true
Warning: /Stage[main]/Bind/Anchor[bind::end]: Skipping because of failed dependencies
Notice: /Stage[main]/Profiles::Bind/Bind::Zone[domain.fr]/Concat[/etc/bind/zones/domain.fr.conf]/File[/etc/bind/zones/domain.fr.conf]/ensure: defined content as '{md5}6459842b5ccc3b32914ae11aaa596399'
Info: Concat[/etc/bind/zones/domain.fr.conf]: Scheduling refresh of Exec[reload bind9]
Notice: /Stage[main]/Profiles::Bind/Bind::Zone[domain.fr]/Concat[/etc/bind/pri/domain.fr.conf]/File[/etc/bind/pri/domain.fr.conf]/ensure: defined content as '{md5}6239c63fac1df0f804f9d58d03c4bfb9'
Info: Concat[/etc/bind/pri/domain.fr.conf]: Scheduling refresh of Exec[reload bind9]
Warning: /Stage[main]/Bind/Exec[reload bind9]: Skipping because of failed dependencies
Info: /Stage[main]/Bind/Exec[reload bind9]: Unscheduling all events on Exec[reload bind9]
Info: Stage[main]: Unscheduling all events on Stage[main]

dependency on old concat module

This module has a dependency on puppet-concat < 2.0.0, which is very old. This conflicts with other modules which depend on newer versions of concat.
Please update to a newer version.

Cannot add A records

I'm currently having an issue adding A records to the configuration. I'm using Puppet 4 and Hiera 3, and receive the error below. I also tried manually specifying all of this in the Puppet code; no change in the error. Configuration details are also listed; not sure what I'm doing wrong. If it's a case of improper use, could there be an update to the README? Thanks much for your help.

"Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid relationship: File[/opt/puppetlabs/puppet/cache/concat/etc_bind_pri_somecompany.com.conf/fragments/10_somecompany.A.hosts] { notify => Exec[concat/etc/bind/pri/somecompany.com.conf] }, because Exec[concat/etc/bind/pri/somecompany.com.conf] doesn't seem to be in the catalog."

hiera

---
ddnskeys:
  'dhcpupdate':
    secret:                     "XXXXXXXXXXXXXXXXXXXXXXXXXX"
ddnszones:
  'somecompany.com':
    zone_contact:               'hostmaster.somecompany.com'
    zone_ns:
      - 'dns.somecompany.com'
    zone_serial:                '2015121001'
    zone_ttl:                   '604800'
    is_dynamic:                 true
    allow_update:
      - 'dhcpupdate'
  '11.10.in-addr.arpa':
    zone_contact:               'hostmaster.somecompany.com'
    zone_ns:
      - 'dns.somecompany.com'
    zone_serial:                '2015121001'
    zone_ttl:                   '604800'
    is_dynamic:                 true
    allow_update:
      - 'dhcpupdate'
ddnsarecords:
  'hosts':
    zone:                       'somecompany.com'
    ptr:                        false
    zone_arpa:                  '168.192.in-addr.arpa'
    hash_data:
      dns:
        owner:                  '192.168.1.28'

puppet

class profile::bind {
  # Store hashes for resource realization
  $bindkeys = hiera_hash('ddnskeys')
  $zones    = hiera_hash('ddnszones')
  $arecords = hiera_hash('ddnsarecords')

  class { '::bind': }
  create_resources('bind::key', $bindkeys)
  create_resources('bind::a', $arecords, {})
  create_resources('bind::zone', $zones, {})
}

'named-checkconf -jz /etc/named.conf' is not qualified

Puppet 3.8 on CentOS 6 with this manifest:

node 'test' {
  include bind
}

gives this error:

==> default: Error: Parameter onlyif failed on Exec[reload bind9]: 'named-checkconf -jz /etc/named.conf' is not qualified and no path was specified. Please qualify the command or specify a path. at /tmp/vagrant-puppet/modules-b3c8b8ed0d71478610d0a1236238b87e/bind/manifests/base.pp:44

Then I changed this:

  exec {'reload bind9':
    command     => $bind::params::service_restart,
    onlyif      => "named-checkconf -jz ${bind::params::config_base_dir}/${bind::params::named_conf_name}",
    refreshonly => true,
    require     => Package['bind9'],
  }

to this:

  exec {'reload bind9':
    command     => $bind::params::service_restart,
    onlyif      => "/usr/sbin/named-checkconf -jz ${bind::params::config_base_dir}/${bind::params::named_conf_name}",
    refreshonly => true,
    require     => Package['bind9'],
  }

Add static entries to dynamic zones

It would be interesting to have the capability of adding some static entries to zones configured as "dynamic". If we try to do it in the way things are right now we end up with a concat::fragment error as the concat was not initialized for the dynamic zone.

should allow forwarders in zone_type master

My master has:

options {
        forwarders { 203.12.160.35; 203.12.160.36; };
       [......]

so that it can look up names in networks it does not control or know about.

This should be configurable in the puppet module. Thanks.

bind_check_hostname blocks dkim and srv records

DKIM TXT records use the format selector._domainkey.your_domain.com, which is rejected because this module uses stdlib's is_domain_name, which rightly rejects it since '_' is not a valid domain name character; it is valid for a bind record, however.

/lib/puppet/parser/functions/bind_check_hostname.rb allows '@' to bypass the check for this reason, so for the same reason I added

# Allow dkim keys by stripping the domain-invalid _ character
domain = record.sub(/\._domainkey/, '')

There are also SRV records, which are not as easy to identify, with the format _service._proto.name, e.g. _ts3._udp.yourdomain.tld.

We could just allow _ in general with

# Allow srv and dkim by stripping every invalid _ character (gsub, so all of them go, not just the first)
domain = record.gsub(/_/, '')

Or change bind_check_hostname to take two arguments, including the record_type, and only allow underscores for TXT and SRV?

Question: how to use `ptr=>true`?

I'm trying to set up a zone and a couple of A records with reverse.
Here's basically what I came up with:

  bind::zone {'sp.example.com':
    zone_contact  => 'sysunix.example.com',
    zone_ns       => [
      $::clientcert
    ],
    zone_serial   => strftime('%s'),
    zone_ttl      => '60',
    zone_origin   => 'sp.example.com',
    zone_expiracy => '1w',
    zone_retry    => '15m',
    zone_refresh  => '5m',
  }
  bind::zone {'0.168.192.in-addr.arpa':
    zone_contact  => 'sysunix.example.com',
    zone_ns       => [
      $::clientcert
    ],
    zone_serial   => strftime('%s'),
    zone_ttl      => '60',
    zone_origin   => '0.168.192.in-addr.arpa',
    zone_expiracy => '1w',
    zone_retry    => '15m',
    zone_refresh  => '5m',
  }
  bind::a { 'hosts from smurf':
    ensure    => present,
    zone      => 'sp.example.com',
    ptr       => true,
    zone_arpa => '0.168.192.in-addr.arpa',
    hash_data => ...
  }

Now the problem is that bind complains about the zone file being invalid:

/etc/named/pri/0.168.192.in-addr.arpa.conf:3590: no TTL specified; zone rejected

I can see the file seems to contain only records, no header. If I change the resource to ptr=>false the header is fine.

Missing path in Exec[reload bind9] in base.pp

Error: Failed to apply catalog: Parameter onlyif failed on Exec[reload bind9]: 'named-checkconf -jz /etc/bind/named.conf' is not qualified and no path was specified. Please qualify the command or specify a path.

This seems to solve the issue:

exec {'reload bind9':
  command     => 'service bind9 reload',
  onlyif      => 'named-checkconf -jz /etc/bind/named.conf',
  path        => ['/sbin', '/usr/sbin'],
  refreshonly => true,
}

Error: Could not find dependent Exec[concat_/etc/named/pri/example.com.conf]

Error: Could not find dependent Exec[concat_/etc/named/pri/example.com.conf] for File[/var/lib/puppet/concat/_etc_named_pri_example.com.conf/fragments/10_example.com.A.example.com] at /etc/puppet/modules/concat/manifests/fragment.pp:123

site.pp:

...
class bind {
    include bind::base
}

...
Exec {
    path => '/bin:/sbin:/usr/sbin:/usr/bin',
}

...

node "x" {
    ...
    include bind

    bind::key { 'key_dyn.example.com':
        ensure => present,
        secret => 'x'
    }

    bind::zone {'example.com':
        zone_contact => 'contact.example.com',
        zone_ns      => 'ns0.example.com',
        zone_serial  => '1',
        zone_ttl     => '300',
        zone_origin  => 'example.com',
        is_dynamic   => true,
        allow_update => ['key_dyn.example.com']
    }

    bind::a { 'example.com':
        ensure    => present,
        zone      => 'example.com',
        ptr       => false,
        hash_data => {
            'host1' => { owner => '192.168.0.1', },
            'host2' => { owner => '192.168.0.2', },
        },
    }
}

Puppet v3.6.2, CentOS 7

Could not find dependent Exec[reload bind9]

As a result of one of the latest patches (suspected 913daa1), this error now occurs when applying my puppet configuration.

It seems that the Exec[] is missing. I've hacked around this; however, should these not be notify => Service calls?

I'll attempt to create a patch.

module is not compatible with stdlib >= 4.6.0

The bind_check_hostname function uses the stdlib is_domain_name function for part of the validation. Since 4.6.0 (exactly since commit ee13438d2a71cea8a07202eee1eeaa29553b2131), this function tries to validate that the last part of the domain (the TLD) is alphabetic only (based on RFC 1123).

The issue is that the bind::record type allows declaring an RR without the full domain (which is good, of course). So you can have something like:

  bind::zone { 'myzone-internal':
    zone_contact => 'hostmaster',
    zone_ns      => ['ns0.myzone.internal'],
    zone_serial  => '2013122208',
    zone_ttl     => '600',
    zone_origin  => 'myzone.internal'
  }

  bind::a { 'My hosts':
    ensure    => present,
    zone      => 'myzone-internal',
    hash_data => {
      'host1.dc1' => { owner => '10.42.1.1' }
    }
  }

This will call bind_check_hostname('host1.dc1','a'), which will then call is_domain_name('host1.dc1'). This will fail as 'dc1' is not alphabetic.

I think the best solution, to be compatible with both old and new versions of stdlib, is to validate the whole RR, <rr_part>.<zone_origin>, i.e. host1.dc1.myzone.internal. The issue is that, right now, bind::record has no way to get the zone_origin, as the 'zone' parameter only takes the zone name. So there might be a few workarounds:

  • don't rely on stdlib if the RR is not complete (does not end with a dot)
  • find some way to get the zone_origin in bind::record
  • pin version of stdlib in dependencies (as a short-term fix)

Maxence
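The two bind_check_hostname issues above (underscore labels in DKIM/SRV owner names, and the stdlib 4.6.0 alphabetic-TLD rule breaking relative names such as host1.dc1) both come down to the same owner-name check. As an added example, not the module's function, this Ruby validator applies the fixes both reporters proposed: underscore-prefixed labels are accepted only for TXT and SRV records, and the TLD rule is applied only to a complete name, either one ending in a dot or a relative one qualified with a zone origin the caller is assumed to know.

```ruby
# Owner-name check for bind::record-style resources. Added illustration, not
# the module's bind_check_hostname function. Implements the two ideas from the
# issues above: skip the alphabetic-TLD rule (what stdlib is_domain_name does
# since 4.6.0) for relative names, and permit leading underscores only for
# TXT and SRV records.
LABEL          = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/
UNDERSCORE_LBL = /\A_[A-Za-z0-9](?:[A-Za-z0-9-]{0,60}[A-Za-z0-9])?\z/
UNDERSCORE_OK  = %w[TXT SRV].freeze

# record:      owner name as written in hash_data (relative or absolute)
# record_type: RR type, used to decide whether '_' labels are acceptable
# origin:      zone origin (assumed to be known to the caller); when given,
#              relative names are qualified with it before the TLD rule runs
def bind_owner_name_valid?(record, record_type, origin: nil)
  return true if record == '@'                   # apex, as the module already allows
  return false if record.nil? || record.empty?

  absolute = record.end_with?('.')
  name = record.chomp('.')
  if !absolute && origin
    name = "#{name}.#{origin.chomp('.')}"
    absolute = true
  end
  return false if name.length > 253

  labels = name.split('.', -1)
  return false if labels.empty? || labels.any?(&:empty?)   # '.', '..', leading '.'
  underscore_ok = UNDERSCORE_OK.include?(record_type.to_s.upcase)
  return false unless labels.all? { |l| l.match?(LABEL) || (underscore_ok && l.match?(UNDERSCORE_LBL)) }

  # RFC 1123-style rule: the top-level label is alphabetic. Only meaningful
  # for a complete name; a relative name such as 'host1.dc1' is left for the
  # zone origin to complete.
  return true unless absolute
  labels.last.match?(/\A[A-Za-z]+\z/)
end

if $PROGRAM_NAME == __FILE__
  [['host1.dc1', 'A'], ['host1.dc1.', 'A'], ['selector._domainkey', 'TXT'],
   ['selector._domainkey', 'A'], ['_ts3._udp.yourdomain.tld.', 'SRV']].each do |rec, type|
    puts "#{rec.ljust(28)} #{type.ljust(4)} #{bind_owner_name_valid?(rec, type)}"
  end
end
```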
