DNS improvements #407
Closed
DNS improvements #407
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
TODO: Create variable/task |
|
Thanks again! |
|
I'm not sure if the name of this variable ( |
|
need some conflicts resolved |
In this case, it wouldn't be just you who would be allowed to resolve:
|
|
Sure, otherwise you could rebase it |
- Changed format of variables `dns` and `fallback_dns` from string to list - Ensure that changes to `/etc/systemd/resolved.conf` only occur if `resolved` is enabled - Ensure that changes to `/etc/resolv.conf` only occur if `resolved` or `Network-Manager` is disabled or `Network-Manager` is properly configured with the `dns=none` parameter
cleberb
force-pushed
the
dns_improvements
branch
from
6d32337 to
e6e5858
Compare
|
Things are not working correctly with the below diff, but it works better. diff --git a/README.md b/README.md
index e6f45c1..1f928b7 100644
--- a/README.md
+++ b/README.md
@@ -213,16 +213,23 @@ dnssec: allow-downgrade
fallback_dns:
- 9.9.9.9
- 1.0.0.1
-network_manager_dns_none: true
+network_manager_dns: false
IPv4 and IPv6 addresses to use as system and fallback DNS servers.
-If `dnssec` is set to "allow-downgrade" DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled.
+If `dnssec` is set to "allow-downgrade" DNSSEC validation is attempted, but if
+the server does not support DNSSEC properly, DNSSEC mode is automatically
+disabled.
-If `dns_over_tls` is `true`, all connections to the server will be encrypted if the DNS server supports DNS-over-TLS and has a valid certificate.
+If `dns_over_tls` is `true`, all connections to the server will be encrypted if
+the DNS server supports DNS-over-TLS and has a valid certificate.
-If `network_manager_dns_none` is `true`, the Network-Manager will be prevented from modifying the `/etc/resolv.conf` file, ensuring a fixed DNS configuration, even using a DHCP client. This configuration will only be applied if there are addresses defined in the `dns` variable. This option will be more relevant for systems in the "RedHat" family, which do not enable `resolved` by default.
+If `network_manager_dns` is `false`, the Network-Manager will be prevented from
+modifying the `/etc/resolv.conf` file, ensuring a fixed DNS configuration, even
+when using a DHCP client. This configuration will only be applied if there are
+addresses defined in the `dns` variable. This option will be more relevant for
+systems in the "RedHat" family, which do not enable `resolved` by default.
[systemd](https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdresolvedconf)
option.
diff --git a/defaults/main/dns.yml b/defaults/main/dns.yml
index 5c1b64e..96e763a 100644
--- a/defaults/main/dns.yml
+++ b/defaults/main/dns.yml
@@ -7,4 +7,4 @@ dnssec: allow-downgrade
fallback_dns:
- 9.9.9.9
- 1.0.0.1
-network_manager_dns_none: true
+network_manager_dns: false
diff --git a/handlers/main.yml b/handlers/main.yml
index f0444bf..1ab531f 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -169,7 +169,8 @@
register: update_grub2
changed_when: update_grub2.rc == 0
-- name: Restart Network-Manager
+- name: Restart NetworkManager
+ become: true
ansible.builtin.systemd:
name: NetworkManager
state: restarted
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 0fb7d9f..6cd786d 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -45,6 +45,7 @@ provisioner:
block_blacklisted: true
disable_wireless: true
install_aide: false
+ network_manager_dns: true
sshd_admin_net:
- 0.0.0.0/0
sshd_allow_groups:
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 7c64e40..156d6f0 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -665,6 +665,11 @@
loop_control:
label: "{{ item.path }}"
+ - name: Stat systemd resolved.conf
+ ansible.builtin.stat:
+ path: /etc/systemd/resolved.conf
+ register: resolved_conf
+
- name: Verify systemd resolved.conf
become: true
ansible.builtin.shell: grep "^{{ item }}$" /etc/systemd/resolved.conf
@@ -676,7 +681,7 @@
- FallbackDNS={{ fallback_dns | join(' ') }}
- DNSSEC={{ dnssec }}
- DNSOverTLS={{ dns_over_tls }}
- when: ansible_os_family != "RedHat"
+ when: resolved_conf.stat.exists
- name: Verify resolv.conf
become: true
@@ -685,8 +690,6 @@
failed_when: resolv_conf.rc != 0
changed_when: resolv_conf.rc != 0
loop: "{{ ['nameserver '] | product(dns) | map('join') | list }}"
- when:
- - ansible_os_family == "RedHat"
- name: Verify systemd timesyncd.conf
become: true
diff --git a/tasks/dns.yml b/tasks/dns.yml
index 4af2598..479e718 100644
--- a/tasks/dns.yml
+++ b/tasks/dns.yml
@@ -1,5 +1,4 @@
---
-
- name: Populate service facts
become: true
ansible.builtin.service_facts:
@@ -31,9 +30,6 @@
when:
- dns is defined and dns | length > 0
- '"systemd-resolved.service" in services'
- - services["systemd-resolved.service"]["status"] == "enabled"
- - resolv_conf.stat.islnk is defined and resolv_conf.stat.islnk | bool
- - resolv_conf.stat.lnk_source is defined and resolv_conf.stat.lnk_source == "/run/systemd/resolve/stub-resolv.conf"
tags:
- dns
- resolved
@@ -49,7 +45,8 @@
- dns
- networkmanager
-- name: Ensure Network-Manager not modify /etc/resolv.conf
+- name: Ensure Network-Manager do not modify /etc/resolv.conf
+ become: true
community.general.ini_file:
path: /etc/NetworkManager/NetworkManager.conf
section: main
@@ -58,11 +55,11 @@
no_extra_spaces: true
create: false
notify:
- - "Restart Network-Manager"
+ - "Restart NetworkManager"
when:
- dns is defined and dns | length > 0
- networkmanager_conf.stat.exists is defined and networkmanager_conf.stat.exists | bool
- - network_manager_dns_none is defined and network_manager_dns_none | bool
+ - not network_manager_dns | bool
tags:
- dns
- networkmanager
@@ -83,6 +80,7 @@
register: networkmanager_conf_content
when:
- '"NetworkManager.service" in services and services["NetworkManager.service"]["status"] not in ("disabled", "unknown")'
+ - networkmanager_conf.stat.exists
- name: Read /etc/resolv.conf
become: true |
|
I believe this change has to be redone, the initial objective of the task is to activate systemd resolved. The change I made, which was complex, aimed to define fixed DNS, through systemd or network-manager. As soon as possible I will simplify the changes. |
|
Perhaps just start switching the variables to lists, similar to your previous PR? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
dnsandfallback_dnsfrom string to list/etc/systemd/resolved.confonly occur ifresolvedis enabled/etc/resolv.confonly occur ifresolvedorNetwork-Manageris disabled orNetwork-Manageris properly configured with thedns=noneparameter