diff --git a/cookbooks/consul/attributes.rb b/cookbooks/consul/attributes.rb index 26c1599..239adad 100644 --- a/cookbooks/consul/attributes.rb +++ b/cookbooks/consul/attributes.rb @@ -13,7 +13,7 @@ else end ipaddr = run_command(cmd).stdout.chomp -cmd = 'grep nameserver /run/systemd/resolve/resolv.conf | grep -v 8.8.8.8 | grep -v 127.0.0.1 | perl -pe "s/nameserver //g" | perl -pe "s/\n/ /g"' +cmd = 'grep nameserver /run/systemd/resolve/resolv.conf | grep -v 8.8.8.8 | grep -v 127.0.0.1 | perl -pe "s/nameserver //g" | sort | uniq | perl -pe "s/\n/ /g"' dns = run_command(cmd).stdout.chomp node.reverse_merge!({ diff --git a/cookbooks/consul/dnsmasq.rb b/cookbooks/consul/dnsmasq.rb index 3e08fb1..d9f9e20 100644 --- a/cookbooks/consul/dnsmasq.rb +++ b/cookbooks/consul/dnsmasq.rb @@ -7,7 +7,27 @@ package 'dnsmasq' end case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp -when "20.04", "22.04" +when "22.04" + template '/etc/systemd/resolved.conf' do + owner 'root' + group 'root' + mode '644' + + source 'templates/etc/systemd/resolved.conf.2022.erb' + variables(dns: node['consul']['dns']) + + notifies :restart, 'service[systemd-resolved]', :immediately + end + + remote_file '/etc/dnsmasq.conf' do + owner 'root' + group 'root' + mode '644' + + notifies :restart, 'service[dnsmasq]', :immediately + end + +when "20.04" template '/etc/systemd/resolved.conf' do owner 'root' group 'root' diff --git a/cookbooks/consul/files/etc/dnsmasq.conf b/cookbooks/consul/files/etc/dnsmasq.conf index b1e342a..ee53ded 100644 --- a/cookbooks/consul/files/etc/dnsmasq.conf +++ b/cookbooks/consul/files/etc/dnsmasq.conf @@ -63,7 +63,6 @@ strict-order # Add other name servers here, with domain specs if they are for # non-public domains. -#server=/localnet/192.168.0.1 server=/consul/127.0.0.1#8600 # Example of routing PTR queries to nameservers: this will send all 
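Review bot: The `sort | uniq` inserted into `cmd` reorders the nameservers lexically, so the order the host's resolver listed them in (first entry preferred) is lost before the value reaches `node['consul']['dns']`; deduplicating while keeping order, e.g. replacing `sort | uniq` with `awk \'!seen[$0]++\'` (escaped inside the single-quoted Ruby string the same way dnsmasq.rb escapes its awk quotes), avoids that. The `grep -v 8.8.8.8` and `grep -v 127.0.0.1` filters are unanchored regexes in which `.` matches any character, so any address that merely contains one of those strings (such as `18.8.8.8`) is dropped too; `grep -vwF -e 8.8.8.8 -e 127.0.0.1` excludes only the literal addresses as whole words. The trailing `perl -pe "s/\n/ /g"` also turns the final newline into a trailing space that the `.chomp` on the next line does not strip, which looks harmless where the value is interpolated but deserves a one-line comment.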
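Review bot: The new `when "22.04"` branch sets `source 'templates/etc/systemd/resolved.conf.2022.erb'`, but the template this commit adds is `templates/etc/systemd/resolved.conf.2204.erb`; unless a `resolved.conf.2022.erb` already exists in the cookbook, the template resource will not find its source on 22.04 hosts, and the line should read `source 'templates/etc/systemd/resolved.conf.2204.erb'`. The `remote_file '/etc/dnsmasq.conf'` block in the same branch has no `source`, which presumably relies on the default lookup of `files/etc/dnsmasq.conf`; a short comment saying so would help. The 22.04 body otherwise appears to duplicate the `"20.04"` branch, whose template block begins in the hunk and continues past its end; if the only difference is the template filename, a single `when "20.04", "22.04"` branch that picks the filename by version would avoid keeping two copies in sync.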
@@ -91,7 +90,7 @@ server=/consul/127.0.0.1#8600 # server=10.1.2.3@eth1 # and this sets the source (ie local) address used to talk to -# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that # IP on the machine, obviously). # server=10.1.2.3@192.168.1.1#55 @@ -190,7 +189,7 @@ server=/consul/127.0.0.1#8600 # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack # hosts. Use the DHCPv4 lease to derive the name, network segment and # MAC address and assume that the host will also have an -# IPv6 address calculated using the SLAAC alogrithm. +# IPv6 address calculated using the SLAAC algorithm. #dhcp-range=1234::, ra-names # Do Router Advertisements, BUT NOT DHCP for this subnet. @@ -211,7 +210,7 @@ server=/consul/127.0.0.1#8600 #dhcp-range=1234::, ra-stateless, ra-names # Do router advertisements for all subnets where we're doing DHCPv6 -# Unless overriden by ra-stateless, ra-names, et al, the router +# Unless overridden by ra-stateless, ra-names, et al, the router # advertisements will have the M and O bits set, so that the clients # get addresses and configuration from DHCPv6, and the A bit reset, so the # clients don't use SLAAC addresses. @@ -252,7 +251,7 @@ server=/consul/127.0.0.1#8600 # the IP address 192.168.0.60 #dhcp-host=id:01:02:02:04,192.168.0.60 -# Always give the Infiniband interface with hardware address +# Always give the InfiniBand interface with hardware address # 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the # ip address 192.168.0.61. The client id is derived from the prefix # ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of 
@@ -289,7 +288,7 @@ server=/consul/127.0.0.1#8600 # Give a fixed IPv6 address and name to client with # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 # Note the MAC addresses CANNOT be used to identify DHCPv6 clients. -# Note also the they [] around the IPv6 address are obilgatory. +# Note also that the [] around the IPv6 address are obligatory. #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] # Ignore any clients which are not specified in dhcp-host lines @@ -355,11 +354,11 @@ server=/consul/127.0.0.1#8600 # Set option 58 client renewal time (T1). Defaults to half of the # lease time if not specified. (RFC2132) -#dhcp-option=option:T1:1m +#dhcp-option=option:T1,1m # Set option 59 rebinding time (T2). Defaults to 7/8 of the # lease time if not specified. (RFC2132) -#dhcp-option=option:T2:2m +#dhcp-option=option:T2,2m # Set the NTP time server address to be the same machine as # is running dnsmasq 
@@ -437,22 +436,22 @@ server=/consul/127.0.0.1#8600 #dhcp-option-force=211,30i # Set the boot filename for netboot/PXE. You will only need -# this is you want to boot machines over the network and you will need -# a TFTP server; either dnsmasq's built in TFTP server or an +# this if you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built-in TFTP server or an # external one. (See below for how to enable the TFTP server.) #dhcp-boot=pxelinux.0 # The same as above, but use custom tftp-server instead machine running dnsmasq #dhcp-boot=pxelinux,server.name,192.168.1.100 -# Boot for Etherboot gPXE. The idea is to send two different -# filenames, the first loads gPXE, and the second tells gPXE what to -# load. The dhcp-match sets the gpxe tag for requests from gPXE. -#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. -#dhcp-boot=tag:!gpxe,undionly.kpxe -#dhcp-boot=mybootimage +# Boot for iPXE. The idea is to send two different +# filenames, the first loads iPXE, and the second tells iPXE what to +# load. The dhcp-match sets the ipxe tag for requests from iPXE. +#dhcp-boot=undionly.kpxe +#dhcp-match=set:ipxe,175 # iPXE sends a 175 option. +#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php -# Encapsulated options for Etherboot gPXE. All the options are +# Encapsulated options for iPXE. All the options are # encapsulated within option 175 #dhcp-option=encap:175, 1, 5b # priority code #dhcp-option=encap:175, 176, 1b # no-proxydhcp @@ -526,7 +525,7 @@ server=/consul/127.0.0.1#8600 # (using /etc/hosts) then that name can be specified as the # tftp_servername (the third option to dhcp-boot) and in that # case dnsmasq resolves this name and returns the resultant IP -# addresses in round robin fasion. This facility can be used to +# addresses in round robin fashion. This facility can be used to # load balance the tftp load among a set of servers. #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name 
@@ -548,6 +547,14 @@ server=/consul/127.0.0.1#8600 # http://www.isc.org/files/auth.html #dhcp-authoritative +# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039. +# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit +# option with a DHCPACK including a Rapid Commit option and fully committed address +# and configuration information. This must only be enabled if either the server is +# the only server for the subnet, or multiple servers are present and they each +# commit a binding for all clients. +#dhcp-rapid-commit + # Run an executable when a DHCP lease is created or destroyed. # The arguments sent to the script are "add" or "del", # then the MAC address, the IP address and finally the hostname @@ -665,3 +672,8 @@ server=/consul/127.0.0.1#8600 # Include all files in a directory which end in .conf #conf-dir=/etc/dnsmasq.d/,*.conf + +# If a DHCP client claims that its name is "wpad", ignore that. +# This fixes a security hole. see CERT Vulnerability VU#598349 +#dhcp-name-match=set:wpad-ignore,wpad +#dhcp-ignore-names=tag:wpad-ignore diff --git a/cookbooks/consul/templates/etc/systemd/resolved.conf.2204.erb b/cookbooks/consul/templates/etc/systemd/resolved.conf.2204.erb new file mode 100644 index 0000000..7679a22 --- /dev/null +++ b/cookbooks/consul/templates/etc/systemd/resolved.conf.2204.erb 
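Review bot: The new `#dhcp-name-match=set:wpad-ignore,wpad` and `#dhcp-ignore-names=tag:wpad-ignore` lines at the end of the file are commented out, so the mitigation the comment above them describes (CERT VU#598349) is not active. Every `dhcp-range` visible in this diff is commented as well, which suggests this dnsmasq instance does not serve DHCP and the lines are inert either way; if DHCP is ever enabled here, both lines should be uncommented at the same time. A comment next to them such as `# DHCP is not enabled in this config; uncomment both lines if it ever is` would record that decision.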
@@ -0,0 +1,34 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation; either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the resolved.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
+# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
+# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+DNS=127.0.0.1 <%= @dns %> 8.8.8.8
+#FallbackDNS=
+#Domains=
+#DNSSEC=no
+#DNSOverTLS=no
+#MulticastDNS=no
+#LLMNR=no
+#Cache=no-negative
+#CacheFromLocalhost=no
+DNSStubListener=no
+#DNSStubListenerExtra=
+#ReadEtcHosts=yes
+#ResolveUnicastSingleLabel=no
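Review bot: `DNS=127.0.0.1 <%= @dns %> 8.8.8.8` lists the local dnsmasq first and the host's upstream resolvers after it, but as far as I understand systemd-resolved's server selection the `DNS=` entries are equivalent servers and resolved moves to the next one when the current one stops answering, so after a transient failure of dnsmasq, lookups (including `.consul` names that only dnsmasq can answer) may keep going to the upstream servers until resolved switches back; a comment on that line stating that this fallback is accepted would make the intent explicit. `DNSStubListener=no` is presumably there so dnsmasq can bind port 53 on 127.0.0.1; a comment such as `# disabled so dnsmasq can listen on 127.0.0.1:53 (see dnsmasq.rb)` would help the next reader. The file also keeps the upstream header that recommends drop-ins over editing this file; a `resolved.conf.d/consul.conf` containing only `[Resolve]`, the `DNS=` line and `DNSStubListener=no` would achieve the same result without replacing the distribution file and would survive package upgrades.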