Задачи:
- взять стенд https://github.com/erlong15/vagrant-bind
- добавить еще один сервер client2
- завести в зоне dns.lab имена:
- web1 - смотрит на клиент1
- web2 смотрит на клиент2
- завести еще одну зону newdns.lab
- завести в ней запись www - смотрит на обоих клиентов
- настроить split-dns:
- клиент1 видит обе зоны, но в зоне dns.lab только web1
- клиент2 видит только dns.lab
- настроить все без выключения selinux
- Формат сдачи ДЗ - vagrant + ansible
- Клонируем ропозиторий:
git clone https://github.com/mmmex/vagrant-bind.git
- Переходим в папку с проектом:
cd vagrant-bind
- Выполняем запуск:
vagrant up
-
В процессе доставки конфигурации ansible на ns01 у меня возникла ошибка. Решение:
vagrant provision ns01; vagrant up
-
Будет поднято 3 ВМ:
Имя хоста | IP-адрес | Роль |
---|---|---|
ns01 | 192.168.50.10 | master, recursive |
ns02 | 192.168.50.11 | slave, recursive |
client | 192.168.50.15 | client |
client2 | 192.168.15.16 | client |
- Имеются 3 зоны на master:
Зона | Ресурсные записи (hostname TYPE ip) |
---|---|
ddns.lab | ns01 A 192.168.50.10; ns02 A 192.168.50.11 |
dns.lab | ns01 A 192.168.50.10; ns02 A 192.168.50.11; web1 A 192.168.50.15; web2 A 192.168.50.16 |
newdns.lab | ns01 A 192.168.50.10; ns02 A 192.168.50.11; www A 192.168.50.15; www A 192.168.50.16 |
- client доступны зоны dns.lab и newdns.lab, но в зоне dns.lab представлены записи согласно настроенной для него ресурсной таблицы:
/etc/named.conf:
key "client-key" {
algorithm hmac-sha256;
secret "BcXAlSSl+HJTWTy0wC24hrFOKdadVy70oyKwiEqYG68=";
};
acl client { !key client2-key; key client-key; 192.168.50.15; };
view "client" {
match-clients { client; };
// dns.lab zone
zone "dns.lab" {
type master;
file "/etc/named/named.dns.lab.client";
also-notify { 192.168.50.11 key client-key; };
};
// newdns.lab zone
zone "newdns.lab" {
type master;
file "/etc/named/named.newdns.lab";
also-notify { 192.168.50.11 key client-key; };
};
};
- client2 доступна только одна зона dns.lab:
/etc/named.conf:
key "client2-key" {
algorithm hmac-sha256;
secret "tCNiBFlaheUuHW6FOa3DJC42BWhdszDhVW8eWgwLlYg=";
};
acl client2 { !key client-key; key client2-key; 192.168.50.16; };
view "client2" {
match-clients { client2; };
// dns.lab zone
zone "dns.lab" {
type master;
file "/etc/named/named.dns.lab";
also-notify { 192.168.50.11 key client2-key; };
};
// dns.lab zone reverse
zone "50.168.192.in-addr.arpa" {
type master;
file "/etc/named/named.dns.lab.rev";
also-notify { 192.168.50.11 key client2-key; };
};
};
Проверяем client:
[vagrant@client ~]$ ping www.newdns.lab
PING www.newdns.lab (192.168.50.15) 56(84) bytes of data.
64 bytes from client (192.168.50.15): icmp_seq=1 ttl=64 time=0.114 ms
64 bytes from client (192.168.50.15): icmp_seq=2 ttl=64 time=0.035 ms
^C
--- www.newdns.lab ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.035/0.074/0.114/0.040 ms
[vagrant@client ~]$ ping web2.dns.lab
ping: web2.dns.lab: Name or service not known
[vagrant@client ~]$ ping web1.dns.lab
PING web1.dns.lab (192.168.50.15) 56(84) bytes of data.
64 bytes from client (192.168.50.15): icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from client (192.168.50.15): icmp_seq=2 ttl=64 time=0.032 ms
^C
--- web1.dns.lab ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.013/0.022/0.032/0.010 ms
Проверяем client2:
[vagrant@client2 ~]$ ping web1.dns.lab
PING web1.dns.lab (192.168.50.15) 56(84) bytes of data.
64 bytes from 192.168.50.15 (192.168.50.15): icmp_seq=1 ttl=64 time=1.54 ms
^C
--- web1.dns.lab ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.542/1.542/1.542/0.000 ms
[vagrant@client2 ~]$ ping web2.dns.lab
PING web2.dns.lab (192.168.50.16) 56(84) bytes of data.
64 bytes from client2 (192.168.50.16): icmp_seq=1 ttl=64 time=0.060 ms
^C
--- web2.dns.lab ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.060/0.060/0.060/0.000 ms
[vagrant@client2 ~]$ ping www.newdns.lab
ping: www.newdns.lab: Name or service not known
В логах сервиса named на ВМ ns02 такие ошибки:
Jan 28 02:49:24 ns02 named[616]: dumping master file: /etc/named/tmp-oLRkyApU1s: open: permission denied
Jan 28 02:52:15 ns02 named[616]: dumping master file: /etc/named/tmp-HVOwFAlo37: open: permission denied
Jan 28 02:53:32 ns02 named[616]: dumping master file: /etc/named/tmp-DFhO6OH9QM: open: permission denied
Jan 28 02:54:16 ns02 named[616]: dumping master file: /etc/named/tmp-e37cg54tOV: open: permission denied
Jan 28 03:00:54 ns02 named[616]: dumping master file: /etc/named/tmp-ntupCSfOgY: open: permission denied
Jan 28 03:06:12 ns02 named[616]: dumping master file: /etc/named/tmp-bemFwpTzfo: open: permission denied
Jan 28 03:07:02 ns02 named[616]: dumping master file: /etc/named/tmp-KxpQ8THmqO: open: permission denied
Jan 28 03:08:31 ns02 named[616]: dumping master file: /etc/named/tmp-RKl4x8Qq6o: open: permission denied
Смотрим логи audit:
[root@ns02 ~]# cat /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1674875346.953:1548): avc: denied { create } for pid=4391 comm="isc-worker0000" name="tmp-irKLEjHg3j" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1674875346.982:1549): avc: denied { create } for pid=4391 comm="isc-worker0000" name="tmp-odzDs5dMSs" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1674875346.993:1550): avc: denied { create } for pid=4391 comm="isc-worker0000" name="tmp-sgIBANOJgS" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1674875347.001:1551): avc: denied { create } for pid=4391 comm="isc-worker0000" name="tmp-Gw0flFBPwe" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1674875971.631:1619): avc: denied { create } for pid=4391 comm="isc-worker0000" name="tmp-Wz70QZndHT" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
[root@ns02 ~]# cat /var/log/audit/audit.log | audit2allow
#============= named_t ==============
#!!!! WARNING: 'etc_t' is a base type.
allow named_t etc_t:file create;
Проверяю файлы зон, которые должны приехать с master:
[root@ns02 ~]# ls -alZ /etc/named
drw-rwx---. root named system_u:object_r:etc_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
Посмотреть в каком каталоге должны лежать файлы зон с типом named_zone_t
:
[root@ns02 ~]# semanage fcontext -l | grep named_zone_t
/var/named(/.*)? all files system_u:object_r:named_zone_t:s0
/var/named/chroot/var/named(/.*)? all files system_u:object_r:named_zone_t:s0
Файлы зон должны находится в каталоге /var/named
, и ранее я уже разбирал данную проблему. Есть два пути, в прошлый раз я перемещал каталог с зонами в /var/named, в данном примере изменю тип контекста безопаности для каталога /etc/named.
В playbook ansible добавил 3 задачи для ns01 и ns02:
- name: Setsebool for named_zone_t
seboolean:
name: named_write_master_zones
state: yes
persistent: yes
- name: SElinux the crutch for /etc/named
sefcontext:
target: "/etc/named(/.*)?"
setype: named_zone_t
state: present
- name: Apply context
command: restorecon -R -v /etc/named
Те-же действия с командной строки:
[root@ns01 ~]# setsebool -P named_write_master_zones 1
[root@ns01 ~]# semanage fcontext -a -t named_zone_t "/etc/named(/.*)?"
[root@ns01 ~]# restorecon -R -v /etc/named
restorecon reset /etc/named context system_u:object_r:etc_t:s0->system_u:object_r:named_zone_t:s0
restorecon reset /etc/named/named.ddns.lab context system_u:object_r:etc_t:s0->system_u:object_r:named_zone_t:s0
restorecon reset /etc/named/named.dns.lab context system_u:object_r:etc_t:s0->system_u:object_r:named_zone_t:s0
restorecon reset /etc/named/named.dns.lab.client context system_u:object_r:etc_t:s0->system_u:object_r:named_zone_t:s0
restorecon reset /etc/named/named.dns.lab.rev context system_u:object_r:etc_t:s0->system_u:object_r:named_zone_t:s0
restorecon reset /etc/named/named.newdns.lab context system_u:object_r:etc_t:s0->system_u:object_r:named_zone_t:s0
В каталоге на ns02 должы приехать зоны с мастера:
[root@ns02 ~]# ls -alZ /etc/named
drw-rwx---. root named system_u:object_r:named_zone_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 named.ddns.lab
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 named.dns.lab
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 named.dns.lab.rev
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 named.newdns.lab
Также посмотрим в каталог /etc/named на ns01:
[root@ns01 ~]# ls -alZ /etc/named
drw-rwx---. root named system_u:object_r:named_zone_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
-rw-rw----. root named system_u:object_r:named_zone_t:s0 named.ddns.lab
-rw-rw----. root named system_u:object_r:named_zone_t:s0 named.dns.lab
-rw-rw----. root named system_u:object_r:named_zone_t:s0 named.dns.lab.client
-rw-rw----. root named system_u:object_r:named_zone_t:s0 named.dns.lab.rev
-rw-rw----. root named system_u:object_r:named_zone_t:s0 named.newdns.lab
После запуска стенда vagrant up
, на сервере ns01 в процессе работы скрипта ansible возникает ошибка:
TASK [Setsebool for named_zone_t] **********************************************
fatal: [ns01]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 127.0.0.1 closed.\r\n", "module_stdout": "/bin/sh: line 1: 5017 Убито /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1674916369.157325-230713544677949/AnsiballZ_seboolean.py\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 137}
PLAY RECAP *********************************************************************
ns01 : ok=13 changed=11 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
После повторного применения скрипта командой vagrant provision ns01
все проходит удачно. В чем причина понять сразу не получилось.
Мое окружение:
test@test-virtual-machine:~/Otus/dns/vagrant-bind$ vagrant -v
Vagrant 2.3.0
test@test-virtual-machine:~/Otus/dns/vagrant-bind$ ansible --version
ansible 2.9.6
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/test/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
test@test-virtual-machine:~/Otus/dns/vagrant-bind$ uname -a
Linux test-virtual-machine 5.15.0-58-generic #64~20.04.1-Ubuntu SMP Fri Jan 6 16:42:31 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux