named
Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-named', '6.4.0'
named (BIND)
Table of Contents
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with named
- Usage - Configuration options and additional functionality
- Reference
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Acceptance Tests
Module Description
Installs, Configures and Manages a named service.
Options are available for caching and non-caching servers, and the choice between placing named in chroot or non_chroot with selinux enabled.
Caching
simp/named allows both the building of a non-caching named server via the named class or a caching server utilizing the named::caching class.
Chroot
This module will place named in a chroot at /var/named/chroot by default, but this can be overridden, with SELinux enforced, by setting the selinux_enforced variable to true in Hiera or at the global variable level in the Puppet Console.
Setup
Install simp/named to your modulepath. A SIMP rsync server must also be in place to use the named module.
What named affects
simp/named manages the bind packages, named services, named user/group, named.conf, and the named directory and contents.
Beginning with named
To setup the basic named server in chroot:
class {'named':
rsync_server => 'my.rsync.server',
}
Usage
I want to use an selinux based named server not in chroot
Add the following to your Hiera File:
---
selinux_enforced: true
OR
Add selinux_enforced = true to the PE Console at the node or global level.
I want to make a caching named server
class {'named::caching':
rsync_server => 'my.rsync.server',
}
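As an added example (not part of the module's README), the following profile class wires the main named class up for an SELinux-enforcing host: BIND runs outside the chroot jail, the SELinux boolean for zone transfers is enabled, and the configuration is pulled from the 'default' rsync space. The parameter names are the ones documented in the module reference; the profile class name and the rsync server hostname are assumptions.

```puppet
# Added example, not from simp/named. The class name and
# 'rsync.example.internal' are placeholders (assumptions).
class profile::dns::authoritative (
  String  $rsync_server  = 'rsync.example.internal',
  Integer $rsync_timeout = 2,
) {
  class { 'named':
    # Name of the space under "${rsync_base}/bind_dns" to pull from.
    # Change it if this node serves a different configuration.
    bind_dns_rsync                  => 'default',
    rsync_server                    => $rsync_server,
    rsync_timeout                   => $rsync_timeout,
    # Force named out of the chroot jail: the jail is not compatible
    # with SELinux enforcing, and this keeps the decision explicit
    # rather than relying on autodetection.
    chroot                          => false,
    # Only needed for dynamic DNS or zone transfers; keep it false
    # on servers that do neither.
    sebool_named_write_master_zones => true,
    # Let SIMP manage the firewall rules for the DNS service.
    firewall                        => true,
  }
}
```

The same values can be supplied through Hiera instead of a resource-like declaration (for example named::chroot: false and named::sebool_named_write_master_zones: true), in which case a plain include 'named' in the profile is enough.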
Reference
See REFERENCE.md for the full module reference.
Limitations
SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution.
Development
Please read our Contribution Guide.
If you find any issues, they can be submitted to our JIRA.
Acceptance tests
To run the system tests, you need Vagrant
installed.
You can then run the following to execute the acceptance tests:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_debug: show the commands being run on the STU and their output.
BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
named: Configures named for execution on a system taking selinux into account.
named::caching: Configures a caching nameserver.
named::caching::hints: Determines what to add to the /var/named/named.ca root hints file.
named::chroot: Configures named in a chroot jail for execution on a system.
named::install: Installs the appropriate packages for BIND based on the chroot status.
named::non_chroot: Configures named for execution on a system taking selinux into account.
named::service: A helper class that serves to control the named service and has been isolated to make the overall logic more understandable.
Defined types
named::caching::forwarders
: Adds forwarders entries to your caching nameserver configuration.
Classes
named
It pulls all config files from rsync.
You will need to ensure that rsync is serving out the appropriate space so that the configuration can be pulled.
The default SIMP configuration will do this for the 'default' space, but other spaces will need to be added as appropriate.
Examples
* Given 'default' configuration that you would like to serve
* Create a chroot pull from that domain on your DNS node
include 'named'
* Create the associated hieradata
---
named::bind_dns_rsync : 'default'
rsync::server : 'rsync.foo.bar'
* Ensure that the rsync space is being served out properly from the rsync
server (probably your puppet master)
include 'rsync::server'
# The word 'default' here is the equivalent of the
# named::bind_dns_rsync variable above.
rsync::server::section { "bind_dns_default_${environment}":
  auth_users  => ['bind_dns_default_rsync'],
  comment     => 'DNS "default" configuration',
  path        => "${rsync_base}/bind_dns/default",
  hosts_allow => '127.0.0.1', # This is correct if using stunnel
}
Parameters
The following parameters are available in the named
class.
chroot_path
Data type: Stdlib::Absolutepath
If set, enables the chroot jailed version of named. Simply set to an empty string ("") if you want named outside of a chroot jail with SELinux disabled.
This is the default if you do not have SELinux enabled. Chroot jails for named are not compatible with SELinux and will be disabled if SELinux is enforcing.
- Value in module data
chroot
Data type: Boolean
Toggle the use of chroot and override the autodetected setting to be compatible with SELinux.
- WARNING: If you have an SELinux enabled system, forcing the chroot may cause named to become non-functional.
Default value: !
bind_dns_rsync
Data type: String
The target under "${rsync_base}/bind_dns" from which to fetch all BIND DNS content.
Default value: 'default'
firewall
Data type: Boolean
Enable SIMP firewall management
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
rsync_server
Data type: String
The rsync server from which to pull the named configuration.
Default value: simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1' })
rsync_timeout
Data type: Stdlib::Compat::Integer
The timeout when connecting to the rsync server.
Default value: simplib::lookup('simp_options::rsync::timeout', { 'default_value' => '2' })
sebool_named_write_master_zones
Data type: Boolean
If you need to use dynamic DNS or zone transfers, and are using SELinux,
you will need to set this to true
Default value: false
named::caching
You will need to call named::caching::forwarders to make it useful.
There is also named::caching::root_hints which allows you to set the entire contents of the 'named.ca' hint file.
If you want something other than the defaults provided here, use the main named class.
Parameters
The following parameters are available in the named::caching
class.
chroot_path
Data type: Stdlib::Absolutepath
The path to the chroot location.
- Has no effect if SELinux is enforcing.
- Defaults to
named::chroot_path
per module Hiera data.
named::caching::hints
Determines what to add to the /var/named/named.ca root hints file.
Parameters
The following parameters are available in the named::caching::hints
class.
content
Data type: String
Can be set to arbitrary content of your choosing. This will be included verbatim in the named.ca file.
Default value: ''
use_defaults
Data type: Boolean
Set to true if you wish to use the default values for the root hints file. This is recommended if you are not running within an intranet.
Default value: false
named::chroot
It pulls all config files from rsync.
It is meant to be called from named directly.
Parameters
The following parameters are available in the named::chroot
class.
nchroot
Data type: Stdlib::Absolutepath
The Chroot jail for named. This should probably not be changed.
Default value: $::named::chroot_path
bind_dns_rsync
Data type: String
The target under the /var/simp/environments/{environment}/rsync/{os}/{maj_version}/bind_dns from which to fetch all BIND DNS content.
Default value: $::named::bind_dns_rsync
rsync_source
Data type: String
The source from which the module will pull its files on the rsync server
Default value: "binddns${::named::binddns_rsync}${::environment}${facts['os']['name']}${facts['os']['release']['major']}/named"
rsync_server
Data type: String
The rsync server from which to pull the named configuration.
Default value: $::named::rsync_server
rsync_timeout
Data type: Stdlib::Compat::Integer
The timeout when connecting to the rsync server.
Default value: $::named::rsync_timeout
named::install
Installs the appropriate packages for BIND based on the chroot status
Parameters
The following parameters are available in the named::install
class.
ensure
Data type: String
The package ensure setting for installed packages.
@see https://docs.puppet.com/puppet/latest/reference/type.html#package-attribute-ensure
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
chroot
Data type: Boolean
Whether or not to use a chroot jail
Default value: true
chroot_path
Data type: Stdlib::Absolutepath
The path to the chroot jail
Default value: $::named::chroot_path
named::non_chroot
It pulls all config files from rsync.
It is meant to be called from named directly.
Parameters
The following parameters are available in the named::non_chroot
class.
bind_dns_rsync
Data type: String
The target under /var/simp/environments/{environment}/rsync/{os}/{maj_version}/bind_dns from which to fetch all BIND DNS content.
Default value: $::named::bind_dns_rsync
rsync_source
Data type: String
The source from which the module will pull its files on the rsync server
Default value: "binddns${::named::binddns_rsync}${::environment}${facts['os']['name']}${facts['os']['release']['major']}/named"
rsync_server
Data type: String
The rsync server from which to pull the named configuration.
Default value: $::named::rsync_server
rsync_timeout
Data type: Stdlib::Compat::Integer
The timeout when connecting to the rsync server.
Default value: $::named::rsync_timeout
named::service
A helper class that serves to control the named service and has been isolated to make the overall logic more understandable.
Parameters
The following parameters are available in the named::service
class.
chroot
Data type: Boolean
Whether or not to run BIND in a chroot jail.
Default value: true
chroot_path
Data type: Stdlib::Absolutepath
@see named::chroot_path
Default value: $::named::chroot_path
Defined types
named::caching::forwarders
$name can be a whitespace delimited list of values to provide backward compatibility with the common::resolv format.
Examples
named::caching::forwarders { '1.2.3.4': ensure => 'present' }
named::caching::forwarders { '1.2.3.4 5.6.7.8 9.10.11.12':
ensure => 'present'
}
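As an added example (not from the module itself), this profile class builds a caching-only resolver from named::caching and the named::caching::forwarders defined type described above, declaring one resource per upstream resolver rather than the whitespace-delimited form. The forwarder addresses, the rsync server hostname and the profile class name are assumptions.

```puppet
# Added example, not from simp/named. The class name, the rsync server
# and the documentation-range forwarder addresses are placeholders.
class profile::dns::caching (
  String        $rsync_server = 'rsync.example.internal',
  Array[String] $forwarders   = ['192.0.2.53', '192.0.2.54'],
) {
  # The caching server is not useful until forwarders are added.
  class { 'named::caching':
    rsync_server => $rsync_server,
  }

  # One named::caching::forwarders resource per upstream address.
  # This is equivalent to the legacy single-resource form
  #   named::caching::forwarders { '192.0.2.53 192.0.2.54': ensure => 'present' }
  # kept for common::resolv compatibility, but it lets an individual
  # forwarder be set to 'absent' without touching the others.
  $forwarders.each |String $addr| {
    named::caching::forwarders { $addr:
      ensure => 'present',
    }
  }
}
```

Whether the stock root hints are written to named.ca is controlled by named::caching::hints; setting named::caching::hints::use_defaults: true in Hiera selects them, and named::caching::hints::content supplies custom hints for a resolver on an isolated intranet.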
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.4.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Fri Dec 18 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 6.3.1
- Removed EL6 support
- Tue Dec 10 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0-0
- Add EL8 support
- Tue Aug 13 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.1-0
- Allow users to force enabling/disabling of the chroot settings
- Allow users to easily set the 'named_write_master_zones' SELinux boolean in case they need to support dynamic DNS or zone transfers.
- Added REFERENCE.md
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.2.1-0
- Support puppetlabs/concat 6.x.
- Thu Jun 06 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.2.0-0
- Add v2 compliance_markup data
- Mon Apr 01 2019 Jim Anderson thesemicolons@protonmail.com - 6.1.2-0
- Moved code for setting chroot directory from manifests/params.pp into data in modules
- Fri Mar 29 2019 Jeanne Greulich jeanne,greulich@onyxpoint.com - 6.1.2-0
- Replaced all simpcat resources with puppetlabs concat resources.
- Added support for Puppet 6
- Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.2-0
- Use simplib::validate_net_list in lieu of deprecated Puppet 3 validate_net_list
- Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Fri Jan 11 2019 Adam Yohrling adam.yohrling@onyxpoint.com - 6.1.1-0
- Remove references to rsync::server::global
- Update version requirement for pupmod-simp-rsync
- Thu Nov 01 2018 Jeanne Greulich jeanne,greulich@onyxpoint.com - 6.1.0-0
- Static asset updates for puppet 5
- Update badges and contribution guide URL in README.md
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.0-0
- Changed $named::install::ensure from 'latest' to 'installed'
- It will also respect simp_options::package_ensure
- Wed Jul 11 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.1.0-0
- Support for Puppet5/OEL
- Resolved issue with chroot acceptance tests
- Fri Mar 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.0.3-0
- Provide override file for named-chroot.service instead of modifying the vendor-provided service file.
- Use simplib::assert_metadata() for OS validation
- Replace Puppet3 version of passgen() with simplib::passgen()
- Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.2-0
- Confine puppet version in metadata.json
- Fri Apr 07 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.1-0
- Chroot rsync files are now globbed so they are placed directly inside of the specified chroot.
- Mon Dec 19 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated global catalysts and strong typed the module
- Made chrooting logic less complicated
- ALL of the spec tests
- Thu Dec 01 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Updated to use the environment-aware rsync in SIMP 6
- Fri Nov 18 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Updated iptables dependency version
- Thu Oct 13 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the deconflicted 'simpcat'
- Tue Oct 11 2016 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 4.3.3-0
- This patch corrects the following shortcomings to ensure compatibility with Red Hat Enterprise Linux 7 and its clones:
- Ensures all required directories exist in the chroot
- Remove dependencies for the non-existent named-chroot-setup.service
- Use new-style daemon invocation, executing in the foreground and logging to stderr. See daemon(7).
- Since new-style daemons don't require a PID file, nor does the binary generate one in foreground mode, remove it from the service file.
- Wed Jul 06 2016 Nick Miller nick.miller@onyxpoint.com - 4.3.1-0
- Changed the Exec['restart-systemd'] to Exec['systemctl-daemon-reload'] to avoid a conflict with puppetlabs-postgresql
- Fri Apr 15 2016 Nick Markowski nmarkowski@keywcorp.com - 4.3.0-0
- Created work-around for https://bugzilla.redhat.com/show_bug.cgi?id=1278082
- Users can modify the chroot path in named-chroot.service
- Asserted service, chroot, and non-chroot as private classes
- Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.2.0-9
- Added compliance function support
- Thu Dec 03 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.0-8
- named::non_chroot will now intentionally fail (with an informative message) if included when selinux is not enforcing
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.2.0-7
- migration to simplib and simpcat (lib/ only)
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-6
- Changed puppet-server requirement to puppet
- Mon Sep 15 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-5
- Restricted the rsync of materials in /etc in non-chroot so that users can't accidentally destroy the permissions on /etc itself.
- Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-4
- Updated to provide the appropriate pointers to the new rsync layout.
- Wed Jul 02 2014 Kendall Moore kmoore@keywcorp.com - 4.2.0-3
- Updated caching nameserver to be SELinux compatible.
- Thu Jun 26 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-2
- Added additional compatibility with RHEL7 given the new named service for chroot is called 'named-chroot'.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.2.0-1
- Removed MD5 file checksums for FIPS compliance.
- Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-1
- Ensure that $named::auth_users is an Array.
- Wed Apr 16 2014 Nick Markowski nmarkowski@keywcorp.com - 4.2.0-0
- The caching-nameserver package has been rolled into bind; removing caching-nameserver removes the bind package. Caching-nameserver no longer ensured absent.
- Tue Apr 08 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0
- Made several adjustments to make the rsync space more clear.
- The chroot and non_chroot spaces now reference rsync/default (by default), but 'default' can be changed in case you want a DNS server with a whole different configuration.
- Mon Mar 03 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1
- Refactored manifests to pass all lint tests.
- Added rspec tests for test coverage.
- Wed Feb 12 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Converted all boolean strings to true booleans for Puppet 3 migration.
- Fri Oct 25 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-2
- Updated all 'source' File parameters to have 'modules' in their path for Puppet 3 compatibility.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com 4.0.0-1
- Updated all erb templates to properly scope variables.
- Thu May 02 2013 Trevor Vaughan tvaughan@onyxpoint.com 4.0.0-0
- Work done with Kendall Moore kmoore@keywcorp.com
- Modify the named module so that named does not install into a chroot jail if SELinux is enabled since these two states are incompatible (and unnecessary).
- Mon Feb 25 2013 Maintenance 2.0-6
- Added a call to $::rsync_timeout to the rsync call since it is now required.
- Wed Apr 11 2012 Maintenance 2.0.0-5
- Moved mit-tests to /usr/share/simp...
- Fixed an issue with the caching DNS server where requisite files were not being placed which was causing the DNS server to fail.
- Updated pp files to better meet Puppet's recommended style guide.
- Mon Mar 12 2012 Maintenance 2.0.0-4
- Updated tests for this module to work properly.
- Improved test stubs.
- Discovered that the DHCP caching nameserver was not putting the config file in the correct location. Fixed.
- Mon Jan 30 2012 Maintenance - 2.0.0-3
- Added test stubs.
- Mon Dec 19 2011 Maintenance - 2.0.0-2
- Updated the spec file to not require a separate file list.
- Updated the caching nameserver to work with the chrooted bind package since the caching-nameserver package is removed from RHEL6 and both work with the chrooted package.
- Fri Feb 11 2011 Maintenance - 2.0.0-1
- The named module now expects to have an associated rsync space that is password protected.
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Updated to use rsync native type
- Updated to use concat_build and concat_fragment types.
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Maintenance - 1-2
- Converting all spec files to check for directories prior to copy.
- Mon Oct 04 2010 Maintenance 1.0-1
- Addition of caching nameserver capability.
- Fri May 21 2010 Maintenance 1.0-0
- Code refactor and doc update.
Dependencies
- simp/iptables (>= 6.4.0 < 7.0.0)
- simp/rsync (>= 6.1.1 < 7.0.0)
- simp/simplib (>= 3.6.0 < 5.0.0)
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
pupmod-simp-named - A Puppet Module for managing the BIND Name Server -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.