Merge branch 'drybjed-bookworm-support'

debops · Jun 15, 2023 · 8494e74 · 8494e74
2 parents 536972e + 3eff9f0
commit 8494e74
Show file tree

Hide file tree

Showing 9 changed files with 132 additions and 6 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -141,6 +141,11 @@ General
   This should improve the initial deployment experience, since users don't need
   to create basic host templates by hand before registering hosts in Icinga.
 
+:ref:`debops.ipxe` role
+'''''''''''''''''''''''
+
+- The Debian Installer Menu can now install Debian GNU/Linux 12 (Bookworm).
+
 :ref:`debops.java` role
 '''''''''''''''''''''''
 

diff --git a/ansible/roles/auth/defaults/main.yml b/ansible/roles/auth/defaults/main.yml
@@ -19,7 +19,10 @@
 # .. envvar:: auth_packages [[[
 #
 # List of Debian/Ubuntu packages installed by debops.auth
-auth_packages: [ 'libpam-cracklib' ]
+auth_packages:
+  - '{{ "libpam-cracklib"
+        if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
+        else [] }}'
 
                                                                    # ]]]
 # Local user account configuration [[[
@@ -34,7 +37,9 @@ auth_pwhistory_remember: '5'
 # .. envvar:: auth_cracklib [[[
 #
 # Enable password checking via cracklib
-auth_cracklib: True
+auth_cracklib: '{{ True
+                   if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
+                   else False }}'
                                                                    # ]]]
                                                                    # ]]]
                                                                    # ]]]
diff --git a/ansible/roles/ipxe/defaults/main.yml b/ansible/roles/ipxe/defaults/main.yml
@@ -103,7 +103,7 @@ ipxe__debian_netboot_firmware_mirror: 'https://cdimage.debian.org/cdimage/unoffi
 #
 # Specify which Debian releases will be prepared for iPXE boot on a given host.
 # The releases need to be defined in the OS release map below.
-ipxe__debian_netboot_releases: [ 'stretch', 'buster', 'bullseye' ]
+ipxe__debian_netboot_releases: [ 'stretch', 'buster', 'bullseye', 'bookworm' ]
 
                                                                    # ]]]
 # .. envvar:: ipxe__debian_netboot_architectures [[[
@@ -176,6 +176,23 @@ ipxe__debian_netboot_default_release_map:
     firmware_version: '20230429'
     firmware_checksum: 'sha256:af07b888fb8d5153b3448fa84c3a25307a7de9ec643196031dde975d6d8d9bce'  # firmware.cpio.gz
 
+  - name: 'bookworm-amd64'
+    release: 'bookworm'
+    architecture: 'amd64'
+    netboot_version: '20230607'
+    netboot_checksum: 'sha256:b41d766e5389b4e35bac3a664da84822e0990439c9c4df933ddbaff6847a0009'  # netboot.tar.gz
+    firmware_version: '20230612'
+    firmware_checksum: 'sha256:96c1b464eca0487e12fbf48634a5bb13f3a666b10e5ee23b05d0246a36ab423b'  # firmware.cpio.gz
+
+  - name: 'bookworm-amd64-gtk'
+    release: 'bookworm'
+    architecture: 'amd64'
+    netboot_subdir: '/gtk'
+    netboot_version: '20230607'
+    netboot_checksum: 'sha256:31fde25b04c50bf88fe163dc1eae75e831a1f6818c1df9ecdf26966e2af1029d'  # netboot.tar.gz
+    firmware_version: '20230612'
+    firmware_checksum: 'sha256:96c1b464eca0487e12fbf48634a5bb13f3a666b10e5ee23b05d0246a36ab423b'  # firmware.cpio.gz
+
                                                                    # ]]]
 # .. envvar:: ipxe__debian_netboot_release_map [[[
 #
@@ -415,11 +432,12 @@ ipxe__default_scripts:
 
       menu Install Debian GNU/Linux / ${arch_a}
       item --gap Select suite:
-      item --key e bullseye ${space} Debian Stable (Bullseye) [e]
-      # Enable this when Debian Bookworm gets an installer
-      #item bookworm ${space} Debian Testing (Bookworm)
+      item --key e bookworm ${space} Debian Stable (Bookworm) [e]
+      # Enable this when Debian Trixie gets an installer
+      #item trixie ${space} Debian Testing (Trixie)
       item
       item --gap Select release:
+      item bookworm ${space} Debian GNU/Linux 12 (Bookworm)
       item bullseye ${space} Debian GNU/Linux 11 (bullseye)
       item buster ${space} Debian GNU/Linux 10 (buster)
       item stretch ${space} Debian GNU/Linux 9 (stretch)

diff --git a/ansible/roles/ipxe/meta/watch-firmware-bookworm b/ansible/roles/ipxe/meta/watch-firmware-bookworm
@@ -0,0 +1,10 @@
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: ipxe
+# Package: firmware-bookworm
+# Version: 20230612
+
+version=4
+https://cdimage.debian.org/cdimage/unofficial/non-free/firmware/bookworm (20.+)/
diff --git a/ansible/roles/ipxe/meta/watch-netboot-bookworm b/ansible/roles/ipxe/meta/watch-netboot-bookworm
@@ -0,0 +1,10 @@
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: ipxe
+# Package: netboot-bookworm
+# Version: 20230607
+
+version=4
+https://deb.debian.org/debian/dists/bookworm/main/installer-amd64 (20.+)/
diff --git a/ansible/roles/resolved/defaults/main.yml b/ansible/roles/resolved/defaults/main.yml
@@ -50,6 +50,15 @@ resolved__deploy_state: 'absent'
 # To not make any changes, set this variable to ``/etc/resolv.conf``.
 resolved__resolv_conf: '/run/systemd/resolve/stub-resolv.conf'
 
+                                                                   # ]]]
+# .. envvar:: resolved__fallback_conf [[[
+#
+# Name of the :command:`systemd-resolved` configuration file stored in the
+# :file:`/etc/systemd/resolved.conf.d/` directory which will contain nameserver
+# and search domain configuration saved from Ansible facts before the service
+# is installed. If the name is empty, the file will not be created by the role.
+resolved__fallback_conf: '00fallback-dns.conf'
+
                                                                    # ]]]
 # .. envvar:: resolved__dnssd_enabled [[[
 #

diff --git a/ansible/roles/resolved/tasks/main.yml b/ansible/roles/resolved/tasks/main.yml
@@ -27,6 +27,28 @@
                                        if (not resolved__register_resolvers.stdout | d())
                                        else "absent" }}'
 
+- name: Create systemd-resolved configuration directory for fallback
+  ansible.builtin.file:
+    path: '/etc/systemd/resolved.conf.d'
+    state: 'directory'
+    mode: '0755'
+  when:
+    - resolved__enabled | bool
+    - resolved__fallback_conf != ''
+    - resolved__resolv_conf != '/etc/resolv.conf'
+    - not (ansible_local.resolved.installed | d()) | bool
+
+- name: Save existing nameservers as fallback to ensure connectivity
+  ansible.builtin.template:
+    src: 'etc/systemd/resolved.conf.d/fallback-dns.conf.j2'
+    dest: '{{ "/etc/systemd/resolved.conf.d/" + resolved__fallback_conf }}'
+    mode: '0644'
+  when:
+    - resolved__enabled | bool
+    - resolved__fallback_conf != ''
+    - resolved__resolv_conf != '/etc/resolv.conf'
+    - not (ansible_local.resolved.installed | d()) | bool
+
 - name: Install required resolved packages
   ansible.builtin.package:
     name: '{{ resolved__base_packages + resolved__packages }}'

diff --git a/ansible/roles/resolved/templates/etc/systemd/resolved.conf.d/fallback-dns.conf.j2 b/ansible/roles/resolved/templates/etc/systemd/resolved.conf.d/fallback-dns.conf.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See resolved.conf(5) for details.
+
+# This file can be safely removed once nameserver configuration is defined in
+# systemd-resolved options.
+
+{% set fallback_dns = [] %}
+{% for element in ansible_facts['dns']['nameservers'] | d([]) %}
+{%   if element != '127.0.0.53' %}
+{%     set _ = fallback_dns.append(element) %}
+{%   endif %}
+{% endfor %}
+{% set domains = [] %}
+{% if ansible_facts['dns']['domain'] | d([]) %}
+{%   set _ = domains.append(ansible_facts['dns']['domain']) %}
+{% endif %}
+{% for element in ansible_facts['dns']['search'] | d([]) %}
+{%   set _ = domains.append(element) %}
+{% endfor %}
+[Resolve]
+{{ 'FallbackDNS={}'.format(fallback_dns | join(' ')) }}
+{{ 'Domains={}'.format(domains | join(' ')) }}
diff --git a/docs/ansible/roles/resolved/getting-started.rst b/docs/ansible/roles/resolved/getting-started.rst
@@ -20,6 +20,26 @@ before doing any modification on the system. If such package is detected, the
 role will skip further tasks to avoid messing up existing configuration.
 
 
+Fallback DNS configuration
+--------------------------
+
+Since Debian 12 (Bookworm), the :command:`systemd-resolved` service is provided
+via a separate package, which on installation automatically replaces the
+:file:`/etc/resolv.conf` file with a symlink. The default Debian installation
+still uses the ``ifupdown`` package to configure networking, which results in
+broken DNS resolution on :command:`systemd-resolved` installation because the
+service does not get the relevant nameserver information from ``ifupdown``
+scripts.
+
+To mitigate this, the :ref:`debops.resolved` role will get the current DNS
+configuration from Ansible facts and add it in the
+:file:`/etc/systemd/resolved.conf.d/00fallback-dns.conf` file as "Fallback DNS
+configuration" before installing the service itself. This should avoid issues
+with DNS before the actual configuration is defined. The file can be safely
+removed later, or its configuration will be overridden if specified in the
+subsequent configuration files.
+
+
 Management of the :file:`/etc/resolv.conf` config file
 ------------------------------------------------------