
Add systemd-resolved support #5125

Closed

Conversation

@tiran tiran commented Sep 22, 2020

Fedora 33 switched to systemd-resolved

  • Add helpers to get forwarders from resolve1 D-BUS API
  • Configure NetworkManager to use systemd-resolved
  • Use new API for auto-forwarders
  • Configure systemd-resolved to use IPA's BIND server
  • Update DNS resolver configuration in ipa-server-upgrade

See: https://pagure.io/freeipa/issue/8275

@tiran tiran added WIP Work in progress - not ready yet for review ipa-4-8 Mark for backport to ipa 4.8 labels Sep 22, 2020
@tiran tiran force-pushed the issue8275_resolve1 branch 4 times, most recently from a7bf795 to 8f034c7 Compare September 22, 2020 14:38
@tiran tiran marked this pull request as ready for review September 22, 2020 14:39
@tiran tiran added needs review Pull Request is waiting for a review prioritized Pull Request has higher priority for PR-CI and removed WIP Work in progress - not ready yet for review labels Sep 22, 2020
tiran commented Sep 22, 2020

I have successfully tested the PR on our test infrastructure:

# resolvectl 
Global
       LLMNR setting: resolve             
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
Fallback DNS Servers: 1.1.1.1             
                      8.8.8.8             
                      1.0.0.1             
                      8.8.4.4             
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844

Link 2 (eth0)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes                      
       LLMNR setting: yes                      
MulticastDNS setting: no                       
  DNSOverTLS setting: no                       
      DNSSEC setting: no                       
    DNSSEC supported: no                       
         DNS Servers: 10.11.5.19               
                      10.5.30.45               
          DNS Domain: ~.                       
                      openstacklocal
# ipa-server-install -p Secret123 -a Secret123 -r IPA.EXAMPLE -n ipa.example --no-ntp --setup-dns --auto-forwarders -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.
Version 4.9.0.dev202009221449+git8f034c75d4

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

Excluded by options:
  * Configure the NTP client (chronyd)

Warning: skipping DNS resolution of host host-10-0-139-6.ipa.example
Checking DNS domain ipa.example., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       host-10-0-139-6.ipa.example
IP address(es): 10.0.139.6
Domain name:    ipa.example
Realm name:     IPA.EXAMPLE

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=IPA.EXAMPLE
Subject base: O=IPA.EXAMPLE
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.11.5.19, 10.5.30.45
Forward policy:   only
Reverse zone(s):  No reverse zone
...
The ipa-server-install command was successful
# resolvectl 
Global
       LLMNR setting: resolve             
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
  Current DNS Server: 127.0.0.1           
         DNS Servers: 127.0.0.1           
Fallback DNS Servers: 1.1.1.1             
                      8.8.8.8             
                      1.0.0.1             
                      8.8.4.4             
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844
          DNS Domain: ~.                  
                      ipa.example         

Link 2 (eth0)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes                      
       LLMNR setting: yes                      
MulticastDNS setting: no                       
  DNSOverTLS setting: no                       
      DNSSEC setting: no                       
    DNSSEC supported: no                       
  Current DNS Server: 10.11.5.19               
         DNS Servers: 10.11.5.19               
                      10.5.30.45               
          DNS Domain: ~.                       
                      openstacklocal

dig uses the systemd-resolved stub resolver and gives the correct answer:

# dig -t SRV _ldap._tcp.ipa.example

; <<>> DiG 9.11.22-RedHat-9.11.22-1.fc33 <<>> -t SRV _ldap._tcp.ipa.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62959
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_ldap._tcp.ipa.example.                IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.example. 86400   IN      SRV     0 100 389 host-10-0-139-6.ipa.example.

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Sep 22 11:02:28 EDT 2020
;; MSG SIZE  rcvd: 98

tiran commented Sep 22, 2020

# cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
...
nameserver 127.0.0.53
options edns0 trust-ad
search ipa.example openstacklocal

@abbra abbra added the re-run Trigger a new run of PR-CI label Sep 23, 2020
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Sep 23, 2020
detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.

get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.

get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dns.python.

get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.

Also fixes setup.py to include D-Bus for ipalib instead of ipapython.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>

zzz-ipa.conf now enables NetworkManager's systemd-resolved plugin when
systemd-resolved is detected.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>

Auto-forwarders and manual configuration now use the new API to get a
list of DNS servers. Manual installer refuses loopback, too.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>

IPA installer now instructs systemd-resolved to use IPA's BIND DNS
server as primary DNS server.

Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>

Create systemd-resolved drop-in and restart the service when the drop-in
config file is missing and /etc/resolv.conf points to stub resolver
config file.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
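As an added example that is not FreeIPA's own code: one way to realise the helpers the commit messages above describe. The D-Bus call itself is left out; the `DNS` property of `org.freedesktop.resolve1.Manager` is represented by constructed `(ifindex, family, address bytes)` tuples in the shape that property has, and the function names, constants and the symlink check against the stub config path are assumptions of this example.

```python
import ipaddress
import os
import socket

# Stub config that systemd-resolved(8) links to /etc/resolv.conf when it manages it.
STUB_RESOLV_CONF = "/run/systemd/resolve/stub-resolv.conf"
# Address-family numbers as carried in resolve1's DNS property (Linux AF_* values).
RESOLVE1_FAMILIES = {2: socket.AF_INET, 10: socket.AF_INET6}

def detect_resolve1_resolv_conf(resolv_conf="/etc/resolv.conf",
                                stub_conf=STUB_RESOLV_CONF):
    """True when resolv_conf is a symlink that resolves to the stub config."""
    try:
        dest = os.readlink(resolv_conf)
    except OSError:  # missing or a regular file: not managed by resolved
        return False
    dest = os.path.join(os.path.dirname(resolv_conf), dest)  # handle relative links
    return os.path.normpath(dest) == os.path.normpath(stub_conf)

def decode_resolve1_dns(entries):
    """Decode constructed resolve1 DNS entries (ifindex, family, raw bytes) to IPs."""
    servers = []
    for _ifindex, family, raw in entries:
        af = RESOLVE1_FAMILIES.get(family)
        if af is not None:  # unknown families are skipped, not guessed
            servers.append(socket.inet_ntop(af, bytes(raw)))
    return servers

def parse_resolv_conf(text):
    """Nameserver entries from resolv.conf text ('#' and ';' start comments)."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def get_nameservers(*sources):
    """Unique, non-loopback IPs from all sources, first-seen order. Loopback is
    dropped: 127.0.0.53 (resolved's stub) and 127.0.0.1 (IPA's BIND) are no forwarders."""
    result = []
    for addr in (a for source in sources for a in source):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # not an IP literal: ignore rather than forward to it
            continue
        if not ip.is_loopback and str(ip) not in result:
            result.append(str(ip))
    return result
```

Fed the stub-only resolv.conf quoted in the comment above, `get_nameservers(parse_resolv_conf(...))` is empty, which is exactly why the installer must fall back to the resolve1 D-Bus data to find real upstream forwarders.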
@abbra abbra added the re-run Trigger a new run of PR-CI label Sep 23, 2020
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Sep 23, 2020
@abbra abbra added ack Pull Request approved, can be merged and removed needs review Pull Request is waiting for a review labels Sep 23, 2020
abbra commented Sep 23, 2020

LGTM. Let's merge this part and see what needs to be done with DNSSEC.

@tiran tiran added the pushed Pull Request has already been pushed label Sep 23, 2020
tiran commented Sep 23, 2020

master:

  • 96edff0 Add helpers for resolve1 and nameservers
  • e64f27f Configure NetworkManager to use systemd-resolved
  • 528c519 Use new API for auto-forwarders
  • d12f1b4 Configure systemd-resolved to use IPA's BIND
  • 79b9982 Create systemd-resolved configuration on update
