Merge ~ahasenack/ubuntu/+source/bind9:lunar-bind9-dyndb-ldap-dep8 into ubuntu/+source/bind9:ubuntu/lunar-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Andreas Hasenack
Merged at revision: 7a48082ff650ac1377775df1628cbef8078308c7
Proposed branch: ~ahasenack/ubuntu/+source/bind9:lunar-bind9-dyndb-ldap-dep8
Merge into: ubuntu/+source/bind9:ubuntu/lunar-devel
Diff against target: 317 lines (+295/-0)
3 files modified
debian/changelog (+6/-0)
debian/tests/control (+9/-0)
debian/tests/dyndb-ldap (+280/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Lucas Kanashiro (community) Approve
Canonical Server Reporter Pending
Review via email: mp+450698@code.launchpad.net

Description of the change

Add a bind-dyndb-ldap DEP8 test to bind9, to prevent a bug like https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849 from happening again.

The relationship between src:bind9 and src:bind-dyndb-ldap is such that a simple no-change rebuild of src:bind9 requires a rebuild of src:bind-dyndb-ldap. This DEP8 test will not only check that both can be installed together, which tests the dependency can be satisfied, but also that the ldap plugin from src:bind-dyndb-ldap works. Details in https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/comments/10 and later comments.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-dyndb-ldap/+packages
DEP8: green locally, will trigger in the ppa once all builds are finished

The same test is being added to src:bind-dyndb-ldap.

Note the bug has a block-proposed tag for lunar (and jammy), so that it only gets released together with another SRU that is not DEP8-only.

I will send this to debian as well.

Lucas Kanashiro (lucaskanashiro) wrote :

LGTM, +1.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve
Andreas Hasenack (ahasenack) wrote :

This was released already.

Preview Diff

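diff --git a/debian/changelog b/debian/changelog
index 1762576..a6084e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+bind9 (1:9.18.12-1ubuntu1.2) lunar; urgency=medium
+
+ * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)
+
+ -- Andreas Hasenack <andreas@canonical.com> Mon, 04 Sep 2023 14:34:19 -0300
+
 bind9 (1:9.18.12-1ubuntu1.1) lunar-security; urgency=medium
 
 * SECURITY UPDATE: Configured cache size limit can be significantly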
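diff --git a/debian/tests/control b/debian/tests/control
index c004d95..deea1ac 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -13,3 +13,12 @@ Restrictions: isolation-container, needs-root
 Depends: bind9,
 bind9-dnsutils,
 bind9-utils
+
+Tests: dyndb-ldap
+Restrictions: isolation-container, needs-root
+Architecture: !i386
+Depends: bind9,
+ bind9-dyndb-ldap,
+ slapd,
+ ldap-utils,
+ dpkg-dev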
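Review bot: The new stanza's Depends does not list a package that ships the `host` binary the dyndb-ldap script calls four times at the end (the stanza above it pulls `bind9-dnsutils` for the same reason), so the test most likely passes only because the testbed image already carries bind9-host; add ` bind9-dnsutils,` to the list so the dependency is declared rather than accidental. The script also reconfigures slapd (deleting `/var/backups/*slapd*`) and appends a rule to `/etc/apparmor.d/local/usr.sbin.named` that its cleanup never reverts, which leaves the testbed modified for any test run after it in this control file; `breaks-testbed` in Restrictions is the declared way to request a revert. The `Architecture: !i386` exclusion carries no explanation; a `# ` comment line above it naming the reason would save the next maintainer a bug search.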
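diff --git a/debian/tests/dyndb-ldap b/debian/tests/dyndb-ldap
new file mode 100644
index 0000000..ac583bc
--- /dev/null
+++ b/debian/tests/dyndb-ldap
@@ -0,0 +1,280 @@
+#!/bin/bash
+
+set -e
+
+ldap_suffix="dc=example,dc=internal"
+mydomain="example.internal"
+myhostname="dep8"
+ldap_admin_dn="cn=admin,${ldap_suffix}"
+ldap_admin_pw="secret"
+ldap_bind9_dn="uid=bind9,${ldap_suffix}"
+ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn
+ldap_bind9_pw="secretagain"
+
+cleanup() {
+ result=$?
+ set +e
+ if [ ${result} -ne 0 ]; then
+ echo "## Something failed, gathering logs"
+ echo
+ echo "## /var/log/syslog:"
+ tail -n 200 /var/log/syslog
+ echo
+ echo "## slapd journal"
+ journalctl -u slapd
+ echo
+ echo "## bind journal"
+ journalctl -u bind
+ fi
+ sed -i '/include.*ldap_zone/d' /etc/bind/named.conf.local
+ rm -f /etc/bind/named.conf.ldap_zone
+}
+
+trap cleanup EXIT
+
+try_reload_apparmor_profile() {
+ local apparmor_profile="${1}"
+ local -i rc=0
+ local arch
+ local vendor
+
+ apparmor_parser -r -W -T "${apparmor_profile}" 2>&1 || rc=$?
+ if [ ${rc} -ne 0 ]; then
+ # This can fail on armhf in the Ubuntu DEP8 infrastructure
+ # because that environment restricts changing apparmor profiles.
+ # (See LP: #2008393)
+ arch=$(dpkg --print-architecture)
+ vendor=$(dpkg-vendor --query Vendor)
+ if [ "${arch}" = "armhf" ] && [ "${vendor}" = "Ubuntu" ]; then
+ echo "WARNING: failed to enforce apparmor profile."
+ echo "On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error."
+ echo "See #2008393 for details."
+ rc=0
+ else
+ echo "ERROR: failed to adjust the slapd apparmor profile for this test."
+ fi
+ fi
+ return ${rc}
+}
+
+adjust_apparmor_profile() {
+ local profile_name="usr.sbin.named"
+ local profile_path="/etc/apparmor.d/${profile_name}"
+
+ if [ -f "${profile_path}" ]; then
+ if aa-status --enabled 2>/dev/null; then
+ # Adjust apparmor so bind9 can connect to slapd's unix socket
+ echo " /run/slapd/ldapi rw," >> "/etc/apparmor.d/local/${profile_name}"
+ try_reload_apparmor_profile "${profile_path}"
+ fi
+ fi
+}
+
+check_slapd_ready() {
+ ldapwhoami -Q -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1
+}
+
+wait_service_ready() {
+ local service="${1}"
+ local check_function="${2}"
+ local -i tries=5
+ echo -n "Waiting for ${service} to be ready "
+ while [ ${tries} -ne 0 ]; do
+ echo -n "."
+ if "${check_function}"; then
+ echo
+ break
+ fi
+ tries=$((tries-1))
+ sleep 1s
+ done
+ if [ ${tries} -eq 0 ]; then
+ echo "ERROR: ${service} is not ready"
+ return 1
+ fi
+}
+
+setup_slapd() {
+ local domain="$1"
+ local password="$2"
+ # MUST use REAL TABS as delimiters below!
+ debconf-set-selections << EOF
+slapd slapd/domain string ${domain}
+slapd shared/organization string ${domain}
+slapd slapd/password1 password ${password}
+slapd slapd/password2 password ${password}
+EOF
+ rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
+ dpkg-reconfigure -fnoninteractive -pcritical slapd 2>&1
+ systemctl restart slapd # http://bugs.debian.org/1010678
+ wait_service_ready slapd check_slapd_ready
+}
+
+configure_slapd_logging() {
+ ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <<EOF
+dn: cn=config
+changetype: modify
+replace: olcLogLevel
+olcLogLevel: stats
+
+EOF
+}
+
+create_bind9_uid() {
+ ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" <<EOF
+dn: ${ldap_bind9_dn}
+${ldap_bind9_rdn}
+objectClass: simpleSecurityObject
+objectClass: account
+userPassword: {CRYPT}x
+
+EOF
+ # this sets the password
+ ldappasswd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" -s "${ldap_bind9_pw}" "${ldap_bind9_dn}"
+
+ # The plugin can change some attributes, like SOA records. For this test,
+ # it's simpler to just allow it to write to the whole dns tree.
+ ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" write by * none
+
+EOF
+}
+
+
+load_dyndb_schema() {
+ local schema_file="/usr/share/doc/bind9-dyndb-ldap/schema.ldif.gz"
+
+ # https://wiki.debian.org/LDAP/OpenLDAPSetup#DNS.2FBind9
+ zcat "${schema_file}" |
+ sed 's/^attributeTypes:/olcAttributeTypes:/;
+ s/^objectClasses:/olcObjectClasses:/;
+ 1,/1.3.6.1.4.1.2428.20.0.0/ {/1.3.6.1.4.1.2428.20.0.0/!s/^/#/};
+ 1idn: cn=dns,cn=schema,cn=config\nobjectClass: olcSchemaConfig' |
+ ldapadd -Q -Y EXTERNAL -H ldapi:///
+}
+
+load_syncprov() {
+ ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: syncprov
+
+EOF
+
+ ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
+dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
+changeType: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpCheckpoint: 100 10
+olcSpSessionLog: 100
+
+EOF
+}
+
+load_dns_data() {
+ ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" <<EOF
+dn: ou=dns,${ldap_suffix}
+objectClass: organizationalUnit
+objectClass: top
+ou: dns
+
+dn: idnsName=${mydomain},ou=dns,${ldap_suffix}
+objectClass: top
+objectClass: idnsZone
+objectClass: idnsRecord
+idnsName: ${mydomain}
+idnsZoneActive: TRUE
+idnsSOAmName: ${myhostname}.${mydomain}
+idnsSOArName: root.${myhostname}.${mydomain}
+idnsSOAserial: 1
+idnsSOArefresh: 10800
+idnsSOAretry: 900
+idnsSOAexpire: 604800
+idnsSOAminimum: 86400
+NSRecord: ${mydomain}.
+ARecord: 192.168.141.5
+
+dn: idnsName=${myhostname},idnsName=${mydomain},ou=dns,${ldap_suffix}
+objectClass: idnsRecord
+objectClass: top
+idnsName: ${myhostname}
+CNAMERecord: ${mydomain}.
+
+dn: idnsName=_ldap._tcp,idnsName=${mydomain},ou=dns,${ldap_suffix}
+objectClass: idnsRecord
+objectClass: top
+idnsName: _ldap._tcp
+SRVRecord: 0 100 389 ${myhostname}
+
+dn: idnsName=somehost,idnsName=${mydomain},ou=dns,${ldap_suffix}
+objectClass: idnsRecord
+objectClass: top
+ARecord: 192.168.141.6
+
+EOF
+}
+
+configure_dyndb() {
+ if ! grep -qE "ldap_zone" /etc/bind/named.conf.local; then
+ echo "include \"/etc/bind/named.conf.ldap_zone\";" >> /etc/bind/named.conf.local
+ fi
+ cat > /etc/bind/named.conf.ldap_zone <<EOF
+dyndb "ldap_zone" "/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/bind/ldap.so" {
+ uri "ldapi:///";
+ base "ou=dns,${ldap_suffix}";
+ auth_method "simple";
+ bind_dn "${ldap_bind9_dn}";
+ password "${ldap_bind9_pw}";
+};
+EOF
+ chmod 0640 /etc/bind/named.conf.ldap_zone
+ chgrp bind /etc/bind/named.conf.ldap_zone
+ echo "## Restarting bind9"
+ systemctl restart bind9.service
+}
+
+echo "## Adjust bind9's apparmor profile if needed"
+adjust_apparmor_profile
+
+echo "## Setting up slapd"
+setup_slapd "${mydomain}" "${ldap_admin_pw}"
+echo
+
+echo "## Configuring slapd logging"
+configure_slapd_logging
+echo
+
+echo "## Creating bind9 ldap uid"
+create_bind9_uid
+echo
+
+echo "## Loading bind9-dyndb-ldap schema"
+load_dyndb_schema
+echo
+
+echo "## Loading syncproc module"
+load_syncprov
+echo
+
+echo "## Loading DNS sample data"
+load_dns_data
+echo
+
+echo "## Configuring bind9 to use bind9-dyndb-ldap"
+configure_dyndb
+echo
+
+echo "## Checking DNS records"
+host "somehost.${mydomain}" 127.0.0.1
+echo
+host "${myhostname}.${mydomain}" 127.0.0.1
+echo
+host -t srv "_ldap._tcp.${mydomain}" 127.0.0.1
+echo
+host -t soa "${mydomain}" 127.0.0.1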
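Review bot: In configure_dyndb the LDAP bind password is written into /etc/bind/named.conf.ldap_zone by the `cat >` heredoc before the `chmod 0640` and `chgrp bind` that follow it, so the file first exists with the shell's umask-default mode (world-readable under the usual 022) with the secret already inside; create it with its final mode first, `install -m 0640 -o root -g bind /dev/null /etc/bind/named.conf.ldap_zone` ahead of the `cat >`, after which the write only truncates and the chmod/chgrp pair becomes redundant. The credentials are throwaway test values, but this is exactly the snippet people copy into real deployments. Separately, the script runs under `set -e` without `pipefail`, so the `zcat | sed | ldapadd` pipeline in load_dyndb_schema reports only ldapadd's status: a missing or unreadable schema.ldif.gz feeds ldapadd empty input and the step passes, with the real failure surfacing later as an unrelated bind error, which `set -eo pipefail` at the top would prevent. The admin and bind9 passwords are also passed on the command line via `-w` and `-s` and are therefore visible in `ps` to any user on the testbed; `-y`/`-T` with a temporary file avoid that if the script is ever reused outside a disposable container. There is no readiness check on bind after `systemctl restart bind9.service` comparable to wait_service_ready for slapd, so the first `host` query may race the plugin's zone load and fail spuriously; wrapping the final checks in the same retry helper would make the test less flaky, though I cannot see from here how quickly the plugin publishes its zones.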
