
Commit 093f296

Merge pull request #5 from cisagov/improvement/support-more-configuration-options
Support more configuration options
2 parents 122f3c2 + ba7962f commit 093f296

27 files changed

+434
-36
lines changed

.github/workflows/build.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -176,6 +176,8 @@ jobs:
176176
matrix:
177177
scenario:
178178
- default
179+
- disable_stub_resolver
180+
- specify_resolv_conf_target
179181
steps:
180182
- id: harden-runner
181183
name: Harden the runner
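Review bot: the two new matrix entries, `disable_stub_resolver` and `specify_resolv_conf_target`, have to match the `scenario.name` of a `molecule/<name>/molecule.yml`; `disable_stub_resolver` is defined later in this commit, but no `specify_resolv_conf_target` scenario file is visible here, so confirm it exists under exactly that name or the job will fail before any test runs. Since `.pre-commit-config.yaml` in this same commit drops `systemd_enabled` from its exclude list, check that nothing else (workflow or docs) still references that scenario.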

.pre-commit-config.yaml

Lines changed: 1 addition & 1 deletion
@@ -126,7 +126,7 @@ repos:
126126
hooks:
127127
- id: bandit
128128
# Bandit complains about the use of assert() in tests
129-
exclude: molecule/(default|systemd_enabled)/tests
129+
exclude: molecule/(default|disable_stub_resolver|specify_resolv_conf_target)/tests
130130
args:
131131
- --config=.bandit.yml
132132
- repo: https://github.com/psf/black-pre-commit-mirror
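Review bot: the `exclude` regex now has to be hand-edited every time a scenario is added or removed (this one change drops `systemd_enabled` and adds two names), and a scenario that is forgotten here will start failing Bandit on its `assert` statements. A scenario-agnostic pattern such as `exclude: molecule/[^/]+/tests` keeps the stated intent (skip assert() in Molecule tests) without that maintenance cost.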

README.md

Lines changed: 6 additions & 7 deletions
@@ -9,22 +9,21 @@ It performs the following actions:
99

1010
- Installs `systemd-resolved` and ensures that `resolvconf` is not
1111
installed.
12-
- Creates an `/etc/resolv.conf` symlink that results in the
13-
`systemd-resolved` stub DNS resolver being used by default for all
14-
system DNS lookups.
12+
- Creates an `/etc/resolv.conf` symlink.
13+
- Optionally disables the `systemd-resolved` stub DNS resolver that
14+
listens at `127.0.0.53`.
1515

1616
## Requirements ##
1717

1818
None.
1919

2020
## Role Variables ##
2121

22-
None.
23-
24-
<!--
2522
| Variable | Description | Default | Required |
2623
|----------|-------------|---------|----------|
27-
| optional_variable | Describe its purpose. | `default_value` | No |
24+
| systemd_resolved_dns_stub_listener | The value to use for the DNSStubListener value in the `systemd-resolved` configuration file. Must be `tcp`, `udp`, or a boolean value. See [here](https://man.archlinux.org/man/resolved.conf.5.en) for more information. | `true` | No |
25+
| systemd_resolved_resolv_conf_filename | The location of the target to which `/etc/resolv.conf` will be symlinked. Note that `dynamic_resolv_conf_target_dir` and `static_resolv_conf_target_dir` are role vars that are available for use when defining this variable. See [here](https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF) for more information. | `"{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf"` | No |
26+
<!--
2827
| required_variable | Describe its purpose. | n/a | Yes |
2928
-->
3029
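Review bot: the new `systemd_resolved_resolv_conf_filename` row names the helper vars but gives no guidance on which target to pick, while `defaults/main.yml` in this commit explains that `stub-resolv.conf` goes with the stub listener and `resolv.conf` with the DHCP-provided resolver. That pairing matters: setting `systemd_resolved_dns_stub_listener` to `false` while keeping the default target leaves `/etc/resolv.conf` pointing at a file whose only nameserver is the `127.0.0.53` listener the role just disabled. One sentence in the table tying the two variables together (and a pointer to the three targets listed in `defaults/main.yml`) would prevent that misconfiguration.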

defaults/main.yml

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
---
2+
# The value to use for the DNSStubListener value in the
3+
# systemd-resolved configuration file. Must be tcp, udp, or a boolean
4+
# value.
5+
#
6+
# See here for more information:
7+
# https://man.archlinux.org/man/resolved.conf.5.en
8+
systemd_resolved_dns_stub_listener: true
9+
10+
# The location of the file to which /etc/resolv.conf will be
11+
# symlinked. The symlink target should normally be one of the
12+
# following files provided by systemd-resolved:
13+
# 1. "{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf"
14+
# 2. "{{ dynamic_resolv_conf_target_dir }}/resolv.conf"
15+
# 3. "{{ static_resolv_conf_target_dir }}/resolv.conf"
16+
#
17+
# Note that the values of dynamic_resolv_conf_target_dir and
18+
# static_resolv_conf_target_dir come from the role vars.
19+
#
20+
# In most cases you will want to use option 1 when using the
21+
# systemd-resolved stub DNS resolver (127.0.0.53) and option 2 when
22+
# using the DNS resolver provided via DHCP. See here for more
23+
# information:
24+
# https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF
25+
systemd_resolved_resolv_conf_filename: "{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf"
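Review bot: the comment for `systemd_resolved_dns_stub_listener` says the value must be `tcp`, `udp`, or a boolean, but a YAML boolean passed through Jinja renders as `True`/`False`, so either the comment should state that the template normalises the value or the template that writes `resolved.conf` (not part of this diff) should lowercase it; today a reader cannot tell which spelling ends up in the file. It would also help to say in the second comment block that options 2 and 3 are the ones to choose when `systemd_resolved_dns_stub_listener` is `false`, since option 1 names only `127.0.0.53`.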

molecule/default/prepare.yml

Lines changed: 3 additions & 2 deletions
@@ -10,13 +10,14 @@
1010
- name: Unmount /etc/resolv.conf
1111
ansible.builtin.import_playbook: unmount.yml
1212

13-
# We require dig for one of our Molecule tests
13+
# We require dig and netstat for our Molecule tests
1414
- name: Install dig
1515
hosts: all
1616
become: true
1717
become_method: ansible.builtin.sudo
1818
tasks:
19-
- name: Install dig
19+
- name: Install some tools that are required for testing
2020
ansible.builtin.package:
2121
name:
2222
- dnsutils
23+
- net-tools
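Review bot: the play at line 14 is still named `Install dig` although the comment and the task below it were generalised to "dig and netstat" / "some tools"; rename the play to match. Separately, `netstat` from `net-tools` is deprecated on most distributions, and `ss` from `iproute2` is normally already present in these images, so the tests could use `ss -lntu` and drop the extra package.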
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
"""Module containing the tests for the default scenario."""
2+
3+
# Standard Python Libraries
4+
import os
5+
6+
# Third-Party Libraries
7+
import testinfra.utils.ansible_runner
8+
9+
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
10+
os.environ["MOLECULE_INVENTORY_FILE"]
11+
).get_hosts("all")
12+
13+
14+
def test_packages(host):
15+
"""Verify that the expected packages are installed/uninstalled."""
16+
assert host.package(
17+
"systemd-resolved"
18+
).is_installed, "The package systemd-resolved is not installed."
19+
assert not host.package(
20+
"resolvconf"
21+
).is_installed, "The package resolvconf is installed."
22+
23+
24+
def test_services(host):
25+
"""Verify that the expected services are present."""
26+
s = host.service("systemd-resolved")
27+
# TODO - This assertion currently fails because of
28+
# pytest-dev/pytest-testinfra#757. Once
29+
# pytest-dev/pytest-testinfra#754 has been merged and a new
30+
# release is created the following line can be uncommented.
31+
#
32+
# See #3 for more details.
33+
# assert s.exists, "systemd-resolved service does not exist."
34+
assert s.is_enabled, "systemd-resolved service is not enabled."
35+
assert s.is_running, "systemd-resolved service is not running."
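Review bot: the module docstring says these are the tests for the default scenario, but `test_packages` and `test_services` are exactly the checks that were removed from the scenario-specific file and apply to every scenario; if this module is meant to be shared (the way `INSTALL.rst` is symlinked in this commit), say so in the docstring. Minor: `s` in `test_services` would read better as `resolved_service`, and the `# See #3` reference should name the repository for readers who arrive via a symlinked copy.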

molecule/default/tests/test_default.py renamed to molecule/default/tests/test_default_specific.py

Lines changed: 1 addition & 25 deletions
@@ -13,16 +13,6 @@
1313
).get_hosts("all")
1414

1515

16-
def test_packages(host):
17-
"""Verify that the expected packages are installed/uninstalled."""
18-
assert host.package(
19-
"systemd-resolved"
20-
).is_installed, "The package systemd-resolved is not installed."
21-
assert not host.package(
22-
"resolvconf"
23-
).is_installed, "The package resolvconf is installed."
24-
25-
2616
def test_symlink(host):
2717
"""Verify that /etc/resolv.conf is the expected symlink."""
2818
f = host.file("/etc/resolv.conf")
@@ -41,20 +31,6 @@ def test_symlink(host):
4131
), f"/etc/resolv.conf is not a symlink to {symlink_target}."
4232

4333

44-
def test_services(host):
45-
"""Verify that the expected services are present."""
46-
s = host.service("systemd-resolved")
47-
# TODO - This assertion currently fails because of
48-
# pytest-dev/pytest-testinfra#757. Once
49-
# pytest-dev/pytest-testinfra#754 has been merged and a new
50-
# release is created the following line can be uncommented.
51-
#
52-
# See #3 for more details.
53-
# assert s.exists, "systemd-resolved service does not exist."
54-
assert s.is_enabled, "systemd-resolved service is not enabled."
55-
assert s.is_running, "systemd-resolved service is not running."
56-
57-
5834
@pytest.mark.parametrize(
5935
"dig_command",
6036
[
@@ -78,4 +54,4 @@ def test_dns_resolution(host, dig_command):
7854
assert (
7955
re.search(r"^;; SERVER: 127\.0\.0\.53#53", cmd.stdout, re.MULTILINE)
8056
is not None
81-
), f"Command dig {dig_command} did not return a results from 127.0.0.53."
57+
), f"Command dig {dig_command} did not return a result from 127.0.0.53."
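Review bot: the assertion still hard-codes `;; SERVER: 127\.0\.0\.53#53`, which is correct for the default scenario now that this file is scenario-specific, but the `disable_stub_resolver` scenario needs the inverse check (no answer from `127.0.0.53`, and no listener on `127.0.0.53:53`, which is presumably why `net-tools` was added in `prepare.yml`); that scenario's tests are not in this diff, so confirm they exist rather than reusing this file unchanged.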
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
../default/INSTALL.rst
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
---
2+
- name: Converge
3+
hosts: all
4+
tasks:
5+
- name: Include ansible-role-systemd-resolved
6+
ansible.builtin.include_role:
7+
name: ansible-role-systemd-resolved
8+
vars:
9+
systemd_resolved_dns_stub_listener: false
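Review bot: this converge sets `systemd_resolved_dns_stub_listener: false` but leaves `systemd_resolved_resolv_conf_filename` at its default of `{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf`, a file that lists `127.0.0.53` as its only nameserver; with the stub listener off, any lookup that goes through `/etc/resolv.conf` rather than the `nss-resolve` module will fail. Either add `systemd_resolved_resolv_conf_filename: "{{ dynamic_resolv_conf_target_dir }}/resolv.conf"` here, matching option 2 in `defaults/main.yml`, or make the scenario's tests assert explicitly that resolution still works after the change.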
Lines changed: 102 additions & 0 deletions
@@ -0,0 +1,102 @@
1+
---
2+
dependency:
3+
name: galaxy
4+
driver:
5+
name: docker
6+
platforms:
7+
- cgroupns_mode: host
8+
command: /lib/systemd/systemd
9+
image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest
10+
name: amazonlinux2023-systemd
11+
platform: amd64
12+
pre_build_image: true
13+
privileged: true
14+
volumes:
15+
- /sys/fs/cgroup:/sys/fs/cgroup:rw
16+
# These platforms do not provide systemd-resolved.
17+
# - cgroupns_mode: host
18+
# command: /lib/systemd/systemd
19+
# image: docker.io/geerlingguy/docker-debian10-ansible:latest
20+
# name: debian10-systemd
21+
# platform: amd64
22+
# pre_build_image: true
23+
# privileged: true
24+
# volumes:
25+
# - /sys/fs/cgroup:/sys/fs/cgroup:rw
26+
# - cgroupns_mode: host
27+
# command: /lib/systemd/systemd
28+
# image: docker.io/geerlingguy/docker-debian11-ansible:latest
29+
# name: debian11-systemd
30+
# platform: amd64
31+
# pre_build_image: true
32+
# privileged: true
33+
# volumes:
34+
# - /sys/fs/cgroup:/sys/fs/cgroup:rw
35+
- cgroupns_mode: host
36+
command: /lib/systemd/systemd
37+
image: docker.io/geerlingguy/docker-debian12-ansible:latest
38+
name: debian12-systemd
39+
platform: amd64
40+
pre_build_image: true
41+
privileged: true
42+
volumes:
43+
- /sys/fs/cgroup:/sys/fs/cgroup:rw
44+
- cgroupns_mode: host
45+
command: /lib/systemd/systemd
46+
image: docker.io/cisagov/docker-debian13-ansible:latest
47+
name: debian13-systemd
48+
platform: amd64
49+
pre_build_image: true
50+
privileged: true
51+
volumes:
52+
- /sys/fs/cgroup:/sys/fs/cgroup:rw
53+
- cgroupns_mode: host
54+
command: /lib/systemd/systemd
55+
image: docker.io/cisagov/docker-kali-ansible:latest
56+
name: kali-systemd
57+
platform: amd64
58+
pre_build_image: true
59+
privileged: true
60+
volumes:
61+
- /sys/fs/cgroup:/sys/fs/cgroup:rw
62+
- cgroupns_mode: host
63+
command: /lib/systemd/systemd
64+
image: docker.io/geerlingguy/docker-fedora38-ansible:latest
65+
name: fedora38-systemd
66+
platform: amd64
67+
pre_build_image: true
68+
privileged: true
69+
volumes:
70+
- /sys/fs/cgroup:/sys/fs/cgroup:rw
71+
- cgroupns_mode: host
72+
command: /lib/systemd/systemd
73+
image: docker.io/geerlingguy/docker-fedora39-ansible:latest
74+
name: fedora39-systemd
75+
platform: amd64
76+
pre_build_image: true
77+
privileged: true
78+
volumes:
79+
- /sys/fs/cgroup:/sys/fs/cgroup:rw
80+
# These platforms do not provide systemd-resolved.
81+
# - cgroupns_mode: host
82+
# command: /lib/systemd/systemd
83+
# image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
84+
# name: ubuntu-20-systemd
85+
# platform: amd64
86+
# pre_build_image: true
87+
# privileged: true
88+
# volumes:
89+
# - /sys/fs/cgroup:/sys/fs/cgroup:rw
90+
# - cgroupns_mode: host
91+
# command: /lib/systemd/systemd
92+
# image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest
93+
# name: ubuntu-22-systemd
94+
# platform: amd64
95+
# pre_build_image: true
96+
# privileged: true
97+
# volumes:
98+
# - /sys/fs/cgroup:/sys/fs/cgroup:rw
99+
scenario:
100+
name: disable_stub_resolver
101+
verifier:
102+
name: testinfra
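Review bot: the comment "These platforms do not provide systemd-resolved" before the Ubuntu 20.04/22.04 entries is not accurate: on those releases resolved ships inside the `systemd` package rather than as a separate `systemd-resolved` package, so it is the role's `host.package("systemd-resolved")` check (and the package-name assumption in the role) that rules them out, not the absence of the resolver. Rewording the comment to "no separate systemd-resolved package" would stop someone re-enabling them expecting it to work. Also, this platform list is duplicated verbatim from the default scenario; Molecule reads `molecule.yml` as Jinja, so a shared YAML fragment would keep the scenarios from drifting.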
