Merge pull request #1 from cisagov/first-commits

First commits for an Ansible role to install and configure `systemd-resolved`

Author: jsf9k

.github/dependabot.yml

@@ -19,17 +19,17 @@ updates:
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
       - dependency-name: step-security/harden-runner
-      # # Managed by cisagov/skeleton-ansible-role
-      # - dependency-name: github/codeql-action
+      # Managed by cisagov/skeleton-ansible-role
+      - dependency-name: github/codeql-action
     package-ecosystem: github-actions
     schedule:
       interval: weekly
 
   - directory: /
-    # ignore:
-    #   # Managed by cisagov/skeleton-ansible-role
-    #   - dependency-name: ansible
-    #   - dependency-name: ansible-core
+    ignore:
+      # Managed by cisagov/skeleton-ansible-role
+      - dependency-name: ansible
+      - dependency-name: ansible-core
     package-ecosystem: pip
     schedule:
       interval: weekly

.pre-commit-config.yaml

@@ -157,6 +157,20 @@ repos:
     rev: v24.2.0
     hooks:
       - id: ansible-lint
+        additional_dependencies:
+          # Per the documentation and the pre-commit hook
+          # configuration, ansible-lint does not know about modules
+          # that live outside of ansible-core.  See these links for
+          # more details:
+          # - https://github.com/ansible/ansible-lint/blob/main/src/ansiblelint/rules/syntax_check.md#syntax-checkunknown-module
+          # - https://github.com/ansible/ansible-lint/blob/ad0157eb38059b02d57458504340209f221e3189/.pre-commit-hooks.yaml#L14-L19
+          #
+          # Since ansible.posix.mount lives inside of the ansible
+          # package itself, we must include that package here.
+          #
+          # Note also that for consistency's sake we pull in the same
+          # version of ansible that is used in requirements-test.txt.
+          - ansible>=8,<10
       # files: molecule/default/playbook.yml
 
   # Terraform hooks

README.md

@@ -3,13 +3,15 @@
 [![GitHub Build Status](https://github.com/cisagov/ansible-role-systemd-resolved/workflows/build/badge.svg)](https://github.com/cisagov/ansible-role-systemd-resolved/actions)
 [![CodeQL](https://github.com/cisagov/ansible-role-systemd-resolved/workflows/CodeQL/badge.svg)](https://github.com/cisagov/ansible-role-systemd-resolved/actions/workflows/codeql-analysis.yml)
 
-This is a skeleton project that can be used to quickly get a new
-[cisagov](https://github.com/cisagov) Ansible role GitHub project
-started.  This skeleton project contains
-[licensing information](LICENSE), as well as
-[pre-commit hooks](https://pre-commit.com) and
-[GitHub Actions](https://github.com/features/actions) configurations
-appropriate for an Ansible role.
+This is an Ansible role that installs and configures
+[`systemd-resolved`](https://wiki.archlinux.org/title/systemd-resolved).
+It performs the following actions:
+
+- Installs `systemd-resolved` and ensures that `resolvconf` is not
+  installed.
+- Creates an `/etc/resolv.conf` symlink that results in the
+  `systemd-resolved` stub DNS resolver being used by default for all
+  system DNS lookups.
 
 ## Requirements ##
 
@@ -42,7 +44,7 @@ where `requirements.yml` looks like:
 
 ```yaml
 ---
-- name: skeleton
+- name: systemd_resolved
   src: https://github.com/cisagov/ansible-role-systemd-resolved
 ```
 
@@ -61,18 +63,11 @@ Here's how to use it in a playbook:
   become: true
   become_method: sudo
   tasks:
-    - name: Include skeleton
+    - name: Include systemd-resolved
       ansible.builtin.include_role:
-        name: skeleton
+        name: systemd_resolved
 ```
 
-## New Repositories from a Skeleton ##
-
-Please see our [Project Setup guide](https://github.com/cisagov/development-guide/tree/develop/project_setup)
-for step-by-step instructions on how to start a new repository from
-a skeleton. This will save you time and effort when configuring a
-new repository!
-
 ## Contributing ##
 
 We welcome contributions!  Please see [`CONTRIBUTING.md`](CONTRIBUTING.md) for
@@ -93,4 +88,4 @@ with this waiver of copyright interest.
 
 ## Author Information ##
 
-First Last - <first.last@gwe.cisa.dhs.gov>
+Shane Frasier - <jeremy.frasier@gwe.cisa.dhs.gov>

meta/main.yml

@@ -6,11 +6,13 @@
 # See also cisagov/skeleton-ansible-role#153.
 dependencies: []
 galaxy_info:
-  author: First Last
+  author: Shane Frasier
   company: CISA Cyber Assessments
-  description: Skeleton Ansible role
+  description: Install and configure systemd-resolved
   galaxy_tags:
-    - skeleton
+    - resolved
+    - systemd
+    - systemdresolved
   license: CC0
   # With the release of version 2.10, Ansible finally correctly
   # identifies Kali Linux as being the Kali distribution of the Debian
@@ -25,8 +27,9 @@ galaxy_info:
         - "2023"
     - name: Debian
       versions:
-        - buster
-        - bullseye
+        # These platforms do not provide systemd-resolved.
+        # - buster
+        # - bullseye
         - bookworm
         - trixie
     - name: Fedora
@@ -36,9 +39,10 @@ galaxy_info:
     - name: Kali
       versions:
         - "2023"
-    - name: Ubuntu
-      versions:
-        - focal
-        - jammy
-  role_name: skeleton
+    # These platforms do not provide systemd-resolved.
+    # - name: Ubuntu
+    #   versions:
+    #     - focal
+    #     - jammy
+  role_name: systemd_resolved
   standalone: true

molecule/default/molecule.yml

@@ -13,24 +13,25 @@ platforms:
     privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
-  - cgroupns_mode: host
-    command: /lib/systemd/systemd
-    image: docker.io/geerlingguy/docker-debian10-ansible:latest
-    name: debian10-systemd
-    platform: amd64
-    pre_build_image: true
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
-  - cgroupns_mode: host
-    command: /lib/systemd/systemd
-    image: docker.io/geerlingguy/docker-debian11-ansible:latest
-    name: debian11-systemd
-    platform: amd64
-    pre_build_image: true
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # These platforms do not provide systemd-resolved.
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-debian10-ansible:latest
+  #   name: debian10-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-debian11-ansible:latest
+  #   name: debian11-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
   - cgroupns_mode: host
     command: /lib/systemd/systemd
     image: docker.io/geerlingguy/docker-debian12-ansible:latest
@@ -76,24 +77,25 @@ platforms:
     privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
-  - cgroupns_mode: host
-    command: /lib/systemd/systemd
-    image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
-    name: ubuntu-20-systemd
-    platform: amd64
-    pre_build_image: true
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
-  - cgroupns_mode: host
-    command: /lib/systemd/systemd
-    image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest
-    name: ubuntu-22-systemd
-    platform: amd64
-    pre_build_image: true
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # These platforms do not provide systemd-resolved.
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
+  #   name: ubuntu-20-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest
+  #   name: ubuntu-22-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
 scenario:
   name: default
 verifier:

molecule/default/prepare.yml

@@ -1,3 +1,22 @@
 ---
 - name: Import upgrade playbook
   ansible.builtin.import_playbook: upgrade.yml
+
+# Docker bind mounts a file from the host to /etc/resolv.conf.  This
+# is inconvenient for us, since we need to create a symlink at
+# /etc/resolv.conf.  At the same time, we don't want to break DNS.
+# The playbook being imported contains a workaround for this
+# situation.
+- name: Unmount /etc/resolv.conf
+  ansible.builtin.import_playbook: unmount.yml
+
+# We require dig for one of our Molecule tests
+- name: Install dig
+  hosts: all
+  become: true
+  become_method: ansible.builtin.sudo
+  tasks:
+  - name: Install dig
+    ansible.builtin.package:
+      name:
+        - dnsutils

molecule/default/tests/test_default.py

@@ -2,6 +2,7 @@
 
 # Standard Python Libraries
 import os
+import re
 
 # Third-Party Libraries
 import pytest
@@ -12,7 +13,69 @@
 ).get_hosts("all")
 
 
-@pytest.mark.parametrize("x", [True])
-def test_packages(host, x):
-    """Run a dummy test, just to show what one would look like."""
-    assert x
+def test_packages(host):
+    """Verify that the expected packages are installed/uninstalled."""
+    assert host.package(
+        "systemd-resolved"
+    ).is_installed, "The package systemd-resolved is not installed."
+    assert not host.package(
+        "resolvconf"
+    ).is_installed, "The package resolvconf is installed."
+
+
+def test_symlink(host):
+    """Verify that /etc/resolv.conf is the expected symlink."""
+    f = host.file("/etc/resolv.conf")
+    assert f.is_symlink, "/etc/resolv.conf is not a symlink."
+
+    if host.system_info.distribution in ["amzn"]:
+        # /run/systemd/resolve/stub-resolv.conf is a symlink to
+        # /run/systemd/resolve/resolv.conf in AL2023, so the
+        # /etc/resolv.conf symlink resolves to the latter.
+        symlink_target = "/run/systemd/resolve/resolv.conf"
+    else:
+        symlink_target = "/run/systemd/resolve/stub-resolv.conf"
+
+    assert (
+        f.linked_to == symlink_target
+    ), f"/etc/resolv.conf is not a symlink to {symlink_target}."
+
+
+def test_services(host):
+    """Verify that the expected services are present."""
+    s = host.service("systemd-resolved")
+    # TODO - This assertion currently fails because of
+    # pytest-dev/pytest-testinfra#757.  Once
+    # pytest-dev/pytest-testinfra#754 has been merged and a new
+    # release is created the following line can be uncommented.
+    #
+    # See #3 for more details.
+    # assert s.exists, "systemd-resolved service does not exist."
+    assert s.is_enabled, "systemd-resolved service is not enabled."
+    assert s.is_running, "systemd-resolved service is not running."
+
+
+@pytest.mark.parametrize(
+    "dig_command",
+    [
+        "www.yahoo.com",
+        "AAAA www.yahoo.com",
+    ],
+)
+def test_dns_resolution(host, dig_command):
+    """Verify that the systemd-resolved resolver is being used by default."""
+    cmd = host.run(f"dig {dig_command}")
+    assert cmd.rc == 0, f"Command dig {dig_command} did not exit successfully."
+    # AL2023 is funky.  /run/systemd/resolve/stub-resolv.conf is
+    # itself a symlink to /run/systemd/resolve/resolv.conf, which
+    # points directly to the nameserver obtained from DNS.  I don't
+    # know why it does this, but our testing must work around it.
+    if host.system_info.distribution in ["amzn"]:
+        pass
+    else:
+        # Verify that the dig result came from the systemd-resolved
+        # service.
+        assert (
+            re.search(r"^;; SERVER: 127\.0\.0\.53#53", cmd.stdout, re.MULTILINE)
+            is not None
+        ), f"Command dig {dig_command} did not return a results from 127.0.0.53."

molecule/default/unmount.yml

@@ -0,0 +1,36 @@
+---
+- name: Unmount /etc/resolv.conf
+  hosts: all
+  become: true
+  become_method: ansible.builtin.sudo
+  tasks:
+    - name: >-
+        Grab the current owner, group, and mode for the existing
+        /etc/resolv.conf
+      ansible.builtin.stat:
+        follow: true
+        path: /etc/resolv.conf
+      register: resolv_conf
+
+    - name: Copy /etc/resolv.conf to /tmp, preserving owner, group, and mode
+      ansible.builtin.copy:
+        dest: /tmp/resolv.conf
+        group: "{{ resolv_conf.stat.gid }}"
+        mode: "{{ resolv_conf.stat.mode }}"
+        owner: "{{ resolv_conf.stat.uid }}"
+        remote_src: true
+        src: /etc/resolv.conf
+
+    - name: Unmount /etc/resolv.conf
+      ansible.posix.mount:
+        path: /etc/resolv.conf
+        state: unmounted
+
+    - name: Copy /tmp/resolv.conf to /etc, preserving owner, group, and mode
+      ansible.builtin.copy:
+        dest: /etc/resolv.conf
+        group: "{{ resolv_conf.stat.gid }}"
+        mode: "{{ resolv_conf.stat.mode }}"
+        owner: "{{ resolv_conf.stat.uid }}"
+        remote_src: true
+        src: /tmp/resolv.conf