Allow user to disable the systemd-resolved stub DNS resolver

jsf9k · jsf9k · commit 2b35b8d77b97 · 2024-05-10T14:37:00.000-04:00
Also add a Molecule scenario that tests this functionality.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -176,6 +176,7 @@ jobs:
       matrix:
         scenario:
           - default
+          - disable_stub_resolver
           - specify_resolv_conf_target
     steps:
       - id: harden-runner
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -126,7 +126,7 @@ repos:
     hooks:
       - id: bandit
         # Bandit complains about the use of assert() in tests
-        exclude: molecule/(default|specify_resolv_conf_target)/tests
+        exclude: molecule/(default|disable_stub_resolver|specify_resolv_conf_target)/tests
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@ It performs the following actions:
 - Installs `systemd-resolved` and ensures that `resolvconf` is not
   installed.
 - Creates an `/etc/resolv.conf` symlink.
+- Optionally disables the `systemd-resolved` stub DNS resolver that
+  listens at `127.0.0.53`.
 
 ## Requirements ##
 
@@ -19,7 +21,8 @@ None.
 
 | Variable | Description | Default | Required |
 |----------|-------------|---------|----------|
-| systemd_resolved_resolv_conf_filename | The location of the target to which /etc/resolv.conf will be symlinked.  Note that `dynamic_resolv_conf_target_dir` and `static_resolv_conf_target_dir` are role vars that are available for use when defining this variable.  See [here](https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF) for more information. | `"{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf"` | No |
+| systemd_resolved_dns_stub_listener | The value to use for the DNSStubListener value in the `systemd-resolved` configuration file.  Must be `tcp`, `udp`, or a boolean value.  See [here](https://man.archlinux.org/man/resolved.conf.5.en) for more information. | `"yes"` | No |
+| systemd_resolved_resolv_conf_filename | The location of the target to which `/etc/resolv.conf` will be symlinked.  Note that `dynamic_resolv_conf_target_dir` and `static_resolv_conf_target_dir` are role vars that are available for use when defining this variable.  See [here](https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF) for more information. | `"{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf"` | No |
 <!--
 | required_variable | Describe its purpose. | n/a | Yes |
 -->
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,4 +1,12 @@
 ---
+# The value to use for the DNSStubListener value in the
+# systemd-resolved configuration file.  Must be tcp, udp, or a boolean
+# value.
+#
+# See here for more information:
+# https://man.archlinux.org/man/resolved.conf.5.en
+systemd_resolved_dns_stub_listener: true
+
 # The location of the file to which /etc/resolv.conf will be
 # symlinked.  The symlink target should normally be one of the
 # following files provided by systemd-resolved:
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -10,13 +10,14 @@
 - name: Unmount /etc/resolv.conf
   ansible.builtin.import_playbook: unmount.yml
 
-# We require dig for one of our Molecule tests
+# We require dig and netstat for our Molecule tests
 - name: Install dig
   hosts: all
   become: true
   become_method: ansible.builtin.sudo
   tasks:
-  - name: Install dig
+  - name: Install some tools that are required for testing
     ansible.builtin.package:
       name:
         - dnsutils
+        - net-tools
diff --git a/molecule/disable_stub_resolver/INSTALL.rst b/molecule/disable_stub_resolver/INSTALL.rst
@@ -0,0 +1 @@
+../default/INSTALL.rst
diff --git a/molecule/disable_stub_resolver/converge.yml b/molecule/disable_stub_resolver/converge.yml
@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: Include ansible-role-systemd-resolved
+      ansible.builtin.include_role:
+        name: ansible-role-systemd-resolved
+      vars:
+        systemd_resolved_dns_stub_listener: false
diff --git a/molecule/disable_stub_resolver/molecule.yml b/molecule/disable_stub_resolver/molecule.yml
@@ -0,0 +1,102 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest
+    name: amazonlinux2023-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # These platforms do not provide systemd-resolved.
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-debian10-ansible:latest
+  #   name: debian10-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-debian11-ansible:latest
+  #   name: debian11-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/geerlingguy/docker-debian12-ansible:latest
+    name: debian12-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/cisagov/docker-debian13-ansible:latest
+    name: debian13-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/cisagov/docker-kali-ansible:latest
+    name: kali-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/geerlingguy/docker-fedora38-ansible:latest
+    name: fedora38-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/geerlingguy/docker-fedora39-ansible:latest
+    name: fedora39-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # These platforms do not provide systemd-resolved.
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
+  #   name: ubuntu-20-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest
+  #   name: ubuntu-22-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+scenario:
+  name: disable_stub_resolver
+verifier:
+  name: testinfra
diff --git a/molecule/disable_stub_resolver/prepare.yml b/molecule/disable_stub_resolver/prepare.yml
@@ -0,0 +1 @@
+../default/prepare.yml
diff --git a/molecule/disable_stub_resolver/requirements.yml b/molecule/disable_stub_resolver/requirements.yml
@@ -0,0 +1 @@
+../default/requirements.yml
diff --git a/molecule/disable_stub_resolver/tests/test_default_basic.py b/molecule/disable_stub_resolver/tests/test_default_basic.py
@@ -0,0 +1 @@
+../../default/tests/test_default_basic.py
diff --git a/molecule/disable_stub_resolver/tests/test_disable_stub_resolver.py b/molecule/disable_stub_resolver/tests/test_disable_stub_resolver.py
@@ -0,0 +1,29 @@
+"""Module containing the tests for the default scenario."""
+
+# Standard Python Libraries
+import os
+
+# Third-Party Libraries
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_port_53_listener(host):
+    """Verify that nothing is listening on port 53."""
+    # Have netstat output all TCP and UDP IPv4 listeners.
+    netstat_cmd = "netstat --protocol inet --listening --tcp --udp --numeric"
+    # Skip the first two lines of the output.
+    tail_cmd = "tail --lines +3"
+    # Grab only the 4th column.
+    awk_cmd = "awk '{print $4}'"
+    # Grab only the port.
+    cut_cmd = "cut --delimiter ':' --fields 2"
+    # Output the number of lines that contain only the number 53.
+    grep_cmd = 'grep --count "^53$"'
+    cmd = host.run(
+        f"test 0 -eq $({netstat_cmd} | {tail_cmd} | {awk_cmd} | {cut_cmd} | {grep_cmd})"
+    )
+    assert cmd.rc == 0, "Something is listening on port 53."
diff --git a/molecule/disable_stub_resolver/unmount.yml b/molecule/disable_stub_resolver/unmount.yml
@@ -0,0 +1 @@
+../default/unmount.yml
diff --git a/molecule/disable_stub_resolver/upgrade.yml b/molecule/disable_stub_resolver/upgrade.yml
@@ -0,0 +1 @@
+../default/upgrade.yml
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -16,6 +16,20 @@
     name:
       - systemd-resolved
 
+- name: Set DNSStubListener in the systemd-resolved configuration file
+  community.general.ini_file:
+    # This config file should already exist, and putting false here
+    # allows us to avoid ansible-lint warnings about needing to
+    # specify the group, owner, and mode of the file.
+    create: false
+    # This is just to maintain the look and feel of the file as
+    # provided by systemd-resolved.
+    no_extra_spaces: true
+    option: DNSStubListener
+    path: /etc/systemd/resolved.conf
+    section: Resolve
+    value: "{{ systemd_resolved_dns_stub_listener }}"
+
 - name: Enable and start systemd-resolved
   ansible.builtin.service:
     enabled: true
diff --git a/vars/default.yml b/vars/default.yml
@@ -1,4 +1,7 @@
 ---
+# The location of the systemd-resolved configuration file.
+config_file: /etc/systemd/resolved.conf
+
 # The directory where systemd-resolved stores the _dynamic_
 # resolv.conf symlink targets it provides.
 dynamic_resolv_conf_target_dir: /run/systemd/resolve
