Allow user to specify /etc/resolv.conf target

jsf9k · jsf9k · commit 9106d2b69a3d · 2024-05-10T12:57:30.000-04:00
Also add a Molecule scenario that tests this functionality.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -176,6 +176,7 @@ jobs:
       matrix:
         scenario:
           - default
+          - specify_resolv_conf_target
     steps:
       - id: harden-runner
         name: Harden the runner
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -126,7 +126,7 @@ repos:
     hooks:
       - id: bandit
         # Bandit complains about the use of assert() in tests
-        exclude: molecule/(default|systemd_enabled)/tests
+        exclude: molecule/(default|specify_resolv_conf_target)/tests
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
diff --git a/README.md b/README.md
@@ -9,22 +9,18 @@ It performs the following actions:
 
 - Installs `systemd-resolved` and ensures that `resolvconf` is not
   installed.
-- Creates an `/etc/resolv.conf` symlink that results in the
-  `systemd-resolved` stub DNS resolver being used by default for all
-  system DNS lookups.
+- Creates an `/etc/resolv.conf` symlink.
 
 ## Requirements ##
 
 None.
 
 ## Role Variables ##
 
-None.
-
-<!--
 | Variable | Description | Default | Required |
 |----------|-------------|---------|----------|
-| optional_variable | Describe its purpose. | `default_value` | No |
+| systemd_resolved_resolv_conf_filename | The location of the target to which /etc/resolv.conf will be symlinked.  Note that `dynamic_resolv_conf_target_dir` and `static_resolv_conf_target_dir` are role vars that are available for use when defining this variable.  See [here](https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF) for more information. | `"{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf"` | No |
+<!--
 | required_variable | Describe its purpose. | n/a | Yes |
 -->
 
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+# The location of the file to which /etc/resolv.conf will be
+# symlinked.  The symlink target should normally be one of the
+# following files provided by systemd-resolved:
+# 1. "{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf"
+# 2. "{{ dynamic_resolv_conf_target_dir }}/resolv.conf"
+# 3. "{{ static_resolv_conf_target_dir }}/resolv.conf"
+#
+# Note that the values of dynamic_resolv_conf_target_dir and
+# static_resolv_conf_target_dir come from the role vars.
+#
+# In most cases you will want to use option 1 when using the
+# systemd-resolved stub DNS resolver (127.0.0.53) and option 2 when
+# using the DNS resolver provided via DHCP.  See here for more
+# information:
+# https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF
+systemd_resolved_resolv_conf_filename: "{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf"
diff --git a/molecule/default/tests/test_default_basic.py b/molecule/default/tests/test_default_basic.py
@@ -0,0 +1,35 @@
+"""Module containing the tests for the default scenario."""
+
+# Standard Python Libraries
+import os
+
+# Third-Party Libraries
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_packages(host):
+    """Verify that the expected packages are installed/uninstalled."""
+    assert host.package(
+        "systemd-resolved"
+    ).is_installed, "The package systemd-resolved is not installed."
+    assert not host.package(
+        "resolvconf"
+    ).is_installed, "The package resolvconf is installed."
+
+
+def test_services(host):
+    """Verify that the expected services are present."""
+    s = host.service("systemd-resolved")
+    # TODO - This assertion currently fails because of
+    # pytest-dev/pytest-testinfra#757.  Once
+    # pytest-dev/pytest-testinfra#754 has been merged and a new
+    # release is created the following line can be uncommented.
+    #
+    # See #3 for more details.
+    # assert s.exists, "systemd-resolved service does not exist."
+    assert s.is_enabled, "systemd-resolved service is not enabled."
+    assert s.is_running, "systemd-resolved service is not running."
diff --git a/molecule/default/tests/test_default_specific.py b/molecule/default/tests/test_default_specific.py
@@ -13,16 +13,6 @@
 ).get_hosts("all")
 
 
-def test_packages(host):
-    """Verify that the expected packages are installed/uninstalled."""
-    assert host.package(
-        "systemd-resolved"
-    ).is_installed, "The package systemd-resolved is not installed."
-    assert not host.package(
-        "resolvconf"
-    ).is_installed, "The package resolvconf is installed."
-
-
 def test_symlink(host):
     """Verify that /etc/resolv.conf is the expected symlink."""
     f = host.file("/etc/resolv.conf")
@@ -41,20 +31,6 @@ def test_symlink(host):
     ), f"/etc/resolv.conf is not a symlink to {symlink_target}."
 
 
-def test_services(host):
-    """Verify that the expected services are present."""
-    s = host.service("systemd-resolved")
-    # TODO - This assertion currently fails because of
-    # pytest-dev/pytest-testinfra#757.  Once
-    # pytest-dev/pytest-testinfra#754 has been merged and a new
-    # release is created the following line can be uncommented.
-    #
-    # See #3 for more details.
-    # assert s.exists, "systemd-resolved service does not exist."
-    assert s.is_enabled, "systemd-resolved service is not enabled."
-    assert s.is_running, "systemd-resolved service is not running."
-
-
 @pytest.mark.parametrize(
     "dig_command",
     [
diff --git a/molecule/specify_resolv_conf_target/INSTALL.rst b/molecule/specify_resolv_conf_target/INSTALL.rst
@@ -0,0 +1 @@
+../default/INSTALL.rst
diff --git a/molecule/specify_resolv_conf_target/converge.yml b/molecule/specify_resolv_conf_target/converge.yml
@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: Include ansible-role-systemd-resolved
+      ansible.builtin.include_role:
+        name: ansible-role-systemd-resolved
+      vars:
+        systemd_resolved_resolv_conf_filename: "{{ dynamic_resolv_conf_target_dir }}/resolv.conf"
diff --git a/molecule/specify_resolv_conf_target/molecule.yml b/molecule/specify_resolv_conf_target/molecule.yml
@@ -0,0 +1,102 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest
+    name: amazonlinux2023-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # These platforms do not provide systemd-resolved.
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-debian10-ansible:latest
+  #   name: debian10-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-debian11-ansible:latest
+  #   name: debian11-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/geerlingguy/docker-debian12-ansible:latest
+    name: debian12-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/cisagov/docker-debian13-ansible:latest
+    name: debian13-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/cisagov/docker-kali-ansible:latest
+    name: kali-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/geerlingguy/docker-fedora38-ansible:latest
+    name: fedora38-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  - cgroupns_mode: host
+    command: /lib/systemd/systemd
+    image: docker.io/geerlingguy/docker-fedora39-ansible:latest
+    name: fedora39-systemd
+    platform: amd64
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # These platforms do not provide systemd-resolved.
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
+  #   name: ubuntu-20-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  # - cgroupns_mode: host
+  #   command: /lib/systemd/systemd
+  #   image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest
+  #   name: ubuntu-22-systemd
+  #   platform: amd64
+  #   pre_build_image: true
+  #   privileged: true
+  #   volumes:
+  #     - /sys/fs/cgroup:/sys/fs/cgroup:rw
+scenario:
+  name: specify_resolv_conf_target
+verifier:
+  name: testinfra
diff --git a/molecule/specify_resolv_conf_target/prepare.yml b/molecule/specify_resolv_conf_target/prepare.yml
@@ -0,0 +1 @@
+../default/prepare.yml
diff --git a/molecule/specify_resolv_conf_target/requirements.yml b/molecule/specify_resolv_conf_target/requirements.yml
@@ -0,0 +1 @@
+../default/requirements.yml
diff --git a/molecule/specify_resolv_conf_target/tests/test_default_basic.py b/molecule/specify_resolv_conf_target/tests/test_default_basic.py
@@ -0,0 +1 @@
+../../default/tests/test_default_basic.py
diff --git a/molecule/specify_resolv_conf_target/tests/test_specify_resolv_conf_target.py b/molecule/specify_resolv_conf_target/tests/test_specify_resolv_conf_target.py
@@ -0,0 +1,45 @@
+"""Module containing the tests for the default scenario."""
+
+# Standard Python Libraries
+import os
+
+# Third-Party Libraries
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_symlink(host):
+    """Verify that /etc/resolv.conf is the expected symlink."""
+    f = host.file("/etc/resolv.conf")
+    assert f.is_symlink, "/etc/resolv.conf is not a symlink."
+
+    symlink_target = "/run/systemd/resolve/resolv.conf"
+
+    assert (
+        f.linked_to == symlink_target
+    ), f"/etc/resolv.conf is not a symlink to {symlink_target}."
+
+
+# Unfortunately this test does not function as expected, since Docker
+# containers normally just get a copy of their host's /etc/resolv.conf
+# and do not receive any DNS nameservers via DHCP.
+# @pytest.mark.parametrize(
+#     "dig_command",
+#     [
+#         "www.yahoo.com",
+#         "AAAA www.yahoo.com",
+#     ],
+# )
+# def test_dns_resolution(host, dig_command):
+#     """Verify that the systemd-resolved resolver is not being used by default."""
+#     cmd = host.run(f"dig {dig_command}")
+#     assert cmd.rc == 0, f"Command dig {dig_command} did not exit successfully."
+#     # Verify that the dig result came from the systemd-resolved
+#     # service.
+#     assert (
+#         re.search(r"^;; SERVER: 127\.0\.0\.53#53", cmd.stdout, re.MULTILINE)
+#         is None
+#     ), f"Command dig {dig_command} returned a result from 127.0.0.53."
diff --git a/molecule/specify_resolv_conf_target/unmount.yml b/molecule/specify_resolv_conf_target/unmount.yml
@@ -0,0 +1 @@
+../default/unmount.yml
diff --git a/molecule/specify_resolv_conf_target/upgrade.yml b/molecule/specify_resolv_conf_target/upgrade.yml
@@ -0,0 +1 @@
+../default/upgrade.yml
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,4 +1,16 @@
 ---
+- name: Load var file with package names based on the OS type
+  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
+        - "{{ ansible_distribution }}.yml"
+        - "{{ ansible_os_family }}.yml"
+        - default.yml
+      paths:
+        - "{{ role_path }}/vars"
+
 - name: Install systemd-resolved
   ansible.builtin.package:
     name:
@@ -41,5 +53,5 @@
     # delete it.
     force: true
     path: /etc/resolv.conf
-    src: /run/systemd/resolve/stub-resolv.conf
+    src: "{{ systemd_resolved_resolv_conf_filename }}"
     state: link
diff --git a/vars/default.yml b/vars/default.yml
@@ -0,0 +1,7 @@
+---
+# The directory where systemd-resolved stores the _dynamic_
+# resolv.conf symlink targets it provides.
+dynamic_resolv_conf_target_dir: /run/systemd/resolve
+# The directory where systemd-resolved stores the _static_ resolv.conf
+# symlink targets it provides.
+static_resolv_conf_target_dir: /usr/lib/systemd
