本章节介绍如何使用Ansible来进行DNS配置。
可以使用Ansible来自动部署Unbound缓存名称服务器,也可以BIND主或辅助名称服务器。这两种方法的自动化过程通常是相似的。
对于这些示例,假设您有以下清单:
[caching_dns] dns1.example.com dns2.example.com [primary_dns] instructor.example.com [secondary_dns] ns1.example.com ns2.example.com
caching_dns组包含缓存名称服务器,primary_dns组包含主名称服务器,secondary_dns组包含辅助名称服务器。这使您更容易在不编辑剧本的情况下更改用于何种目的的主机。
部署Unbound的基本过程如下所示:
安装unbound包。
为主机创建一个Unbound配置,如果配置变更,重新启动Unbound服务。
启用并启动Unbound服务。
配置防火墙允许DNS入方向的流量。
为了确保在缓存名称服务器上安装和配置Unbound,需要将编辑后的配置文件部署到每个服务器上。
一种方法是预先为每个服务器准备正确的/etc/unbound/unbound.conf配置文件,然后使用复制模块将正确的文件部署到每个服务器。这很容易编码。
默认的unbound.conf文件有一个指令,可以简化这些文件。有include /etc/unbound/conf.d/*.conf行,这一行自动包含/etc/unbound/conf.d目录文件中以.conf结尾的文件作为/etc/unbound/unbound.conf的一部分。这些文件可以覆盖主配置文件中的设置。您可以编写一组简单的文件,对每个服务器进行正确的编辑,并在那里部署适当的服务器。
然而,在本例中,我们使用jinj2模板自动生成这些文件。在playbook的模板目录中,您可以放置一个名为server.conf.j2的文件:
在上面的例子中,有一个jinj2 for循环,它为部署模板的主机的ansible_facts[‘all_ipv4_addresses’]事实中包含的列表中的每个IP地址打印一个interface行。此列表包含该主机上除127.0.0.1之外的所有IPv4地址。{{ ip }}表达式依次被每个IPv4地址替换,{% and %}中包含的行会消失。
使用template模板模块将这个模板部署到/etc/unbound/conf.d/server.conf。
当有模板时,编写一个Ansible剧本来确保Unbound被正确设置是相对简单的。示例模板如下所示:
如果配置文件发生变化,模板任务调用处理程序重新启动Unbound。这是因为有可能配置文件丢失了,但其他一切都是正确的,因此如果unbound服务发生更改,希望重新启动它。如果一切都已正确,则处理程序不会重新启动服务。它可能不需要显式地为所部署的文件指定权限和SELinux类型,但这可以确保这些设置是正确的。
部署BIND主服务器或备用服务器的基本过程如下所示:
安装bind包。
为主名称服务器或辅助名称服务器创建适当的BIND配置,并在配置发生更改时重新启动命名服务。
如果这是主名称服务器,请确保区域文件是正确的;当它们被更改时重新加载named。
启用并启动named服务。
配置防火墙允许DNS入方向的流量。
下面的示例部署BIND主名称服务器。它假设所有区域的区域文件都在files/zone-files目录中,并且主要配置文件已经准备好并位于files/named-primary.conf文件中。
此示例剧本假定您正在编辑区域文件,并在运行剧本之前确保它们的最新版本在您的files/zone-files目录中。请记住,copy模块的src指令在files目录中查找您的文件。
重要:如果配置文件或区域文件发生更改,您应该通知处理程序。区域文件更新不需要完全重新启动,因此存在用于重新加载或重新启动的独立处理程序。当发生任何变化时,无论您启动服务还是处理程序重新启动它,当剧本完成时服务将处于正确的状态。
部署BIND次要名称服务器可以稍微简单一些:
这个剧本部署了辅助服务器的配置文件,并省略了区域文件的部署(因为初始区域传输将处理该文件)。它也不需要两个处理程序。
[student@workstation ~]$ lab dns-automation start
[student@workstation ~]$ cd ~/dns-auto
[student@workstation dns-auto]$
列出顶级项目目录中的文件和目录。位于解决方案目录中的文件是完整的Ansible Playbook文件,您可以作为参考使用。
在本练习中,您将使用位于files目录中的已完成的配置和区域文件来使用Ansible部署BIND。不需要修改这些文件,但是如果您对它们的配置有疑问,建议您查看它们。
[student@workstation dns-auto]$ tree . ├── ansible.cfg ├── ansible-starter-files │ └── configure_primary.yml.starter ├── files │ ├── primary-192.168.0.zone │ ├── primary-backend.lab.example.com.zone │ ├── primary-named.backend.conf │ ├── primary-named.conf │ ├── secondary-named.backend.conf │ └── secondary-named.conf ├── inventory ├── solution │ ├── configure_caching.yml.solution │ ├── configure_primary.yml.solution │ ├── configure_secondary.yml.solution │ └── playbook.yml.solution └── templates └── unbound.conf.j2 4 directories, 14 files [student@workstation dns-auto]$ cat inventory [control_node] workstation.lab.example.com [caching_dns] servera.lab.example.com [primary_dns] serverb.lab.example.com [secondary_dns] serverc.lab.example.com [student@workstation dns-auto]$ cat ansible.cfg [defaults] inventory=./inventory remote_user=devops [privilege_escalation] become = False become_method = sudo become_user = root become_ask_pass = False
在serverb上配置主名称服务器。
[student@workstation dns-auto]$ vim configure_primary.yml --- - name: Configure primary nameserver hosts: primary_dns remote_user: devops become: yes tasks: - name: Install BIND9 yum: name: bind state: present - name: Copy primary config file copy: src: files/primary-named.conf dest: /etc/named.conf owner: root group: named mode: 0640 notify: - reload_named - name: Copy forward zone file to primary copy: src: files/primary-backend.lab.example.com.zone dest: /var/named/backend.lab.example.com.zone owner: root group: named mode: 0640 notify: - reload_named - name: Copy reverse zone file to primary copy: src: files/primary-192.168.0.zone dest: /var/named/192.168.0.zone owner: root group: named mode: 0640 notify: - reload_named - name: Copy backend config file (for zones) copy: src: files/primary-named.backend.conf dest: /etc/named.backend.conf owner: root group: named mode: 0640 notify: - reload_named - name: Allow dns service on firewall firewalld: service: dns state: enabled immediate: yes permanent: yes - name: Ensure named is running and enabled service: name: named state: started enabled: yes handlers: - name: reload_named service: name: named state: reloaded
配置serverc为备用名称服务器。
[student@workstation dns-auto]$ cat configure_secondary.yml --- - name: Configure secondary nameserver hosts: secondary_dns remote_user: devops become: yes tasks: - name: Install BIND9 yum: name: bind state: present - name: Copy secondary config file copy: src: files/secondary-named.conf dest: /etc/named.conf owner: root group: named mode: 0640 notify: - reload_named - name: Copy backend config file (for zones) copy: src: files/secondary-named.backend.conf dest: /etc/named.backend.conf owner: root group: named mode: 0640 notify: - reload_named - name: Allow dns service on firewall firewalld: service: dns state: enabled immediate: yes permanent: yes - name: Ensure named is running and enabled service: name: named state: started enabled: yes handlers: - name: reload_named service: name: named state: reloaded
在serverc上部署缓存名称服务器。在/etc/unbound/conf.d中添加一个补充配置文件,使用模板来配置unbound。
[student@workstation dns-auto]$ cat templates/unbound.conf.j2 server: interface: {{ interface }} interface-automatic: {{ interface_automatic }} {% for acl in access_control %} access-control: {{ acl }} {% endfor %} domain-insecure: "{{ domain_insecure }}" forward-zone: name: "{{ forward_zone_name }}" forward-addr: {{ forward_zone_addr }} [student@workstation dns-auto]$ cat configure_caching.yml --- - name: Install cache only nameserver hosts: caching_dns remote_user: devops become: yes vars: interface: 0.0.0.0 interface_automatic: "yes" access_control: - "172.25.250.0/24 allow" domain_insecure: example.com forward_zone_name: . forward_zone_addr: "172.25.250.254" tasks: - name: Install cache only nameserver yum: name: unbound state: present - name: Create configuration file on caching server host template: src: unbound.conf.j2 dest: /etc/unbound/conf.d/unbound.conf - name: Allow dns service on firewall firewalld: service: dns state: enabled immediate: yes permanent: yes - name: Ensure unbound is running and enabled service: name: unbound state: started enabled: yes handlers: - name: restart_unbound service: name: unbound state: restarted
按照执行顺序导入完成的剧本,将主、辅和缓存名称服务器部署到它们各自的主机上。运行的剧本。
[student@workstation dns-auto]$ vim playbook.yml --- - import_playbook: configure_primary.yml - import_playbook: configure_secondary.yml - import_playbook: configure_caching.yml [student@workstation dns-auto]$ ansible-playbook --syntax-check playbook.yml [student@workstation dns-auto]$ ansible-playbook playbook.yml
[student@servera ~]$ dig localhost.localdomain @172.25.250.11 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> localhost.localdomain @172.25.250.11 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59393 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 2876e7f0fe7a8fbec188063760c61e1e54c5a838de33deda (good) ;; QUESTION SECTION: ;localhost.localdomain. IN A ;; Query time: 1 msec ;; SERVER: 172.25.250.11#53(172.25.250.11) ;; WHEN: Sun Jun 13 23:02:54 CST 2021 ;; MSG SIZE rcvd: 78 [student@servera ~]$ dig localhost.localdomain @192.168.0.11 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> localhost.localdomain @192.168.0.11 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41294 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: ce6cd1cbcd3e1e5f04ea4eee60c61e5759ac729caf5145d1 (good) ;; QUESTION SECTION: ;localhost.localdomain. IN A ;; ANSWER SECTION: localhost.localdomain. 86400 IN A 127.0.0.1 ;; AUTHORITY SECTION: localhost.localdomain. 86400 IN NS localhost.localdomain. ;; ADDITIONAL SECTION: localhost.localdomain. 86400 IN AAAA ::1 ;; Query time: 1 msec ;; SERVER: 192.168.0.11#53(192.168.0.11) ;; WHEN: Sun Jun 13 23:03:51 CST 2021 ;; MSG SIZE rcvd: 136 [student@servera ~]$ dig serverc.backend.lab.example.com @192.168.0.11 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> serverc.backend.lab.example.com @192.168.0.11 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5912 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: af1d60a753c1268febff460060c61f57f2e00f5dfc9d2642 (good) ;; QUESTION SECTION: ;serverc.backend.lab.example.com. IN A ;; ANSWER SECTION: serverc.backend.lab.example.com. 300 IN A 192.168.0.12 ;; AUTHORITY SECTION: backend.lab.example.com. 600 IN NS serverb.backend.lab.example.com. ;; ADDITIONAL SECTION: serverb.backend.lab.example.com. 300 IN A 192.168.0.11 ;; Query time: 1 msec ;; SERVER: 192.168.0.11#53(192.168.0.11) ;; WHEN: Sun Jun 13 23:08:07 CST 2021 ;; MSG SIZE rcvd: 142
[student@serverb ~]$ dig -x 192.168.0.13 @localhost ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> -x 192.168.0.13 @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31007 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: d9943612607f8e9bf14e586360c61fbf79d88efb37548ac9 (good) ;; QUESTION SECTION: ;13.0.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: 13.0.168.192.in-addr.arpa. 300 IN PTR serverd.backend.lab.example.com. ;; AUTHORITY SECTION: 0.168.192.in-addr.arpa. 600 IN NS serverb.backend.lab.example.com. ;; ADDITIONAL SECTION: serverb.backend.lab.example.com. 300 IN A 192.168.0.11 ;; Query time: 0 msec ;; SERVER: ::1#53(::1) ;; WHEN: Sun Jun 13 23:09:51 CST 2021 ;; MSG SIZE rcvd: 165 [student@serverb ~]$ dig servera.backend.lab.example.com @192.168.0.12 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> servera.backend.lab.example.com @192.168.0.12 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40510 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 904b2cdab8b1ddccbf18a5ff60c61fe43522eebd11321726 (good) ;; QUESTION SECTION: ;servera.backend.lab.example.com. IN A ;; ANSWER SECTION: servera.backend.lab.example.com. 300 IN A 192.168.0.10 ;; AUTHORITY SECTION: backend.lab.example.com. 600 IN NS serverb.backend.lab.example.com. ;; ADDITIONAL SECTION: serverb.backend.lab.example.com. 300 IN A 192.168.0.11 ;; Query time: 1 msec ;; SERVER: 192.168.0.12#53(192.168.0.12) ;; WHEN: Sun Jun 13 23:10:28 CST 2021 ;; MSG SIZE rcvd: 142 [student@serverb ~]$ dig serverd.backend.lab.example.com @172.25.250.10 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> serverd.backend.lab.example.com @172.25.250.10 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14116 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;serverd.backend.lab.example.com. IN A ;; ANSWER SECTION: serverd.backend.lab.example.com. 300 IN A 192.168.0.13 ;; Query time: 3 msec ;; SERVER: 172.25.250.10#53(172.25.250.10) ;; WHEN: Sun Jun 13 23:11:16 CST 2021 ;; MSG SIZE rcvd: 76
[student@workstation ~]$ lab dns-automation finish