Bug 44462 - Use UCS specific make_resolv_conf
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: DHCP
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Philipp Hahn
Depends on:
Blocks: 53679
Reported: 2017-04-24 13:21 CEST by Philipp Hahn
Modified: 2021-08-19 13:08 CEST (History)
See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017042421000243
Bug group (optional):
Max CVSS v3 score:
hahn: Patch_Available+

Attachments: none

Description Philipp Hahn univentionstaff 2017-04-24 13:21:18 CEST
"/sbin/dhclient-script" defines the function make_resolv_conf() to create the file "/etc/resolv.conf". This is a generic script provided by Debian.
Afterwards the UCS specific script "/etc/dhcp/dhclient-exit-hooks.d/resolvconf" parses the file to extract the values and stores them in UCR (only on servers running BIND - on other roles UCRV nameserver[123] are only added).

This leads to such situations like Ticket#2017042421000243, where other UCRVs are ignored.

We should replace our "exit.d/resolvconf" by a different hook in "enter.d" to overwrite the generic "make_resolv_conf" function:
- no need to parse the intermediate resolv.conf file but use the environment variables directly.
Comment 1 Philipp Hahn univentionstaff 2017-04-24 13:33:58 CEST
(In reply to Philipp Hahn from comment #0)
> "/sbin/dhclient-script" defines the function make_resolv_conf() to create
> the file "/etc/resolv.conf". This is a generic script provided by Debian.
> Afterwards the UCS specific script
> "/etc/dhcp/dhclient-exit-hooks.d/resolvconf" parses the file to extract the
> values and stores them in UCR (only on servers running BIND - on other roles
> UCRV nameserver[123] are only added).
> 
> This leads to such situations like Ticket#2017042421000243, where other
> UCRVs are ignored.

For clarification:
On a Member-Server using DHCP /etc/resolv.conf is generated by /sbin/dhclient-script: that file *does* *not* have the UCR template warning.
As soon as any UCRV triggering /etc/resolv.conf is set, the file shows the UCRV warning until next dhclient renews the lease, again stripping the header.
Comment 2 Philipp Hahn univentionstaff 2018-05-26 09:09:20 CEST
Another variant of this is Bug #46993: Our EC2 images currently have nameserver1=OpenDNS hardcoded. The AmazonProvidedDNS is only added 2nd, so each DNS query needs to pass the Amazon gateway to reach the internet (until the setup is complete). This is slower and is also considered a DoS when NAT is used.

Currently DNS handling is very confusing:
- on joined DCs the DHCP provided DNS is stored in "dns/forwarder[123]"
  - except when "nameserver/external" is enabled.
- otherwise "/etc/resolv.conf" is created bypassing UCR but prepending "nameserver[123]"

The following logic would be more consistent:
- Copy the DHCP provided DNS into "nameserver[123]" - then the regular UCR mechanism can generate the file.
- Optionally provide a new UCRV to define additional DNS servers to prepend or tell the user to use the '--forced' layer to disable that mechanism.

I have an implementation in
<https://git.knut.univention.de/univention/ucs/tree/phahn/4.3-0+44462dns-resolv-dhcp>
Comment 3 Ingo Steuwer univentionstaff 2020-07-03 20:54:03 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 4 Philipp Hahn univentionstaff 2020-07-04 13:43:40 CEST
Our mechanism to handle /etc/resolv.conf is still problematic.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2021-03-04 18:18:24 CET
UCS systems are able to automatically use nameservers that are transmitted to the UCS system via DHCP.

The behavior of UCS 4 is no longer sufficient at this point. As Philipp has already described, on unjoined systems or non-domain controller systems, the nameservers supplied via DHCP are included in the /etc/resolv.conf file, but the nameserver settings are overwritten again the next time the corresponding UCR template is evaluated. This may then lead to a defective DNS configuration, which has also been shown regularly in our automated tests. Therefore, the behavior has been changed.

Starting with UCS 5.0-0 the mechanism has been simplified considerably.
For details please have a look at univention-network-manager/README.md or the gitlab merge request.

[5.0-0] 40ae8281ec Bug #44462: avoid deprecation warnings about "log.warn"
[5.0-0] 1d73ee83cb Bug #44462: switch from optparse to argparse
[5.0-0] c3e1c820a9 Bug #44462: add changelog entry for univention-network-manager
[5.0-0] 3b81fb5fa1 Bug #44462: add changelog entry for univention-server
[5.0-0] 2c672c29ab Bug #44462: migrate univention-fix-ucr-dns to py3
[5.0-0] bc845b9ccd Bug #44462: add new DHCP helper enter hook
[5.0-0] 1a4182bfc8 Bug #44462: add possibility to define nameservers/forwarders via DHCP
[5.0-0] 94853f7c64 Bug #44462: raise loglevel for final settings
[5.0-0] b38e045ddc Bug #44462: fix UCRV description
[5.0-0] 1a1abb6340 Bug #44462: remove old exit-hook
[5.0-0] a456078a7f Bug #44462: add mypy types

Package: univention-network-manager
Version: 12.0.2-1A~5.0.0.202103041815
Branch: ucs_5.0-0

Package: univention-server
Version: 15.0.3-1A~5.0.0.202103041815
Branch: ucs_5.0-0
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2021-03-08 12:41:18 CET
[5.0-0] e69b9d46eb Bug #44462: add entry to changelog.xml
[5.0-0] 58a47b12fd Bug #44462: add changelog entry
[5.0-0] 0389505116 Bug #44462: do not update UCR/reload bind if nothing changed
[5.0-0] b4e98803a4 Bug #44462: always set nameservers passed via CLI
[5.0-0] d725854581 Bug #44462: small additions to the mypy hints

Package: univention-server
Version: 15.0.3-2A~5.0.0.202103081114
Branch: ucs_5.0-0
Comment 8 Philipp Hahn univentionstaff 2021-03-09 10:30:03 CET
OK: /etc/dhcp/dhclient-enter-hooks.d/resolvconf
OK: ucr set interfaces/enp1s0/type=dhcp
OK: ucr get nameserver/external=yes
  DHCP does not copy servers to ^nameserver or ^dns/forwarder at all - admin has to specify UCRVs manually, which are still used for /etc/resolv.conf
OK: ucr search --brief ^nameserver ^dns/forwarder
OK: /usr/share/univention-server/univention-fix-ucr-dns --help
FIXED: rm /var/univention-join/joined

+ /usr/share/univention-server/univention-fix-ucr-dns --no-ucr --no-self --dnsserver 10.207.0.2
2021-03-05 18:42:04,166 INFO    __main__.cli/ns   Added server 10.207.0.2 via CLI argument
2021-03-05 18:42:04,168 INFO    __main__.ucr/fwd  Skip reading forwarders from UCR
2021-03-05 18:42:04,169 INFO    __main__.ucr/ns   Skip reading nameservers from UCR
2021-03-05 18:42:04,178 INFO    __main__.xor      Skip removing nameservers from forwarders
2021-03-05 18:42:04,179 INFO    __main__.ucr/self Skip adding self
2021-03-05 18:42:04,181 INFO    __main__.ns       Skip adding NS
2021-03-05 18:42:04,182 INFO    __main__.ldap     Skip adding Primary Directory Node
2021-03-05 18:42:04,183 CRITICAL __main__          No nameserver remains - aborting

OK: d725854581 b4e98803a4 0389505116 58a47b12fd e69b9d46eb

FAIL: "univention-network-common" is installed very early on when "univention-server" providing "univention-fix-ucr-dns" is not yet installed. This leads to errors in
- apt/term.log
- syslog
- daemon.log
- journal
Proposal: return from /etc/dhcp/dhclient-enter/resolvconf if univention-fix-ucr-dns is not installed to keep original function by-passing UCR for /etc/resolv.conf

FAIL: unjoined DC may not have any DNS configured at all IFF the externally provided DNS server is external, e.g. VM@my-domain getting DHCP@KNUT.
Proposal: If unjoined OR non-DC -> always EVERYTHING in nameserver
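The following is an added, stand-alone illustration of the enter-hook idea from comment 0 (override the generic make_resolv_conf() and use dhclient's environment directly), of the key selection discussed in comment 2 and in the QA notes above (nameserver/external=yes: copy nothing; joined DC: dns/forwarderN; unjoined or non-DC: nameserverN), and of the "return early when the helper is missing" proposal. It is not Univention's resolvconf hook and not univention-fix-ucr-dns. Real things it relies on: Debian's dhclient-script sources /etc/dhcp/dhclient-enter-hooks.d/* so a function defined there replaces make_resolv_conf(), and it exports $new_domain_name_servers; `ucr get`/`ucr set` are the real UCR CLI. The UCR_GET/UCR_SET command overrides, the UCS_ROLE/UCS_JOINED/UCS_NS_EXTERNAL variables and the role name pattern are constructs of this example so that the logic can run outside a UCS system.

```shell
#!/bin/sh
# Example enter hook (not the project's own code). Sourced by dhclient-script,
# so the make_resolv_conf() defined below replaces the generic one.

UCR_GET=${UCR_GET:-"ucr get"}    # real CLI; overridable for testing (assumption)
UCR_SET=${UCR_SET:-"ucr set"}    # real CLI; overridable for testing (assumption)
JOINED_FLAG=${JOINED_FLAG:-/var/univention-join/joined}
UCS_FIX_DNS=${UCS_FIX_DNS:-/usr/share/univention-server/univention-fix-ucr-dns}

# Comment 8 proposal: when the helper from univention-server is not installed
# yet, the installed hook would `return 0` here, before defining
# make_resolv_conf(), so dhclient-script keeps its generic function.
ucs_dhcp_helper_present() {
    [ -x "$UCS_FIX_DNS" ]
}

# Choose the UCR key prefix that receives the DHCP-provided servers.
# Arguments: <server/role> <joined: 0|1> <nameserver/external value>
# Prints nothing when the servers must not be copied at all.
dhcp_target_prefix() {
    _role=$1 _joined=$2 _external=$3
    if [ "$_external" = yes ]; then
        return 0                      # admin manages nameserver/dns/forwarder by hand
    fi
    case "$_role" in                  # role names as assumed for this example
        domaincontroller_*)
            if [ "$_joined" = 1 ]; then
                printf 'dns/forwarder'; return 0
            fi ;;
    esac
    printf 'nameserver'               # unjoined or non-DC: everything in nameserverN
}

# Turn "ip ip ip" into "<prefix>1=ip <prefix>2=ip <prefix>3=ip": at most three
# entries, duplicates dropped, tokens that are not dotted quads skipped.
dhcp_nameserver_assignments() {
    _prefix=$1 _servers=$2
    _i=1 _seen="" _out=""
    for _s in $_servers; do
        case "$_s" in
            *[!0-9.]*) continue ;;    # crude IPv4-only filter for the example
        esac
        case " $_seen " in *" $_s "*) continue ;; esac
        _seen="$_seen $_s"
        _out="$_out $_prefix$_i=$_s"
        _i=$((_i + 1))
        if [ "$_i" -gt 3 ]; then break; fi
    done
    printf '%s' "${_out# }"
}

ucr_value() {
    # shellcheck disable=SC2086 (UCR_GET is a command with an argument)
    $UCR_GET "$1" 2>/dev/null || true
}

# Replacement for dhclient-script's make_resolv_conf(): store the servers in
# UCR and let the UCR template render /etc/resolv.conf (header included),
# instead of writing the file behind UCR's back and parsing it afterwards.
make_resolv_conf() {
    _role=${UCS_ROLE:-$(ucr_value server/role)}
    _external=${UCS_NS_EXTERNAL:-$(ucr_value nameserver/external)}
    if [ -n "$UCS_JOINED" ]; then _joined=$UCS_JOINED
    elif [ -f "$JOINED_FLAG" ]; then _joined=1
    else _joined=0; fi
    _prefix=$(dhcp_target_prefix "$_role" "$_joined" "$_external")
    if [ -z "$_prefix" ]; then
        echo "nameserver/external=yes: leaving UCR untouched" >&2
        return 0
    fi
    _assign=$(dhcp_nameserver_assignments "$_prefix" "$new_domain_name_servers")
    if [ -z "$_assign" ]; then
        echo "no usable DHCP nameservers, leaving UCR untouched" >&2
        return 0
    fi
    # shellcheck disable=SC2086 (word splitting of the assignment list is intended)
    $UCR_SET $_assign
}
```

The point of keeping the per-host decision in one small function is that the failure mode from the QA notes (an unjoined DC with only an external DHCP-provided DNS ending up with no nameserver at all) becomes a single testable branch rather than a side effect of how /etc/resolv.conf happened to be parsed.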
Comment 9 Philipp Hahn univentionstaff 2021-03-09 11:17:22 CET
[5.0-0] 27a7d8f6e3 docs[net,server]: Changelog univention-fix-ucr-dns
 base/univention-network-manager/debian/changelog | 6 ++++++
 base/univention-server/debian/changelog          | 6 ++++++
 2 files changed, 12 insertions(+)

[5.0-0] 1242df220e style[server]: Improve debug output
 base/univention-server/univention-fix-ucr-dns | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[5.0-0] 0e117b89b0 refactor[server]: triple nested if-then
 base/univention-server/univention-fix-ucr-dns | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

[5.0-0] be9536592e fix[server]: Reload BIND only on joined DC
 base/univention-server/univention-fix-ucr-dns | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

[5.0-0] d2c3353bc9 fix[server]: Move forwarder to nameserver
 base/univention-server/univention-fix-ucr-dns | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

[5.0-0] 137211e6a2 refactor[net]: Remove original function
 base/univention-network-manager/etc/dhcp/dhclient-enter-hooks.d/resolvconf | 2 --
 1 file changed, 2 deletions(-)

[5.0-0] 932d9acb99 fix[net]: Check for univention-server
 base/univention-network-manager/etc/dhcp/dhclient-enter-hooks.d/resolvconf | 1 +
 1 file changed, 1 insertion(+)

[5.0-0] 60f772b335 test[net]: shellcheck resolvconf
 base/univention-network-manager/etc/dhcp/dhclient-enter-hooks.d/resolvconf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

[5.0-0] de1584d6d7 style[server]: com2ann univention-fix-ucr-dns
 base/univention-server/univention-fix-ucr-dns | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

[5.0-0] 009d8b6f85 style[server]: isort univention-fix-ucr-dns
 base/univention-server/univention-fix-ucr-dns | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

[5.0-0] e0082cefd8 doc[server]: Document univention-fix-ucr-dns
 base/univention-server/univention-fix-ucr-dns | 98 +++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 95 insertions(+), 3 deletions(-)

Package: univention-server
Version: 15.0.3-3A~5.0.0.202103091054

Package: univention-network-manager
Version: 12.0.2-2A~5.0.0.202103091056

OK: chmod -x univention-fix-ucr-dns
OK: rm joined

FYI: If you join the system you must reboot (or remove the lease file /var/lib/dhcp/dhclient.*.leases): in that case there is no change in the list of servers, so `resolvconf` aborts early and does not reach calling univention-fix-ucr-dns
Comment 10 Florian Best univentionstaff 2021-05-25 16:01:54 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".