Univention Bugzilla – Bug 44462
Use UCS specific make_resolv_conf
Last modified: 2021-08-19 13:08:22 CEST
"/sbin/dhclient-script" defines the function make_resolv_conf() to create the file "/etc/resolv.conf". This is a generic script provided by Debian. Afterwards the UCS specific script "/etc/dhcp/dhclient-exit-hooks.d/resolvconf" parses the file to extract the values and stores them in UCR (only on servers running BIND - on other roles the UCRVs nameserver[123] are only added).

This leads to situations like Ticket#2017042421000243, where other UCRVs are ignored.

We should replace our "exit.d/resolvconf" by a different hook in "enter.d" to overwrite the generic "make_resolv_conf" function:
- no need to parse the intermediate resolv.conf file but use the environment variables directly.
(In reply to Philipp Hahn from comment #0)
> "/sbin/dhclient-script" defines the function make_resolv_conf() to create
> the file "/etc/resolv.conf". This is a generic script provided by Debian.
> Afterwards the UCS specific script
> "/etc/dhcp/dhclient-exit-hooks.d/resolvconf" parses the file to extract the
> values and stores them in UCR (only on servers running BIND - on other roles
> UCRV nameserver[123] are only added).
>
> This leads to such situations like Ticket#2017042421000243, where other
> UCRVs are ignored.

For clarification: On a Member-Server using DHCP /etc/resolv.conf is generated by /sbin/dhclient-script: the file *does* *not* have the UCR template warning. As soon as any UCRV triggering /etc/resolv.conf is set, the file shows the UCRV warning until the next dhclient renews the lease, again stripping the header.
Another variant of this is Bug #46993: Our EC2 images currently have nameserver1=OpenDNS hardcoded. The AmazonProvidedDNS is only added 2nd, so each DNS query needs to pass the Amazon gateway to reach the internet (until the setup is complete). This is slower and is also considered a DoS when NAT is used.

Currently DNS handling is very confusing:
- on joined DCs the DHCP provided DNS is stored in "dns/forwarder[123]" - except when "nameserver/external" is enabled.
- otherwise "/etc/resolv.conf" is created bypassing UCR but prepending "nameserver[123]"

The following logic would be more consistent:
- Copy the DHCP provided DNS into "nameserver[123]" - then the regular UCR mechanism can generate the file.
- Optionally provide a new UCRV to define additional DNS servers to prepend or tell the user to use the '--forced' layer to disable that mechanism.

I have an implementation in <https://git.knut.univention.de/univention/ucs/tree/phahn/4.3-0+44462dns-resolv-dhcp>
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Our mechanism to handle /etc/resolv.conf is still problematic.
WIP: https://git.knut.univention.de/univention/ucs/-/merge_requests/71
UCS systems are able to automatically use nameservers that are transmitted to the UCS system via DHCP. The behavior of UCS 4 is no longer sufficient at this point. As Philipp has already described, on unjoined systems or non-domain controller systems, the nameservers supplied via DHCP are included in the /etc/resolv.conf file, but the nameserver settings are overwritten again the next time the corresponding UCR template is evaluated. This may then lead to a defective DNS configuration, which has also been shown regularly in our automated tests. Therefore, the behavior has been changed. Starting with UCS 5.0-0 the mechanism has been simplified considerably. For details please have a look at univention-network-manager/README.md or the gitlab merge request.

[5.0-0] 40ae8281ec Bug #44462: avoid deprecation warnings about "log.warn"
[5.0-0] 1d73ee83cb Bug #44462: switch from optparse to argparse
[5.0-0] c3e1c820a9 Bug #44462: add changelog entry for univention-network-manager
[5.0-0] 3b81fb5fa1 Bug #44462: add changelog entry for univention-server
[5.0-0] 2c672c29ab Bug #44462: migrate univention-fix-ucr-dns to py3
[5.0-0] bc845b9ccd Bug #44462: add new DHCP helper enter hook
[5.0-0] 1a4182bfc8 Bug #44462: add possibility to define nameservers/forwarders via DHCP
[5.0-0] 94853f7c64 Bug #44462: raise loglevel for final settings
[5.0-0] b38e045ddc Bug #44462: fix UCRV description
[5.0-0] 1a1abb6340 Bug #44462: remove old exit-hook
[5.0-0] a456078a7f Bug #44462: add mypy types

Package: univention-network-manager
Version: 12.0.2-1A~5.0.0.202103041815
Branch: ucs_5.0-0

Package: univention-server
Version: 15.0.3-1A~5.0.0.202103041815
Branch: ucs_5.0-0
[5.0-0] e69b9d46eb Bug #44462: add entry to changelog.xml
[5.0-0] 58a47b12fd Bug #44462: add changelog entry
[5.0-0] 0389505116 Bug #44462: do not update UCR/reload bind if nothing changed
[5.0-0] b4e98803a4 Bug #44462: always set nameservers passed via CLI
[5.0-0] d725854581 Bug #44462: small additions to the mypy hints

Package: univention-server
Version: 15.0.3-2A~5.0.0.202103081114
Branch: ucs_5.0-0
OK: /etc/dhcp/dhclient-enter-hooks.d/resolvconf
OK: ucr set interfaces/enp1s0/type=dhcp
OK: ucr get nameserver/external=yes
  DHCP does not copy servers to ^nameserver or ^dns/forwarder at all - the admin has to specify the UCRVs manually, which are still used for /etc/resolv.conf
OK: ucr search --brief ^nameserver ^dns/forwarder
OK: /usr/share/univention-server/univention-fix-ucr-dns --help
FIXED: rm /var/univention-join/joined + /usr/share/univention-server/univention-fix-ucr-dns --no-ucr --no-self --dnsserver 10.207.0.2
  2021-03-05 18:42:04,166 INFO __main__.cli/ns Added server 10.207.0.2 via CLI argument
  2021-03-05 18:42:04,168 INFO __main__.ucr/fwd Skip reading forwarders from UCR
  2021-03-05 18:42:04,169 INFO __main__.ucr/ns Skip reading nameservers from UCR
  2021-03-05 18:42:04,178 INFO __main__.xor Skip removing nameservers from forwarders
  2021-03-05 18:42:04,179 INFO __main__.ucr/self Skip adding self
  2021-03-05 18:42:04,181 INFO __main__.ns Skip adding NS
  2021-03-05 18:42:04,182 INFO __main__.ldap Skip adding Primary Directory Node
  2021-03-05 18:42:04,183 CRITICAL __main__ No nameserver remains - aborting
OK: d725854581 b4e98803a4 0389505116 58a47b12fd e69b9d46eb
FAIL: "univention-network-common" is installed very early on, when "univention-server" providing "univention-fix-ucr-dns" is not yet installed. This leads to errors in
  - apt/term.log
  - syslog
  - daemon.log
  - journal
  Proposal: return from /etc/dhcp/dhclient-enter/resolvconf if univention-fix-ucr-dns is not installed, to keep the original function by-passing UCR for /etc/resolv.conf
FAIL: an unjoined DC may not have any DNS configured at all IFF the externally provided DNS server is external, e.g. VM@my-domain getting DHCP@KNUT.
  Proposal: If unjoined OR non-DC -> always EVERYTHING in nameserver
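As an added illustration (not the univention-network-manager hook and not the code in Philipp's branch), here is a sketch in shell of the enter-hook approach proposed in comment #0 and the "more consistent" logic above: the generic make_resolv_conf() is replaced only when the UCS helper exists (the guard proposed in the review comment), the DHCP-supplied servers are taken from dhclient's environment instead of an intermediate resolv.conf, and they are handed to UCR as nameserver1..3 so the regular UCR template renders the file. The helper path is the one quoted in the review comment; that dhclient-script exports new_domain_name_servers as a space-separated list and that `ucr set` accepts several key=value pairs in one call are assumptions, and the filtering of the DHCP values (a DHCP server is untrusted input) is an addition of this example.

```shell
#!/bin/sh
# Added example, not the UCS project's own dhclient hook: a sketch of a
# dhclient *enter* hook that overrides Debian's generic make_resolv_conf()
# so DHCP-provided DNS servers go into UCR (nameserver1..3) and the UCR
# template writes /etc/resolv.conf, instead of dhclient writing the file
# directly and a later template run overwriting it again.
#
# Assumptions: dhclient-script exports $new_domain_name_servers as a
# space-separated list; `ucr set k=v k=v` accepts several assignments.

UCS_FIX_DNS=/usr/share/univention-server/univention-fix-ucr-dns

# Turn a server list into "nameserver1=A nameserver2=B nameserver3=C".
# Tokens that are not plain IPv4/IPv6 literals are dropped (crude character
# check, not a full address parser), duplicates are skipped, and at most three
# entries are kept because the resolver honours only three.
ucr_nameserver_args() {
    args="" seen="" n=1
    for srv in $1; do
        case "$srv" in *[!0-9A-Fa-f.:]*) continue ;; esac   # not an IP literal
        case " $seen " in *" $srv "*) continue ;; esac      # duplicate
        seen="$seen $srv"
        args="${args:+$args }nameserver$n=$srv"
        n=$((n + 1))
        [ "$n" -le 3 ] || break
    done
    printf '%s\n' "$args"
}

# Hand the assignments to UCR. With UCS_DRY_RUN set, print the command
# instead of running it (used for testing without a UCS system).
# Returns 1 when nothing usable was supplied, so UCR is left untouched.
apply_dhcp_nameservers() {
    assignments=$(ucr_nameserver_args "$1")
    [ -n "$assignments" ] || return 1
    if [ -n "${UCS_DRY_RUN:-}" ]; then
        printf 'ucr set %s\n' "$assignments"
    else
        # shellcheck disable=SC2086
        ucr set $assignments
    fi
}

# Take over only when the UCS helper is installed; otherwise Debian's
# make_resolv_conf() stays in place (the early-install failure noted above).
if [ -x "$UCS_FIX_DNS" ]; then
    make_resolv_conf() {
        apply_dhcp_nameservers "${new_domain_name_servers:-}"
    }
fi
```

dhclient sources enter hooks before calling make_resolv_conf(), so a function defined here shadows the generic one; the guard keeps the override out of the way on a system where only univention-network-common is present yet.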
[5.0-0] 27a7d8f6e3 docs[net,server]: Changelog univention-fix-ucr-dns
 base/univention-network-manager/debian/changelog | 6 ++++++
 base/univention-server/debian/changelog | 6 ++++++
 2 files changed, 12 insertions(+)
[5.0-0] 1242df220e style[server]: Improve debug output
 base/univention-server/univention-fix-ucr-dns | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
[5.0-0] 0e117b89b0 refactor[server]: tripple nested if-then
 base/univention-server/univention-fix-ucr-dns | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)
[5.0-0] be9536592e fix[server]: Reload BIND only on joined DC
 base/univention-server/univention-fix-ucr-dns | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
[5.0-0] d2c3353bc9 fix[server]: Move forwarder to nameserver
 base/univention-server/univention-fix-ucr-dns | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
[5.0-0] 137211e6a2 refactor[net]: Remove original function
 base/univention-network-manager/etc/dhcp/dhclient-enter-hooks.d/resolvconf | 2 --
 1 file changed, 2 deletions(-)
[5.0-0] 932d9acb99 fix[net]: Check for univention-server
 base/univention-network-manager/etc/dhcp/dhclient-enter-hooks.d/resolvconf | 1 +
 1 file changed, 1 insertion(+)
[5.0-0] 60f772b335 test[net]: shellcheck resolvconf
 base/univention-network-manager/etc/dhcp/dhclient-enter-hooks.d/resolvconf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
[5.0-0] de1584d6d7 style[server]: com2ann univention-fix-ucr-dns
 base/univention-server/univention-fix-ucr-dns | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
[5.0-0] 009d8b6f85 style[server]: isort univention-fix-ucr-dns
 base/univention-server/univention-fix-ucr-dns | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
[5.0-0] e0082cefd8 doc[server]: Document univention-fix-ucr-dns
 base/univention-server/univention-fix-ucr-dns | 98 +++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 95 insertions(+), 3 deletions(-)

Package: univention-server
Version: 15.0.3-3A~5.0.0.202103091054

Package: univention-network-manager
Version: 12.0.2-2A~5.0.0.202103091056

OK: chmod -x univention-fix-ucr-dns
OK: rm joined

FYI: If you join the system you must reboot (or remove the lease file /var/lib/dhcp/dhclient.*.leases): in that case there is no change in the list of servers, so `resolvconf` aborts early and does not reach calling univention-fix-ucr-dns
UCS 5.0 has been released:
https://docs.software-univention.de/release-notes-5.0-0-en.html
https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".