MAAS didn't parse dnssec-validation automatically

Bug #1513775 reported by Andres Rodriguez
This bug affects 4 people

Affects | Status | Importance | Assigned to | Milestone
MAAS | Fix Released | High | Andres Rodriguez |
2.3 | Fix Released | High | Andres Rodriguez |

Bug Description

By default, bind9 installed a config that included 'dnssec-validation auto'. However, when MAAS went to overwrite this file, it never removed such option and bind9 ended up with a duplicated option:

//
// This file is managed by MAAS. Although MAAS attempts to preserve changes
// made here, it is possible to create conflicts that MAAS can not resolve.
//
// DNS settings available in MAAS (for example, forwarders and
// dnssec-validation) should be managed only in MAAS.
//
// The previous configuration file was backed up at:
// /etc/bind/named.conf.options.2015-11-05T23:40:55.108084
//
options { directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
include "/etc/bind/maas/named.conf.options.inside.maas"; };

and:

named.conf.options.inside.maas:

dnssec-validation auto;

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
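The duplicate described above can be caught before named is restarted. The following check is an added example, not MAAS code or part of the original report: it walks the options block, follows include statements, and reports any option defined more than once. The function names, the simplified comment stripping and the REPEATABLE list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed from the two files quoted in the bug description (header comment shortened).
FILES = {
    "/etc/bind/named.conf.options": '''// This file is managed by MAAS.
options { directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
include "/etc/bind/maas/named.conf.options.inside.maas"; };
''',
    "/etc/bind/maas/named.conf.options.inside.maas": '''dnssec-validation auto;
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
''',
}
COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)  # simplification: ignores quoting
REPEATABLE = {"listen-on", "listen-on-v6"}  # assumed repeatable; list is not exhaustive

def statements(text):  # yield ';'-terminated statements at brace depth 0
    depth, quoted, start = 0, False, 0
    for i, ch in enumerate(text):
        if ch == '"':
            quoted = not quoted
        elif quoted:
            continue
        elif ch in "{}":
            depth += 1 if ch == "{" else -1
        elif ch == ";" and depth == 0:
            yield text[start:i].strip()
            start = i + 1

def walk(files, text, path, in_options, sites):  # record the file defining each option
    for stmt in filter(None, statements(COMMENT.sub("", text))):
        name = stmt.split(None, 1)[0]
        if name == "include":
            target = stmt.split('"')[1]
            walk(files, files[target], target, in_options, sites)
        elif name == "options" and "{" in stmt:
            walk(files, stmt[stmt.index("{") + 1:stmt.rindex("}")], path, True, sites)
        elif in_options and name not in REPEATABLE:
            sites[name].append(path)

def duplicated_options(files, root):
    sites = defaultdict(list)
    walk(files, files[root], root, False, sites)
    return {name: paths for name, paths in sites.items() if len(paths) > 1}
```

For the two files above, duplicated_options(FILES, "/etc/bind/named.conf.options") reports dnssec-validation with both file paths, the same option that named rejects as redefined.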


Changed in maas:
importance: Undecided → Critical
milestone: none → 1.9.0
summary: - MAAS didn't automatically understand dnssec-validation
+ MAAS didn't parse dnssec-validation
summary: - MAAS didn't parse dnssec-validation
+ MAAS didn't parse dnssec-validation automatically
Mike Pontillo (mpontillo) wrote :

Need the contents of the backup file (/etc/bind/named.conf.options.2015-11-05T23:40:55.108084) in order to triage this.

I'm checking the CI logs to see if I can find anything.

Changed in maas:
status: New → Incomplete
Mike Pontillo (mpontillo) wrote :

I've been looking at the CI logs here:

/job/maas-trusty-trunk-manual/802/artifact/results/artifacts/maas-logs/var/log/

Is it possible that a version of MAAS without the patch was installed on this machine before it was upgraded to the current version?

I found this in the logs:

Nov 6 13:56:15 autopkgtest named[11375]: loading configuration from '/etc/bind/named.conf'
Nov 6 13:56:15 autopkgtest named[11375]: /etc/bind/maas/named.conf.options.inside.maas:2: 'dnssec-validation' redefined near 'dnssec-validation'
Nov 6 13:56:15 autopkgtest named[11375]: loading configuration: already exists

...

Nov 6 13:58:32 autopkgtest named[12695]: loading configuration from '/etc/bind/named.conf'
Nov 6 13:58:32 autopkgtest named[12695]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Nov 6 13:58:32 autopkgtest named[12695]: using default UDP/IPv4 port range: [1024, 65535]
Nov 6 13:58:32 autopkgtest named[12695]: using default UDP/IPv6 port range: [1024, 65535]
Nov 6 13:58:32 autopkgtest named[12695]: listening on IPv6 interfaces, port 53
Nov 6 13:58:32 autopkgtest named[12695]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 6 13:58:32 autopkgtest named[12695]: listening on IPv4 interface eth1, 10.245.136.6#53

To me, this seems to be a temporary condition which resolved itself in a couple of minutes. (possibly a version of MAAS without this fix was on the server, then it was upgraded?)

Mike Pontillo (mpontillo) wrote :

I think this may be a race condition that can be explained as follows:

 - The "maas-region-admin edit_named_options" command is run from two places in the packaging:
   - maas-dns postinst
   - maas-region-controller postinst
 - Only maas-region-controller calls it with the --migrate-conflicting-options parameter

The first time, if it runs via maas-dns, it will update the configuration, but NOT migrate the options.

If maas-region-controller is being installed, it will later run again, and *then* migrate the configuration.

I don't remember why we chose to do it this way, but it was probably a good reason. ;-)

Mike Pontillo (mpontillo) wrote :

We just discussed this on a hangout. This was done to support the use case of a juju charm that wants to install maas-dns, but doesn't have a database configured yet.

Changed in maas:
status: Incomplete → Invalid
Christian Reis (kiko)
Changed in maas:
milestone: 1.9.0 → 1.9.1
Changed in maas:
milestone: 1.9.1 → none
Mark Shuttleworth (sabdfl) wrote :

I've just seen this issue with 2.4a2.

I had a rack controller which I wanted to upgrade to a region controller. I installed the maas-region-api and maas-dns packages (btw, why is maas-dns not a dependency of maas-region-api?). I noticed that bind was not working, and the reason is that dnssec-validation is in both named.conf.options and named.conf.options.inside.maas.

Changed in maas:
status: Invalid → Confirmed
Changed in maas:
assignee: nobody → Andres Rodriguez (andreserl)
importance: Critical → High
milestone: none → 2.4.0beta2
milestone: 2.4.0beta2 → 2.4.0beta1
status: Confirmed → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released
Jason Hobbs (jason-hobbs) wrote :

I think we're hitting this now because we dropped 'migrate-conflicting-options'.
