MAAS didn't parse dnssec-validation automatically

Bug #1513775 reported by Andres Rodriguez on 2015-11-06
This bug affects 4 people
Affects Status Importance Assigned to Milestone
MAAS
High
Andres Rodriguez
2.3
High
Andres Rodriguez

Bug Description

By default, bind9 installed a config that included 'dnssec-validation auto'. However, when MAAS went to overwrite this file, it never removed such option and bind9 ended up with a duplicated option:

//
// This file is managed by MAAS. Although MAAS attempts to preserve changes
// made here, it is possible to create conflicts that MAAS can not resolve.
//
// DNS settings available in MAAS (for example, forwarders and
// dnssec-validation) should be managed only in MAAS.
//
// The previous configuration file was backed up at:
// /etc/bind/named.conf.options.2015-11-05T23:40:55.108084
//
options { directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
include "/etc/bind/maas/named.conf.options.inside.maas"; };

and:

named.conf.options.inside.maas:

dnssec-validation auto;

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
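
An added example (not part of the original report and not MAAS's own code): a Python check that finds options set both in the `options` block and in the included file, and rebuilds the block without them. The function names are hypothetical, the two inputs are constructed from the files quoted above, and it assumes the outer file holds only the `options` block with no `;` or `//` inside quoted strings.

```python
import re

# Constructed inputs, copied from the two files quoted in the bug description.
OUTER = '''options { directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
include "/etc/bind/maas/named.conf.options.inside.maas"; };
'''
INSIDE = '''dnssec-validation auto;
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
'''

def strip_comments(text):
    """Drop /* */, // and # comments so they cannot be read as statements."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def options_body(conf):
    """Text between the braces of the options block (assumed to be the only block)."""
    conf = strip_comments(conf)
    m = re.search(r'\boptions\s*\{', conf)
    return conf[m.end():conf.rindex('}')] if m else ''

def statements(body):
    """Split a block body into top-level statements; nested { } stay intact."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == '{') - (ch == '}')
        if ch == ';' and depth == 0:
            out.append(body[start:i].strip())
            start = i + 1
    return [s for s in out if s]

def conflicts(outer, inside):
    """Option names set both in the options block and in the included file."""
    a = {s.split()[0] for s in statements(options_body(outer))}
    b = {s.split()[0] for s in statements(strip_comments(inside))}
    return sorted((a & b) - {'include'})  # several include lines are legal

def migrate(outer, inside):
    """Rebuild the options block without statements the include also sets."""
    dup = set(conflicts(outer, inside))
    kept = [s for s in statements(options_body(outer)) if s.split()[0] not in dup]
    return 'options {\n' + ''.join(f'    {s};\n' for s in kept) + '};\n'

print(conflicts(OUTER, INSIDE), migrate(OUTER, INSIDE), sep='\n')
```

The rebuilt block drops any comments from the original file, so keep a backup of it before writing the result.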


Changed in maas:
importance: Undecided → Critical
milestone: none → 1.9.0
summary: - MAAS didn't automatically understand dnssec-validation
+ MAAS didn't parse dnssec-validation
summary: - MAAS didn't parse dnssec-validation
+ MAAS didn't parse dnssec-validation automatically
Mike Pontillo (mpontillo) wrote :

Need the contents of the backup file (/etc/bind/named.conf.options.2015-11-05T23:40:55.108084) in order to triage this.

I'm checking the CI logs to see if I can find anything.

Changed in maas:
status: New → Incomplete
Mike Pontillo (mpontillo) wrote :

I've been looking at the CI logs here:

/job/maas-trusty-trunk-manual/802/artifact/results/artifacts/maas-logs/var/log/

Is it possible that a version of MAAS without the patch was installed on this machine before it was upgraded to the current version?

I found this in the logs:

Nov 6 13:56:15 autopkgtest named[11375]: loading configuration from '/etc/bind/named.conf'
Nov 6 13:56:15 autopkgtest named[11375]: /etc/bind/maas/named.conf.options.inside.maas:2: 'dnssec-validation' redefined near 'dnssec-validation'
Nov 6 13:56:15 autopkgtest named[11375]: loading configuration: already exists

...

Nov 6 13:58:32 autopkgtest named[12695]: loading configuration from '/etc/bind/named.conf'
Nov 6 13:58:32 autopkgtest named[12695]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Nov 6 13:58:32 autopkgtest named[12695]: using default UDP/IPv4 port range: [1024, 65535]
Nov 6 13:58:32 autopkgtest named[12695]: using default UDP/IPv6 port range: [1024, 65535]
Nov 6 13:58:32 autopkgtest named[12695]: listening on IPv6 interfaces, port 53
Nov 6 13:58:32 autopkgtest named[12695]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 6 13:58:32 autopkgtest named[12695]: listening on IPv4 interface eth1, 10.245.136.6#53

To me, this seems to be a temporary condition which resolved itself in a couple of minutes. (possibly a version of MAAS without this fix was on the server, then it was upgraded?)

Mike Pontillo (mpontillo) wrote :

I think this may be a race condition that can be explained as follows:

 - The "maas-region-admin edit_named_options" command is run from two places in the packaging:
   - maas-dns postinst
   - maas-region-controller postinst
 - Only maas-region-controller calls it with the --migrate-conflicting-options parameter

The first time, if it runs via maas-dns, it will update the configuration, but NOT migrate the options.

If maas-region-controller is being installed, it will later run again, and *then* migrate the configuration.

I don't remember why we chose to do it this way, but it was probably a good reason. ;-)

Mike Pontillo (mpontillo) wrote :

We just discussed this on a hangout. This was done to support the use case of a juju charm that wants to install maas-dns, but doesn't have a database configured yet.

Changed in maas:
status: Incomplete → Invalid
Christian Reis (kiko) on 2016-02-18
Changed in maas:
milestone: 1.9.0 → 1.9.1
Changed in maas:
milestone: 1.9.1 → none
Mark Shuttleworth (sabdfl) wrote :

I've just seen this issue with 2.4a2.

I had a rack controller which I wanted to upgrade to a region controller. I installed the maas-region-api and maas-dns packages (btw, why is maas-dns not a dependency of maas-region-api?). I noticed that bind was not working, and the reason is that dnssec-validation is in both named.conf.options and named.conf.options.inside.maas.

Changed in maas:
status: Invalid → Confirmed
Changed in maas:
assignee: nobody → Andres Rodriguez (andreserl)
importance: Critical → High
milestone: none → 2.4.0beta2
milestone: 2.4.0beta2 → 2.4.0beta1
status: Confirmed → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released
Jason Hobbs (jason-hobbs) wrote :

I think we're hitting this now because we dropped 'migrate-conflicting-options'.
