RH358管理DNS和DNS服务器–自动化名称服务器配置
本章节介绍如何使用Ansible来进行DNS配置。
专栏地址:https://blog.csdn.net/qq_41765918/category_11532281.html
文章目录
1. 自动化DNS服务器部署
可以使用Ansible来自动部署Unbound缓存名称服务器,也可以BIND主或辅助名称服务器。这两种方法的自动化过程通常是相似的。
对于这些示例,假设您有以下清单:
[caching_dns]
dns1.example.com
dns2.example.com
[primary_dns]
instructor.example.com
[secondary_dns]
ns1.example.com
ns2.example.com
caching_dns组包含缓存名称服务器,primary_dns组包含主名称服务器,secondary_dns组包含辅助名称服务器。这使您更容易在不编辑剧本的情况下更改用于何种目的的主机。
2. 使用Ansible部署Unbound
部署Unbound的基本过程如下所示:
-
安装unbound包。
-
为主机创建一个Unbound配置,如果配置变更,重新启动Unbound服务。
-
启用并启动Unbound服务。
-
配置防火墙允许DNS入方向的流量。
准备配置文件
为了确保在缓存名称服务器上安装和配置Unbound,需要将编辑后的配置文件部署到每个服务器上。
一种方法是预先为每个服务器准备正确的/etc/unbound/unbound.conf配置文件,然后使用复制模块将正确的文件部署到每个服务器。这很容易编码。
默认的unbound.conf文件有一个指令,可以简化这些文件。有include /etc/unbound/conf.d/*.conf行,这一行自动包含/etc/unbound/conf.d目录文件中以.conf结尾的文件作为/etc/unbound/unbound.conf的一部分。这些文件可以覆盖主配置文件中的设置。您可以编写一组简单的文件,对每个服务器进行正确的编辑,并在那里部署适当的服务器。
然而,在本例中,我们使用jinj2模板自动生成这些文件。在playbook的模板目录中,您可以放置一个名为server.conf.j2的文件:
在上面的例子中,有一个jinj2 for循环,它为部署模板的主机的ansible_facts[‘all_ipv4_addresses’]事实中包含的列表中的每个IP地址打印一个interface行。此列表包含该主机上除127.0.0.1之外的所有IPv4地址。{ { ip }}表达式依次被每个IPv4地址替换,{% and %}中包含的行会消失。
使用template模板模块将这个模板部署到/etc/unbound/conf.d/server.conf。
为Unbound写剧本
当有模板时,编写一个Ansible剧本来确保Unbound被正确设置是相对简单的。示例模板如下所示:
如果配置文件发生变化,模板任务调用处理程序重新启动Unbound。这是因为有可能配置文件丢失了,但其他一切都是正确的,因此如果unbound服务发生更改,希望重新启动它。如果一切都已正确,则处理程序不会重新启动服务。它可能不需要显式地为所部署的文件指定权限和SELinux类型,但这可以确保这些设置是正确的。
3. 使用Ansible部署授权BIND服务器
部署BIND主服务器或备用服务器的基本过程如下所示:
-
安装bind包。
-
为主名称服务器或辅助名称服务器创建适当的BIND配置,并在配置发生更改时重新启动命名服务。
-
如果这是主名称服务器,请确保区域文件是正确的;当它们被更改时重新加载named。
-
启用并启动named服务。
-
配置防火墙允许DNS入方向的流量。
自动化主名称服务器部署
下面的示例部署BIND主名称服务器。它假设所有区域的区域文件都在files/zone-files目录中,并且主要配置文件已经准备好并位于files/named-primary.conf文件中。
此示例剧本假定您正在编辑区域文件,并在运行剧本之前确保它们的最新版本在您的files/zone-files目录中。请记住,copy模块的src指令在files目录中查找您的文件。
重要:如果配置文件或区域文件发生更改,您应该通知处理程序。区域文件更新不需要完全重新启动,因此存在用于重新加载或重新启动的独立处理程序。当发生任何变化时,无论您启动服务还是处理程序重新启动它,当剧本完成时服务将处于正确的状态。
自动化辅助名称服务器部署
部署BIND次要名称服务器可以稍微简单一些:
这个剧本部署了辅助服务器的配置文件,并省略了区域文件的部署(因为初始区域传输将处理该文件)。它也不需要两个处理程序。
4. 课本练习
[student@workstation ~]$ lab dns-automation start
1. 查看dns-auto项目目录的结构和内容,以熟悉为本练习提供的文件。
[student@workstation ~]$ cd ~/dns-auto
[student@workstation dns-auto]$
列出顶级项目目录中的文件和目录。位于解决方案目录中的文件是完整的Ansible Playbook文件,您可以作为参考使用。
在本练习中,您将使用位于files目录中的已完成的配置和区域文件来使用Ansible部署BIND。不需要修改这些文件,但是如果您对它们的配置有疑问,建议您查看它们。
[student@workstation dns-auto]$ tree
.
├── ansible.cfg
├── ansible-starter-files
│ └── configure_primary.yml.starter
├── files
│ ├── primary-192.168.0.zone
│ ├── primary-backend.lab.example.com.zone
│ ├── primary-named.backend.conf
│ ├── primary-named.conf
│ ├── secondary-named.backend.conf
│ └── secondary-named.conf
├── inventory
├── solution
│ ├── configure_caching.yml.solution
│ ├── configure_primary.yml.solution
│ ├── configure_secondary.yml.solution
│ └── playbook.yml.solution
└── templates
└── unbound.conf.j2
4 directories, 14 files
[student@workstation dns-auto]$ cat inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com
[student@workstation dns-auto]$ cat ansible.cfg
[defaults]
inventory=./inventory
remote_user=devops
[privilege_escalation]
become = False
become_method = sudo
become_user = root
become_ask_pass = False
2. 按要求创建一个名为configure_primary的Ansible Playbook。
在serverb上配置主名称服务器。
[student@workstation dns-auto]$ vim configure_primary.yml
---
- name: Configure primary nameserver
hosts: primary_dns
remote_user: devops
become: yes
tasks:
- name: Install BIND9
yum:
name: bind
state: present
- name: Copy primary config file
copy:
src: files/primary-named.conf
dest: /etc/named.conf
owner: root
group: named
mode: 0640
notify:
- reload_named
- name: Copy forward zone file to primary
copy:
src: files/primary-backend.lab.example.com.zone
dest: /var/named/backend.lab.example.com.zone
owner: root
group: named
mode: 0640
notify:
- reload_named
- name: Copy reverse zone file to primary
copy:
src: files/primary-192.168.0.zone
dest: /var/named/192.168.0.zone
owner: root
group: named
mode: 0640
notify:
- reload_named
- name: Copy backend config file (for zones)
copy:
src: files/primary-named.backend.conf
dest: /etc/named.backend.conf
owner: root
group: named
mode: 0640
notify:
- reload_named
- name: Allow dns service on firewall
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
- name: Ensure named is running and enabled
service:
name: named
state: started
enabled: yes
handlers:
- name: reload_named
service:
name: named
state: reloaded
3. 按要求创建一个名为configure_secondary的Ansible Playbook。
配置serverc为备用名称服务器。
[student@workstation dns-auto]$ cat configure_secondary.yml
---
- name: Configure secondary nameserver
hosts: secondary_dns
remote_user: devops
become: yes
tasks:
- name: Install BIND9
yum:
name: bind
state: present
- name: Copy secondary config file
copy:
src: files/secondary-named.conf
dest: /etc/named.conf
owner: root
group: named
mode: 0640
notify:
- reload_named
- name: Copy backend config file (for zones)
copy:
src: files/secondary-named.backend.conf
dest: /etc/named.backend.conf
owner: root
group: named
mode: 0640
notify:
- reload_named
- name: Allow dns service on firewall
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
- name: Ensure named is running and enabled
service:
name: named
state: started
enabled: yes
handlers:
- name: reload_named
service:
name: named
state: reloaded
4. 按要求创建一个名为configure_caching的Ansible Playbook。
在serverc上部署缓存名称服务器。在/etc/unbound/conf.d中添加一个补充配置文件,使用模板来配置unbound。
[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
interface: {
{
interface }}
interface-automatic: {
{
interface_automatic }}
{
% for acl in access_control %}
access-control: {
{
acl }}
{
% endfor %}
domain-insecure: "{
{ domain_insecure }}"
forward-zone:
name: "{
{ forward_zone_name }}"
forward-addr: {
{
forward_zone_addr }}
[student@workstation dns-auto]$ cat configure_caching.yml
---
- name: Install cache only nameserver
hosts: caching_dns
remote_user: devops
become: yes
vars:
interface: 0.0.0.0
interface_automatic: "yes"
access_control:
- "172.25.250.0/24 allow"
domain_insecure: example.com
forward_zone_name: .
forward_zone_addr: "172.25.250.254"
tasks:
- name: Install cache only nameserver
yum:
name: unbound
state: present
- name: Create configuration file on caching server host
template:
src: unbound.conf.j2
dest: /etc/unbound/conf.d/unbound.conf
- name: Allow dns service on firewall
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
- name: Ensure unbound is running and enabled
service:
name: unbound
state: started
enabled: yes
handlers:
- name: restart_unbound
service:
name: unbound
state: restarted
5. 按要求创建playbook.yml文件并运行。
按照执行顺序导入完成的剧本,将主、辅和缓存名称服务器部署到它们各自的主机上。运行的剧本。
[student@workstation dns-auto]$ vim playbook.yml
---
- import_playbook: configure_primary.yml
- import_playbook: configure_secondary.yml
- import_playbook: configure_caching.yml
[student@workstation dns-auto]$ ansible-playbook --syntax-check playbook.yml
[student@workstation dns-auto]$ ansible-playbook playbook.yml
6. 进行结果测试。
[student@servera ~]$ dig localhost.localdomain @172.25.250.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> localhost.localdomain @172.25.250.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59393
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2876e7f0fe7a8fbec188063760c61e1e54c5a838de33deda (good)
;; QUESTION SECTION:
;localhost.localdomain. IN A
;; Query time: 1 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Sun Jun 13 23:02:54 CST 2021
;; MSG SIZE rcvd: 78
[student@servera ~]$ dig localhost.localdomain @192.168.0.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> localhost.localdomain @192.168.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41294
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ce6cd1cbcd3e1e5f04ea4eee60c61e5759ac729caf5145d1 (good)
;; QUESTION SECTION:
;localhost.localdomain. IN A
;; ANSWER SECTION:
localhost.localdomain. 86400 IN A 127.0.0.1
;; AUTHORITY SECTION:
localhost.localdomain. 86400 IN NS localhost.localdomain.
;; ADDITIONAL SECTION:
localhost.localdomain. 86400 IN AAAA ::1
;; Query time: 1 msec
;; SERVER: 192.168.0.11#53(192.168.0.11)
;; WHEN: Sun Jun 13 23:03:51 CST 2021
;; MSG SIZE rcvd: 136
[student@servera ~]$ dig serverc.backend.lab.example.com @192.168.0.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> serverc.backend.lab.example.com @192.168.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5912
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: af1d60a753c1268febff460060c61f57f2e00f5dfc9d2642 (good)
;; QUESTION SECTION:
;serverc.backend.lab.example.com. IN A
;; ANSWER SECTION:
serverc.backend.lab.example.com. 300 IN A 192.168.0.12
;; AUTHORITY SECTION:
backend.lab.example.com. 600 IN NS serverb.backend.lab.example.com.
;; ADDITIONAL SECTION:
serverb.backend.lab.example.com. 300 IN A 192.168.0.11
;; Query time: 1 msec
;; SERVER: 192.168.0.11#53(192.168.0.11)
;; WHEN: Sun Jun 13 23:08:07 CST 2021
;; MSG SIZE rcvd: 142
[student@serverb ~]$ dig -x 192.168.0.13 @localhost
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> -x 192.168.0.13 @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31007
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d9943612607f8e9bf14e586360c61fbf79d88efb37548ac9 (good)
;; QUESTION SECTION:
;13.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
13.0.168.192.in-addr.arpa. 300 IN PTR serverd.backend.lab.example.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS serverb.backend.lab.example.com.
;; ADDITIONAL SECTION:
serverb.backend.lab.example.com. 300 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Jun 13 23:09:51 CST 2021
;; MSG SIZE rcvd: 165
[student@serverb ~]$ dig servera.backend.lab.example.com @192.168.0.12
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> servera.backend.lab.example.com @192.168.0.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40510
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 904b2cdab8b1ddccbf18a5ff60c61fe43522eebd11321726 (good)
;; QUESTION SECTION:
;servera.backend.lab.example.com. IN A
;; ANSWER SECTION:
servera.backend.lab.example.com. 300 IN A 192.168.0.10
;; AUTHORITY SECTION:
backend.lab.example.com. 600 IN NS serverb.backend.lab.example.com.
;; ADDITIONAL SECTION:
serverb.backend.lab.example.com. 300 IN A 192.168.0.11
;; Query time: 1 msec
;; SERVER: 192.168.0.12#53(192.168.0.12)
;; WHEN: Sun Jun 13 23:10:28 CST 2021
;; MSG SIZE rcvd: 142
[student@serverb ~]$ dig serverd.backend.lab.example.com @172.25.250.10
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> serverd.backend.lab.example.com @172.25.250.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14116
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;serverd.backend.lab.example.com. IN A
;; ANSWER SECTION:
serverd.backend.lab.example.com. 300 IN A 192.168.0.13
;; Query time: 3 msec
;; SERVER: 172.25.250.10#53(172.25.250.10)
;; WHEN: Sun Jun 13 23:11:16 CST 2021
;; MSG SIZE rcvd: 76
完成实验
[student@workstation ~]$ lab dns-automation finish
总结
- 使用Ansible编写剧本来配置DNS服务器。
- 若喜欢金鱼哥的文章,顺手点个赞。也可点个关注,因为后续会不断上干货。
