Allow configuration checks to be turned off #178
Merged
alexjfisher
approved these changes
Oct 29, 2020
LGTM other than a couple of very minor style suggestions.
alexjfisher
requested changes
Oct 30, 2020
alexjfisher
approved these changes
Oct 30, 2020
ekohl
approved these changes
Nov 1, 2020
penguinspiral
added a commit
to penguinspiral/puppet-control-repo
that referenced
this pull request
Jan 13, 2021
The 'Profiles' module class 'dns' currently relies entirely upon the functionality of the community component module 'theforeman-dns'. Examining the implementation of this component module reveals that the ISC BIND9 configuration validator, `/usr/sbin/named-checkconf`, is used to verify the generated configuration files. This configuration verification process includes all DNS view files located under the '/etc/bind/views/' directory.

The Embedded RuBy (ERB) template for generating DNS view configuration files within the 'theforeman-dns' module does *not* populate configured ACLs as part of template rendering. This results in the following error when `/usr/sbin/named-checkconf` is invoked against the view configuration file:

    raft.com.conf:6: undefined ACL 'trusted'
    raft.com.conf:4: undefined ACL 'trusted'
    raft.com.conf:5: undefined ACL 'trusted'

The lack of ACL definition within the DNS view configuration file causes `/usr/sbin/named-checkconf` to return exit code 1 which in turn results in Puppet failing to apply the remaining catalogue.

It should be noted that due to the "include" ordering within the ISC BIND9 configuration the declaration of the configured ACL within the 'named.conf' file is sufficient for ISC BIND9 server to run correctly. The contents of the view referencing an "external" (insomuch it is defined in a separate configuration file) is perfectly valid given the previously instantiated ACL.

It is likely the next release of the 'theforeman-dns' community component module will likely contain an option for omitting the currently compulsory `/usr/sbin/named-checkconf` checks given the functionality was recently merged: theforeman/puppet-dns#178

This commit addresses a temporary, limited workaround whereby the originally specified ACL, 'trusted', is now simply "aliased" in Hiera. Ultimately it's a shift in redirection from the ISC BIND9 server configuration "layer" to the Puppet manifest data-driven "layer".

The restriction here is that Hiera can only alias a single ACL hash whereby ISC BIND9 could define an arbitrary amount of ACLs. This commit should be reverted once 'theforeman-dns' community component module supports disabling/omitting the `/usr/sbin/named-checkconf` configuration validation.
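
The failure mode in the commit message above, as an added example that is not code from this pull request or from the 'theforeman-dns' module: a simplified model of ACL name resolution showing why a view file checked on its own reports an undefined ACL while the same file reached through `named.conf` does not. The file contents, function names and regexes are constructed for illustration; it covers only three address-match options and does not handle comments or nested lists, so it is not a substitute for `named-checkconf`.

```python
import ipaddress
import re

# Names BIND predefines; they never need an `acl` statement.
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# Constructed sample files modelled on the commit message (not the real repo).
FILES = {
    "named.conf": 'acl "trusted" { 10.0.0.0/8; 127.0.0.1; };\n'
                  'include "views/raft.com.conf";\n',
    "views/raft.com.conf": 'view "internal" {\n'
                           '    match-clients { "trusted"; };\n'
                           '    allow-query { trusted; localhost; };\n'
                           '    allow-recursion { !192.0.2.1; trusted; };\n'
                           '};\n',
}

ACL_DEF = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{')
INCLUDE = re.compile(r'\binclude\s+"([^"]+)"\s*;')
ACL_USE = re.compile(r'\b(?:match-clients|allow-query|allow-recursion)\s*\{([^}]*)\}')


def is_address(element):
    """True if the element is an IP address or prefix rather than an ACL name."""
    try:
        ipaddress.ip_network(element, strict=False)
        return True
    except ValueError:
        return False


def expand(name, files):
    """Return the text of `name` with every include statement inlined."""
    return INCLUDE.sub(lambda m: expand(m.group(1), files), files[name])


def undefined_acls(text):
    """ACL names referenced in `text` that are neither defined there nor built in."""
    defined = set(ACL_DEF.findall(text)) | BUILTIN_ACLS
    used = set()
    for body in ACL_USE.findall(text):
        for element in body.split(";"):
            element = element.strip().lstrip("!").strip().strip('"')
            if element and not is_address(element):
                used.add(element)
    return sorted(used - defined)


if __name__ == "__main__":
    print("view file alone:", undefined_acls(FILES["views/raft.com.conf"]))
    print("via named.conf: ", undefined_acls(expand("named.conf", FILES)))
```

Validating the top-level file, so that includes are resolved in order, keeps the syntax check in place without requiring every fragment to be self-contained.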
I was having the same issue as described in #164 so I added this so the checks could be turned off if needed.