Problem
This Ansible role writes zone files to a hard-coded /etc/bind/zones directory, which causes problems on systems with mandatory access control such as AppArmor. The AppArmor profile does not allow the BIND process to create the necessary journal files and update the zone files under /etc/bind/zones.
Solution
Parameterise the zone directory and default to /var/lib/bind/zones, for which write access is allowed by the AppArmor profile.
PR
This PR parameterises the location for storing the zone files. It also includes code to generate DDNS keys using tsig-keygen if a configured update_keyfile does not exist already. Since tsig-keygen generates a full key configuration section, the named.conf.options.j2 template has been adjusted accordingly.
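As an added illustration (not the role's own code, and not part of this PR), the two behaviours the PR describes, written as POSIX shell: create the update key only if the configured key file does not already exist, in the clause format tsig-keygen emits, and reject a zone directory that is not under /var/lib/bind, which is the path the PR states the AppArmor profile allows writes to. The function names, the fallback key generation with /dev/urandom and base64 when tsig-keygen is not installed, and the key name "ddns-key" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the Ansible role's code. Mirrors the PR's behaviour:
# idempotent TSIG key creation plus a guard on the zone directory location.
set -eu

# Create the key file only if it is missing or empty; never overwrite a key
# that clients may already be using. tsig-keygen writes a clause of the form
#   key "name" { algorithm hmac-sha256; secret "..."; };
# When tsig-keygen is absent (assumption for offline runs) the same clause is
# built from 32 random bytes, which is the key size tsig-keygen uses for
# hmac-sha256. The umask keeps the secret out of reach of other local users.
ensure_tsig_key() {
    keyfile=$1
    keyname=${2:-ddns-key}
    if [ -s "$keyfile" ]; then
        return 0
    fi
    umask 077
    if command -v tsig-keygen >/dev/null 2>&1; then
        tsig-keygen "$keyname" > "$keyfile"
    else
        secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
        printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
            "$keyname" "$secret" > "$keyfile"
    fi
}

# Extract the key name from a generated key file so a template can reference
# it in allow-update / update-policy statements without hard-coding it.
key_name_from_file() {
    sed -n 's/^key "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Accept only zone directories under /var/lib/bind. The PR states that the
# AppArmor profile permits BIND to write there and not under /etc/bind, so a
# role default of /etc/bind/zones would produce journal-file failures at
# runtime; this check fails early instead.
zone_dir_allowed_by_apparmor() {
    case "$1" in
        /var/lib/bind/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: generate a key next to a temporary directory and validate a zone path.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    ensure_tsig_key "$tmp/update.key" ddns-key
    echo "key name: $(key_name_from_file "$tmp/update.key")"
    zone_dir_allowed_by_apparmor /var/lib/bind/zones && echo "zone dir ok"
    zone_dir_allowed_by_apparmor /etc/bind/zones || echo "zone dir rejected"
fi
```

Running the script with `demo` creates a key once, prints its name, and shows the /etc/bind path being rejected; calling `ensure_tsig_key` a second time on the same file is a no-op, which is the idempotence an Ansible task needs.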