Created
March 27, 2021 03:35
-
-
Save BenjamenMeyer/51a6b62576051b9b546e1c4b67c42fc9 to your computer and use it in GitHub Desktop.
Ansible DNS Root MD5 Dict Lookups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| I am attempting to download the Root DNS Zones from ISC and I want to validate the data using the MD5 sums they provide. | |
| I had this working in the past (summer 2020) but something changed and I had to rewrite it to the content in the root_zone.yml. | |
| The essential is this: | |
| 1. dns_root_zones holds the dict of data (set via the role defaults) | |
| 2. the data is downloaded onto the node | |
| 3. the MD5 contents are slurped back to the host so it can be used in the verification step of the actual root file download | |
| 4. If I hard code the `selectattr` parameter, then it works fine; but that's not extensible | |
| 5. If I link the `selectattr` parameter to the loop variable so I can process the dns_root_zones properly ( like I do in other roles) then it breaks and doesn't find the data | |
| There must be something I am missing. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| dns_root_zones: | |
| - { | |
| 'url': 'https://www.internic.net/domain/named.root', | |
| 'md5': 'https://www.internic.net/domain/named.root.md5', | |
| 'sig': 'https://www.internic.net/domain/named.root.sig', | |
| 'target': 'db.root' | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| TASK [dns.firewall : debug] ********************************************************************************************************** | |
| ok: [192.168.60.28] => { | |
| "dns_root_zones": [ | |
| { | |
| "md5": "https://www.internic.net/domain/named.root.md5", | |
| "sig": "https://www.internic.net/domain/named.root.sig", | |
| "target": "db.root", | |
| "url": "https://www.internic.net/domain/named.root" | |
| } | |
| ] | |
| } | |
| TASK [dns.firewall : Download MD5 Checksums] ***************************************************************************************** | |
| ok: [192.168.60.28] => (item={'url': 'https://www.internic.net/domain/named.root', 'md5': 'https://www.internic.net/domain/named.root.md5', 'sig': 'https://www.internic.net/domain/named.root.sig', 'target': 'db.root'}) | |
| TASK [dns.firewall : Download Signatures] ******************************************************************************************** | |
| ok: [192.168.60.28] => (item={'url': 'https://www.internic.net/domain/named.root', 'md5': 'https://www.internic.net/domain/named.root.md5', 'sig': 'https://www.internic.net/domain/named.root.sig', 'target': 'db.root'}) | |
| TASK [dns.firewall : ansible.builtin.slurp] ****************************************************************************************** | |
| ok: [192.168.60.28] => (item={'url': 'https://www.internic.net/domain/named.root', 'md5': 'https://www.internic.net/domain/named.root.md5', 'sig': 'https://www.internic.net/domain/named.root.sig', 'target': 'db.root'}) | |
| TASK [dns.firewall : debug] ********************************************************************************************************** | |
| ok: [192.168.60.28] => { | |
| "dns_root_zones_MD5": { | |
| "changed": false, | |
| "msg": "All items completed", | |
| "results": [ | |
| { | |
| "ansible_loop_var": "item", | |
| "changed": false, | |
| "content": "ODUyMGIwYzQyMWUyZDExNGIwZmU2ODMxNDY4NDNjNjEK", | |
| "encoding": "base64", | |
| "failed": false, | |
| "invocation": { | |
| "module_args": { | |
| "src": "/var/cache/dns.root/db.root.MD5" | |
| } | |
| }, | |
| "item": { | |
| "md5": "https://www.internic.net/domain/named.root.md5", | |
| "sig": "https://www.internic.net/domain/named.root.sig", | |
| "target": "db.root", | |
| "url": "https://www.internic.net/domain/named.root" | |
| }, | |
| "source": "/var/cache/dns.root/db.root.MD5" | |
| } | |
| ] | |
| } | |
| } | |
| TASK [dns.firewall : debug] ********************************************************************************************************** | |
| ok: [192.168.60.28] => (item={'url': 'https://www.internic.net/domain/named.root', 'md5': 'https://www.internic.net/domain/named.root.md5', 'sig': 'https://www.internic.net/domain/named.root.sig', 'target': 'db.root'}) => { | |
| "msg": "db.root yields /var/cache/dns.root/db.root.MD5" | |
| } | |
| TASK [dns.firewall : debug] ********************************************************************************************************** | |
| ok: [192.168.60.28] => (item={'url': 'https://www.internic.net/domain/named.root', 'md5': 'https://www.internic.net/domain/named.root.md5', 'sig': 'https://www.internic.net/domain/named.root.sig', 'target': 'db.root'}) => { | |
| "msg": [] | |
| } | |
| TASK [dns.firewall : Download Root Cache Data] *************************************************************************************** | |
| fatal: [192.168.60.28]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: No first item, sequence was empty.\n\nThe error appears to be in '/home/bmeyer/SysOps/ansible-home/roles/dns.firewall/tasks/root_zone.yml': line 53, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Download Root Cache Data\n ^ here\n"} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Establish Root Server Data Cache Location | |
| file: | |
| path: "{{ item }}" | |
| state: directory | |
| recurse: yes | |
| owner: root | |
| group: bind | |
| mode: '0664' | |
| loop: | |
| - "{{ dns_root_cache_location }}" | |
| - "{{ dns_root_target }}" | |
| - debug: | |
| var: dns_root_zones | |
| - name: Download MD5 Checksums | |
| get_url: | |
| url: "{{ item.md5 }}" | |
| dest: "{{ dns_root_cache_location }}/{{ item.target }}.MD5" | |
| mode: '0664' | |
| loop: "{{ dns_root_zones }}" | |
| - name: Download Signatures | |
| get_url: | |
| url: "{{ item.sig }}" | |
| dest: "{{ dns_root_cache_location }}/{{ item.target }}.sig" | |
| mode: '0664' | |
| loop: "{{ dns_root_zones }}" | |
| - ansible.builtin.slurp: | |
| src: "{{ dns_root_cache_location }}/{{ item.target }}.MD5" | |
| register: "dns_root_zones_MD5" | |
| loop: "{{ dns_root_zones }}" | |
| - debug: | |
| var: dns_root_zones_MD5 | |
| - debug: | |
| msg: "{{ item.target }} yields {{ dns_root_cache_location }}/{{ item.target }}.MD5" | |
| loop: "{{ dns_root_zones }}" | |
| - debug: | |
| msg: "{{ (dns_root_zones_MD5['results'] | selectattr( 'source', 'equalto', '{{ dns_root_cache_location }}/{{ item.target }}.MD5') | list ) }}" | |
| loop: "{{ dns_root_zones }}" | |
| # msg: "{{ (dns_root_zones_MD5['results'] | selectattr( 'source', 'search', '{{ item.target }}') | list | first).content | b64decode | trim }}" | |
| # why does the below work but the above does not???? | |
| #msg: "{{ (dns_root_zones_MD5['results'] | selectattr( 'source', 'equalto', '/var/cache/dns.root/db.root.MD5') | list | first).content | b64decode | trim }}" | |
| - name: Download Root Cache Data | |
| get_url: | |
| url: "{{ item.url }}" | |
| dest: "{{ dns_root_cache_location }}/{{ item.target }}" | |
| mode: '0664' | |
| checksum: "md5:| {{ (dns_root_zones_MD5['results'] | selectattr( 'source', 'equalto', '{{ dns_root_cache_location }}/{{ item.target }}.MD5') | list | first).content | b64decode | trim }}" | |
| loop: "{{ dns_root_zones }}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment