From 4e10d0b4df0118c048c815d30191da702776735e Mon Sep 17 00:00:00 2001
From: Jochen Sprickerhof <git@jochen.sprickerhof.de>
Date: Thu, 22 Dec 2022 12:27:46 +0100
Subject: Add a DNS resolver (Closes: #3)

---
 debvm-create | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/debvm-create b/debvm-create
index c44b67d..e907962 100755
--- a/debvm-create
+++ b/debvm-create
@@ -112,6 +112,27 @@ if test -n "$SSHKEY"; then
 	INCLUDE_PACKAGES="$INCLUDE_PACKAGES,openssh-server"
 fi
 
+# add a DNS resolver
+case "$SUITE" in
+	jessie)
+		set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
+		set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
+	;;
+	stretch)
+		set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
+		set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
+		INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
+	;;
+	buster|bullseye|stable)
+		set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
+		set -- '--customize-hook=ln -fs ../run/systemd/resolve/stub-resolv.conf "$1/etc/resolv.conf"' "$@"
+		INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
+	;;
+	*)
+		INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
+	;;
+esac
+
 # construct mmdebstrap options as $@:
 set -- \
 	--verbose \
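Review bot: The `buster|bullseye|stable)` arm pins the `stable` alias to a fixed release, and other aliases such as `oldstable` are not listed, so they land in `*)` and get `libnss-resolve` without systemd-resolved being enabled or `/etc/resolv.conf` being linked. The mapping will also go stale once `stable` moves to a release that belongs in the default arm. If aliases are meant to be supported, resolve `$SUITE` to a release before this `case`; otherwise say so in a comment such as `# suite aliases other than "stable" are treated like unstable`. The jessie and stretch arms repeat the same two `set --` lines and could share one arm, with only the package addition split out.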
-- 
cgit v1.2.3


From 444b51356c20471c891dd41c7b08b6fb4d475cb3 Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Thu, 22 Dec 2022 22:04:03 +0100
Subject: fix local dns search

Previously, the /etc/resolv.conf was inherited from the host. It would
thus also inherit the search domains. Now, the generated image lacks the
host's resolv.conf and thus its search domains. This is good for
reproducibility. In order to continue resolving plain host names, we
tell qemu to serve the search domain via dhcp and we tell networkd to
trust the dhcp server's domains.

Signed-off-by: Jochen Sprickerhof <git@jochen.sprickerhof.de>
---
 debvm-create | 2 +-
 debvm-run    | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/debvm-create b/debvm-create
index e907962..5bcd55d 100755
--- a/debvm-create
+++ b/debvm-create
@@ -157,7 +157,7 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 # dhcp on all network interfaces
 set -- \
 	'--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
-	"--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
+	"--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n[DHCPv4]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
 	"$@"
 
 # add ssh key for root
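Review bot: `UseDomains=yes` in the generated `20-wired.network` makes the guest accept search domains from whichever DHCP server answers on any matched `en*`/`eth*` interface, not only from qemu's built-in one. That fits the network debvm-run appears to set up, but an image later attached to a bridged or shared network would let that network's DHCP server influence how unqualified host names resolve. A comment above the `set --` would record the assumption, e.g. `# UseDomains=yes trusts the DHCP server for search domains; intended for qemu's built-in DHCP`.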
diff --git a/debvm-run b/debvm-run
index 9b26a76..ffae61c 100755
--- a/debvm-run
+++ b/debvm-run
@@ -144,6 +144,10 @@ fi
 if test -n "$SSHPORT"; then
 	NETDEV="$NETDEV,hostfwd=tcp:127.0.0.1:$SSHPORT-:22"
 fi
+DNSSEARCH=$(dnsdomainname)
+if test -n "$DNSSEARCH"; then
+	NETDEV="$NETDEV,dnssearch=$DNSSEARCH"
+fi
 set -- \
 	-append "$KERNEL_CMDLINE" \
 	-netdev "$NETDEV" \
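Review bot: The output of `dnsdomainname` is spliced unchecked into the comma-separated `-netdev` value at `NETDEV="$NETDEV,dnssearch=$DNSSEARCH"`, so a value containing a comma would be parsed by qemu as a further option rather than as part of the domain. The command's failure is not handled either: if this script runs under `set -e` (not visible in this hunk), a host whose name cannot be resolved would abort the run at the assignment. Something like `DNSSEARCH=$(dnsdomainname 2>/dev/null) || DNSSEARCH=` followed by `case "$DNSSEARCH" in *[!A-Za-z0-9.-]*) DNSSEARCH= ;; esac` keeps the option well-formed. The same interpolation remains in the later change that switches the option to `domainname=`. The `set --` statement that consumes `$NETDEV` continues outside the hunk.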
-- 
cgit v1.2.3


From 1bc6070756dc40fd7ce3380aff5b476d52ea0e4d Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Thu, 22 Dec 2022 22:52:53 +0100
Subject: debvm-create: move UseDomains to DHCP section

The DHCP section covers both v4 and v6. On buster, the versioned variants
do not exist.
---
 debvm-create | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debvm-create b/debvm-create
index 5bcd55d..ae9d65e 100755
--- a/debvm-create
+++ b/debvm-create
@@ -157,7 +157,7 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 # dhcp on all network interfaces
 set -- \
 	'--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
-	"--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n[DHCPv4]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
+	"--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n[DHCP]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
 	"$@"
 
 # add ssh key for root
-- 
cgit v1.2.3


From 04cc838b9e2ec01e5a6beed90f749f390c458441 Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Fri, 23 Dec 2022 07:45:10 +0100
Subject: debvm-create: extend negative dnssec trust anchors

systemd has turned on dnssec validation since buster, and that makes local
domain resolution break unless there is a negative trust anchor. The
standards settled on .home.arpa, but this is only listed since bullseye.
In order to have this domain work on buster, it must be listed
explicitly. It is a noop on later releases.
---
 debvm-create | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debvm-create b/debvm-create
index ae9d65e..e574ee1 100755
--- a/debvm-create
+++ b/debvm-create
@@ -157,7 +157,7 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 # dhcp on all network interfaces
 set -- \
 	'--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
-	"--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n[DHCP]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
+	"--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\nDNSSECNegativeTrustAnchors=home.arpa\n[DHCP]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
 	"$@"
 
 # add ssh key for root
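Review bot: `DNSSECNegativeTrustAnchors=home.arpa` switches off DNSSEC validation for every name under `home.arpa` on the matched interfaces, and nothing in the script says so; the rationale lives only in the commit message. A comment above the `set --` would keep that visible, e.g. `# negative trust anchor: no DNSSEC validation for home.arpa; needed on buster, where it is not built in`. The anchor covers only `home.arpa`, while debvm-run forwards whatever `dnsdomainname` returns, so a host using a different private domain may still fail validation; that is inferred from the other patch, not visible in this hunk.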
-- 
cgit v1.2.3


From fa29c199e7dfda1cc9c93f6948e8d9688c345d64 Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Fri, 23 Dec 2022 07:47:16 +0100
Subject: debvm-run: change dhcp option for dns search

systemd on Debian stretch does not yet understand dnssearch aka dhcp
option 119 and ignores it. Instead we pass it as domain name aka dhcp
option 15. This option can only specify one name, which is what we do
already. Beyond extending the search list, it may also affect the fqdn
of the VM, but this shouldn't hurt.
---
 debvm-run | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debvm-run b/debvm-run
index ffae61c..06dd250 100755
--- a/debvm-run
+++ b/debvm-run
@@ -146,7 +146,7 @@ if test -n "$SSHPORT"; then
 fi
 DNSSEARCH=$(dnsdomainname)
 if test -n "$DNSSEARCH"; then
-	NETDEV="$NETDEV,dnssearch=$DNSSEARCH"
+	NETDEV="$NETDEV,domainname=$DNSSEARCH"
 fi
 set -- \
 	-append "$KERNEL_CMDLINE" \
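Review bot: The reason for sending DHCP option 15 instead of option 119 is recorded only in the commit message, and the variable is still called `DNSSEARCH` although it now sets the guest's domain name. A comment above the assignment would help, e.g. `# passed as domainname (DHCP option 15): systemd on stretch ignores dnssearch (option 119)`. The `set --` statement below the `fi` continues outside the hunk.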
-- 
cgit v1.2.3


From 50c37f591b854aa96e47f5ecb9cfcd2bf06eaa6d Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Fri, 23 Dec 2022 09:08:36 +0100
Subject: debvm-create: restrict networkd quirks to old releases

Reported-by: Jochen Sprickerhof <git@jochen.sprickerhof.de>
---
 debvm-create | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/debvm-create b/debvm-create
index e574ee1..e16c632 100755
--- a/debvm-create
+++ b/debvm-create
@@ -155,9 +155,16 @@ set -- \
 set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 
 # dhcp on all network interfaces
+SYSD_NET_MATCH='Name=en*\n'
+test "$SUITE" = jessie && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\\n"
+SYSD_NET_NET='DHCP=yes\n'
+# This anchor is included by default since bullseye. Fails DNSSEC validation when missing.
+case "$SUITE" in jessie|stretch|buster)
+	SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\n\n"
+;; esac
 set -- \
 	'--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
-	"--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\nDNSSECNegativeTrustAnchors=home.arpa\n[DHCP]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
+	"--customize-hook=printf \"[Match]\\n${SYSD_NET_MATCH}[Network]\\n$SYSD_NET_NET"'[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
 	"$@"
 
 # add ssh key for root
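Review bot: `SYSD_NET_MATCH` and `SYSD_NET_NET` are expanded into a string that the hook shell evaluates inside double quotes and that `printf` then uses as its format, so their content is interpreted twice. With the constants assigned here that is harmless, but a later value containing `%`, a double quote, `$` or a backtick would change the generated `20-wired.network` or the hook command itself. A comment next to the assignments would state the constraint, e.g. `# spliced into a double-quoted printf format in the hook: constant text only, no %, quotes, $ or backticks`.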
-- 
cgit v1.2.3


From c100114c51d2f5e9e8ed2efd58d065b0dd3b34f8 Mon Sep 17 00:00:00 2001
From: Jochen Sprickerhof <git@jochen.sprickerhof.de>
Date: Fri, 23 Dec 2022 10:05:44 +0100
Subject: Fix newlines in network file

---
 debvm-create | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debvm-create b/debvm-create
index e16c632..dbf1192 100755
--- a/debvm-create
+++ b/debvm-create
@@ -156,15 +156,15 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 
 # dhcp on all network interfaces
 SYSD_NET_MATCH='Name=en*\n'
-test "$SUITE" = jessie && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\\n"
+test "$SUITE" = jessie && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\n"
 SYSD_NET_NET='DHCP=yes\n'
 # This anchor is included by default since bullseye. Fails DNSSEC validation when missing.
 case "$SUITE" in jessie|stretch|buster)
-	SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\n\n"
+	SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\n"
 ;; esac
 set -- \
 	'--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
-	"--customize-hook=printf \"[Match]\\n${SYSD_NET_MATCH}[Network]\\n$SYSD_NET_NET"'[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
+	"--customize-hook=printf \"[Match]\\n${SYSD_NET_MATCH}\\n[Network]\\n$SYSD_NET_NET"'\n[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
 	"$@"
 
 # add ssh key for root
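Review bot: The `\\n` to `\n` edit on the jessie `SYSD_NET_MATCH` line does not change the value, because inside double quotes a POSIX shell yields a backslash followed by `n` for both spellings; the effective fix is the added separators in the `printf` hook and the dropped second `\n` after `home.arpa`. The file now mixes both spellings (the hook string still uses `\\n`), which makes the next edit error-prone. Writing the literal fragment in single quotes, as the first assignment already does, avoids the question: `SYSD_NET_MATCH="${SYSD_NET_MATCH}"'Name=eth*\n'`.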
-- 
cgit v1.2.3


From 82720d195c6b243f8f3a610c555392d20745889b Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Fri, 23 Dec 2022 10:27:17 +0100
Subject: debvm-create: conditionalize network workarounds on $DEBVER

---
 debvm-create | 38 ++++++++++++++------------------------
 1 file changed, 14 insertions(+), 24 deletions(-)

diff --git a/debvm-create b/debvm-create
index 8ea33fb..f9bd458 100755
--- a/debvm-create
+++ b/debvm-create
@@ -145,25 +145,17 @@ if test -n "$SSHKEY"; then
 fi
 
 # add a DNS resolver
-case "$SUITE" in
-	jessie)
-		set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
-		set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
-	;;
-	stretch)
-		set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
-		set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
-		INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
-	;;
-	buster|bullseye|stable)
-		set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
-		set -- '--customize-hook=ln -fs ../run/systemd/resolve/stub-resolv.conf "$1/etc/resolv.conf"' "$@"
-		INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
-	;;
-	*)
-		INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
-	;;
-esac
+if test "$DEBVER" -ge 9; then
+	INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
+fi
+if test "$DEBVER" -le 11; then
+	set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
+fi
+if test "$DEBVER" -le 9; then
+	set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
+elif test "$DEBVER" -le 11; then
+	set -- '--customize-hook=ln -fs ../run/systemd/resolve/stub-resolv.conf "$1/etc/resolv.conf"' "$@"
+fi
 
 # construct mmdebstrap options as $@:
 set -- \
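Review bot: Every branch here depends on a numeric `test "$DEBVER" -ge`/`-le` comparison, and `DEBVER` is assigned outside this hunk. If it can be empty or non-numeric for a suite the script does not recognise, each `test` prints an error and evaluates false, so the image is built without any resolver setup. Unless that is already checked where `DEBVER` is set, a guard before the first comparison makes the case explicit, e.g. `case "$DEBVER" in ''|*[!0-9]*) echo "unknown release for suite $SUITE" >&2; exit 1 ;; esac`.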
@@ -187,15 +179,13 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 
 # dhcp on all network interfaces
 SYSD_NET_MATCH='Name=en*\n'
-test "$SUITE" = jessie && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\n"
+test "$DEBVER" -le 8 && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\\n"
 SYSD_NET_NET='DHCP=yes\n'
 # This anchor is included by default since bullseye. Fails DNSSEC validation when missing.
-case "$SUITE" in jessie|stretch|buster)
-	SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\n"
-;; esac
+test "$DEBVER" -le 11 && SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\\n"
 set -- \
 	'--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
-	"--customize-hook=printf \"[Match]\\n${SYSD_NET_MATCH}\\n[Network]\\n$SYSD_NET_NET"'\n[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
+	"--customize-hook=printf \"[Match]\\n$SYSD_NET_MATCH\\n[Network]\\n$SYSD_NET_NET"'\n[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
 	"$@"
 
 # add ssh key for root
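Review bot: `test "$DEBVER" -le 11` now adds the `home.arpa` negative trust anchor on bullseye as well, while the comment directly above says the anchor is built in since bullseye and the removed `case` stopped at buster. If the thresholds in the first hunk mean stretch is 9 and bullseye is 11, the condition that matches the comment is `test "$DEBVER" -le 10 && SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\\n"`. The extra entry is probably harmless, but keeping an unneeded DNSSEC exemption out of newer images is the tighter default.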
-- 
cgit v1.2.3