From 4e10d0b4df0118c048c815d30191da702776735e Mon Sep 17 00:00:00 2001
From: Jochen Sprickerhof
Date: Thu, 22 Dec 2022 12:27:46 +0100
Subject: Add a DNS resolver (Closes: #3)

---
 debvm-create | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/debvm-create b/debvm-create
index c44b67d..e907962 100755
--- a/debvm-create
+++ b/debvm-create
@@ -112,6 +112,27 @@ if test -n "$SSHKEY"; then
 INCLUDE_PACKAGES="$INCLUDE_PACKAGES,openssh-server"
 fi
 
+# add a DNS resolver
+case "$SUITE" in
+ jessie)
+ set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
+ set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
+ ;;
+ stretch)
+ set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
+ set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
+ INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
+ ;;
+ buster|bullseye|stable)
+ set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
+ set -- '--customize-hook=ln -fs ../run/systemd/resolve/stub-resolv.conf "$1/etc/resolv.conf"' "$@"
+ INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
+ ;;
+ *)
+ INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
+ ;;
+esac
+
 # construct mmdebstrap options as $@:
 set -- \
 --verbose \
-- 
cgit v1.2.3

From 444b51356c20471c891dd41c7b08b6fb4d475cb3 Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Thu, 22 Dec 2022 22:04:03 +0100
Subject: fix local dns search

Previously, the /etc/resolv.conf was inherited from the host. It would thus also inherit the search domains. Now, the generated image lacks the host's resolv.conf and thus it search domains. This is good for reproducibility. In order to continue resolving plain host names, we tell qemu to serve the search domain via dhcp and we tell networkd to trust the dhcp server's domains.
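Review bot: The `buster|bullseye|stable)` arm pins the suite alias `stable` to bullseye's resolver layout, so once stable moves to the next release an image built with `SUITE=stable` still gets `systemctl enable systemd-resolved` plus the stub-resolv.conf symlink, while `oldstable`, `testing` and `unstable` fall through to `*)` and only get libnss-resolve; nothing in this hunk decides whether that is right for them. Map aliases to a codename (or a release number) once before the `case` and drop `stable` from the arm so the alias cannot drift. It would also help to say why jessie/stretch link `resolve/resolv.conf` while buster and later link `stub-resolv.conf`, e.g. `# older resolved has no stub listener file; resolv.conf there lists the upstream servers, so clients reading it directly bypass resolved` — the exact cut-over is inferred from the arms and should be confirmed. The `case` block is complete within the hunk.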
Signed-off-by: Jochen Sprickerhof
---
 debvm-create | 2 +-
 debvm-run | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/debvm-create b/debvm-create
index e907962..5bcd55d 100755
--- a/debvm-create
+++ b/debvm-create
@@ -157,7 +157,7 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 # dhcp on all network interfaces
 set -- \
 '--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
- "--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
+ "--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n[DHCPv4]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
 "$@"
 
 # add ssh key for root
diff --git a/debvm-run b/debvm-run
index 9b26a76..ffae61c 100755
--- a/debvm-run
+++ b/debvm-run
@@ -144,6 +144,10 @@ fi
 if test -n "$SSHPORT"; then
 NETDEV="$NETDEV,hostfwd=tcp:127.0.0.1:$SSHPORT-:22"
 fi
+DNSSEARCH=$(dnsdomainname)
+if test -n "$DNSSEARCH"; then
+ NETDEV="$NETDEV,dnssearch=$DNSSEARCH"
+fi
 set -- \
 -append "$KERNEL_CMDLINE" \
 -netdev "$NETDEV" \
-- 
cgit v1.2.3

From 1bc6070756dc40fd7ce3380aff5b476d52ea0e4d Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Thu, 22 Dec 2022 22:52:53 +0100
Subject: debvm-create: move UseDomains to DHCP section

The DHCP section covers both v4 and v6. On buster The versioned variants do not exist.
---
 debvm-create | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debvm-create b/debvm-create
index 5bcd55d..ae9d65e 100755
--- a/debvm-create
+++ b/debvm-create
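Review bot: `UseDomains=yes` makes the guest accept whatever domain the DHCP server on the link hands out as a search domain, and because the `[Match]` section is `Name=en*`/`Name=eth*` this applies to any NIC the image is booted with, not only the qemu user-mode stack that debvm-run configures; on a bridged or tap network an attacker-run DHCP server can thereby redirect every unqualified name the guest looks up. That is a reasonable trade-off for a throwaway test VM, but it should be stated next to the line so nobody reuses the image elsewhere: `# UseDomains=yes trusts the DHCP-supplied domain as a search domain (needed so debvm-run's user-mode DHCP can forward the host's); do not boot this image on untrusted networks`. The `set --` list is complete within the hunk.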
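Review bot: `DNSSEARCH=$(dnsdomainname)` lets the tool's exit status and stderr through: on a host whose own hostname does not resolve, `dnsdomainname` typically prints an error and exits non-zero, which aborts debvm-run if the script runs under `set -e` (not visible in this hunk) and otherwise leaves noise on the terminal. Since an empty result is already handled by the `test -n` guard, make the probe best-effort: `DNSSEARCH=$(dnsdomainname 2>/dev/null || true)`. A short comment above it, e.g. `# forward the host's DNS search domain via qemu's DHCP so unqualified names resolve inside the VM`, would also record why the guest's resolver depends on the host at run time. The top-level script continues outside the hunk.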
@@ -157,7 +157,7 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 # dhcp on all network interfaces
 set -- \
 '--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
- "--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n[DHCPv4]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
+ "--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n[DHCP]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
 "$@"
 
 # add ssh key for root
-- 
cgit v1.2.3

From 04cc838b9e2ec01e5a6beed90f749f390c458441 Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Fri, 23 Dec 2022 07:45:10 +0100
Subject: debvm-create: extend negative dnssec trust anchors

systemd turns on dnssec validation since buster and that makes local domain resolution break unless having a negative trust anchor. The standards settled on .home.arpa, but this is only listed since bullseye. In order to have this domain work on buster, it must be listed explicitly. It is a noop on later releases.
---
 debvm-create | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debvm-create b/debvm-create
index ae9d65e..e574ee1 100755
--- a/debvm-create
+++ b/debvm-create
@@ -157,7 +157,7 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 # dhcp on all network interfaces
 set -- \
 '--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
- "--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\n[DHCP]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
+ "--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\nDNSSECNegativeTrustAnchors=home.arpa\n[DHCP]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
 "$@"
 
 # add ssh key for root
-- 
cgit v1.2.3

From fa29c199e7dfda1cc9c93f6948e8d9688c345d64 Mon Sep 17 00:00:00 2001
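Review bot: `DNSSECNegativeTrustAnchors=home.arpa` exempts exactly one zone from validation, but the search domain the guest receives over DHCP is whatever `dnsdomainname` prints on the host (set up in debvm-run), so any other unsigned private domain still fails validation on buster; the commit message explains the choice, the script does not. Add a comment above the printf line along the lines of `# buster's resolved validates DNSSEC; home.arpa is locally served and unsigned, so exempt it (listed by default from bullseye on). Other unsigned private domains would need the same treatment.` Each added anchor switches DNSSEC off for that subtree, so the list should stay minimal rather than growing toward a catch-all. The `set --` list is complete within the hunk.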
From: Helmut Grohne
Date: Fri, 23 Dec 2022 07:47:16 +0100
Subject: debvm-run: change dhcp option for dns search

systemd on Debian stretch does not yet understand dnssearch aka dhcp option 119 and ignores it. Instead we pass it as domain name aka dhcp option 15. This option can only specify one name, which is what we do already. Beyond extending the search list, it may also affect the fqdn of the VM, but this shouldn't hurt.
---
 debvm-run | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debvm-run b/debvm-run
index ffae61c..06dd250 100755
--- a/debvm-run
+++ b/debvm-run
@@ -146,7 +146,7 @@ if test -n "$SSHPORT"; then
 fi
 DNSSEARCH=$(dnsdomainname)
 if test -n "$DNSSEARCH"; then
- NETDEV="$NETDEV,dnssearch=$DNSSEARCH"
+ NETDEV="$NETDEV,domainname=$DNSSEARCH"
 fi
 set -- \
 -append "$KERNEL_CMDLINE" \
-- 
cgit v1.2.3

From 50c37f591b854aa96e47f5ecb9cfcd2bf06eaa6d Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Fri, 23 Dec 2022 09:08:36 +0100
Subject: debvm-create: restrict networkd quirks to old releases

Reported-by: Jochen Sprickerhof
---
 debvm-create | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/debvm-create b/debvm-create
index e574ee1..e16c632 100755
--- a/debvm-create
+++ b/debvm-create
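Review bot: The switch to `domainname=` (DHCP option 15) is undocumented in the script itself: the variable is still called `DNSSEARCH` and nothing near the `NETDEV=` line says why option 15 is used instead of the `dnssearch` option it replaces, so the next reader will be tempted to "fix" it back. Add above the `if test -n "$DNSSEARCH"` line: `# DHCP option 15 (domain name), not 119 (search list): stretch's networkd ignores 119; with UseDomains=yes option 15 extends the guest's search list but also becomes the guest's domain part.` Option 15 carries a single name, so a host with several search domains only forwards the one `dnsdomainname` prints, which is worth a word in the same comment. The top-level script continues outside the hunk.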
@@ -155,9 +155,16 @@ set -- \
 set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 
 # dhcp on all network interfaces
+SYSD_NET_MATCH='Name=en*\n'
+test "$SUITE" = jessie && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\\n"
+SYSD_NET_NET='DHCP=yes\n'
+# This anchor is included by default since bullseye. Fails DNSSEC validation when missing.
+case "$SUITE" in jessie|stretch|buster)
+ SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\n\n"
+;; esac
 set -- \
 '--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
- "--customize-hook=printf '"'[Match]\nName=en*\nName=eth*\n[Network]\nDHCP=yes\nDNSSECNegativeTrustAnchors=home.arpa\n[DHCP]\nUseDomains=yes\n'"'"' > "$1/etc/systemd/network/20-wired.network"' \
+ "--customize-hook=printf \"[Match]\\n${SYSD_NET_MATCH}[Network]\\n$SYSD_NET_NET"'[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
 "$@"
 
 # add ssh key for root
-- 
cgit v1.2.3

From c100114c51d2f5e9e8ed2efd58d065b0dd3b34f8 Mon Sep 17 00:00:00 2001
From: Jochen Sprickerhof
Date: Fri, 23 Dec 2022 10:05:44 +0100
Subject: Fix newlines in network file

---
 debvm-create | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debvm-create b/debvm-create
index e16c632..dbf1192 100755
--- a/debvm-create
+++ b/debvm-create
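Review bot: `case "$SUITE" in jessie|stretch|buster)` and `test "$SUITE" = jessie` match codenames only, so an image built with an alias such as `oldstable` (buster at the time) gets no `DNSSECNegativeTrustAnchors` line and runs into exactly the validation failure the comment above warns about. Resolving aliases to a codename or release number once, before these checks, closes that gap. Separately, `$SYSD_NET_MATCH` and `$SYSD_NET_NET` are spliced into the printf *format* string that the hook later runs under `sh -c`, so a `%` in either value would be interpreted by printf; a comment such as `# these fragments are expanded into a printf format string inside the customize hook: no % or unescaped quotes` would keep a later edit from tripping over that. The `set --` list is complete within the hunk.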
@@ -156,15 +156,15 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 
 # dhcp on all network interfaces
 SYSD_NET_MATCH='Name=en*\n'
-test "$SUITE" = jessie && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\\n"
+test "$SUITE" = jessie && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\n"
 SYSD_NET_NET='DHCP=yes\n'
 # This anchor is included by default since bullseye. Fails DNSSEC validation when missing.
 case "$SUITE" in jessie|stretch|buster)
- SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\n\n"
+ SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\n"
 ;; esac
 set -- \
 '--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
- "--customize-hook=printf \"[Match]\\n${SYSD_NET_MATCH}[Network]\\n$SYSD_NET_NET"'[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
+ "--customize-hook=printf \"[Match]\\n${SYSD_NET_MATCH}\\n[Network]\\n$SYSD_NET_NET"'\n[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
 "$@"
 
 # add ssh key for root
-- 
cgit v1.2.3

From 82720d195c6b243f8f3a610c555392d20745889b Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Fri, 23 Dec 2022 10:27:17 +0100
Subject: debvm-create: conditionalize network workarounds on $DEBVER

---
 debvm-create | 38 ++++++++++++++------------------------
 1 file changed, 14 insertions(+), 24 deletions(-)

diff --git a/debvm-create b/debvm-create
index 8ea33fb..f9bd458 100755
--- a/debvm-create
+++ b/debvm-create
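Review bot: Changing `Name=eth*\\n` to `Name=eth*\n` inside a double-quoted bash string is a no-op: within double quotes a backslash is only special before `$`, `` ` ``, `"`, `\` or a newline, so both spellings assign the two characters backslash-n, which printf expands in the hook. The lines that actually change the output are the `\\n` added before `[Network]` and the `\n` added before `[DHCP]`, which put a blank line between sections, and the `home.arpa\n\n` → `\n` change, which stops the `[Network]` section from getting a second one. To avoid this confusion recurring, use one escaping convention for all three fragments and say so once: `# every fragment holds a literal backslash-n; printf inside the hook turns it into a newline`. The `set --` list is complete within the hunk.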
@@ -145,25 +145,17 @@ if test -n "$SSHKEY"; then
 fi
 
 # add a DNS resolver
-case "$SUITE" in
- jessie)
- set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
- set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
- ;;
- stretch)
- set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
- set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
- INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
- ;;
- buster|bullseye|stable)
- set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
- set -- '--customize-hook=ln -fs ../run/systemd/resolve/stub-resolv.conf "$1/etc/resolv.conf"' "$@"
- INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
- ;;
- *)
- INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
- ;;
-esac
+if test "$DEBVER" -ge 9; then
+ INCLUDE_PACKAGES="$INCLUDE_PACKAGES,libnss-resolve"
+fi
+if test "$DEBVER" -le 11; then
+ set -- '--customize-hook=chroot "$1" systemctl enable systemd-resolved.service' "$@"
+fi
+if test "$DEBVER" -le 9; then
+ set -- '--customize-hook=ln -fs ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"' "$@"
+elif test "$DEBVER" -le 11; then
+ set -- '--customize-hook=ln -fs ../run/systemd/resolve/stub-resolv.conf "$1/etc/resolv.conf"' "$@"
+fi
 
 # construct mmdebstrap options as $@:
 set -- \
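Review bot: `test "$DEBVER" -ge 9` and the comparisons below it assume `$DEBVER` is a non-empty integer; if the suite-to-version mapping (outside this hunk) leaves it empty or non-numeric, `test` prints `integer expression expected` and returns 2, so every branch is skipped and the image silently gets no resolver setup (or the script aborts if it runs under `set -e`). Guard once before this block, e.g. `case "$DEBVER" in ''|*[!0-9]*) printf 'unsupported Debian version: %s\n' "$DEBVER" >&2; exit 1;; esac`. The three thresholds encode release facts and deserve a comment such as `# libnss-resolve exists from stretch (9); up to bullseye (11) resolved must be enabled and /etc/resolv.conf linked by hand; stub-resolv.conf appears after stretch` — the last boundary is inferred from `-le 9` and should be confirmed. The `# construct mmdebstrap options` block continues outside the hunk.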
@@ -187,15 +179,13 @@ set -- '--customize-hook=chroot "$1" passwd --delete root' "$@"
 
 # dhcp on all network interfaces
 SYSD_NET_MATCH='Name=en*\n'
-test "$SUITE" = jessie && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\n"
+test "$DEBVER" -le 8 && SYSD_NET_MATCH="${SYSD_NET_MATCH}Name=eth*\\n"
 SYSD_NET_NET='DHCP=yes\n'
 # This anchor is included by default since bullseye. Fails DNSSEC validation when missing.
-case "$SUITE" in jessie|stretch|buster)
- SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\n"
-;; esac
+test "$DEBVER" -le 11 && SYSD_NET_NET="${SYSD_NET_NET}DNSSECNegativeTrustAnchors=home.arpa\\n"
 set -- \
 '--customize-hook=chroot "$1" systemctl enable systemd-networkd.service' \
- "--customize-hook=printf \"[Match]\\n${SYSD_NET_MATCH}\\n[Network]\\n$SYSD_NET_NET"'\n[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
+ "--customize-hook=printf \"[Match]\\n$SYSD_NET_MATCH\\n[Network]\\n$SYSD_NET_NET"'\n[DHCP]\nUseDomains=yes\n" > "$1/etc/systemd/network/20-wired.network"' \
 "$@"
 
 # add ssh key for root
-- 
cgit v1.2.3
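Review bot: `test "$DEBVER" -le 11 && SYSD_NET_NET=...DNSSECNegativeTrustAnchors=home.arpa...` now includes bullseye (11), while the comment directly above says the anchor is included by default since bullseye and the `case` it replaces stopped at buster, so the conversion widened the condition by one release. The earlier commit message claims the duplicate is a no-op on later releases, but it contradicts this commit's stated goal of restricting the quirks to old releases; either make it `test "$DEBVER" -le 10 && ...` or reword the comment to say the line is kept on bullseye deliberately. The `Name=eth*\\n` spelling also flips back to double backslashes here, although inside double quotes `\\n` and `\n` both yield a literal backslash-n; pick one convention for all fragments. The `set --` list is complete within the hunk.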