
Wikidough: Upgrade to dnsdist 1.5.0
Closed, Resolved · Public

Description

Wikidough is currently running dnsdist 1.4.0. This version introduced DoH support and was the latest version in Debian testing when we started the project; we backported it to buster (buster ships dnsdist 1.3.3).

The current version in testing is dnsdist 1.5.0, released on July 30 of this year. We should look into upgrading to the current version in testing and this task tracks the changes required, including updating the Debian package (currently 1.4.0-1~deb10u2), identifying the major changes since 1.4.0, and updating the dnsdist.conf file to match those changes.

Code changes for upgrade:

  • backport dnsdist-1.5.0 from testing
  • webserver ACL now defaults to 127.0.0.1, ::1; update it to allow traffic from outside for Prometheus (already restricted to production network)
  • confirm DoH endpoints in addDOHLocal() match the changes in 1.5.0
  • remove the provider option for the TLS library, as OpenSSL is now the default (only applies to DoT) [see https://github.com/PowerDNS/pdns/pull/8380]
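The four bullets above, written out as a dnsdist.conf fragment for 1.5.0. This is an added illustration, not Wikidough's production dnsdist.conf or anything from the Gerrit changes on this task: the listen addresses, certificate paths, the `/dns-query` path, the webserver credentials and the 10.0.0.0/8 scrape network are all assumptions chosen for the example. It uses setWebserverConfig(), which dnsdist 1.5.0 introduced for the webserver options including the new ACL.

```lua
-- Added example of a dnsdist 1.5.0 configuration covering the upgrade
-- checklist above. Not Wikidough's real dnsdist.conf: every address, path,
-- credential and network here is an assumption for illustration only.

-- Assumed certificate and key paths (the real ones come from acmechief).
local tlsCert = "/etc/dnsdist/tls/cert.pem"
local tlsKey  = "/etc/dnsdist/tls/key.pem"

-- DoT listener. In 1.5.0 OpenSSL is the default TLS provider, so the
-- pre-1.5.0 option table { provider = "openssl" } is simply dropped.
addTLSLocal("[::]:853", tlsCert, tlsKey)

-- DoH listener with an explicit URL path list (assumed path). Keeping the
-- path list explicit makes it straightforward to confirm after an upgrade
-- that only the intended endpoints answer DoH queries.
addDOHLocal("[::]:443", tlsCert, tlsKey, { "/dns-query" })

-- Webserver used for Prometheus metrics. Since 1.5.0 the webserver ACL
-- defaults to 127.0.0.1 and ::1, so a remote scraper is refused unless its
-- network is listed explicitly. Credentials are placeholders.
webserver("[::]:8083")
setWebserverConfig({
  password = "CHANGE-ME-webserver-password",
  apiKey   = "CHANGE-ME-api-key",
  acl      = "127.0.0.1, ::1, 10.0.0.0/8",   -- assumed Prometheus network
})
```

A fragment like this can be syntax-checked with `dnsdist --check-config` before it is reloaded. The ACL entry is a second layer on top of the network-level restriction the task already mentions: even if the firewall rule were mis-applied, the webserver itself would still refuse connections from addresses outside the listed ranges.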

Event Timeline

ssingh created this task. (Sep 24 2020, 8:09 PM)
Restricted Application added a project: SRE. (Sep 24 2020, 8:09 PM)
Restricted Application added a subscriber: Aklapper.
ssingh claimed this task. (Sep 24 2020, 8:12 PM)
ssingh triaged this task as Medium priority.
ssingh updated the task description. (Oct 1 2020, 3:03 PM)

Change 631508 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] dnsdist: add acl parameter for webserver configuration

https://gerrit.wikimedia.org/r/631508

Change 631827 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] dnsdist: temporarily disable validate_cmd for dnsdist.conf

https://gerrit.wikimedia.org/r/631827

Change 631827 merged by Ssingh:
[operations/puppet@production] dnsdist: temporarily disable validate_cmd for dnsdist.conf

https://gerrit.wikimedia.org/r/631827

Change 631508 merged by Ssingh:
[operations/puppet@production] dnsdist: add acl parameter for webserver configuration

https://gerrit.wikimedia.org/r/631508

ssingh updated the task description. (Oct 2 2020, 8:06 PM)
ssingh updated the task description. (Oct 2 2020, 8:48 PM)

Change 632217 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] dnsdist: do not set the TLS library explicitly (use dnsdist's default)

https://gerrit.wikimedia.org/r/632217

Change 632217 merged by Ssingh:
[operations/puppet@production] dnsdist: do not set the TLS library explicitly (use dnsdist's default)

https://gerrit.wikimedia.org/r/632217

ssingh updated the task description. (Oct 5 2020, 11:54 AM)
ssingh added a comment. (Oct 5 2020, 5:21 PM)

Another important change in 1.5.0 is https://github.com/PowerDNS/pdns/pull/7138 [dnsdist/rec: Drop remaining capabilities after startup]. For our dnsdist instance, this is handled for dnsdist.conf and the TLS certs by the following:

For dnsdist.conf, the Debian package for dnsdist takes care of setting the right permissions for dnsdist.conf during (after) the installation; from debian/dnsdist.postinst in dnsdist/testing:

chown root:_dnsdist /etc/dnsdist/dnsdist.conf
chmod g+r /etc/dnsdist/dnsdist.conf

For the TLS certs, we are already setting key_group for acmechief to _dnsdist (see commit a551c82d7c) so dnsdist should have no problem reading the certificate files.

ema added a subscriber: ema. (Oct 5 2020, 5:23 PM)

Mentioned in SAL (#wikimedia-operations) [2020-10-06T14:57:17Z] <sukhe> upload dnsdist_1.5.0-1wm1 to apt.wm.o (buster) - T263789

ssingh closed this task as Resolved. (Oct 6 2020, 3:07 PM)
ssingh updated the task description.

sukhe@malmok:~$ /usr/bin/dnsdist --version
dnsdist 1.5.0 (Lua 5.2.4)

Completed upgrade to dnsdist 1.5.0, marking as closed.