Fix DHCP4 configuration in Netplan

Debian Bookworm switches DNS management from resolvconf to systemd-resolved. This change results in Bookworm instances having an incompatible hostname resolution configuration. Since we rely on cloud-init to automatically configure some of our DNS settings we need to adjust the configuration of Netplan (used by cloud-init) to get the correct configuration for our system. The issue is that Netplan uses a default of false for the value of dhcp4-overrides.use-domains and cloud-init does not explicitly set this key or provide a means to do so. We remedy this by modifying the cloud-init configuration of Bookworm instances to use a Python script to adjust the Netplan configuration and then re-apply Netplan to enable our desired configuration. Co-authored-by: Shane Frasier <[email protected]>
cisagov · Jan 11, 2024 · 8812309 · 8812309
1 parent c687251
commit 8812309
Show file tree

Hide file tree

Showing 9 changed files with 243 additions and 0 deletions.
diff --git a/packer/ansible/bookworm.yml b/packer/ansible/bookworm.yml
@@ -0,0 +1,12 @@
+---
+- hosts: bastion,docker,nessus,nmap
+  name: Perform additional tasks to support Debian Bookworm
+  become: yes
+  become_method: ansible.builtin.sudo
+  tasks:
+    # We have a cloud-init script to fix the Netplan configuration that needs
+    # this Python package.
+    - name: Ensure the PyYAML package is installed
+      ansible.builtin.package:
+        name:
+          - python3-yaml
diff --git a/packer/ansible/playbook.yml b/packer/ansible/playbook.yml
@@ -2,6 +2,9 @@
 - name: Import base image playbook
   ansible.builtin.import_playbook: base.yml
 
+- name: Import Debian Bookworm playbook
+  ansible.builtin.import_playbook: bookworm.yml
+
 - name: Import AWS playbook
   ansible.builtin.import_playbook: aws.yml
 

diff --git a/terraform/bod_bastion_cloud_init.tf b/terraform/bod_bastion_cloud_init.tf
@@ -15,4 +15,42 @@ data "cloudinit_config" "bod_bastion_cloud_init_tasks" {
     filename     = "set_hostname.yml"
     merge_type   = "list(append)+dict(recurse_array)+str()"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }
diff --git a/terraform/bod_docker_cloud_init.tf b/terraform/bod_docker_cloud_init.tf
@@ -86,4 +86,42 @@ data "cloudinit_config" "bod_docker_cloud_init_tasks" {
     content_type = "text/x-shellscript"
     filename     = "04_cyhy_docker_chown_vdp_output_directory.sh"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }
diff --git a/terraform/cloud-init/fix_dhcp.tpl.py b/terraform/cloud-init/fix_dhcp.tpl.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+"""Append the necessary DHCP options to the Netplan configuration.
+
+The Netplan configuration is created by cloud-init, but it needs to be
+slightly modified and reapplied.  This script takes care of the
+modification.
+See these issues for more details:
+- cisagov/skeleton-packer#300
+- canonical/cloud-init#4764
+This file is a template.  It should be processed by Terraform.
+"""
+
+# Third-Party Libraries
+import yaml
+
+# Inputs from Terraform
+NETPLAN_CONFIG = "${netplan_config}"
+
+with open(NETPLAN_CONFIG) as f:
+    # Load the current Netplan configuration
+    config = yaml.safe_load(f)
+    # Add a dhcp4-overrides section to each network
+    config["network"]["ethernets"] = {
+        k: v | {"dhcp4-overrides": {"use-domains": True}}
+        for (k, v) in config["network"]["ethernets"].items()
+    }
+
+# Write the results back out to the Netplan configuration file
+with open(NETPLAN_CONFIG, "w") as f:
+    f.write(yaml.dump(config))
diff --git a/terraform/cloud-init/fix_dhcp.yml b/terraform/cloud-init/fix_dhcp.yml
@@ -0,0 +1,7 @@
+---
+
+# There is a Python script that fixes the DHCP4 options in the Netplan
+# configuration already generated by cloud-init.  The following simply
+# reapplies the Netplan configuration after the modification.
+runcmd:
+  - [netplan, apply]
diff --git a/terraform/cyhy_bastion_cloud_init.tf b/terraform/cyhy_bastion_cloud_init.tf
@@ -15,4 +15,42 @@ data "cloudinit_config" "cyhy_bastion_cloud_init_tasks" {
     filename     = "set_hostname.yml"
     merge_type   = "list(append)+dict(recurse_array)+str()"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }
diff --git a/terraform/cyhy_nessus_cloud_init.tf b/terraform/cyhy_nessus_cloud_init.tf
@@ -64,4 +64,42 @@ data "cloudinit_config" "cyhy_nessus_cloud_init_tasks" {
     content_type = "text/x-shellscript"
     filename     = "02_cyhy_nessus_chown_runner_directory.sh"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }
diff --git a/terraform/cyhy_nmap_cloud_init.tf b/terraform/cyhy_nmap_cloud_init.tf
@@ -64,4 +64,42 @@ data "cloudinit_config" "cyhy_nmap_cloud_init_tasks" {
     content_type = "text/x-shellscript"
     filename     = "02_cyhy_nmap_chown_runner_directory.sh"
   }
+
+  # Fix the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content = templatefile(
+      "${path.module}/cloud-init/fix_dhcp.tpl.py", {
+        netplan_config = "/etc/netplan/50-cloud-init.yaml"
+    })
+    content_type = "text/x-shellscript"
+    filename     = "fix_dhcp.py"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
+
+  # Now that the DHCP options in the Canonical Netplan configuration
+  # created by cloud-init have been fixed, reapply the Netplan
+  # configuration.
+  #
+  # The issue is that Netplan uses a default of false for
+  # dhcp4-overrides.use-domains, and cloud-init does not explicitly
+  # set this key or provide any way to do so.
+  #
+  # See these issues for more details:
+  # - cisagov/skeleton-packer#300
+  # - canonical/cloud-init#4764
+  part {
+    content      = file("${path.module}/cloud-init/fix_dhcp.yml")
+    content_type = "text/cloud-config"
+    filename     = "fix_dhcp.yml"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+  }
 }