10 Commits

Author SHA1 Message Date
Daniel Akulenok 957efdf7c7 docs: clarify BIND9 9.20 branch strategy
Test / Lint (pull_request) Failing after 1m3s
Test / Test (pull_request) Has been skipped
2026-07-02 10:44:41 +02:00
Daniel Akulenok cd3a35e7a9 tiny little bug fix
Test / Lint (push) Failing after 21s
Test / Test (push) Has been skipped
2026-03-27 22:05:02 +01:00
Daniel Akulenok 77212eef9b improve molecule
Test / Lint (push) Failing after 1m40s
Test / Test (push) Has been skipped
2026-02-12 15:05:51 +01:00
Daniel Akulenok 79ac474a85 Merge branch 'main' of ssh://git.valid.dk:2222/daniel/ansible-bind9-role
Test / Lint (push) Successful in 15s
Test / Test (push) Has been skipped
2026-02-09 12:34:04 +01:00
daniel abd150f581 Merge pull request 'Fix default Molecule scenario and add testing skill' (#18) from fix/molecule-default-test into main
Test / Lint (push) Successful in 16s
Test / Test (push) Has been skipped
Reviewed-on: #18
2026-02-09 11:33:11 +00:00
Daniel Akulenok cb20db00af Merge branch 'main' of ssh://git.valid.dk:2222/daniel/ansible-bind9-role
Test / Lint (push) Successful in 17s
Test / Test (push) Has been skipped
2026-02-09 12:17:45 +01:00
Daniel Akulenok 07f84b7c96 Fix Molecule default scenario tests
Test / Lint (pull_request) Successful in 16s
Test / Test (pull_request) Failing after 2m12s
2026-02-08 20:43:56 +01:00
Daniel Akulenok a4f06d3daf fix: Install molecule-podman driver for CI/CD tests
Test / Lint (push) Successful in 16s
Test / Test (push) Has been skipped
The test stage was failing because molecule couldn't find the podman
driver. The issue was that 'molecule[podman]' extra doesn't exist in
molecule 25.12.0. Install 'molecule-podman' package instead which
provides the required podman driver for molecule.
2026-02-08 00:29:47 +01:00
Daniel Akulenok 282e7601b4 fix: Add pipefail option to shell command in verify.yml
Test / Lint (push) Successful in 15s
Test / Test (push) Has been skipped
Resolves ansible-lint risky-shell-pipe violation by adding
'set -o pipefail' to shell task that uses pipes.
2026-02-08 00:26:46 +01:00
daniel f15d33b619 Merge pull request 'feat: Add BIND9 9.20 support with molecule scenario and documentation' (#14) from feature/bind9-20-support into main
Test / Lint (push) Failing after 15s
Test / Test (push) Has been skipped
Reviewed-on: #14
2026-02-07 23:21:35 +00:00
11 changed files with 111 additions and 85 deletions
+2 -2
View File
@@ -54,8 +54,8 @@ jobs:
run: | run: |
pip install --no-cache-dir \ pip install --no-cache-dir \
ansible \ ansible \
molecule[podman] \ molecule \
podman-compose \ molecule-podman \
pyyaml \ pyyaml \
jinja2 jinja2
@@ -0,0 +1,31 @@
---
name: molecule-role-testing
description: Run Molecule scenarios to test the bind9 role using the repository's Molecule configuration.
---
Use this skill when asked to test or validate the role with Molecule.
## Scope
- Repository root: /home/alive/Code/ansible-bind9-role
- Scenarios: molecule/default and molecule/bind9-20
- Driver: podman
## Prerequisites
1. Ensure Podman is available and the current user can run it.
2. Ensure Molecule and Ansible are installed in the active Python environment.
## Default scenario (BIND 9.18 LTS)
1. From the repository root, run:
- molecule test
2. If a faster check is requested, run:
- molecule converge
## BIND 9.20+ scenario
1. From the repository root, run:
- molecule test -s bind9-20
2. If a faster check is requested, run:
- molecule converge -s bind9-20
## Notes
- The scenarios use systemd-enabled containers and require privileged Podman.
- If a scenario fails, capture the error summary and relevant logs before making changes.
+36 -34
View File
@@ -2,53 +2,53 @@
## Overview ## Overview
This document describes the ansible-bind9-role implementation for BIND9 9.20+ support through the `feature/bind9-20-support` branch. This document describes the ansible-bind9-role strategy for BIND9 9.20+ support through a dedicated version branch.
The current implementation uses branch-level compatibility boundaries instead of runtime version detection. The main branch targets BIND9 9.18.x LTS, while the 9.20 branch targets BIND9 9.20+ feature releases.
## Architecture ## Architecture
### Multi-Version Support Strategy ### Branch-Based Support Strategy
The role supports multiple BIND9 versions using: The role uses branch-only support boundaries:
1. **Runtime Version Detection**: BIND9 version is detected at runtime and stored in the `bind9_version` fact 1. `main` branch: BIND9 9.18.x LTS support for production-stable deployments.
2. **Template Conditionals**: Jinja2 conditionals in templates apply version-specific configurations 2. `9.20` branch: BIND9 9.20+ feature-release support with version-specific templates, grammar data, tests, and documentation.
3. **Separate Branches**: Different BIND9 feature release series are maintained on separate branches
- `main`: BIND9 9.18.x (LTS) - Production stable The role does not currently detect BIND9 versions at runtime and does not use runtime version conditionals in templates. Each branch is expected to be tested against the BIND9 series it supports.
- `9.20`: BIND9 9.20+ (feature releases) - New features and modern approach
This approach is preferred because:
- compatibility boundaries are clear for users and maintainers;
- templates avoid cross-version conditional complexity;
- each branch can evolve with the grammar and package behavior of its target BIND9 series;
- generated configuration does not silently change based on the installed package version.
### Branch Structure ### Branch Structure
``` ```
main # BIND9 9.18.x LTS (stable) main # BIND9 9.18.x LTS support
└─ 9.20 # BIND9 9.20+ feature releases └─ 9.20 # BIND9 9.20+ feature-release support
─ feature/bind9-20-support # Current development branch ─ feature/* # Short-lived feature branches targeting 9.20
└─ (will merge to 9.20 after testing)
``` ```
## Implementation Details ## Implementation Details
### 1. Version Detection (tasks/main.yml) ### 1. Task Flow
```yaml 1. Install the configured BIND9 packages from `bind9_packages`.
- name: Detect BIND9 version at runtime 2. Ensure backup and logging directories exist when enabled or configured.
ansible.builtin.command: 3. Render configured BIND9 files through `named.conf.generator.j2`.
cmd: named -v 4. Validate the generated configuration with `named-checkconf -z`.
register: _bind9_version_output 5. Restore backed-up configuration files if validation fails.
changed_when: false 6. Start and enable the `named` service.
- name: Set bind9_version fact There is no runtime `bind9_version` fact in this flow.
ansible.builtin.set_fact:
bind9_version: "{{ _bind9_version_output.stdout | regex_search('BIND (\\S+)', '\\1') | first }}"
```
### 2. Meta/Argument Specs Updates ### 2. Meta/Argument Specs Updates
The `meta/argument_specs.yml` has been updated to: The `meta/argument_specs.yml` file documents the public role inputs for the current branch. It must not document runtime-only variables that the role does not set or consume.
- Document BIND9 9.20+ support alongside 9.18.x
- Add `bind9_version` variable documentation (read-only, auto-detected)
- Clarify version-specific behavior
### 3. Molecule Testing ### 3. Molecule Testing
@@ -67,7 +67,7 @@ Two molecule scenarios are now available:
### 4. Template Version Compatibility ### 4. Template Version Compatibility
Templates have been audited for BIND9 9.20 compatibility. The primary template files include: Templates in each version branch should be audited for the BIND9 series targeted by that branch. The primary template files include:
- `named.conf.options.j2` - Global options block - `named.conf.options.j2` - Global options block
- `named.conf.zone.j2` - Zone definitions - `named.conf.zone.j2` - Zone definitions
@@ -77,10 +77,10 @@ Templates have been audited for BIND9 9.20 compatibility. The primary template f
### 5. Deprecated Options Handling ### 5. Deprecated Options Handling
BIND9 9.20 removes 44 options from 9.18. The role handles this through: BIND9 9.20 removes 44 options from 9.18. The 9.20 branch should handle this through:
1. **Documentation**: Each deprecated option is documented in BIND9_MIGRATION_GUIDE.md 1. **Documentation**: Each deprecated option is documented in BIND9_MIGRATION_GUIDE.md
2. **Conditional Removal**: Templates check version and exclude removed options 2. **Branch-specific templates**: Templates on the 9.20 branch omit removed options
3. **Migration Path**: BIND9_MIGRATION_GUIDE.md provides alternatives for each removed option 3. **Migration Path**: BIND9_MIGRATION_GUIDE.md provides alternatives for each removed option
## Critical BIND9 9.20 Changes ## Critical BIND9 9.20 Changes
@@ -204,6 +204,8 @@ Users upgrading from 9.18 to 9.20 should:
- [ ] Automated configuration migration tool - [ ] Automated configuration migration tool
- [ ] Deprecation warnings in role output - [ ] Deprecation warnings in role output
- [ ] Runtime version detection if branch-per-version maintenance becomes insufficient
- [ ] Template conditionals only if a future design intentionally supports multiple BIND9 series from one branch
- [ ] 9.21+ preparation when available - [ ] 9.21+ preparation when available
- [ ] Performance tuning for 9.20 features - [ ] Performance tuning for 9.20 features
- [ ] DNS-over-HTTPS (DoH) support - [ ] DNS-over-HTTPS (DoH) support
@@ -214,9 +216,9 @@ Users upgrading from 9.18 to 9.20 should:
- [ISC BIND9 Website](https://www.isc.org/bind/) - [ISC BIND9 Website](https://www.isc.org/bind/)
- [BIND9 9.20 Release Notes](https://www.isc.org/download/news/) - [BIND9 9.20 Release Notes](https://www.isc.org/download/news/)
- [BIND9 Documentation](https://bind9.readthedocs.io/) - [BIND9 Documentation](https://bind9.readthedocs.io/)
- [BIND9 Version Differences](../../docs/BIND_VERSION_DIFFERENCES.md) - [BIND9 Version Differences](BIND_VERSION_DIFFERENCES.md)
- [BIND9 Migration Guide](../../docs/BIND9_MIGRATION_GUIDE.md) - [BIND9 Migration Guide](BIND9_MIGRATION_GUIDE.md)
- [VERSION_SUPPORT.md](../../docs/VERSION_SUPPORT.md) - [VERSION_SUPPORT.md](VERSION_SUPPORT.md)
## Support ## Support
+1 -2
View File
@@ -347,9 +347,8 @@ Create a test playbook to validate migration:
```yaml ```yaml
--- ---
# Test playbook for BIND9 9.20 migration
- hosts: test_servers - hosts: test_servers
vars:
bind9_version: "9.20" # Document version being tested
tasks: tasks:
- name: Apply BIND9 9.20 configuration - name: Apply BIND9 9.20 configuration
+8 -25
View File
@@ -270,36 +270,20 @@ bind9-grammar/
## Version-Specific Features ## Version-Specific Features
### Version Detection ### Branch-Level Version Targeting
The role will detect BIND9 version at runtime: The role currently uses branch-level version targeting instead of runtime version detection:
```yaml - `main` targets BIND9 9.18.x LTS.
# tasks/main.yml (planned implementation) - `9.20` targets BIND9 9.20+ feature releases.
- name: Detect BIND9 version
ansible.builtin.command: named -V
register: _bind9_version_output
changed_when: false
- name: Set BIND9 version facts Each branch carries the templates, grammar data, documentation, and tests appropriate for its supported BIND9 series. This keeps generated configuration predictable and avoids mixing incompatible BIND9 grammar rules in one template path.
ansible.builtin.set_fact:
bind9_version_full: "{{ _bind9_version_output.stdout | regex_search('BIND (\\S+)', '\\1') | first }}"
bind9_version_major: "{{ _bind9_version_output.stdout | regex_search('BIND (\\d+)\\.(\\d+)', '\\1') | first }}"
bind9_version_minor: "{{ _bind9_version_output.stdout | regex_search('BIND (\\d+)\\.(\\d+)', '\\2') | first }}"
```
### Conditional Configuration ### Runtime Detection
Templates will use version-aware conditionals: Runtime version detection is not part of the current implementation. The role does not set `bind9_version_full`, `bind9_version_major`, `bind9_version_minor`, or `bind9_version`, and templates do not branch on those values.
```jinja2 Runtime detection may be reconsidered in the future if maintaining separate version branches becomes more expensive than supporting multiple BIND9 series from one branch. That future design would require dedicated tasks, public metadata, template changes, and Molecule coverage before being documented as supported behavior.
{# templates/named.conf.options.j2 (planned) #}
{% if bind9_version_major | int >= 20 %}
{# BIND9 9.20+ specific options #}
{% else %}
{# BIND9 9.18 options #}
{% endif %}
```
## Migration Guidance ## Migration Guidance
@@ -367,4 +351,3 @@ See `CHANGELOG.md` for version-specific migration notes.
| Date | Version | Changes | | Date | Version | Changes |
|------|---------|---------| |------|---------|---------|
| 2026-02-07 | 1.0 | Initial version support policy | | 2026-02-07 | 1.0 | Initial version support policy |
+1 -9
View File
@@ -4,8 +4,7 @@ argument_specs:
short_description: The main entry point for the bind9 role. short_description: The main entry point for the bind9 role.
description: description:
- Configures BIND9 DNS server on Debian-based systems. - Configures BIND9 DNS server on Debian-based systems.
- "Supported BIND9 versions: 9.18.x (LTS), 9.20+ (feature releases)" - "Supported BIND9 versions are branch-specific: main targets 9.18.x (LTS), and the 9.20 branch targets 9.20+ feature releases."
- Version detection is automatic at runtime.
options: options:
bind9_config: bind9_config:
type: list type: list
@@ -57,10 +56,3 @@ argument_specs:
bind9_backup_dir: bind9_backup_dir:
type: str type: str
description: Directory for backups. description: Directory for backups.
bind9_version:
type: str
description:
- BIND9 version detected at runtime (read-only, set automatically).
- "Format: X.Y.Z (e.g., 9.18.44, 9.20.18)"
- Used by templates to apply version-specific configurations.
- Users should not set this variable directly.
+1
View File
@@ -105,6 +105,7 @@
- name: Verify no critical errors in logs - name: Verify no critical errors in logs
ansible.builtin.shell: | ansible.builtin.shell: |
set -o pipefail
if grep -i "error" /var/log/named/default.log | grep -v "error reporting" > /dev/null; then if grep -i "error" /var/log/named/default.log | grep -v "error reporting" > /dev/null; then
exit 1 exit 1
fi fi
+14 -12
View File
@@ -1,19 +1,10 @@
--- ---
- name: Converge - name: Converge
hosts: all hosts: all
tasks: roles:
- name: Create log directory for BIND - ansible-bind9-role
ansible.builtin.file:
path: /var/log/named
state: directory
mode: '0755'
owner: bind
group: bind
- name: Include bind9 role
ansible.builtin.include_role:
name: ../../../ansible-bind9-role # noqa: role-name[path]
vars: vars:
bind9_log_dir: /var/log/named
bind9_backup_config: false bind9_backup_config: false
bind9_host_config: bind9_host_config:
- name: named.conf.options - name: named.conf.options
@@ -113,3 +104,14 @@
forwarders: forwarders:
- 10.0.0.53 - 10.0.0.53
- 10.0.0.54 - 10.0.0.54
- name: Post-converge
hosts: all
tasks:
- name: Create log directory for BIND
ansible.builtin.file:
path: /var/log/named
state: directory
mode: '0750'
owner: bind
group: bind
+2
View File
@@ -11,6 +11,8 @@ platforms:
cgroupns_mode: host cgroupns_mode: host
provisioner: provisioner:
name: ansible name: ansible
env:
ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/..
config_options: config_options:
defaults: defaults:
ALLOW_BROKEN_CONDITIONALS: true ALLOW_BROKEN_CONDITIONALS: true
+2 -1
View File
@@ -41,7 +41,8 @@
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- "'forwarders' in __options_decoded" - "'forwarders' in __options_decoded"
- "'8.8.8.8' in __options_decoded" - "'91.239.100.100' in __options_decoded"
- "'89.233.43.71' in __options_decoded"
- "'forward first' in __options_decoded" - "'forward first' in __options_decoded"
fail_msg: Forwarders not properly configured in named.conf.options fail_msg: Forwarders not properly configured in named.conf.options
vars: vars:
+13
View File
@@ -18,6 +18,17 @@
mode: "0750" mode: "0750"
when: bind9_backup_config is defined and bind9_backup_config | bool when: bind9_backup_config is defined and bind9_backup_config | bool
- name: Ensure logging directory exists if defined
ansible.builtin.file:
path: "{{ bind9_log_dir }}"
state: directory
owner: bind
group: bind
mode: "0750"
when:
- bind9_log_dir is defined
- bind9_log_dir is not none
- name: Deploy and Validate Configuration - name: Deploy and Validate Configuration
tags: tags:
- bind9 - bind9
@@ -34,6 +45,7 @@
owner: root owner: root
group: bind group: bind
mode: "0640" mode: "0640"
when: bind9_backup_config | bool
changed_when: false changed_when: false
failed_when: false # It's okay if the file doesn't exist yet failed_when: false # It's okay if the file doesn't exist yet
loop: "{{ bind9_config }}" loop: "{{ bind9_config }}"
@@ -85,6 +97,7 @@
loop: "{{ bind9_config }}" loop: "{{ bind9_config }}"
loop_control: loop_control:
label: "{{ item.name }}" label: "{{ item.name }}"
changed_when: false
when: bind9_backup_config | bool is false when: bind9_backup_config | bool is false
- name: Ensure the named service is started - name: Ensure the named service is started