From 0ff6735546fe368698ed43d76e7b6118b199df46 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 28 Jan 2019 09:42:04 +0200
Subject: [PATCH 1/3] Fall back to dig for SRV lookup, if no dnspython

This is a known/intentional regression since f92c4d5a27d7758fc. The new stance on this is that most people would not have dnspython, but may have the `dig` tool. There's no good reason for not increasing our chances of success by trying both methods (Ansible dig lookup and using the `dig` CLI tool). Fixes #85 (Github issue).
---
 .../matrix-base/tasks/self_check_dns_srv.yml | 63 +++++++++++++++----
 1 file changed, 51 insertions(+), 12 deletions(-)

diff --git a/roles/matrix-base/tasks/self_check_dns_srv.yml b/roles/matrix-base/tasks/self_check_dns_srv.yml
index 249b10ee..9300fb65 100644
--- a/roles/matrix-base/tasks/self_check_dns_srv.yml
+++ b/roles/matrix-base/tasks/self_check_dns_srv.yml
@@ -1,26 +1,65 @@
 ---
-# This requires the dnspython library and will fail with a friendly error when unavailable.
-- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }}
+# This requires the dnspython library which is usually unavailable.
+- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using Ansible dig lookup
 set_fact:
- result_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}"
+ lookup_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}"
+ register: result_lookup_dig_srv
+ ignore_errors: true
-- name: Fail if DNS SRV record missing
+- name: Fail if DNS SRV check via Ansible dig lookup failed for non-dependency reason
 fail:
- msg: "It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook."
- when: "result_dig_srv == 'NXDOMAIN'"
+ msg: "DNS SRV record check via Ansible dig lookup plugin (which uses the dnspython package) failed. Error is: {{ result_lookup_dig_srv.msg }}"
+ when: "result_lookup_dig_srv.failed and 'dnspython' not in result_lookup_dig_srv.msg"
-- name: Fail if DNS SRV record incorrect
+# Fallback to using the dig CLI tool if dnspython was unavailable.
+- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using dig CLI tool
+ shell:
+ cmd: "dig -t srv {{ (dns_srv_record_check.service_and_protocol + '.'
+ dns_srv_record_check.domain)|quote }}"
+ register: result_cli_dig_srv
+ changed_when: false
+ ignore_errors: true
+ when: "lookup_dig_srv is not defined"
+
+- name: Fail if dig CLI used and failed
+ fail:
+ msg: >-
+ Failed performing DNS SRV record check.
+ You neither have the `dnspython` Python package, nor the `dig` program installed locally.
+ You need to install one of those, so we could perform a DNS SRV record check.
+ Full error from trying to run `dig`: {{ result_cli_dig_srv }}
+ when: "lookup_dig_srv is not defined and result_cli_dig_srv.stderr != ''"
+
+- name: Fail if DNS SRV record missing (Ansible dig lookup)
+ fail:
+ msg: >-
+ It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing).
+ See the 'Configuring DNS' documentation for this playbook.
+ when: "lookup_dig_srv is defined and lookup_dig_srv == 'NXDOMAIN'"
+
+- name: Fail if DNS SRV record incorrect (Ansible dig lookup)
+ fail:
+ msg: >-
+ It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly.
+ Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}).
+ Found it pointing to `{{ lookup_dig_srv.target }}` (port {{ lookup_dig_srv.port }}).
+ See the 'Configuring DNS' documentation for this playbook.
+ when: "lookup_dig_srv is defined and (lookup_dig_srv.target != dns_srv_record_check.expected_target or lookup_dig_srv.port != dns_srv_record_check.expected_port)"
+
+# We expect an answer like this:
+# ;; ANSWER SECTION:
+# _matrix._tcp.DOMAIN. 10800 IN SRV 10 0 8448 matrix.DOMAIN.
+- name: Fail if DNS SRV record missing or incorrect (dig CLI tool)
 fail:
- msg: >
+ msg: >-
 It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly.
 Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}).
- Found it pointing to `{{ result_dig_srv.target }}` (port {{ result_dig_srv.port }}).
 See the 'Configuring DNS' documentation for this playbook.
- when: "result_dig_srv.target != dns_srv_record_check.expected_target or result_dig_srv.port != dns_srv_record_check.expected_port"
+ Full response from the `dig` lookup was: {{ result_cli_dig_srv }}
+ when: "lookup_dig_srv is not defined and (dns_srv_record_check.expected_port|string + ' ' + dns_srv_record_check.expected_target) not in result_cli_dig_srv.stdout"
 - name: Report correct DNS SRV record
 debug:
- msg: >
+ msg: >-
 The DNS SRV record for `{{ dns_srv_record_check.service_and_protocol }}` on `{{ dns_srv_record_check.domain }}`
- points to `{{ result_dig_srv.target }}` (port {{ dns_srv_record_check.expected_port }}), as expected
\ No newline at end of file
+ points to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}), as expected.

From 9830a0871d11336157f3a89e6cf8fc25cbf98d7b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 28 Jan 2019 11:47:31 +0200
Subject: [PATCH 2/3] Fix self-check for mxisd not being enabled

---
 roles/matrix-mxisd/tasks/main.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml
index 43dba179..c0e863d4 100644
--- a/roles/matrix-mxisd/tasks/main.yml
+++ b/roles/matrix-mxisd/tasks/main.yml
@@ -16,4 +16,6 @@
 - import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml"
 delegate_to: 127.0.0.1
 become: false
- when: "run_self_check and matrix_mxisd_enabled"
\ No newline at end of file
+ when: "run_self_check and matrix_mxisd_enabled"
+ tags:
+ - self-check

From cbc1cdbbf08c4901c7905947bbc772c369d2ee63 Mon Sep 17 00:00:00 2001
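Review bot: The "Fail if dig CLI used and failed" task decides that `dig` could not be used from `result_cli_dig_srv.stderr != ''` instead of from the exit status, so a run where `dig` is installed but cannot reach a resolver (which `dig` typically reports on stdout, e.g. `;; connection timed out; no servers could be reached`, with a non-zero rc) slips past that task and instead trips "Fail if DNS SRV record missing or incorrect (dig CLI tool)" with a misleading message blaming the record. Checking the return code separates "could not run or resolve" from "record missing or wrong": `when: "lookup_dig_srv is not defined and result_cli_dig_srv.rc != 0"`, keeping the stderr text in the message for diagnostics. A smaller point of style: the command uses no shell features and its only argument already goes through `|quote`, so `command:` does the same job as `shell:` without spawning a shell at all. The substring test `(expected_port|string + ' ' + expected_target) not in result_cli_dig_srv.stdout` also matches anywhere in the output, not only the ANSWER SECTION the comment above it describes; a one-line comment noting that it is a deliberately loose check would save the next reader from tightening it by accident.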
From: Slavi Pantaleev
Date: Tue, 29 Jan 2019 17:56:40 +0200
Subject: [PATCH 3/3] Do not try to load certificates

Seems like we unintentionally removed the mounting of certificates (the `/matrix-config` mount) as part of splitting the playbook into roles in 51312b8250d0c394083. It appears that those certificates weren't necessary for coturn to funciton though, so we might just get rid of the configuration as well.
---
 roles/matrix-coturn/templates/turnserver.conf.j2 | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2
index 7aea813c..32329d60 100644
--- a/roles/matrix-coturn/templates/turnserver.conf.j2
+++ b/roles/matrix-coturn/templates/turnserver.conf.j2
@@ -1,14 +1,11 @@
 use-auth-secret
 static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
 realm=turn.{{ hostname_matrix }}
-cert=/matrix-config/{{ hostname_matrix }}.tls.crt
-pkey=/matrix-config/{{ hostname_matrix }}.tls.key
-dh-file=/matrix-config/{{ hostname_matrix }}.tls.dh
-cipher-list="HIGH"
 min-port={{ matrix_coturn_turn_udp_min_port }}
 max-port={{ matrix_coturn_turn_udp_max_port }}
 external-ip={{ matrix_coturn_turn_external_ip_address }}
 log-file=stdout
 pidfile=/var/tmp/turnserver.pid
 userdb=/var/tmp/turnserver.db
-no-cli
\ No newline at end of file
+no-cli
+prod
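Review bot: Removing `cert`, `pkey`, `dh-file` and `cipher-list` takes away all of coturn's TLS material, so after this change the server can only serve plain `turn:` clients and any `turns:` (TLS/DTLS) URI handed out elsewhere in the playbook would stop working; the commit message says the certificates were not needed, which holds only as long as nothing advertises `turns:`, and this hunk cannot show that. Since the template now has no trace of that decision, a comment next to `realm=` would stop the next reader from re-adding the `/matrix-config` mount without the matching options: `# TLS (turns:) is intentionally not configured; this server only serves plain turn:`. The added `prod` line appears to be coturn's production mode (hiding the software version in responses); naming that intent in a one-line comment would help, as the file otherwise carries no comments at all.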