DNS from VPC DHCP optionset
Choose one option as per this priority:
1. Customer provided DNS IPs (as optional arguments)
If DNS IPs are not provided, use option 2) or 3).
2. If `dig` already resolves correctly, /etc/resolv.conf will not be modified.
3. Use DNS IPs from Directory Service (Active Directory) as it is currently done.
smhmhmd authored and danr-amz committed Jan 6, 2022
1 parent 04c1f28 commit 7d13cec
Showing 1 changed file with 77 additions and 41 deletions.
118 changes: 77 additions & 41 deletions agent/plugins/domainjoin/domainjoin_unix_script.go
Expand Up @@ -41,8 +41,8 @@ DIRECTORY_ID=""
DIRECTORY_NAME=""
DIRECTORY_OU=""
REALM=""
DNS_IP_ADDRESS1=""
DNS_IP_ADDRESS2=""
INPUT_DNS_IP_ADDRESS1=""
INPUT_DNS_IP_ADDRESS2=""
LINUX_DISTRO=""
CURTIME=""
REGION=""
Expand All @@ -58,6 +58,8 @@ AWS_CLI_INSTALL_DIR="$PWD/"
SET_HOSTNAME=""
SET_HOSTNAME_APPEND_NUM_DIGITS=""
MAX_APPEND_DIGITS=5
RESOLVED_DNS_IP_ADDRESSES=""
UNMUTATED_DNS_RESOLVE_STATUS=1
# NetBIOS computer names consist of up to 15 bytes of OEM characters
# https://docs.microsoft.com/en-us/windows/win32/sysinfo/computer-names?redirectedfrom=MSDN
Expand Down Expand Up @@ -388,6 +390,9 @@ install_components() {
fi
if [ "$SUSE_MAJOR_VERSION" -eq "15" ]; then
sudo SUSEConnect -p PackageHub/15.1/x86_64
if [ $? -ne 0 ]; then
sudo SUSEConnect
fi
fi
LINUX_DISTRO='SUSE'
sudo zypper update -y
Expand Down Expand Up @@ -474,34 +479,34 @@ get_servicecreds() {
## to prevent overwriting of resolv.conf ######
##################################################
setup_resolv_conf_and_dhclient_conf() {
if [ ! -z "$DNS_IP_ADDRESS1" ] && [ ! -z "$DNS_IP_ADDRESS2" ]; then
if [ ! -z "$INPUT_DNS_IP_ADDRESS1" ] && [ ! -z "$INPUT_DNS_IP_ADDRESS2" ]; then
touch /etc/resolv.conf
mv /etc/resolv.conf /etc/resolv.conf.backup."$CURTIME"
echo ";Generated by Domain Join SSMDocument" > /etc/resolv.conf
echo "search $DIRECTORY_NAME" >> /etc/resolv.conf
echo "nameserver $DNS_IP_ADDRESS1" >> /etc/resolv.conf
echo "nameserver $DNS_IP_ADDRESS2" >> /etc/resolv.conf
echo "nameserver $INPUT_DNS_IP_ADDRESS1" >> /etc/resolv.conf
echo "nameserver $INPUT_DNS_IP_ADDRESS2" >> /etc/resolv.conf
touch /etc/dhcp/dhclient.conf
mv /etc/dhcp/dhclient.conf /etc/dhcp/dhclient.conf.backup."$CURTIME"
echo "supersede domain-name-servers $DNS_IP_ADDRESS1, $DNS_IP_ADDRESS2;" > /etc/dhcp/dhclient.conf
elif [ ! -z "$DNS_IP_ADDRESS1" ] && [ -z "$DNS_IP_ADDRESS2" ]; then
echo "supersede domain-name-servers $INPUT_DNS_IP_ADDRESS1, $INPUT_DNS_IP_ADDRESS2;" > /etc/dhcp/dhclient.conf
elif [ ! -z "$INPUT_DNS_IP_ADDRESS1" ] && [ -z "$INPUT_DNS_IP_ADDRESS2" ]; then
touch /etc/resolv.conf
mv /etc/resolv.conf /etc/resolv.conf.backup."$CURTIME"
echo ";Generated by Domain Join SSMDocument" > /etc/resolv.conf
echo "search $DIRECTORY_NAME" >> /etc/resolv.conf
echo "nameserver $DNS_IP_ADDRESS1" >> /etc/resolv.conf
echo "nameserver $INPUT_DNS_IP_ADDRESS1" >> /etc/resolv.conf
touch /etc/dhcp/dhclient.conf
mv /etc/dhcp/dhclient.conf /etc/dhcp/dhclient.conf.backup."$CURTIME"
echo "supersede domain-name-servers $DNS_IP_ADDRESS1;" > /etc/dhcp/dhclient.conf
elif [ -z "$DNS_IP_ADDRESS1" ] && [ ! -z "$DNS_IP_ADDRESS2" ]; then
echo "supersede domain-name-servers $INPUT_DNS_IP_ADDRESS1;" > /etc/dhcp/dhclient.conf
elif [ -z "$INPUT_DNS_IP_ADDRESS1" ] && [ ! -z "$INPUT_DNS_IP_ADDRESS2" ]; then
touch /etc/resolv.conf
mv /etc/resolv.conf /etc/resolv.conf.backup."$CURTIME"
echo ";Generated by Domain Join SSMDocument" > /etc/resolv.conf
echo "search $DIRECTORY_NAME" >> /etc/resolv.conf
echo "nameserver $DNS_IP_ADDRESS2" >> /etc/resolv.conf
echo "nameserver $INPUT_DNS_IP_ADDRESS2" >> /etc/resolv.conf
touch /etc/dhcp/dhclient.conf
mv /etc/dhcp/dhclient.conf /etc/dhcp/dhclient.conf.backup."$CURTIME"
echo "supersede domain-name-servers $DNS_IP_ADDRESS2;" > /etc/dhcp/dhclient.conf
echo "supersede domain-name-servers $INPUT_DNS_IP_ADDRESS2;" > /etc/dhcp/dhclient.conf
else
echo "***Failed: No DNS IPs available" && exit 1
fi
Expand Down Expand Up @@ -532,8 +537,8 @@ print_vars() {
echo "DIRECTORY_NAME = $DIRECTORY_NAME"
echo "DIRECTORY_OU = $DIRECTORY_OU"
echo "REALM = $REALM"
echo "DNS_IP_ADDRESS1 = $DNS_IP_ADDRESS1"
echo "DNS_IP_ADDRESS2 = $DNS_IP_ADDRESS2"
echo "INPUT_DNS_IP_ADDRESS1 = $INPUT_DNS_IP_ADDRESS1"
echo "INPUT_DNS_IP_ADDRESS2 = $INPUT_DNS_IP_ADDRESS2"
echo "COMPUTER_NAME = $COMPUTER_NAME"
echo "hostname = $(hostname)"
echo "LINUX_DISTRO = $LINUX_DISTRO"
Expand Down Expand Up @@ -601,7 +606,7 @@ network:
ethernets:
eth0:
nameservers:
addresses: [$DNS_IP_ADDRESS1, $DNS_IP_ADDRESS2]
addresses: [$INPUT_DNS_IP_ADDRESS1, $INPUT_DNS_IP_ADDRESS2]
dhcp4-overrides:
use-dns: false
EOF
Expand Down Expand Up @@ -630,30 +635,61 @@ EOF
##################################################
## Resolve domain name to IP address(es) ##
## by using nslookup command ##
## and checking if they match Directory Service ##
##################################################
resolve_name_to_ip() {
(
nslookup "$1"| tail -n +3 | sed -n 's/Address:\s*//p'
) && return 0 || return 1
if [ -z "$1" ]; then
echo "**Failed: resolve_name_to_ip - No input domain name" && exit 1
fi
RESOLVED_DNS_IP_ADDRESSES=$(dig "$1" +short | tr '\n' ' ')
# Derive DNS IPs if they are not provided as inputs
if [ -z "$INPUT_DNS_IP_ADDRESS1" ] && [ -z "$INPUT_DNS_IP_ADDRESS2" ]; then
DS_DNS_IP_ADDRESSES=$($AWSCLI ds describe-directories --region $REGION --directory-id $DIRECTORY_ID --query 'DirectoryDescriptions[*].DnsIpAddrs' --output text)
if [ $? -ne 0 ] || [ -z "$DS_DNS_IP_ADDRESSES" ]; then
echo "***Failed: Cannot find IPs from directory $DIRECTORY_ID" && exit 1
fi
# Only use resolved IPs that match DNS IPs of Directory Service
# This will rule out erroneous DNS resolutions (like public domain names)
for RESOLVED_IP in $RESOLVED_DNS_IP_ADDRESSES
do
for DS_DNS_IP in $DS_DNS_IP_ADDRESSES
do
if [ "$RESOLVED_IP" = "$DS_DNS_IP" ]; then
if [ -z "$INPUT_DNS_IP_ADDRESS1" ]; then
INPUT_DNS_IP_ADDRESS1=$RESOLVED_IP
UNMUTATED_DNS_RESOLVE_STATUS=0
elif [ -z "$INPUT_DNS_IP_ADDRESS2" ]; then
INPUT_DNS_IP_ADDRESS2=$RESOLVED_IP
UNMUTATED_DNS_RESOLVE_STATUS=0
fi
fi
done
done
fi
# If above does not assign, use DNS IPs of Directory Service
if [ -z "$INPUT_DNS_IP_ADDRESS1" ] && [ -z "$INPUT_DNS_IP_ADDRESS2" ]; then
INPUT_DNS_IP_ADDRESS1=$(echo $DS_DNS_IP_ADDRESSES | awk '{ print $1 }')
INPUT_DNS_IP_ADDRESS2=$(echo $DS_DNS_IP_ADDRESSES | awk '{ print $2 }')
fi
}
##################################################
## DNS may already be reachable if DHCP option ##
## sets are used. ##
##################################################
is_directory_reachable() {
grep "Generated by Domain Join SSMDocument" /etc/resolv.conf
if [ $? -ne 0 ]; then
echo "**Failed: /etc/resolv.conf was overwritten"
exit 1
fi
DNS_IPS=$(resolve_name_to_ip $DIRECTORY_NAME)
if [ $? -ne 0 ]; then
echo "***Failed: Cannot resolve domain name $DIRECTORY_NAME" && return 1
RESOLVED_DNS_IP_ADDRESSES=$(dig ${DIRECTORY_NAME} +short | tr '\n' ' ')
if [ ! -z "$RESOLVED_DNS_IP_ADDRESSES" ]; then
echo "Resolved $DIRECTORY_NAME to IP address(es): $RESOLVED_DNS_IP_ADDRESSES"
return 0
fi
echo -e "Successfully resolve domain name $DIRECTORY_NAME to IP address(es):\n$DNS_IPS"
return 0
echo -e "Could not resolve $DIRECTORY_NAME"
return 1
}
##################################################
Expand Down Expand Up @@ -737,7 +773,7 @@ reconfigure_samba() {
if [ $? -ne 0 ]; then
service winbind restart
fi
fi
fi
}
##################################################
Expand Down Expand Up @@ -774,8 +810,8 @@ for i in "$@"; do
--dns-addresses)
shift;
DNS_ADDRESSES="$1"
DNS_IP_ADDRESS1=$(echo $DNS_ADDRESSES | awk -F',' '{ print $1 }')
DNS_IP_ADDRESS2=$(echo $DNS_ADDRESSES | awk -F',' '{ print $2 }')
INPUT_DNS_IP_ADDRESS1=$(echo $DNS_ADDRESSES | awk -F',' '{ print $1 }')
INPUT_DNS_IP_ADDRESS2=$(echo $DNS_ADDRESSES | awk -F',' '{ print $2 }')
continue
;;
--proxy-address)
Expand Down Expand Up @@ -816,7 +852,7 @@ fi
# Deal with scenario where this script is run again after the domain is already joined.
# We want to avoid rerunning as the set_hostname function can change the hostname of a server that is already
# domain joined and cause a mismatch.
# domain joined and cause a mismatch.
realm list 2>/dev/null | grep -q "domain-name: ${DIRECTORY_NAME}\$"
if [ $? -eq 0 ]; then
echo "########## SKIPPING Domain Join: ${DIRECTORY_NAME} already joined ##########"
Expand All @@ -836,17 +872,14 @@ do
sleep 30
done
if [ -z $DNS_IP_ADDRESS1 ] && [ -z $DNS_IP_ADDRESS2 ]; then
DNS_ADDRESSES=$($AWSCLI ds describe-directories --region $REGION --directory-id $DIRECTORY_ID --output text | grep DNSIPADDR | awk '{print $2}')
if [ $? -ne 0 ]; then
echo "***Failed: DNS IPs not found" && exit 1
fi
DNS_IP_ADDRESS1=$(echo $DNS_ADDRESSES | awk '{ print $1 }')
DNS_IP_ADDRESS2=$(echo $DNS_ADDRESSES | awk '{ print $2 }')
resolve_name_to_ip $DIRECTORY_NAME
# Modify DNS config only if DNS resolution does not already work
if [ $UNMUTATED_DNS_RESOLVE_STATUS -eq 1 ]; then
echo "Modify DNS configuration using $INPUT_DNS_IP_ADDRESS1 $INPUT_DNS_IP_ADDRESS2"
do_dns_config
fi
## Configure DNS even if DHCP option set is used.
do_dns_config
get_servicecreds
COMPUTER_NAME=$(hostname --short)
Expand All @@ -858,9 +891,12 @@ if [ ! -z $SET_HOSTNAME ]; then
exit 1
fi
else
# 'Realm join' needs FQDN with domain name instead of *.compute.internal
get_default_hostname
fi
echo "Host name = $COMPUTER_NAME"
set_hostname
configure_hosts_file
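Review bot: The new "leave /etc/resolv.conf alone when the DHCP option set already resolves the directory" path (UNMUTATED_DNS_RESOLVE_STATUS=0 in resolve_name_to_ip, do_dns_config skipped in the main block) conflicts with the unchanged check at the top of is_directory_reachable, which still exits with "/etc/resolv.conf was overwritten" whenever the "Generated by Domain Join SSMDocument" marker is absent; its call site is outside the shown hunks, but if it still runs on that path the unmodified resolv.conf can never pass. Gating the marker check on the new flag keeps the tamper check for the case where the script did write the file: `if [ "$UNMUTATED_DNS_RESOLVE_STATUS" -eq 1 ] && ! grep -q "Generated by Domain Join SSMDocument" /etc/resolv.conf; then`. The cross-check of resolved addresses against the directory's DnsIpAddrs in resolve_name_to_ip is what makes trusting a pre-existing resolver acceptable, so the fallback at the end of that function should say so in a comment, e.g. `# Resolved IPs that are not Directory Service DNS IPs are ignored; fall back to the DS list so a foreign resolver cannot steer the join`. Separately, `dig ${DIRECTORY_NAME}`, `resolve_name_to_ip $DIRECTORY_NAME` and the `--region $REGION --directory-id $DIRECTORY_ID` arguments are unquoted values taken from script arguments and should be double-quoted like the other expansions in the hunk.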