DNS woes with Debian Bookworm

[jsf9k]

🐛 Summary

@mcdonnnj has reported DNS woes when using a Debian Bookworm base AMI. He says that DNS resolution requires the FQDN (e.g., kali1.envX.cool.cyber.dhs.gov); simply using the hostname (e.g., kali1) does not work.

The reason for the difference appears to be that Bookworm uses systemd-resolved whereas previous Debian releases used resolvconf.

To reproduce

1. Build a new COOL AMI from an AMI based on Debian Bookworm.
2. Deploy the new COOL AMI along with an old, Bullseye-based COOL AMI into a COOL environment.
3. Observe that, in the instance based on the new COOL AMI, DNS fails to resolve without using the FQDN; but, DNS does resolve in the instance based on the old AMI without the FQDN.

Expected behavior

The DNS behavior should remain the same, regardless of whether systemd-resolved or resolvconf is used.

[mcdonnnj]

Please note I ran into issues while testing Debian Bookworm with the images used in the CyHy environment. I have not done any testing with Bookworm images used in a COOL assessment environment or similar.

[jsf9k]

I have identified the source of the problem. I'd prefer to modify the netplan configuration to ensure that the correct systemd-networkd configuration files are created, but it may be necessary to edit the latter directly after they are created.

[jsf9k]

See also canonical/cloud-init#4764.

[jsf9k]

See this branch, which together with this branch demonstrates and fixes the problem. A Debian Desktop instance created via these branches has been deployed to the COOL staging environment env6 if anyone from @cisagov/team-ois wants to inspect it.

@mcdonnnj - Can you make similar changes in CyHy and verify that you can safely move to Bookworm now? If so then I'd like to do a mini-Kraken that includes #242.

[jsf9k]

I suspect this was already an issue for our Kali instances, but we didn't notice because they don't rely on getting search domains from DHCP; however, our Guacamole instance may rely on such functionality. We certainly rely on it in CyHy.

[jsf9k]

I suspect this was already an issue for our Kali instances, but we didn't notice because they don't rely on getting search domains from DHCP; however, our Guacamole instance may rely on such functionality. We certainly rely on it in CyHy.

This is not the case after all. Kali does not use Netplan.

[mcdonnnj]

After copying the changes in #242 I verified functionality in my testing deployment of the CyHy environment. I confirmed that the cyhy-commander was able to push work and retrieve results. I also verified that I was able to access all of the instances as expected:

$ for host in bastion vulnscan1 portscan1 portscan2 portscan3 portscan4; do ssh "$host".mcdonnnj.cyhy "hostname; lsb_release -d"; done
bastion
Description:	Debian GNU/Linux 12 (bookworm)
vulnscan1
Description:	Debian GNU/Linux 12 (bookworm)
portscan1
Description:	Debian GNU/Linux 12 (bookworm)
portscan2
Description:	Debian GNU/Linux 12 (bookworm)
portscan3
Description:	Debian GNU/Linux 12 (bookworm)
portscan4
Description:	Debian GNU/Linux 12 (bookworm)
$ for host in bastion docker; do ssh "$host".mcdonnnj.bod "hostname; lsb_release -d"; done
bastion
Description:	Debian GNU/Linux 12 (bookworm)
docker
Description:	Debian GNU/Linux 12 (bookworm)

Please see cisagov/cyhy_amis#746.

[jsf9k]

There are still some PRs around this issue that need to be merged before it can be closed.

[jsf9k]

There are still one more PR around this issue that needs to be merged before it can be closed.