CHG: CentOS bug #16988 hotfix, systemd-resolved fails to start on boot (common/update-config)

9cad0d32 · Hephaestus Builder · 0a3ad26b · 9cad0d32 · 9cad0d32
Verified Commit 9cad0d32 authored 4 years ago by Hephaestus Builder
--- a/resources/playbooks/migrations/2020_11_22_210151_systemd-resolved-namespace.yml
+++ b/resources/playbooks/migrations/2020_11_22_210151_systemd-resolved-namespace.yml
+# Migration play
+# vim:et ts=2 sw=2 sts=2 syntax=yaml filetype=yaml
+# - CentOS bug #16988
+---
+- block:
+    - name: Update systemd-resolved
+      include_role: name=common/update-config
+    when: ansible_distribution_major_version == '8'
+  tags: ['up']
--- a/resources/playbooks/roles/common/update-config/tasks/setup-resolved.yml
+++ b/resources/playbooks/roles/common/update-config/tasks/setup-resolved.yml
@@ -8,9 +8,24 @@
  register: s
 - set_fact: update_resolv="{{ '=inactive' in s.stdout }}"
  when: canonical_resolv == 'auto'
+- block:
+    # via CentOS #16988, witnessed on C8.2019, fixed in systemd 239-40
+    # https://bugs.centos.org/view.php?id=16988
+  - name: Apply ProtectSystem= usage
+    include_role: name=systemd/override-config
+    vars:
+      service: systemd-resolved
+      config:
+        - group: Service
+          vars:
+            ProtectSystem: "strict"
+            PrivateTmp: "yes"
+    when: ansible_distribution_major_version == '8'
+
  - name: Start systemd-resolved
    systemd: name=systemd-resolved state=started enabled=yes
  when: not update_resolv
+
  # Witnessed on fastpipe.io, falling back to dns using advertised
  # nameservers times out on FQDN lookup that impacts hostname -f
  # blocking normal startup of ApisCP