Always make /etc/resolv.conf immutable

Maybe, just maybe, it will stop the rax file injection.

Change-Id: I4258fa52e43b0a93f30319630291e5ae0f37a548

modules/unbound/manifests/init.pp

@@ -40,15 +40,6 @@ class unbound (
       require => File['/etc/default/unbound'],
     }
 
-    # Rackspace uses static config files
-    file { '/etc/resolv.conf':
-      content => "nameserver 127.0.0.1\n",
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0444',
-      require => Service['unbound'],
-    }
-
     # Tripleo uses dhcp
     file { '/etc/dhcp/dhclient.conf':
       source  => 'puppet:///modules/unbound/dhclient.conf.debian',
@@ -65,6 +56,12 @@ class unbound (
       ensure  => present,
     }
 
+    # HPCloud uses dhclient; tell dhclient to use our nameserver instead.
+    exec { '/usr/bin/printf "\nsupersede domain-name-servers 127.0.0.1;\n" >> /etc/dhcp/dhclient-eth0.conf':
+        unless => '/bin/grep -q "supersede domain-name-servers" /etc/dhcp/dhclient-eth0.conf'
+    }
+  }
+
   # Rackspace uses static config files
   file { '/etc/resolv.conf':
     content => "nameserver 127.0.0.1\n",
@@ -86,12 +83,6 @@ class unbound (
     refreshonly => true,
   }
 
-    # HPCloud uses dhclient; tell dhclient to use our nameserver instead.
-    exec { '/usr/bin/printf "\nsupersede domain-name-servers 127.0.0.1;\n" >> /etc/dhcp/dhclient-eth0.conf':
-        unless => '/bin/grep -q "supersede domain-name-servers" /etc/dhcp/dhclient-eth0.conf'
-    }
-  }
-
   service { 'unbound':
     ensure     => running,
     name       => 'unbound',