Add unbound role

Add it to the base playbook and add a testinfra test for it. Change-Id: Id5098f33aac213e6add6f061684d0214dc99ab5b
2018-08-27 13:04:57 -07:00 · 2018-08-27 13:04:57 -07:00 · 3d166f99f6
commit 3d166f99f6
parent 4dfd604936
10 changed files with 80 additions and 8 deletions
--- a/modules.env
+++ b/modules.env
@ -146,7 +146,6 @@ INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-sudoers"]="origi
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-tmpreaper"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-ulimit"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-unattended_upgrades"]="origin/master"
-INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-unbound"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-user"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zanata"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zuul"]="origin/master"
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@ -4,7 +4,6 @@
 class openstack_project::server (
  $pin_puppet                = '3.',
  $ca_server                 = undef,
-  $enable_unbound            = true,
  $afs                       = false,
  $afs_cache_size            = 500000,
  $pypi_index_url            = 'https://pypi.python.org/simple',
@ -18,12 +17,6 @@ class openstack_project::server (
  ###########################################################
  # Process if ( $high_level_directive ) blocks

-  if ($enable_unbound) {
-    class { 'unbound':
-      install_resolv_conf => $install_resolv_conf
-    }
-  }
-
  if $afs {
    class { 'openafs::client':
      cell         => 'openstack.org',
--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
@ -9,6 +9,7 @@
  roles:
    - base-server
    - timezone
+    - unbound

 - hosts: "puppet:!disabled"
  roles:
--- a/playbooks/roles/unbound/README.rst
+++ b/playbooks/roles/unbound/README.rst
@ -0,0 +1 @@
+Installs and configures the unbound DNS resolver
--- a/playbooks/roles/unbound/files/dhclient.conf
+++ b/playbooks/roles/unbound/files/dhclient.conf
@ -0,0 +1,7 @@
+option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
+send host-name "<hostname>";
+request subnet-mask, broadcast-address, routers,
+	interface-mtu, rfc3442-classless-static-routes;
+supersede domain-name-servers 127.0.0.1;
+supersede domain-search "";
+supersede domain-name "";
--- a/playbooks/roles/unbound/files/resolv.conf
+++ b/playbooks/roles/unbound/files/resolv.conf
@ -0,0 +1 @@
+nameserver 127.0.0.1
--- a/playbooks/roles/unbound/files/unbound.default
+++ b/playbooks/roles/unbound/files/unbound.default
@ -0,0 +1,18 @@
+# If set, the unbound daemon will be started and stopped by the init script.
+UNBOUND_ENABLE=true
+
+# Whether to automatically update the root trust anchor file.
+ROOT_TRUST_ANCHOR_UPDATE=true
+
+# File in which to store the root trust anchor.
+ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
+
+# If set, the unbound init script will provide unbound's listening
+# IP addresses as nameservers to resolvconf.
+RESOLVCONF=true
+
+# If set, resolvconf nameservers will be configured as forwarders
+# to be used by unbound.
+RESOLVCONF_FORWARDERS=false
+
+#DAEMON_OPTS="-c /etc/unbound/unbound.conf"
--- a/playbooks/roles/unbound/tasks/Debian.yaml
+++ b/playbooks/roles/unbound/tasks/Debian.yaml
@ -0,0 +1,13 @@
+# We require the defaults file be in place before installing the
+# package to work around this bug:
+# https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513
+# where we could end up briefly forwarding to a provider's broken
+# DNS.
+
+# This file differs from that in the package only by setting
+# RESOLVCONF_FORWARDERS to false.
+- name: Install unbound defaults file
+  copy:
+    src: unbound.default
+    dest: /etc/default/unbound
+    mode: 0444
--- a/playbooks/roles/unbound/tasks/main.yaml
+++ b/playbooks/roles/unbound/tasks/main.yaml
@ -0,0 +1,34 @@
+- name: Include OS-specific tasks
+  include_tasks: "{{ item }}"
+  vars:
+    params:
+      files: "{{ distro_lookup_path }}"
+      skip: true
+  loop: "{{ query('first_found', params) }}"
+
+- name: Install unbound
+  package:
+    state: present
+    name: unbound
+
+- name: Write dhclient config file
+  copy:
+    src: dhclient.conf
+    dest: "{{ item }}"
+    mode: 0444
+  when: item is file
+  loop:
+    - /etc/dhcp/dhclient.conf
+    - /etc/dhcp/dhclient-eth0.conf
+
+- name: Write resolv.conf
+  copy:
+    src: resolv.conf
+    dest: /etc/resolv.conf
+    mode: 0444
+
+- name: Enable unbound
+  service:
+    name: unbound
+    enabled: true
+    state: started
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@ -91,3 +91,8 @@ def test_snmp(host):
 def test_timezone(host):
    tz = host.check_output('date +%Z')
    assert tz == "UTC"
+
+
+def test_unbound(host):
+    output = host.check_output('host git.openstack.org')
+    assert 'has address' in output
				`@ -0,0 +1 @@`
				`Installs and configures the unbound DNS resolver`