From 3d166f99f65ddd9399c5429abdfedf72b18371ea Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Mon, 27 Aug 2018 13:04:57 -0700
Subject: [PATCH] Add unbound role

Add it to the base playbook and add a testinfra test for it.

Change-Id: Id5098f33aac213e6add6f061684d0214dc99ab5b
---
 modules.env | 1 -
 modules/openstack_project/manifests/server.pp | 7 ----
 playbooks/base.yaml | 1 +
 playbooks/roles/unbound/README.rst | 1 +
 playbooks/roles/unbound/files/dhclient.conf | 7 ++++
 playbooks/roles/unbound/files/resolv.conf | 1 +
 playbooks/roles/unbound/files/unbound.default | 18 ++++++++++
 playbooks/roles/unbound/tasks/Debian.yaml | 13 +++++++
 playbooks/roles/unbound/tasks/main.yaml | 34 +++++++++++++++++++
 testinfra/test_base.py | 5 +++
 10 files changed, 80 insertions(+), 8 deletions(-)
 create mode 100644 playbooks/roles/unbound/README.rst
 create mode 100644 playbooks/roles/unbound/files/dhclient.conf
 create mode 100644 playbooks/roles/unbound/files/resolv.conf
 create mode 100644 playbooks/roles/unbound/files/unbound.default
 create mode 100644 playbooks/roles/unbound/tasks/Debian.yaml
 create mode 100644 playbooks/roles/unbound/tasks/main.yaml

diff --git a/modules.env b/modules.env
index 97bfd0ea8e..3e25a2095e 100644
--- a/modules.env
+++ b/modules.env
@@ -146,7 +146,6 @@ INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-sudoers"]="origi INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-tmpreaper"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-ulimit"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-unattended_upgrades"]="origin/master" -INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-unbound"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-user"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zanata"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zuul"]="origin/master" diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp index 1d4c438725..e37e5cb201 100644 --- a/modules/openstack_project/manifests/server.pp +++ b/modules/openstack_project/manifests/server.pp @@ -4,7 +4,6 @@ class openstack_project::server ( $pin_puppet = '3.', $ca_server = undef, - $enable_unbound = true, $afs = false, $afs_cache_size = 500000, $pypi_index_url = 'https://pypi.python.org/simple', @@ -18,12 +17,6 @@ class openstack_project::server ( ########################################################### # Process if ( $high_level_directive ) blocks - if ($enable_unbound) { - class { 'unbound': - install_resolv_conf => $install_resolv_conf - } - } - if $afs { class { 'openafs::client': cell => 'openstack.org', diff --git a/playbooks/base.yaml b/playbooks/base.yaml index d8504ea21c..1719e2de53 100644 --- a/playbooks/base.yaml +++ b/playbooks/base.yaml @@ -9,6 +9,7 @@ roles: - base-server - timezone + - unbound - hosts: "puppet:!disabled" roles: diff --git a/playbooks/roles/unbound/README.rst b/playbooks/roles/unbound/README.rst new file mode 100644 index 0000000000..095dc5700f --- /dev/null +++ b/playbooks/roles/unbound/README.rst 
@@ -0,0 +1 @@
+Installs and configures the unbound DNS resolver
diff --git a/playbooks/roles/unbound/files/dhclient.conf b/playbooks/roles/unbound/files/dhclient.conf
new file mode 100644
index 0000000000..1eac762675
--- /dev/null
+++ b/playbooks/roles/unbound/files/dhclient.conf
@@ -0,0 +1,7 @@
+option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
+send host-name "";
+request subnet-mask, broadcast-address, routers,
+ interface-mtu, rfc3442-classless-static-routes;
+supersede domain-name-servers 127.0.0.1;
+supersede domain-search "";
+supersede domain-name "";
diff --git a/playbooks/roles/unbound/files/resolv.conf b/playbooks/roles/unbound/files/resolv.conf
new file mode 100644
index 0000000000..bbc8559cd5
--- /dev/null
+++ b/playbooks/roles/unbound/files/resolv.conf
@@ -0,0 +1 @@
+nameserver 127.0.0.1
diff --git a/playbooks/roles/unbound/files/unbound.default b/playbooks/roles/unbound/files/unbound.default
new file mode 100644
index 0000000000..784cb4c947
--- /dev/null
+++ b/playbooks/roles/unbound/files/unbound.default
@@ -0,0 +1,18 @@
+# If set, the unbound daemon will be started and stopped by the init script.
+UNBOUND_ENABLE=true
+
+# Whether to automatically update the root trust anchor file.
+ROOT_TRUST_ANCHOR_UPDATE=true
+
+# File in which to store the root trust anchor.
+ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
+
+# If set, the unbound init script will provide unbound's listening
+# IP addresses as nameservers to resolvconf.
+RESOLVCONF=true
+
+# If set, resolvconf nameservers will be configured as forwarders
+# to be used by unbound.
+RESOLVCONF_FORWARDERS=false
+
+#DAEMON_OPTS="-c /etc/unbound/unbound.conf"
diff --git a/playbooks/roles/unbound/tasks/Debian.yaml b/playbooks/roles/unbound/tasks/Debian.yaml
new file mode 100644
index 0000000000..a112e61fa8
--- /dev/null
+++ b/playbooks/roles/unbound/tasks/Debian.yaml
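Review bot: files/dhclient.conf carries no comment saying that it is managed by the unbound role or why it is written this way, although the "Write dhclient config file" task in tasks/main.yaml overwrites the host's existing dhclient.conf wholesale. The security-relevant part is that `domain-name-servers` is left out of the `request` list and superseded with 127.0.0.1, so a DHCP response cannot substitute another resolver; a later editor restoring distribution defaults would undo that silently. I would add a header such as `# Managed by Ansible (unbound role). DHCP must not replace the local resolver: do not request domain-name-servers and keep the supersede lines.` The supersede statements name the DHCPv4 options only; whether DHCPv6 is in use on these hosts cannot be told from this hunk.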
@@ -0,0 +1,13 @@
+# We require the defaults file be in place before installing the
+# package to work around this bug:
+# https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513
+# where we could end up briefly forwarding to a provider's broken
+# DNS.
+
+# This file differs from that in the package only by setting
+# RESOLVCONF_FORWARDERS to false.
+- name: Install unbound defaults file
+ copy:
+ src: unbound.default
+ dest: /etc/default/unbound
+ mode: 0444
diff --git a/playbooks/roles/unbound/tasks/main.yaml b/playbooks/roles/unbound/tasks/main.yaml
new file mode 100644
index 0000000000..36d8f345b6
--- /dev/null
+++ b/playbooks/roles/unbound/tasks/main.yaml
@@ -0,0 +1,34 @@
+- name: Include OS-specific tasks
+ include_tasks: "{{ item }}"
+ vars:
+ params:
+ files: "{{ distro_lookup_path }}"
+ skip: true
+ loop: "{{ query('first_found', params) }}"
+
+- name: Install unbound
+ package:
+ state: present
+ name: unbound
+
+- name: Write dhclient config file
+ copy:
+ src: dhclient.conf
+ dest: "{{ item }}"
+ mode: 0444
+ when: item is file
+ loop:
+ - /etc/dhcp/dhclient.conf
+ - /etc/dhcp/dhclient-eth0.conf
+
+- name: Write resolv.conf
+ copy:
+ src: resolv.conf
+ dest: /etc/resolv.conf
+ mode: 0444
+
+- name: Enable unbound
+ service:
+ name: unbound
+ enabled: true
+ state: started
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index d5540e0bb6..df5854d0b6 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@@ -91,3 +91,8 @@ def test_snmp(host):
 def test_timezone(host):
 tz = host.check_output('date +%Z')
 assert tz == "UTC"
+
+
+def test_unbound(host):
+ output = host.check_output('host git.openstack.org')
+ assert 'has address' in output
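Review bot: In the "Write dhclient config file" task of playbooks/roles/unbound/tasks/main.yaml, `when: item is file` is a Jinja2 test that Ansible evaluates on the control machine, not on the managed host, so the copy is gated on whether those paths exist on the controller. A host whose dhclient.conf is skipped for that reason keeps taking resolvers from DHCP, which is what the supersede lines are meant to prevent. Stat the paths on the target and loop over the registered results instead, as below. Separately, "Write resolv.conf" runs before "Enable unbound", so a failure in the last task leaves the host pointing at 127.0.0.1 with nothing confirmed to be listening; starting the service first would avoid that.

```yaml
# … unchanged: Include OS-specific tasks, Install unbound …

- name: Check which dhclient config files exist on the host
  stat:
    path: "{{ item }}"
  loop:
    - /etc/dhcp/dhclient.conf
    - /etc/dhcp/dhclient-eth0.conf
  register: dhclient_conf_stat

- name: Write dhclient config file
  copy:
    src: dhclient.conf
    dest: "{{ item.item }}"
    mode: 0444
  when: item.stat.exists and item.stat.isreg
  loop: "{{ dhclient_conf_stat.results }}"

# … unchanged: Write resolv.conf, Enable unbound …
```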
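Review bot: test_unbound in testinfra/test_base.py passes on any host with a working resolver, because it only checks that `host git.openstack.org` returns an address; it does not show that the answer came from the local unbound. It also relies on the `host` binary being installed and on outbound DNS from the test node, neither of which is visible in this hunk. I would assert the role's own effects first, with `assert host.service('unbound').is_running` and `assert host.file('/etc/resolv.conf').contains('nameserver 127.0.0.1')`, and then query the local resolver explicitly with `host.check_output('host git.openstack.org 127.0.0.1')`.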