Configure opendev nameservers using ansible

Change-Id: Ie6430053159bf5a09b2c002ad6a4f84334a5bca3
James E. Blair 2018-11-01 13:24:41 -07:00
parent 90e6088881
commit dae1a0351c
10 changed files with 145 additions and 1 deletions


@ -206,14 +206,19 @@
label: ubuntu-bionic label: ubuntu-bionic
- name: adns1.opendev.org - name: adns1.opendev.org
label: ubuntu-bionic label: ubuntu-bionic
- name: ns1.opendev.org
label: ubuntu-bionic
files: files:
- .zuul.yaml - .zuul.yaml
- playbooks/group_vars/adns.yaml - playbooks/group_vars/adns.yaml
- playbooks/group_vars/dns.yaml - playbooks/group_vars/dns.yaml
- playbooks/host_vars/adns1.opendev.org.yaml - ^playbooks/host_vars/(ad)?ns\d+.opendev.org.yaml
- playbooks/zuul/templates/group_vars/adns.yaml.j2 - playbooks/zuul/templates/group_vars/adns.yaml.j2
- playbooks/zuul/templates/group_vars/ns.yaml.j2
- playbooks/roles/master-nameserver/ - playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/
- testinfra/test_adns.py - testinfra/test_adns.py
- testinfra/test_ns.py
- job: - job:
name: infra-prod-playbook name: infra-prod-playbook
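Review bot: The new trigger pattern `^playbooks/host_vars/(ad)?ns\d+.opendev.org.yaml` leaves the dots unescaped, so each `.` matches any character and the pattern is looser than the literal path it replaces. Escaping them, `^playbooks/host_vars/(ad)?ns\d+\.opendev\.org\.yaml`, keeps the trigger exact; the over-match only affects when the job runs, so this is a precision nit rather than a bug. The enclosing job definition starts before this hunk.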


@ -46,3 +46,8 @@
name: "Base: configure adns1.opendev.org" name: "Base: configure adns1.opendev.org"
roles: roles:
- master-nameserver - master-nameserver
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
name: "Base: configure authoritative nameservers"
roles:
- nameserver
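Review bot: The new play lists both hosts explicitly in `hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"`, while the same commit adds `group_vars/ns.yaml`, which suggests an `ns` inventory group exists; if it does, `hosts: "ns:!disabled"` would keep the play and the group vars in step when a nameserver is added or renamed. If the explicit list is deliberate (for example to stage one host at a time), a one-line comment above the play saying so would save the next reader from "fixing" it.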


@ -13,3 +13,4 @@ dns_zones:
dns_notify: dns_notify:
- 104.239.140.165 - 104.239.140.165
- 162.253.55.16 - 162.253.55.16
dns_master: 104.239.146.24
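Review bot: `dns_master` is a bare address with nothing saying who consumes it; the nameserver template in this commit uses it as a single scalar in both `allow-notify: {{ dns_master }} NOKEY` and `request-xfr: AXFR {{ dns_master }} tsig`, so a list value would silently render a broken config. A comment such as `# Single address of the master (adns) host; the nameserver role accepts NOTIFY from it and pulls AXFR from it` would document that constraint next to the value. Whether 104.239.146.24 is adns1.opendev.org is not visible here and is worth confirming in the comment.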


@ -0,0 +1,42 @@
Configure an authoritative nameserver
This role installs and configures nsd to be an authoritative
nameserver.
**Role Variables**
.. zuul:rolevar:: tsig_key
:type: dict
The TSIG key used to authenticate connections between nameservers.
.. zuul:rolevar:: algorithm
The algorithm used by the key.
.. zuul:rolevar:: secret
The secret portion of the key.
.. zuul:rolevar:: dns_zones
:type: list
A list of zones that should be served by named. Each item in the
list is a dictionary with the following keys:
.. zuul:rolevar:: name
The name of the zone.
.. zuul:rolevar:: source
The repo name and path of the directory containing the zone
file. For example if a repo was provided to
:zuul:rolevar:`master-nameserver.dns_repos.name` with the name
``example.com``, and within that repo, the ``zone.db`` file was
located at ``zones/example_com/zone.db``, then the value here
should be ``example.com/zones/example_com``.
.. zuul:rolevar:: dns_master
The IP addresses of the master nameserver.


@ -0,0 +1,2 @@
- name: Reconfigure NSD
command: "nsd-control reconfig"
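Review bot: `nsd-control reconfig` needs NSD's remote control channel, but the nsd.conf template added by this commit (the `server:` stanza further down) has no `remote-control:` stanza, and NSD's built-in default for `control-enable` is no, so the handler will presumably fail to connect unless the Ubuntu package enables it in a file the template does not replace. Adding `remote-control:`, `  control-enable: yes`, `  control-interface: 127.0.0.1` to the template should resolve that; if the package does not generate the control key pair on install, an `nsd-control-setup` task is needed as well. The template hunk is the other place this applies.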


@ -0,0 +1,23 @@
# Install the NSD config before installing the package because the
# default packaged config listens on all addresses therefore will
# not start.
- name: Ensure NSD config directory exists
file:
path: /etc/nsd
state: directory
- name: Install NSD config
template:
src: templates/nsd.conf.j2
dest: /etc/nsd/nsd.conf
owner: root
group: root
mode: 0444
notify: Reconfigure NSD
- name: Install packages
package:
name:
- nsd
- name: Enable NSD
service:
name: nsd
enabled: true
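Review bot: `/etc/nsd/nsd.conf` is installed with `mode: 0444`, but the template renders the TSIG secret into it (`secret: {{ tsig_key.secret }}`), so every local account on the host can read the key that authenticates zone transfers. As far as I know NSD reads its configuration as root before dropping to the `nsd` user and `nsd-control` runs as root here, so `mode: "0400"` should suffice (fall back to `"0440"` with `group: nsd` if anything under the nsd user needs it); quoting the mode also matches Ansible's recommended form, though the leading zero means the current value does work. Separately, `Enable NSD` sets `enabled: true` without `state: started`, so a fresh host relies on the package postinst to start the daemon before the reconfig handler runs; `state: started` would make that explicit.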


@ -0,0 +1,41 @@
server:
{% if 'address' in ansible_facts.default_ipv4 %}
ip-address: {{ ansible_facts.default_ipv4.address }}
{% endif %}
{% if 'address' in ansible_facts.default_ipv6 %}
ip-address: {{ ansible_facts.default_ipv6.address }}
{% endif %}
ip-transparent: no
debug-mode: no
database: /var/lib/nsd/nsd.db
identity: {{ inventory_hostname }}
server-count: 1
tcp-count: 250
tcp-query-count: 0
ipv4-edns-size: 4096
ipv6-edns-size: 4096
pidfile: /run/nsd/nsd.pid
port: 53
username: nsd
zonesdir: /var/lib/nsd
xfrdfile: /var/lib/nsd/xfrd.state
xfrd-reload-timeout: 1
verbosity: 0
hide-version: no
rrl-size: 1000000
rrl-ratelimit: 200
rrl-slip: 2
rrl-ipv4-prefix-length: 24
rrl-ipv6-prefix-length: 64
rrl-whitelist-ratelimit: 4000
key:
name: tsig
algorithm: {{ tsig_key.algorithm }}
secret: {{ tsig_key.secret }}
{% for zone in dns_zones %}
zone:
name: {{ zone.name }}
zonefile: /var/lib/nsd/zone/{{ zone.name }}
allow-notify: {{ dns_master }} NOKEY
request-xfr: AXFR {{ dns_master }} tsig
{% endfor %}
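Review bot: `hide-version: no` lets anyone read the NSD version over a CHAOS `version.server` query, which is free reconnaissance for a public authoritative server; `hide-version: yes` is the usual hardening and has no operational cost. Also `allow-notify: {{ dns_master }} NOKEY` accepts unsigned NOTIFY from the master address even though the matching `request-xfr` is TSIG-signed; if the master-nameserver role (not in this hunk) signs its notifies, `allow-notify: {{ dns_master }} tsig` closes that gap, and if not, the exposure is limited to a spoofed notify triggering an authenticated refresh. The `no` values here are NSD's own config syntax rather than YAML, so the yes/no spelling is correct in this file.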


@ -60,6 +60,7 @@
- group_vars/all.yaml - group_vars/all.yaml
- group_vars/adns.yaml - group_vars/adns.yaml
- group_vars/nodepool.yaml - group_vars/nodepool.yaml
- group_vars/ns.yaml
- host_vars/bridge.openstack.org.yaml - host_vars/bridge.openstack.org.yaml
- name: Display group membership - name: Display group membership
command: ansible localhost -m debug -a 'var=groups' command: ansible localhost -m debug -a 'var=groups'


@ -0,0 +1,3 @@
tsig_key:
algorithm: hmac-md5
secret: 9zO/4WnUinnLHISPgDI5Aw==
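Review bot: The fixture pins `algorithm: hmac-md5`, the legacy TSIG algorithm; hmac-sha256 is the current mandatory-to-implement one and NSD accepts it for both the `key:` stanza and `request-xfr`. Since this file appears to be the CI stand-in for the real `ns` group vars, its shape is what production will copy, so `algorithm: hmac-sha256` with a matching key on the master is worth setting from the start. The committed secret is fine as a throwaway test value provided the production key lives only in the private host/group vars.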

21
testinfra/test_ns.py Normal file

@ -0,0 +1,21 @@
# Copyright 2018 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
testinfra_hosts = ['ns1.opendev.org']
def test_nsd(host):
nsd = host.service('nsd')
assert nsd.is_running
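Review bot: The test only asserts `nsd.is_running`, which says nothing about whether the role's config was installed or whether the daemon is answering on port 53. Adding `assert nsd.is_enabled` (matching `enabled: true` in the role's tasks) and `assert host.socket('tcp://53').is_listening` would check what the role actually promises, and a `host.file('/etc/nsd/nsd.conf').contains('identity: ns1.opendev.org')` check would confirm the template, not the packaged config, is in place.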