James E. Blair bd0f5b5cd7 Run rndc reload instead of restarting bind
It looks like restarting bind immediately after a zone file update
may be a bad idea and may lead to corrupted journal files.  Instead,
issue a rndc reload which is much gentler.

Change-Id: I237183315e877709e93eaba8ab5435c9c71b21ba
2018-01-15 10:20:03 -08:00

127 lines
3.2 KiB
Puppet

define openstack_project::master_zone (
$source = undef,
) {
concat::fragment { "dns_zones+10_${name}.dns":
target => $::dns::publicviewpath,
content => template('openstack_project/nameserver/bind.zone.erb'),
order => "10-${name}",
}
file { "/var/lib/bind/zones/${name}":
ensure => directory,
owner => 'bind',
group => 'bind',
mode => 'u+rwX,g+rX,o+rX',
source => $source,
recurse => remote,
require => File['/var/lib/bind/zones'],
notify => Exec['rndc_reload'],
}
file { "/etc/bind/keys/${name}":
require => File['/etc/bind/keys'],
ensure => directory,
owner => 'root',
group => 'bind',
mode => '0750',
}
}
define openstack_project::dnssec_key (
$public = undef,
$private = undef,
$zone = undef,
) {
file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.key":
ensure => present,
content => $public,
owner => 'root',
group => 'bind',
mode => '0440',
require => File["/etc/bind/keys/${zone}"],
}
file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.private":
ensure => present,
content => $private,
owner => 'root',
group => 'bind',
mode => '0440',
require => File["/etc/bind/keys/${zone}"],
}
}
define openstack_project::bind_key (
$key = undef,
) {
file { "/etc/bind/${name}.key":
require => Package[$::dns::dns_server_package],
owner => 'root',
group => 'bind',
mode => '0440',
content => template('openstack_project/nameserver/bind.key.erb'),
}
}
class openstack_project::master_nameserver (
$tsig_key = undef,
$dnssec_keys = undef,
$notifies = undef,
) {
$also_notify = join($notifies, ';')
class { '::haveged': }
class { '::dns':
dns_notify => yes,
listen_on_v6 => "${::ipaddress6}",
additional_directives => [
'include "/etc/bind/tsig.key";',
],
additional_options => {
'listen-on' => "{ ${::ipaddress}; }",
# Notify requests can also be TSIG signed, but the current version
# of the NSD puppet module doesn't let us configure that easily.
'also-notify' => "{ ${also_notify}; }",
# Bind doesn't make it easy (or possible?) to restrict transfers by
# ip address and TSIG, so we only use the TSIG key here.
'allow-transfer' => "{ key tsig; }",
}
}
file { '/etc/bind/keys':
require => Package[$::dns::dns_server_package],
ensure => directory,
owner => 'root',
group => 'bind',
mode => '0750',
}
file { '/var/lib/bind/zones':
require => Package[$::dns::dns_server_package],
ensure => directory,
}
openstack_project::bind_key { 'tsig':
key => $tsig_key,
}
create_resources(openstack_project::dnssec_key, $dnssec_keys)
# Per zone configuration
vcsrepo { '/opt/zone-zuul-ci.org':
ensure => latest,
provider => git,
revision => 'master',
source => 'https://git.openstack.org/openstack-infra/zone-zuul-ci.org',
}
openstack_project::master_zone { 'zuul-ci.org':
source => 'file:///opt/zone-zuul-ci.org/zones/zuul-ci.org',
require => Vcsrepo['/opt/zone-zuul-ci.org'],
}
exec { 'rndc_reload' :
command => 'rndc reload',
path => '/sbin:/usr/sbin:/bin:/usr/bin',
refreshonly => true,
}
}