bd0f5b5cd7
It looks like restarting bind immediately after a zone file update may be a bad idea and may leave corrupted journal files. Instead, issue an `rndc reload`, which is much gentler: named re-reads its configuration and zones without being restarted. Change-Id: I237183315e877709e93eaba8ab5435c9c71b21ba
# Manage one authoritative ("master") zone served by this nameserver.
#
# $name   - the zone name (e.g. 'zuul-ci.org'); used both as the zone's
#           config fragment name and as its on-disk directory name.
# $source - Puppet file source URI of the directory holding the zone
#           files (a checked-out git tree in the class below); copied
#           recursively.
#
# Declares a named.conf zone fragment, the zone data directory and a
# root-owned key directory for the zone's DNSSEC keys. It must be declared
# from a catalog that also declares Exec['rndc_reload']
# (openstack_project::master_nameserver does).
define openstack_project::master_zone (
  $source = undef,
) {
  # Zone stanza for the public view. The template is not visible here, so
  # what it emits (file path, DNSSEC / inline-signing options) is assumed.
  concat::fragment { "dns_zones+10_${name}.dns":
    target  => $::dns::publicviewpath,
    content => template('openstack_project/nameserver/bind.zone.erb'),
    order   => "10-${name}",
  }

  # Zone data copied from $source. The directory is bind-owned, presumably
  # so that named can write journal files next to the zone files. 'remote'
  # recursion only manages files present in the source: files named creates
  # here are left alone, but nothing removed from the source is purged.
  # NOTE(review): the symbolic mode is additive -- it will not strip a stray
  # group/world-write bit from a file that already carries one.
  # Any change triggers a gentle 'rndc reload' rather than a restart.
  file { "/var/lib/bind/zones/${name}":
    ensure  => 'directory',
    owner   => 'bind',
    group   => 'bind',
    mode    => 'u+rwX,g+rX,o+rX',
    source  => $source,
    recurse => 'remote',
    require => File['/var/lib/bind/zones'],
    notify  => Exec['rndc_reload'],
  }

  # Per-zone DNSSEC key directory: root-owned, readable by the bind group
  # only (0750), never world-readable.
  file { "/etc/bind/keys/${name}":
    ensure  => 'directory',
    owner   => 'root',
    group   => 'bind',
    mode    => '0750',
    require => File['/etc/bind/keys'],
  }
}
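# Install one DNSSEC key pair for a zone under /etc/bind/keys/<zone>/.
#
# $name      - the key tag, i.e. the numeric id in the
#              K<zone>.+<algorithm>+<tag> file names produced by dnssec-keygen.
# $public    - contents of the .key file (the public DNSKEY record).
# $private   - contents of the .private file (secret key material).
# $zone      - zone the key belongs to; selects the per-zone key directory
#              declared by openstack_project::master_zone.
# $algorithm - zero-padded DNSSEC algorithm number used in the file names.
#              Defaults to '008' (RSASHA256), the only value used before
#              this parameter existed, so existing callers are unaffected.
#
# Both files are root-owned and readable by the bind group only (0440); the
# private half must never become world-readable. A missing parameter fails
# the catalog instead of silently writing an empty key file or placing the
# files under a malformed path such as /etc/bind/keys//K.+008+<tag>.key.
define openstack_project::dnssec_key (
  $public    = undef,
  $private   = undef,
  $zone      = undef,
  $algorithm = '008',
) {
  if $zone == undef {
    fail("openstack_project::dnssec_key[${name}]: 'zone' must be set")
  }
  if $public == undef or $private == undef {
    fail("openstack_project::dnssec_key[${name}]: both 'public' and 'private' key contents must be set")
  }

  # Common prefix of the two files named expects to find side by side.
  $key_base = "/etc/bind/keys/${zone}/K${zone}.+${algorithm}+${name}"

  file { "${key_base}.key":
    ensure  => 'present',
    content => $public,
    owner   => 'root',
    group   => 'bind',
    mode    => '0440',
    require => File["/etc/bind/keys/${zone}"],
  }

  # Secret key material: same tight permissions as the public half.
  file { "${key_base}.private":
    ensure  => 'present',
    content => $private,
    owner   => 'root',
    group   => 'bind',
    mode    => '0440',
    require => File["/etc/bind/keys/${zone}"],
  }
}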
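# Install a TSIG key statement for named as /etc/bind/<name>.key.
#
# $name - key name; also the file basename. The master_nameserver class
#         includes /etc/bind/tsig.key from named.conf.
# $key  - the shared secret rendered into the key statement by
#         bind.key.erb (template not visible here).
#
# The file holds a shared secret, so it is root-owned and readable by the
# bind group only (0440). named only reads it when (re)loading its
# configuration, so a rotated secret is pushed live through
# Exec['rndc_reload'] (declared by openstack_project::master_nameserver);
# without that notify a new key would sit unused on disk until something
# else reloaded named, and transfers would keep using the old secret.
define openstack_project::bind_key (
  $key = undef,
) {
  file { "/etc/bind/${name}.key":
    ensure  => 'present',
    owner   => 'root',
    group   => 'bind',
    mode    => '0440',
    content => template('openstack_project/nameserver/bind.key.erb'),
    require => Package[$::dns::dns_server_package],
    notify  => Exec['rndc_reload'],
  }
}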
# Authoritative ("master") nameserver built on bind: serves the zones
# declared below, keeps DNSSEC keys on disk and gates zone transfers on a
# TSIG key.
#
# $tsig_key    - shared secret of the 'tsig' key that authorises AXFR/IXFR
#                to the secondaries (rendered by openstack_project::bind_key).
# $dnssec_keys - hash of openstack_project::dnssec_key resources
#                (title => parameters), handed to create_resources.
# $notifies    - array of secondary addresses that receive NOTIFY messages.
class openstack_project::master_nameserver (
  $tsig_key    = undef,
  $dnssec_keys = undef,
  $notifies    = undef,
) {

  # also-notify takes a ';'-separated address list inside braces.
  $also_notify = join($notifies, ';')

  # Entropy daemon; presumably here for named's random-number needs
  # (port/ID randomisation, key generation) -- confirm.
  class { '::haveged': }

  class { '::dns':
    dns_notify            => yes,
    listen_on_v6          => "${::ipaddress6}",
    additional_directives => [
      # The shared secret lives in its own root:bind 0440 file rather than
      # in the module-managed named.conf.
      'include "/etc/bind/tsig.key";',
    ],
    additional_options    => {
      'listen-on'      => "{ ${::ipaddress}; }",
      # NOTIFY messages could be TSIG-signed too, but the NSD puppet module
      # on the secondaries does not currently make that easy to configure,
      # so notifies go unsigned.
      'also-notify'    => "{ ${also_notify}; }",
      # Transfers are authorised by the TSIG key alone, not by source
      # address. NOTE(review): the BIND ARM documents a nested-negation ACL
      # (`!{ !<secondary-addr>; any; }; key tsig;`) that requires both; it is
      # not used here because the secondary addresses are not modelled for it.
      'allow-transfer' => '{ key tsig; }',
    },
  }

  # Top-level key directory: root:bind 0750. Per-zone subdirectories and
  # the key files themselves come from the defines above.
  file { '/etc/bind/keys':
    ensure  => 'directory',
    owner   => 'root',
    group   => 'bind',
    mode    => '0750',
    require => Package[$::dns::dns_server_package],
  }

  # Parent of the per-zone data directories. Ownership and mode are left
  # at Puppet's defaults; each zone's own directory is bind-owned.
  file { '/var/lib/bind/zones':
    ensure  => 'directory',
    require => Package[$::dns::dns_server_package],
  }

  # The transfer key; named.conf includes /etc/bind/tsig.key (see above).
  openstack_project::bind_key { 'tsig':
    key => $tsig_key,
  }

  create_resources(openstack_project::dnssec_key, $dnssec_keys)

  # Per zone configuration
  # Zone data is pulled from the tip of 'master' on every run.
  # NOTE(review): there is no commit pin or signature check, so push access
  # to this repository is equivalent to control of the published zone; the
  # repository's access controls are the trust boundary.
  vcsrepo { '/opt/zone-zuul-ci.org':
    ensure   => 'latest',
    provider => 'git',
    revision => 'master',
    source   => 'https://git.openstack.org/openstack-infra/zone-zuul-ci.org',
  }

  openstack_project::master_zone { 'zuul-ci.org':
    source  => 'file:///opt/zone-zuul-ci.org/zones/zuul-ci.org',
    require => Vcsrepo['/opt/zone-zuul-ci.org'],
  }

  # Ask the running named to re-read its configuration and zones instead of
  # restarting it (a restart right after a zone update was seen to leave
  # corrupted journal files). Runs only when another resource notifies it.
  exec { 'rndc_reload':
    command     => 'rndc reload',
    path        => '/sbin:/usr/sbin:/bin:/usr/bin',
    refreshonly => true,
  }

}