opendev/system-config
Code Issues Proposed changes

Add an authoritative hidden master

Browse Source 
This runs bind as a hidden master nameserver so we can do all the
keysigning there, and then use nsd (or bind) as public authoritative
slaves.

Change-Id: Ifb2ad109103051fa13c4af1c7be1ca0ae98bb1a1
This commit is contained in:
James E. Blair 2017-12-15 16:20:56 -08:00
parent 832eb323a6
commit 4ccf277850
7 changed files with 171 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
doc/source/dns.rst
View File

@ -23,7 +23,16 @@ At a Glance
Adding a Zone
=============
To add a new zone, add an entry to :file:`manifests/site.pp`, and
To add a new zone, add an entry to :file:`manifests/site.pp`,
:file:`modules/openstack_project/manifests/master_nameserver.pp` and
create a new git repository to hold the contents of the zone.
Run::
dnssec-keygen -a RSASHA256 -b 2048 -3 example.net
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.net
And add the resulting files to the `dnssec_keys` key in the
`group/adns.yaml` private hiera file on puppetmaster.
.. note:: This section will be expanded.

21
manifests/site.pp
View File

@ -825,6 +825,27 @@ node /^status\d*\.openstack\.org$/ {
}
}
# This is a hidden authoritative master nameserver, not publicly
# accessible.
# Node-OS: xenial
node /^adns\d+\.openstack\.org$/ {
$group = 'adns'
class { 'openstack_project::server':
sysadmins => hiera('sysadmins', []),
iptables_allowed_hosts => [
{protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
],
}
class { 'openstack_project::master_nameserver':
tsig_key => hiera('tsig_key', {}),
dnssec_keys => hiera_hash('dnssec_keys', {}),
notifies => dns_a('ns1.openstack.org'),
}
}
# These are publicly accessible authoritative slave nameservers.
# Node-OS: xenial
node /^ns\d+\.openstack\.org$/ {
$group = 'ns'

1
modules.env
View File

@ -80,6 +80,7 @@ SOURCE_MODULES["https://github.com/rafaelfelix/puppet-pear"]="1.0.3"
SOURCE_MODULES["https://github.com/saz/puppet-memcached"]="v2.6.0"
SOURCE_MODULES["https://github.com/saz/puppet-timezone"]="v3.3.0"
SOURCE_MODULES["https://github.com/stankevich/puppet-python"]="1.9.4"
SOURCE_MODULES["https://github.com/theforeman/puppet-dns"]="4.1.0"
SOURCE_MODULES["https://github.com/vamsee/puppet-solr"]="0.0.8"
SOURCE_MODULES["https://github.com/voxpupuli/puppet-alternatives"]="0.3.0"
SOURCE_MODULES["https://github.com/voxpupuli/puppet-archive"]="v0.5.1"

2
modules/openstack_project/files/puppetmaster/groups.txt
View File

@ -22,3 +22,5 @@ zuul-executor ~ze\d+\.openstack\.org
grafana ~grafana\d*\.openstack\.org
status ~status\d*\.openstack\.org
paste ~paste\d*\.openstack\.org
adns ~adns\d*\.openstack\.org
ns ~ns\d*\.openstack\.org

120
modules/openstack_project/manifests/master_nameserver.pp Normal file
View File

@ -0,0 +1,120 @@
define openstack_project::master_zone (
$source = undef,
) {
concat::fragment { "dns_zones+10_${name}.dns":
target => $::dns::publicviewpath,
content => template('openstack_project/nameserver/bind.zone.erb'),
order => "10-${name}",
}
file { "/var/lib/bind/zones/${name}":
ensure => directory,
owner => 'bind',
group => 'bind',
mode => 'u+rwX,g+rX,o+rX',
source => $source,
recurse => remote,
require => File['/var/lib/bind/zones'],
notify => Service[$::dns::namedservicename],
}
file { "/etc/bind/keys/${name}":
require => File['/etc/bind/keys'],
ensure => directory,
owner => 'root',
group => 'bind',
mode => '0750',
}
}
define openstack_project::dnssec_key (
$public = undef,
$private = undef,
$zone = undef,
) {
file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.key":
ensure => present,
content => $public,
owner => 'root',
group => 'bind',
mode => '0440',
require => File["/etc/bind/keys/${zone}"],
}
file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.private":
ensure => present,
content => $private,
owner => 'root',
group => 'bind',
mode => '0440',
require => File["/etc/bind/keys/${zone}"],
}
}
define openstack_project::bind_key (
$key = undef,
) {
file { "/etc/bind/${name}.key":
require => Package[$::dns::dns_server_package],
owner => 'root',
group => 'bind',
mode => '0440',
content => template('openstack_project/nameserver/bind.key.erb'),
}
}
class openstack_project::master_nameserver (
$tsig_key = undef,
$dnssec_keys = undef,
$notifies = undef,
) {
$also_notify = join($notifies, ';')
class { '::haveged': }
class { '::dns':
dns_notify => yes,
listen_on_v6 => "${::ipaddress6}",
additional_directives => [
'include "/etc/bind/tsig.key";',
],
additional_options => {
'listen-on' => "{ ${::ipaddress}; }",
# Notify requests can also be TSIG signed, but the current version
# of the NSD puppet module doesn't let us configure that easily.
'also-notify' => "{ ${also_notify}; }",
# Bind doesn't make it easy (or possible?) to restrict transfers by
# ip address and TSIG, so we only use the TSIG key here.
'allow-transfer' => "{ key tsig; }",
}
}
file { '/etc/bind/keys':
require => Package[$::dns::dns_server_package],
ensure => directory,
owner => 'root',
group => 'bind',
mode => '0750',
}
file { '/var/lib/bind/zones':
require => Package[$::dns::dns_server_package],
ensure => directory,
}
openstack_project::bind_key { 'tsig':
key => $tsig_key,
}
create_resources(openstack_project::dnssec_key, $dnssec_keys)
# Per zone configuration
vcsrepo { '/opt/zone-zuul-ci.org':
ensure => latest,
provider => git,
revision => 'master',
source => 'https://git.openstack.org/openstack-infra/zone-zuul-ci.org',
}
openstack_project::master_zone { 'zuul-ci.org':
source => 'file:///opt/zone-zuul-ci.org/zones/zuul-ci.org',
require => Vcsrepo['/opt/zone-zuul-ci.org'],
}
}

4
modules/openstack_project/templates/nameserver/bind.key.erb Normal file
View File

@ -0,0 +1,4 @@
key "<%= @name %>" {
algorithm <%= @key['algorithm'] %>;
secret "<%= @key['secret'] %>";
};

13
modules/openstack_project/templates/nameserver/bind.zone.erb Normal file
View File

@ -0,0 +1,13 @@
zone <%= @name %> {
type master;
file "/var/lib/bind/zones/<%= @name %>/zone.db";
# look for dnssec keys here:
key-directory "/etc/bind/keys/<%= @name %>";
# publish and activate dnssec keys:
auto-dnssec maintain;
# use inline signing:
inline-signing yes;
};