From b8b1fdde7507b6e90860cd2657686c154560d29b Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Tue, 8 Jan 2019 08:24:29 -0800
Subject: [PATCH] Nameservers are now managed with ansible
Remove the puppetry for managing nameservers as we now use ansible configured name servers without puppet.
We will need to follow this up with deletion of the existing ns*.openstack.org and adns1.openstack.org servers.
Change-Id: Id7ec8fa58c9e37ce94ec71e4562607914e5c3ea4
---
hiera/common.yaml | 6 +-
inventory/groups.yaml | 5 -
inventory/openstack.yaml | 24 ----
manifests/site.pp | 46 -------
modules.env | 1 -
.../manifests/master_nameserver.pp | 130 ------------------
.../test-fixtures/results.yaml | 5 +-
7 files changed, 5 insertions(+), 212 deletions(-)
delete mode 100644 modules/openstack_project/manifests/master_nameserver.pp
diff --git a/hiera/common.yaml b/hiera/common.yaml
index 545f35bb2e..649de28949 100644
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@@ -233,7 +233,7 @@ meetbot_channels:
 - '#tripleo'
 - '#zuul'
 cacti_hosts:
-- adns1.openstack.org
+- adns1.opendev.org
 - afs01.dfw.openstack.org
 - afs02.dfw.openstack.org
 - afs01.ord.openstack.org
@@ -302,8 +302,8 @@ cacti_hosts:
 - nl02.openstack.org
 - nl03.openstack.org
 - nl04.openstack.org
-- ns1.openstack.org
-- ns2.openstack.org
+- ns1.opendev.org
+- ns2.opendev.org
 - openstackid.org
 - paste.openstack.org
 - pbx.openstack.org
diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index a5b21af5b6..34656174ee 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -35,7 +35,6 @@ groups:
 files: files[0-9]*.open*.org
 firehose: firehose[0-9]*.open*.org
 futureparser:
- - adns[0-9]*.openstack.org
 - ask-staging[0-9]*.open*.org
 - cacti[0-9]*.open*.org
 - codesearch[0-9]*.open*.org
@@ -62,7 +61,6 @@ groups:
 - mirror[0-9]*.*.*.open*.org
 - nb[0-9]*.open*.org
 - nl[0-9]*.open*.org
- - ns[0-9]*.openstack.org
 - paste[0-9]*.open*.org
 - pbx*.open*.org
 - planet[0-9]*.open*.org
@@ -122,7 +120,6 @@ groups:
 pbx:
 - pbx*.open*.org
 puppet:
- - adns1.openstack.org
 - afs[0-9]*.open*.org
 - afsdb[0-9]*.open*.org
 - ask*.open*.org
@@ -152,8 +149,6 @@ groups:
 - mirror[0-9]*.open*.org
 - nb[0-9]*.open*.org
 - nl[0-9]*.open*.org
- - ns1.openstack.org
- - ns2.openstack.org
 - openstackid-dev*.open*.org
 - openstackid.org
 - paste[0-9]*.open*.org
diff --git a/inventory/openstack.yaml b/inventory/openstack.yaml
index 5e3ae9d0a2..d69ede3cf4 100644
--- a/inventory/openstack.yaml
+++ b/inventory/openstack.yaml
@@ -8,14 +8,6 @@ all:
 private_v4: 10.209.134.4
 public_v4: 104.239.146.24
 public_v6: 2001:4800:7819:104:be76:4eff:fe04:43d0
- adns1.openstack.org:
- ansible_host: 2001:4801:7824:101:be76:4eff:fe10:c98e
- location:
- cloud: openstackci-rax
- region_name: ORD
- private_v4: 10.209.103.102
- public_v4: 23.253.63.149
- public_v6: 2001:4801:7824:101:be76:4eff:fe10:c98e
 afs01.dfw.openstack.org:
 ansible_host: 2001:4800:7818:103:be76:4eff:fe04:a376
 location:
@@ -768,14 +760,6 @@ all:
 private_v4: 10.209.133.154
 public_v4: 104.239.140.165
 public_v6: 2001:4800:7819:104:be76:4eff:fe04:38f0
- ns1.openstack.org:
- ansible_host: 2001:4800:7817:103:be76:4eff:fe04:3fc7
- location:
- cloud: openstackci-rax
- region_name: DFW
- private_v4: 10.208.160.121
- public_v4: 23.253.236.219
- public_v6: 2001:4800:7817:103:be76:4eff:fe04:3fc7
 ns2.opendev.org:
 ansible_host: 2604:e100:1:0:f816:3eff:fe2c:7447
 location:
@@ -784,14 +768,6 @@ all:
 private_v4: ''
 public_v4: 162.253.55.16
 public_v6: 2604:e100:1:0:f816:3eff:fe2c:7447
- ns2.openstack.org:
- ansible_host: 2604:e100:1:0:f816:3eff:fe53:ee69
- location:
- cloud: openstackci-vexxhost
- region_name: ca-ymq-1
- private_v4: ''
- public_v4: 162.253.55.139
- public_v6: 2604:e100:1:0:f816:3eff:fe53:ee69
 openstackid-dev.openstack.org:
 ansible_host: 2001:4800:7819:103:be76:4eff:fe05:3d
 location:
diff --git a/manifests/site.pp b/manifests/site.pp
index afa74f1554..f1c0933108 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -696,52 +696,6 @@ node /^survey\d+\.open.*\.org$/ {
 }
 }
-# This is a hidden authoritative master nameserver, not publicly
-# accessible.
-# Node-OS: xenial
-node /^adns\d+\.open.*\.org$/ {
- $group = 'adns'
-
- class { 'openstack_project::server': }
-
- class { 'openstack_project::master_nameserver':
- tsig_key => hiera('tsig_key', {}),
- dnssec_keys => hiera_hash('dnssec_keys', {}),
- notifies => concat(dns_a('ns1.openstack.org'), dns_a('ns2.openstack.org')),
- }
-}
-
-# These are publicly accessible authoritative slave nameservers.
-# Node-OS: xenial
-node /^ns\d+\.open.*\.org$/ {
- $group = 'ns'
-
- class { 'openstack_project::server': }
-
- $tsig_key = hiera('tsig_key', {})
- if $tsig_key != {} {
- $tsig_name = 'tsig'
- nsd::tsig { 'tsig':
- algo => $tsig_key[algorithm],
- data => $tsig_key[secret],
- }
- } else {
- $tsig_name = undef
- }
-
- class { '::nsd':
- ip_addresses => [ $::ipaddress, $::ipaddress6 ],
- zones => {
- 'adns1_zones' => {
- allow_notify => dns_a('adns1.openstack.org'),
- masters => dns_a('adns1.openstack.org'),
- zones => ['zuul-ci.org', 'zuulci.org'],
- tsig_name => $tsig_name,
- }
- }
- }
-}
-
 # Node-OS: xenial
 node /^nl\d+\.open.*\.org$/ {
 $group = 'nodepool'
diff --git a/modules.env b/modules.env
index 8d9fe1dda1..89464a0ef8 100644
--- a/modules.env
+++ b/modules.env
@@ -44,7 +44,6 @@ SOURCE_MODULES["https://github.com/dalen/puppet-dnsquery"]="2.0.1"
 SOURCE_MODULES["https://github.com/deric/puppet-zookeeper"]="v0.5.5"
 SOURCE_MODULES["https://github.com/duritong/puppet-sysctl"]="v0.0.11"
 # initfact is a dep of biemond-wildfly
-SOURCE_MODULES["https://github.com/icann-dns/puppet-nsd"]="0.1.10"
 SOURCE_MODULES["https://github.com/jethrocarr/puppet-initfact"]="1.0.1"
 SOURCE_MODULES["https://github.com/jfryman/puppet-selinux"]="v0.2.5"
 SOURCE_MODULES["https://github.com/maestrodev/puppet-wget"]="v1.6.0"
diff --git a/modules/openstack_project/manifests/master_nameserver.pp b/modules/openstack_project/manifests/master_nameserver.pp
deleted file mode 100644
index cb2ca0ccac..0000000000
--- a/modules/openstack_project/manifests/master_nameserver.pp
+++ /dev/null
@@ -1,130 +0,0 @@
-define openstack_project::master_zone (
- $source = undef,
-) {
- concat::fragment { "dns_zones+10_${name}.dns":
- target => $::dns::publicviewpath,
- content => template('openstack_project/nameserver/bind.zone.erb'),
- order => "10-${name}",
- }
- file { "/var/lib/bind/zones/${name}":
- ensure => directory,
- owner => 'bind',
- group => 'bind',
- mode => 'u+rwX,g+rX,o+rX',
- source => $source,
- recurse => remote,
- require => File['/var/lib/bind/zones'],
- notify => Exec['rndc_reload'],
- }
- file { "/etc/bind/keys/${name}":
- require => File['/etc/bind/keys'],
- ensure => directory,
- owner => 'root',
- group => 'bind',
- mode => '0750',
- }
-}
-
-define openstack_project::dnssec_key (
- $public = undef,
- $private = undef,
- $zone = undef,
-) {
- file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.key":
- ensure => present,
- content => $public,
- owner => 'root',
- group => 'bind',
- mode => '0440',
- require => File["/etc/bind/keys/${zone}"],
- }
- file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.private":
- ensure => present,
- content => $private,
- owner => 'root',
- group => 'bind',
- mode => '0440',
- require => File["/etc/bind/keys/${zone}"],
- }
-}
-
-define openstack_project::bind_key (
- $key = undef,
-) {
- file { "/etc/bind/${name}.key":
- require => Package[$::dns::dns_server_package],
- owner => 'root',
- group => 'bind',
- mode => '0440',
- content => template('openstack_project/nameserver/bind.key.erb'),
- }
-}
-
-class openstack_project::master_nameserver (
- $tsig_key = undef,
- $dnssec_keys = undef,
- $notifies = undef,
-) {
-
- $also_notify = join($notifies, ';')
-
- class { '::haveged': }
-
- class { '::dns':
- dns_notify => yes,
- listen_on_v6 => "${::ipaddress6}",
- additional_directives => [
- 'include "/etc/bind/tsig.key";',
- ],
- additional_options => {
- 'listen-on' => "{ ${::ipaddress}; }",
- # Notify requests can also be TSIG signed, but the current version
- of the NSD puppet module doesn't let us configure that easily.
- 'also-notify' => "{ ${also_notify}; }",
- # Bind doesn't make it easy (or possible?) to restrict transfers by
- ip address and TSIG, so we only use the TSIG key here.
- 'allow-transfer' => "{ key tsig; }",
- }
- }
-
- file { '/etc/bind/keys':
- require => Package[$::dns::dns_server_package],
- ensure => directory,
- owner => 'root',
- group => 'bind',
- mode => '0750',
- }
- file { '/var/lib/bind/zones':
- require => Package[$::dns::dns_server_package],
- ensure => directory,
- }
-
- openstack_project::bind_key { 'tsig':
- key => $tsig_key,
- }
-
- create_resources(openstack_project::dnssec_key, $dnssec_keys)
-
- # Per zone configuration
- vcsrepo { '/opt/zone-zuul-ci.org':
- ensure => latest,
- provider => git,
- revision => 'master',
- source => 'https://git.openstack.org/openstack-infra/zone-zuul-ci.org',
- }
- openstack_project::master_zone { 'zuul-ci.org':
- source => 'file:///opt/zone-zuul-ci.org/zones/zuul-ci.org',
- require => Vcsrepo['/opt/zone-zuul-ci.org'],
- }
- openstack_project::master_zone { 'zuulci.org':
- source => 'file:///opt/zone-zuul-ci.org/zones/zuulci.org',
- require => Vcsrepo['/opt/zone-zuul-ci.org'],
- }
-
- exec { 'rndc_reload' :
- command => 'rndc reload',
- path => '/sbin:/usr/sbin:/bin:/usr/bin',
- refreshonly => true,
- }
-
-}
diff --git a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
index f5f43b59dd..fae6798bbc 100644
--- a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
+++ b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
@@ -3,10 +3,9 @@ results:
- adns1.openstack.org:
+ adns1.opendev.org:
 - adns
- - puppet
- - futureparser
+ - dns
 afs01.dfw.openstack.org:
 - afs