opendev/system-config
Code Issues Proposed changes

Nameservers are now managed with ansible

Browse Source 
Remove the puppetry for managing nameservers as we now use ansible
configured name servers without puppet.

We will need to follow this up with deletion of the existing
ns*.openstack.org and adns1.openstack.org servers.

Change-Id: Id7ec8fa58c9e37ce94ec71e4562607914e5c3ea4
This commit is contained in:
Clark Boylan 2019-01-08 08:24:29 -08:00
parent 7040063c1a
commit b8b1fdde75
7 changed files with 5 additions and 212 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hiera/common.yaml
View File

@ -233,7 +233,7 @@ meetbot_channels:
- '#tripleo' - '#tripleo'
- '#zuul' - '#zuul'
cacti_hosts: cacti_hosts:
- adns1.openstack.org - adns1.opendev.org
- afs01.dfw.openstack.org - afs01.dfw.openstack.org
- afs02.dfw.openstack.org - afs02.dfw.openstack.org
- afs01.ord.openstack.org - afs01.ord.openstack.org
@ -302,8 +302,8 @@ cacti_hosts:
- nl02.openstack.org - nl02.openstack.org
- nl03.openstack.org - nl03.openstack.org
- nl04.openstack.org - nl04.openstack.org
- ns1.openstack.org - ns1.opendev.org
- ns2.openstack.org - ns2.opendev.org
- openstackid.org - openstackid.org
- paste.openstack.org - paste.openstack.org
- pbx.openstack.org - pbx.openstack.org

5
inventory/groups.yaml
View File

@ -35,7 +35,6 @@ groups:
files: files[0-9]*.open*.org files: files[0-9]*.open*.org
firehose: firehose[0-9]*.open*.org firehose: firehose[0-9]*.open*.org
futureparser: futureparser:
- adns[0-9]*.openstack.org
- ask-staging[0-9]*.open*.org - ask-staging[0-9]*.open*.org
- cacti[0-9]*.open*.org - cacti[0-9]*.open*.org
- codesearch[0-9]*.open*.org - codesearch[0-9]*.open*.org
@ -62,7 +61,6 @@ groups:
- mirror[0-9]*.*.*.open*.org - mirror[0-9]*.*.*.open*.org
- nb[0-9]*.open*.org - nb[0-9]*.open*.org
- nl[0-9]*.open*.org - nl[0-9]*.open*.org
- ns[0-9]*.openstack.org
- paste[0-9]*.open*.org - paste[0-9]*.open*.org
- pbx*.open*.org - pbx*.open*.org
- planet[0-9]*.open*.org - planet[0-9]*.open*.org
@ -122,7 +120,6 @@ groups:
pbx: pbx:
- pbx*.open*.org - pbx*.open*.org
puppet: puppet:
- adns1.openstack.org
- afs[0-9]*.open*.org - afs[0-9]*.open*.org
- afsdb[0-9]*.open*.org - afsdb[0-9]*.open*.org
- ask*.open*.org - ask*.open*.org
@ -152,8 +149,6 @@ groups:
- mirror[0-9]*.open*.org - mirror[0-9]*.open*.org
- nb[0-9]*.open*.org - nb[0-9]*.open*.org
- nl[0-9]*.open*.org - nl[0-9]*.open*.org
- ns1.openstack.org
- ns2.openstack.org
- openstackid-dev*.open*.org - openstackid-dev*.open*.org
- openstackid.org - openstackid.org
- paste[0-9]*.open*.org - paste[0-9]*.open*.org

24
inventory/openstack.yaml
View File

@ -8,14 +8,6 @@ all:
private_v4: 10.209.134.4 private_v4: 10.209.134.4
public_v4: 104.239.146.24 public_v4: 104.239.146.24
public_v6: 2001:4800:7819:104:be76:4eff:fe04:43d0 public_v6: 2001:4800:7819:104:be76:4eff:fe04:43d0
adns1.openstack.org:
ansible_host: 2001:4801:7824:101:be76:4eff:fe10:c98e
location:
cloud: openstackci-rax
region_name: ORD
private_v4: 10.209.103.102
public_v4: 23.253.63.149
public_v6: 2001:4801:7824:101:be76:4eff:fe10:c98e
afs01.dfw.openstack.org: afs01.dfw.openstack.org:
ansible_host: 2001:4800:7818:103:be76:4eff:fe04:a376 ansible_host: 2001:4800:7818:103:be76:4eff:fe04:a376
location: location:
@ -768,14 +760,6 @@ all:
private_v4: 10.209.133.154 private_v4: 10.209.133.154
public_v4: 104.239.140.165 public_v4: 104.239.140.165
public_v6: 2001:4800:7819:104:be76:4eff:fe04:38f0 public_v6: 2001:4800:7819:104:be76:4eff:fe04:38f0
ns1.openstack.org:
ansible_host: 2001:4800:7817:103:be76:4eff:fe04:3fc7
location:
cloud: openstackci-rax
region_name: DFW
private_v4: 10.208.160.121
public_v4: 23.253.236.219
public_v6: 2001:4800:7817:103:be76:4eff:fe04:3fc7
ns2.opendev.org: ns2.opendev.org:
ansible_host: 2604:e100:1:0:f816:3eff:fe2c:7447 ansible_host: 2604:e100:1:0:f816:3eff:fe2c:7447
location: location:
@ -784,14 +768,6 @@ all:
private_v4: '' private_v4: ''
public_v4: 162.253.55.16 public_v4: 162.253.55.16
public_v6: 2604:e100:1:0:f816:3eff:fe2c:7447 public_v6: 2604:e100:1:0:f816:3eff:fe2c:7447
ns2.openstack.org:
ansible_host: 2604:e100:1:0:f816:3eff:fe53:ee69
location:
cloud: openstackci-vexxhost
region_name: ca-ymq-1
private_v4: ''
public_v4: 162.253.55.139
public_v6: 2604:e100:1:0:f816:3eff:fe53:ee69
openstackid-dev.openstack.org: openstackid-dev.openstack.org:
ansible_host: 2001:4800:7819:103:be76:4eff:fe05:3d ansible_host: 2001:4800:7819:103:be76:4eff:fe05:3d
location: location:

46
manifests/site.pp
View File

@ -696,52 +696,6 @@ node /^survey\d+\.open.*\.org$/ {
} }
} }
# This is a hidden authoritative master nameserver, not publicly
# accessible.
# Node-OS: xenial
node /^adns\d+\.open.*\.org$/ {
$group = 'adns'
class { 'openstack_project::server': }
class { 'openstack_project::master_nameserver':
tsig_key => hiera('tsig_key', {}),
dnssec_keys => hiera_hash('dnssec_keys', {}),
notifies => concat(dns_a('ns1.openstack.org'), dns_a('ns2.openstack.org')),
}
}
# These are publicly accessible authoritative slave nameservers.
# Node-OS: xenial
node /^ns\d+\.open.*\.org$/ {
$group = 'ns'
class { 'openstack_project::server': }
$tsig_key = hiera('tsig_key', {})
if $tsig_key != {} {
$tsig_name = 'tsig'
nsd::tsig { 'tsig':
algo => $tsig_key[algorithm],
data => $tsig_key[secret],
}
} else {
$tsig_name = undef
}
class { '::nsd':
ip_addresses => [ $::ipaddress, $::ipaddress6 ],
zones => {
'adns1_zones' => {
allow_notify => dns_a('adns1.openstack.org'),
masters => dns_a('adns1.openstack.org'),
zones => ['zuul-ci.org', 'zuulci.org'],
tsig_name => $tsig_name,
}
}
}
}
# Node-OS: xenial # Node-OS: xenial
node /^nl\d+\.open.*\.org$/ { node /^nl\d+\.open.*\.org$/ {
$group = 'nodepool' $group = 'nodepool'

1
modules.env
View File

@ -44,7 +44,6 @@ SOURCE_MODULES["https://github.com/dalen/puppet-dnsquery"]="2.0.1"
SOURCE_MODULES["https://github.com/deric/puppet-zookeeper"]="v0.5.5" SOURCE_MODULES["https://github.com/deric/puppet-zookeeper"]="v0.5.5"
SOURCE_MODULES["https://github.com/duritong/puppet-sysctl"]="v0.0.11" SOURCE_MODULES["https://github.com/duritong/puppet-sysctl"]="v0.0.11"
# initfact is a dep of biemond-wildfly # initfact is a dep of biemond-wildfly
SOURCE_MODULES["https://github.com/icann-dns/puppet-nsd"]="0.1.10"
SOURCE_MODULES["https://github.com/jethrocarr/puppet-initfact"]="1.0.1" SOURCE_MODULES["https://github.com/jethrocarr/puppet-initfact"]="1.0.1"
SOURCE_MODULES["https://github.com/jfryman/puppet-selinux"]="v0.2.5" SOURCE_MODULES["https://github.com/jfryman/puppet-selinux"]="v0.2.5"
SOURCE_MODULES["https://github.com/maestrodev/puppet-wget"]="v1.6.0" SOURCE_MODULES["https://github.com/maestrodev/puppet-wget"]="v1.6.0"

130
modules/openstack_project/manifests/master_nameserver.pp
View File

@ -1,130 +0,0 @@
define openstack_project::master_zone (
$source = undef,
) {
concat::fragment { "dns_zones+10_${name}.dns":
target => $::dns::publicviewpath,
content => template('openstack_project/nameserver/bind.zone.erb'),
order => "10-${name}",
}
file { "/var/lib/bind/zones/${name}":
ensure => directory,
owner => 'bind',
group => 'bind',
mode => 'u+rwX,g+rX,o+rX',
source => $source,
recurse => remote,
require => File['/var/lib/bind/zones'],
notify => Exec['rndc_reload'],
}
file { "/etc/bind/keys/${name}":
require => File['/etc/bind/keys'],
ensure => directory,
owner => 'root',
group => 'bind',
mode => '0750',
}
}
define openstack_project::dnssec_key (
$public = undef,
$private = undef,
$zone = undef,
) {
file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.key":
ensure => present,
content => $public,
owner => 'root',
group => 'bind',
mode => '0440',
require => File["/etc/bind/keys/${zone}"],
}
file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.private":
ensure => present,
content => $private,
owner => 'root',
group => 'bind',
mode => '0440',
require => File["/etc/bind/keys/${zone}"],
}
}
define openstack_project::bind_key (
$key = undef,
) {
file { "/etc/bind/${name}.key":
require => Package[$::dns::dns_server_package],
owner => 'root',
group => 'bind',
mode => '0440',
content => template('openstack_project/nameserver/bind.key.erb'),
}
}
class openstack_project::master_nameserver (
$tsig_key = undef,
$dnssec_keys = undef,
$notifies = undef,
) {
$also_notify = join($notifies, ';')
class { '::haveged': }
class { '::dns':
dns_notify => yes,
listen_on_v6 => "${::ipaddress6}",
additional_directives => [
'include "/etc/bind/tsig.key";',
],
additional_options => {
'listen-on' => "{ ${::ipaddress}; }",
# Notify requests can also be TSIG signed, but the current version
# of the NSD puppet module doesn't let us configure that easily.
'also-notify' => "{ ${also_notify}; }",
# Bind doesn't make it easy (or possible?) to restrict transfers by
# ip address and TSIG, so we only use the TSIG key here.
'allow-transfer' => "{ key tsig; }",
}
}
file { '/etc/bind/keys':
require => Package[$::dns::dns_server_package],
ensure => directory,
owner => 'root',
group => 'bind',
mode => '0750',
}
file { '/var/lib/bind/zones':
require => Package[$::dns::dns_server_package],
ensure => directory,
}
openstack_project::bind_key { 'tsig':
key => $tsig_key,
}
create_resources(openstack_project::dnssec_key, $dnssec_keys)
# Per zone configuration
vcsrepo { '/opt/zone-zuul-ci.org':
ensure => latest,
provider => git,
revision => 'master',
source => 'https://git.openstack.org/openstack-infra/zone-zuul-ci.org',
}
openstack_project::master_zone { 'zuul-ci.org':
source => 'file:///opt/zone-zuul-ci.org/zones/zuul-ci.org',
require => Vcsrepo['/opt/zone-zuul-ci.org'],
}
openstack_project::master_zone { 'zuulci.org':
source => 'file:///opt/zone-zuul-ci.org/zones/zuulci.org',
require => Vcsrepo['/opt/zone-zuul-ci.org'],
}
exec { 'rndc_reload' :
command => 'rndc reload',
path => '/sbin:/usr/sbin:/bin:/usr/bin',
refreshonly => true,
}
}

5
playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
View File

@ -3,10 +3,9 @@
results: results:
adns1.openstack.org: adns1.opendev.org:
- adns - adns
- puppet - dns
- futureparser
afs01.dfw.openstack.org: afs01.dfw.openstack.org:
- afs - afs