Secure dns and ntp

Set dnsmasq and ntpd to listen on
management VIP in vrouter namespace

Change-Id: I94556e3a8765b3b5b337c68df6cf0ca848ee1645
Closes-Bug: 1466090

deployment/puppet/osnailyfacter/manifests/dnsmasq.pp

@@ -10,11 +10,16 @@
 # [*$master_ip*]
 # Ip address of fuel master node
 #
+# [*$management_vrouter_vip*]
+#
+# IP address of management interface in vrouter namespace
+#
 # === Examples
 #
 #  class { osnailyfacter::dnsmasq:
-#    external_dns => [ 'pool.ntp.org', 'ntp.local.company.com' ],
-#    master_ip    => '1.1.1.1'
+#    external_dns           => [ 'pool.ntp.org', 'ntp.local.company.com' ],
+#    master_ip              => '1.1.1.1',
+#    management_vrouter_vip => '1.2.3.4'
 #  }
 #
 # === Authors
@@ -27,7 +32,8 @@
 #
 class osnailyfacter::dnsmasq (
   $external_dns,
-  $master_ip
+  $master_ip,
+  $management_vrouter_vip,
 ) {
   $package_name = $osfamily ? {
     /(RedHat|CentOS)/ => 'dnsmasq',

deployment/puppet/osnailyfacter/modular/dns/dns-server.pp

@@ -1,12 +1,14 @@
 notice('MODULAR: dns-server.pp')
 
-$dns_servers        = hiera('external_dns')
-$primary_controller = hiera('primary_controller')
-$master_ip          = hiera('master_ip')
+$dns_servers            = hiera('external_dns')
+$primary_controller     = hiera('primary_controller')
+$master_ip              = hiera('master_ip')
+$management_vrouter_vip = hiera('management_vrouter_vip')
 
 class { 'osnailyfacter::dnsmasq':
-  external_dns => strip(split($dns_servers['dns_list'], ',')),
-  master_ip    => $master_ip,
+  external_dns           => strip(split($dns_servers['dns_list'], ',')),
+  master_ip              => $master_ip,
+  management_vrouter_vip => $management_vrouter_vip,
 } ->
 
 class { 'cluster::dns_ocf':

deployment/puppet/osnailyfacter/modular/ntp/ntp-client.pp

@@ -1,12 +1,13 @@
 notice('MODULAR: ntp-client.pp')
 
-$management_vip  = hiera('management_vrouter_vip')
-$nodes_hash      = hiera('nodes', {})
-$roles           = node_roles($nodes_hash, hiera('uid'))
+$management_vrouter_vip  = hiera('management_vrouter_vip')
+$nodes_hash              = hiera('nodes', {})
+$roles                   = node_roles($nodes_hash, hiera('uid'))
 
 if !(member($roles, 'controller') or member($roles, 'primary-controller')) {
   class { 'ntp':
-    servers        => [$management_vip],
+    servers        => [$management_vrouter_vip],
+    interfaces     => ['lo'],
     service_ensure => running,
     service_enable => true,
     iburst_enable  => true,

deployment/puppet/osnailyfacter/modular/ntp/ntp-server.pp

@@ -1,9 +1,11 @@
 notice('MODULAR: ntp-server.pp')
 
-$ntp_servers        = hiera('external_ntp')
+$ntp_servers            = hiera('external_ntp')
+$management_vrouter_vip = hiera('management_vrouter_vip')
 
 class { 'ntp':
   servers        => strip(split($ntp_servers['ntp_list'], ',')),
+  interfaces     => [$management_vrouter_vip],
   service_enable => false,
   service_ensure => stopped,
   iburst_enable  => true,

deployment/puppet/osnailyfacter/templates/dnsmasq.conf.erb

@@ -1,3 +1,5 @@
 domain=<%= scope.lookupvar('::domain') %>
 server=/<%= scope.lookupvar('::domain') %>/<%= @master_ip %>
 resolv-file=/etc/resolv.dnsmasq.conf
+bind-interfaces
+listen-address=<%= @management_vrouter_vip %>

files/fuel-ha-utils/ocf/ns_ntp

@@ -179,7 +179,7 @@ ntp_start()
   fi
 
   # run the ntp binary
-        ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -g -c ${CONF_FILE}
+  ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c ${CONF_FILE}
   if [ $? -ne 0 ]; then
     ocf_log err "Error. ntp daemon returned error $?."
     return $OCF_ERR_GENERIC