Move resolvconf JIT execution to common tasks

Use include_role in a common-tasks include to execute the resolvconf role when unbound is used. Change-Id: Id70f3d5dc66701a1fb593e6309b071d0e38ea282
2017-09-16 12:57:20 -05:00 · 2017-09-16 12:57:20 -05:00 · 718f790a37
parent 4e4343d7d8
commit 718f790a37
40 changed files with 227 additions and 251 deletions
--- a/group_vars/all/all.yml
+++ b/group_vars/all/all.yml
@ -119,4 +119,3 @@ ansible_ssh_extra_args: >

 # Toggle whether the service is deployed in a container or not
 is_metal: "{{ properties.is_metal | default(false) }}"
-
--- a/host_vars/.placeholder
+++ b/host_vars/.placeholder
--- a/host_vars/localhost.yml
+++ b/host_vars/localhost.yml
@ -0,0 +1,22 @@
+---
+# Copyright 2017, Logan Vig <logan2211@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resolvconf_enabled: "{{ groups['unbound'] is defined and groups['unbound'] | length > 0 }}"
+unbound_physical_hosts: >-
+  {{ groups[resolvconf_resolver_group] |
+    map('extract', hostvars, 'physical_host') |
+    select('defined') |
+    list
+  }}
--- a/playbooks/ceph-install.yml
+++ b/playbooks/ceph-install.yml
@ -26,6 +26,10 @@
    - include: common-tasks/os-lxc-container-setup.yml
      vars:
        list_of_bind_mounts: "{{ ceph_container_bind_mounts }}"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
    #TODO: mgariepy, revisit to use include_role when https://github.com/ansible/ansible/issues/20077 is fixed
    - name: install the ceph stable repository key
@ -130,6 +134,10 @@
        log_dirs:
          - src: "/openstack/log/{{ inventory_hostname }}-ceph"
            dest: "/var/log/ceph"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
    #TODO: mgariepy, revisit to use include_role when https://github.com/ansible/ansible/issues/20077 is fixed
    - name: install the ceph stable repository key
--- a/playbooks/common-playbooks/cinder.yml
+++ b/playbooks/common-playbooks/cinder.yml
@ -68,6 +68,11 @@
          - src: "/openstack/log/{{ inventory_hostname }}-cinder"
            dest: "/var/log/cinder"

+    - include: ../common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
+
    - name: Configure package proxy cache
      include: ../common-tasks/package-cache-proxy.yml

--- a/playbooks/common-playbooks/glance.yml
+++ b/playbooks/common-playbooks/glance.yml
@ -55,6 +55,11 @@
          - src: "/openstack/log/{{ inventory_hostname }}-glance"
            dest: "/var/log/glance"

+    - include: ../common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
+
    - name: Configure package proxy cache
      include: ../common-tasks/package-cache-proxy.yml

--- a/playbooks/common-playbooks/neutron.yml
+++ b/playbooks/common-playbooks/neutron.yml
@ -63,6 +63,11 @@
      when:
        - "'neutron_calico_dhcp_agent' in group_names"

+    - include: ../common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
+
    - name: Configure package proxy cache
      include: ../common-tasks/package-cache-proxy.yml

--- a/playbooks/common-playbooks/nova.yml
+++ b/playbooks/common-playbooks/nova.yml
@ -74,6 +74,11 @@
          - src: "/openstack/log/{{ inventory_hostname }}-nova"
            dest: "/var/log/nova"

+    - include: ../common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
+
    - name: Configure package proxy cache
      include: ../common-tasks/package-cache-proxy.yml

--- a/playbooks/common-playbooks/unbound-clients.yml
+++ b/playbooks/common-playbooks/unbound-clients.yml
@ -1,77 +0,0 @@
---
-# Copyright 2016, Logan Vig <logan2211@gmail.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Install unbound DNS resolver client configurations
-  gather_facts: true
-  hosts: "{{ unbound_group }}"
-  user: root
-  pre_tasks:
-    #gather a list of physical_hosts containing unbound containers
-    - name: Set unbound physical hosts fact
-      set_fact:
-        unbound_physical_hosts: >
-          {% set _var = [] -%}
-          {% for i in groups[resolvconf_resolver_group] -%}
-          {% if hostvars[i]['physical_host'] is defined -%}
-          {% if _var.append(hostvars[i]['physical_host']) -%}{% endif -%}
-          {% endif -%}
-          {% endfor -%}
-          {{ _var }}
-
-    #create a sorted resolver list with affinity toward unbound container(s)
-    #on the same physical_host
-    - name: Apply resolver sorting
-      set_fact:
-        resolver_list: >
-          {% set _var = [] -%}
-          {% for i in groups[resolvconf_resolver_group] -%}
-          {% if physical_host is defined
-            and hostvars[i]['physical_host'] is defined
-            and physical_host == hostvars[i]['physical_host'] -%}
-          {% if _var.append(dict(host=hostvars[i]['ansible_host'], priority=100)) -%}{% endif -%}
-          {% else -%}
-          {% if _var.append(dict(host=hostvars[i]['ansible_host'], priority=50)) -%}{% endif -%}
-          {% endif -%}
-          {% endfor -%}
-          {{ _var }}
-      when:
-        - physical_host is defined
-        - physical_host in unbound_physical_hosts
-
-    - name: Set resolver IP list fact
-      set_fact:
-        resolvconf_resolver_ips: "{{ resolver_list | sort(reverse=true, attribute='priority') | map(attribute='host') | list }}"
-        resolvconf_options:
-          - 'timeout:1'
-      when:
-        - resolver_list is defined
-        - resolver_list | length > 0
-
-    #rotate is only used when no physical_host affinity is defined
-    - name: Set resolver rotate when physical_host is not an unbound host
-      set_fact:
-        resolvconf_options:
-          - 'timeout:1'
-          - 'rotate'
-      when:
-        - resolver_list is not defined
-  roles:
-    - role: "resolvconf"
-      tags:
-        - unbound_client
-  vars:
-    #Only run the resolvconf role when DNS containers are deployed to the env.
-    resolvconf_enabled: "{{ groups['unbound'] is defined and groups['unbound'] | length > 0 }}"
-  environment: "{{ deployment_environment_variables | default({}) }}"
--- a/playbooks/common-tasks/unbound-clients.yml
+++ b/playbooks/common-tasks/unbound-clients.yml
@ -0,0 +1,65 @@
+---
+# Copyright 2017, Logan Vig <logan2211@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#create a sorted resolver list with affinity toward unbound container(s)
+#on the same physical_host
+- name: Apply resolver sorting
+  set_fact:
+    resolver_list: |-
+      {% set _var = [] %}
+      {% for host in groups[resolvconf_resolver_group] %}
+      {%   if physical_host is defined and
+              hostvars[host]['physical_host'] is defined
+              and physical_host == hostvars[host]['physical_host'] %}
+      {%     set _prio = 100 %}
+      {%   else %}
+      {%     set _prio = 50 %}
+      {%   endif %}
+      {%   set _ = _var.append({
+             'host': hostvars[host]['ansible_host'],
+             'priority': _prio
+           })
+      %}
+      {% endfor %}
+      {{ _var |
+         sort(reverse=true, attribute='priority') |
+         map(attribute='host') |
+         list
+      }}
+  when:
+    - physical_host is defined
+    - physical_host in hostvars['localhost']['unbound_physical_hosts']
+
+- name: Set resolver IP list fact
+  set_fact:
+    resolvconf_resolver_ips: "{{ resolver_list }}"
+    resolvconf_options:
+      - 'timeout:1'
+  when:
+    - resolver_list is defined
+    - resolver_list | length > 0
+
+#rotate is only used when no physical_host affinity is defined
+- name: Set resolver rotate when physical_host is not an unbound host
+  set_fact:
+    resolvconf_options:
+      - 'timeout:1'
+      - 'rotate'
+  when:
+    - resolver_list is not defined
+
+- name: Include the resolvconf role
+  include_role:
+    name: resolvconf
--- a/playbooks/etcd-install.yml
+++ b/playbooks/etcd-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "etcd_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install etcd server cluster
  hosts: etcd_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -26,6 +20,10 @@
  user: root
  pre_tasks:
    - include: common-tasks/os-lxc-container-setup.yml
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "etcd"
--- a/playbooks/galera-install.yml
+++ b/playbooks/galera-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "galera_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Galera container config
  hosts: galera_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -36,6 +30,10 @@
        list_of_bind_mounts: "{{ galera_container_bind_mounts }}"
        extra_container_config_no_restart:
          - "lxc.start.order=10"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  vars:
    is_metal: "{{ properties.is_metal|default(false) }}"
--- a/playbooks/haproxy-install.yml
+++ b/playbooks/haproxy-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "haproxy"
-  when:
-    - resolvconf_enabled | bool
-
 - name: haproxy base config
  hosts: haproxy
  gather_facts: "{{ gather_facts | default(True) }}"
@ -30,6 +24,10 @@
        log_dirs:
          - src: "/openstack/log/{{ inventory_hostname }}-haproxy"
            dest: "/var/log/haproxy"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
  roles:
    - role: "keepalived"
      when: haproxy_use_keepalived | bool
--- a/playbooks/inventory/localhost
+++ b/playbooks/inventory/localhost
@ -0,0 +1,2 @@
+[all]
+localhost
--- a/playbooks/memcached-install.yml
+++ b/playbooks/memcached-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "memcached"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install memcached
  hosts: memcached
  gather_facts: "{{ gather_facts | default(True) }}"
@ -31,6 +25,10 @@
        log_dirs:
          - src: "/openstack/log/{{ inventory_hostname }}-memcached"
            dest: "/var/log/memcached"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "memcached_server"
--- a/playbooks/os-aodh-install.yml
+++ b/playbooks/os-aodh-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "aodh_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install the aodh components
  hosts: aodh_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -49,6 +43,10 @@
        login_host: "{{ aodh_galera_address }}"
        db_name: "{{ aodh_galera_database }}"
      when: inventory_hostname == groups['aodh_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_aodh"
--- a/playbooks/os-barbican-install.yml
+++ b/playbooks/os-barbican-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "barbican_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Installation and setup of barbican
  hosts: barbican_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -49,6 +43,10 @@
        login_host: "{{ barbican_galera_address }}"
        db_name: "{{ barbican_galera_database }}"
      when: inventory_hostname == groups['barbican_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_barbican"
--- a/playbooks/os-ceilometer-install.yml
+++ b/playbooks/os-ceilometer-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "ceilometer_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install the ceilometer components
  hosts: ceilometer_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -41,6 +35,10 @@
        log_dirs:
          - src: "/openstack/log/{{ inventory_hostname }}-ceilometer"
            dest: "/var/log/ceilometer"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_ceilometer"
--- a/playbooks/os-cinder-install.yml
+++ b/playbooks/os-cinder-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "cinder_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Prepare MQ/DB services
  hosts: cinder_all
  gather_facts: no
--- a/playbooks/os-designate-install.yml
+++ b/playbooks/os-designate-install.yml
@ -16,12 +16,6 @@
 # (c) 2016 Donovan Francesco <donovan.francesco@is.co.za>
 # (c) 2016 Paul Stevens <paul.stevens@is.co.za>

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "designate_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install designate server
  hosts: designate_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -64,6 +58,10 @@
        login_host: "{{ designate_galera_address }}"
        db_name: "{{ designate_galera_database_name }}"
      when: inventory_hostname == groups['designate_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_designate"
--- a/playbooks/os-glance-install.yml
+++ b/playbooks/os-glance-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "glance_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Prepare MQ/DB services
  hosts: glance_all
  gather_facts: no
--- a/playbooks/os-gnocchi-install.yml
+++ b/playbooks/os-gnocchi-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "gnocchi_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install Gnocchi components
  hosts: gnocchi_all
  max_fail_percentage: 20
@ -47,6 +41,10 @@
        login_host: "{{ gnocchi_galera_address }}"
        db_name: "{{ gnocchi_galera_database }}"
      when: inventory_hostname == groups['gnocchi_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "ceph_client"
--- a/playbooks/os-heat-install.yml
+++ b/playbooks/os-heat-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "heat_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install heat server
  hosts: heat_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -62,6 +56,10 @@
        login_host: "{{ heat_galera_address }}"
        db_name: "{{ heat_galera_database }}"
      when: inventory_hostname == groups['heat_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_heat"
--- a/playbooks/os-horizon-install.yml
+++ b/playbooks/os-horizon-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "horizon_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install horizon server
  hosts: horizon_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -39,6 +33,10 @@
        login_host: "{{ horizon_galera_address }}"
        db_name: "{{ horizon_galera_database }}"
      when: inventory_hostname == groups['horizon_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_horizon"
--- a/playbooks/os-ironic-install.yml
+++ b/playbooks/os-ironic-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "ironic_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Installation and setup of Ironic
  hosts: ironic_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -43,6 +37,10 @@
        login_host: "{{ ironic_galera_address }}"
        db_name: "{{ ironic_galera_database }}"
      when: inventory_hostname == groups['ironic_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_ironic"
--- a/playbooks/os-keystone-install.yml
+++ b/playbooks/os-keystone-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "keystone_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Prepare MQ/DB services
  hosts: keystone_all
  gather_facts: no
@ -101,6 +95,11 @@
          - src: "/openstack/log/{{ inventory_hostname }}-keystone"
            dest: "/var/log/keystone"

+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
+
    - name: Configure package proxy cache
      include: common-tasks/package-cache-proxy.yml

--- a/playbooks/os-magnum-install.yml
+++ b/playbooks/os-magnum-install.yml
@ -16,12 +16,6 @@
 # (c) 2016 Donovan Francesco <donovan.francesco@is.co.za>
 # (c) 2016 Paul Stevens <paul.stevens@is.co.za>

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "magnum_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install magnum server
  hosts: magnum_all
  max_fail_percentage: 20
@ -33,6 +27,10 @@
        log_dirs:
          - src: "/openstack/log/{{ inventory_hostname }}-magnum"
            dest: "/var/log/magnum"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/rabbitmq-vhost-user.yml
      static: no
      vars:
--- a/playbooks/os-molteniron-install.yml
+++ b/playbooks/os-molteniron-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "molteniron_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Installation and setup of molteniron
  hosts: molteniron_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -35,6 +29,10 @@
            dest: "/var/log/molteniron"
            owner: "syslog"
            group: "syslog"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
  roles:
    - role: "os_molteniron"
      molteniron_venv_tag: "{{ openstack_release }}"
--- a/playbooks/os-neutron-install.yml
+++ b/playbooks/os-neutron-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "neutron_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Configure Neutron dynamic host groupings
  hosts: localhost
  gather_facts: no
--- a/playbooks/os-nova-install.yml
+++ b/playbooks/os-nova-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "nova_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Prepare MQ/DB services
  hosts: nova_conductor
  gather_facts: no
--- a/playbooks/os-octavia-install.yml
+++ b/playbooks/os-octavia-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "octavia_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install octavia server
  hosts: octavia_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -50,6 +44,10 @@
        login_host: "{{ octavia_galera_address }}"
        db_name: "{{ octavia_galera_database }}"
      when: inventory_hostname == groups['octavia_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_octavia"
--- a/playbooks/os-rally-install.yml
+++ b/playbooks/os-rally-install.yml
@ -13,17 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "utility_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Installation and setup of Rally
  hosts: utility_all
  gather_facts: "{{ gather_facts | default(True) }}"
  user: root
  pre_tasks:
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/mysql-db-user.yml
      static: no
      vars:
--- a/playbooks/os-sahara-install.yml
+++ b/playbooks/os-sahara-install.yml
@ -11,12 +11,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "sahara_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install sahara server
  hosts: sahara_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -59,6 +53,10 @@
        login_host: "{{ sahara_galera_address }}"
        db_name: "{{ sahara_galera_database }}"
      when: inventory_hostname == groups['sahara_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_sahara"
--- a/playbooks/os-swift-install.yml
+++ b/playbooks/os-swift-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "swift_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Installation and setup of Swift
  hosts: swift_all:swift_remote_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -38,6 +32,10 @@
            # NOTE(hwoarang) The syslog user on openSUSE belongs to the 'users'
            # group. There is no dedicated syslog group.
            group: "{{ (ansible_pkg_mgr == 'zypper') | ternary ('users', 'syslog') }}"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml

    # If we're using ceilometer then swift needs a rabbitmq/vhost & usera
--- a/playbooks/os-trove-install.yml
+++ b/playbooks/os-trove-install.yml
@ -16,12 +16,6 @@
 # (c) 2016 Donovan Francesco <donovan.francesco@is.co.za>
 # (c) 2016 Paul Stevens <paul.stevens@is.co.za>

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "trove_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install trove server
  hosts: trove_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -64,6 +58,10 @@
        login_host: "{{ trove_galera_address }}"
        db_name: "{{ trove_galera_database_name }}"
      when: inventory_hostname == groups['trove_all'][0]
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_trove"
--- a/playbooks/rabbitmq-install.yml
+++ b/playbooks/rabbitmq-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "rabbitmq_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Create and configure rabbitmq container
  hosts: "{{ rabbitmq_host_group | default('rabbitmq_all') }}"
  serial: 1
@ -31,6 +25,10 @@
      vars:
        extra_container_config_no_restart:
          - "lxc.start.order=19"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "system_crontab_coordination"
--- a/playbooks/repo-server.yml
+++ b/playbooks/repo-server.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "repo_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Setup repo servers
  hosts: repo_all
  gather_facts: "{{ gather_facts | default(True) }}"
@ -52,6 +46,11 @@
      when:
        - repo_build_git_cache is defined
        - _local_git_cache.stat.exists
+
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
  roles:
    - role: "repo_server"
    - role: "rsyslog_client"
--- a/playbooks/rsyslog-install.yml
+++ b/playbooks/rsyslog-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "rsyslog"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Install rsyslog
  hosts: rsyslog
  gather_facts: "{{ gather_facts | default(True) }}"
@ -32,6 +26,10 @@
            mount_path: "/openstack/{{ inventory_hostname }}/log-storage"
        extra_container_config_no_restart:
          - "lxc.start.order=19"
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "rsyslog_server"
--- a/playbooks/unbound-install.yml
+++ b/playbooks/unbound-install.yml
@ -34,8 +34,14 @@
  vars:
    is_metal: "{{ properties.is_metal|default(false) }}"

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "{{ openstack_host_group|default('hosts') }}:{{ lxc_host_group | default('lxc_hosts') }}"
-  when:
-    - resolvconf_enabled | bool
+- name: Install unbound DNS resolver client configurations
+  hosts:
+    - "!unbound"
+    - "{{ openstack_host_group|default('hosts') }}"
+  user: root
+  tasks:
+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
+  environment: "{{ deployment_environment_variables | default({}) }}"
--- a/playbooks/utility-install.yml
+++ b/playbooks/utility-install.yml
@ -13,12 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include: common-playbooks/unbound-clients.yml
-  vars:
-    unbound_group: "utility_all"
-  when:
-    - resolvconf_enabled | bool
-
 - name: Setup the utility location(s)
  hosts: utility_all
  max_fail_percentage: 20
@ -32,6 +26,11 @@
          - src: "/openstack/log/{{ inventory_hostname }}-utility"
            dest: "/var/log/utility"

+    - include: common-tasks/unbound-clients.yml
+      static: no
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
+
    - include: common-tasks/package-cache-proxy.yml

    - name: Create log directory (not is_metal)