#!/bin/bash
# Copyright (C) 2011-2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.

# dib-lint: disable=set setu setpipefail indent

# Command tracing is opt-in: a DIB_DEBUG_TRACE greater than 0 turns on
# 'set -x' (unset or empty counts as 0).  Keep in mind that the trace
# echoes every generated path and forwarder address below into the
# build log.
[ "${DIB_DEBUG_TRACE:-0}" -gt 0 ] && set -x

# Stop at the first failing command.  'set -u' and pipefail are not
# used in this file (the dib-lint directive above silences those
# checks), so unset variables expand to empty rather than aborting.
set -e

#
# Note that in OpenStack infra, the configure-unbound role [1] that is
# part of the base jobs will reconfigure unbound based on the host's
# ipv6 support very early in the job setup. Thus the following
# forwarder setup is only relevant to the initial boot and some parts
# of the integration-tests before configure-unbound role is used.
#
# [1] https://opendev.org/opendev/base-jobs/src/branch/master/roles/configure-unbound
#

# Upstream forwarders handed to unbound.  The defaults are public
# resolvers (1.0.0.1 is Cloudflare, 8.8.8.8 is Google); operators
# override them through the environment.  Whether queries to them go
# out in the clear or over TLS depends on the forward-zone config
# written below, which is not visible in this copy.
NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-1.0.0.1}
NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8}

# Explicitly setting a v6 nameserver implies you want ipv6
# (the _FALLBACK test lacks the ':-' default its sibling has; that only
# matters under 'set -u', which this file does not enable).
if [[ -n ${NODEPOOL_STATIC_NAMESERVER_V6:-} || -n ${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK} ]]; then
    NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6=1
fi

if [[ ${NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6:-0} == 1 ]]; then
    # v6 defaults: Cloudflare and Google again.
    NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2606:4700:4700::1111}
    NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888}
    # NOTE(review): everything between this redirection and the
    # /tmp/unbound-logging.conf reference -- presumably the heredoc that
    # writes the forward-zone into /tmp/forwarding.conf, the 'fi' closing
    # this block, and whatever produces /tmp/unbound-logging.conf -- is
    # not present in this copy; it looks lost in extraction.  Read as
    # written, this line would copy unbound-logging.conf over
    # forwarding.conf.  Confirm against the original file.
    dd of=/tmp/forwarding.conf < /tmp/unbound-logging.conf

# Pick the drop-in directory unbound reads on this distro.  On gentoo
# an include line is appended to unbound.conf (presumably because the
# stock file has none); note that append is not idempotent -- running
# the element twice leaves a duplicate include line.
if [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora|opensuse) ]] ; then
    UNBOUND_CONFD=/etc/unbound/conf.d
elif [[ "$DISTRO_NAME" =~ 'gentoo' ]] ; then
    UNBOUND_CONFD=/etc/unbound/conf.d
    mkdir -p $UNBOUND_CONFD
    echo "include: \"$UNBOUND_CONFD/*.conf\"" >> /etc/unbound/unbound.conf
else
    UNBOUND_CONFD=/etc/unbound/unbound.conf.d
fi

# Install the logging drop-in: root-owned, world-readable.  Its
# contents are generated outside this view -- TODO confirm it carries
# no secrets before relying on 'a+r'.
mv /tmp/unbound-logging.conf $UNBOUND_CONFD
chown root:root $UNBOUND_CONFD/unbound-logging.conf
chmod a+r $UNBOUND_CONFD/unbound-logging.conf

# Pre-create the log file so the unbound user can write it.  0644 makes
# it readable by every local account; if the drop-in above enables
# query logging, that exposes the node's DNS history -- TODO confirm
# what the logging config records.
touch /var/log/unbound.log
chown unbound /var/log/unbound.log
chmod 0644 /var/log/unbound.log

# Locate the distro's boot-time "local" script; the resolv.conf
# overwrite further down is installed there.
if [[ "$DISTRO_NAME" =~ (opensuse) ]] ; then
    rclocal=/etc/init.d/boot.local
elif [[ "${DISTRO_NAME}" =~ "gentoo" ]]; then
    rclocal=/etc/local.d/unbound.start
    mkdir -p /etc/local.d
else
    # You'd think rc.local would be simple ...
    #
    # On Redhat systems, systemd's rc-local service looks for an
    # executable /etc/rc.d/rc.local file to run. On Debian/Ubuntu, the
    # eqivalent file is /etc/rc.local, which is missing on Debian stretch.
    #
    # Centos' systemd package symlinks /etc/rc.local to /etc/rc.d/rc.local
    # correctly. Fedora, however, does not come with an rc.local file at
    # all. Thus if we have a rc.d directory, but no rc.local file, we
    # need to create it (if you don't have an rc.d directory, and don't
    # have /etc/rc.local, then it's not clear what platform you are on).
    #
    # Bug [1] is filed to bring Fedora in-line with Centos, and has more
    # details on all this. As at 2016-10-18 is unresolved.
    #
    # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1386052
    if [[ ! -e /etc/rc.local ]] && [[ ! -e /etc/debian_version ]]; then
        if [[ ! -d /etc/rc.d ]]; then
            # Fatal: unknown platform layout.  (Message goes to stdout;
            # "89-boot-settings" presumably names this script -- confirm.)
            echo "No rc.local and no rc.d directory! See comments in 89-boot-settings"
            exit 1
        fi
        touch /etc/rc.d/rc.local
        ln -sf /etc/rc.d/rc.local /etc/rc.local
        # permissions added below. selinux context will be fixed up at
        # end of build.
    fi
    rclocal=/etc/rc.local
fi

# Overwrite /etc/resolv.conf at boot (let's hope nothing else is using
# rc.local...)
# NOTE(review): '>$rclocal' replaces the entire boot script, which runs
# as root on every boot, so the generated body deserves the same review
# as any other root-executed file.  Only the 'EOF' terminator of that
# heredoc survives in this copy -- the body appears lost in extraction;
# confirm against the original file.
cat >$rclocal < /etc/resolv.conf EOF

# openSUSE doesn't have an iptables service, so apply the iptables rules at boot
# NOTE(review): the heredoc(s) appended to $rclocal here, the 'fi' that
# should close this branch, and whatever is appended to
# /etc/unbound/unbound.conf are not visible in this copy -- appears lost
# in extraction.
if [[ "${DISTRO_NAME}" =~ (opensuse) ]] ; then
    cat >>$rclocal <>$rclocal <> /etc/unbound/unbound.conf

# Disable dlv. Per the unbound.conf manpage this should not be used
# anymore but is in use by some of our distros. The problem here is it
# does lookasides for DNSSEC which increases the number of queries and
# introduces more points of lookup failure. Disable it to avoid these
# problems.
# (GNU 'sed -i' form; the expression is a fixed literal, so nothing
# from the environment reaches it.)
sed -i -e 's/dlv-anchor-file:/#dlv-anchor-file:/g' /etc/unbound/unbound.conf

# This defaults file must be in place to work around this bug:
# https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513
# The issue is fixed for Xenial so this is only required for Trusty.
if [ "$DIB_RELEASE" == "trusty" ] ; then
    # NOTE(review): the heredoc bodies for /etc/default/unbound and for
    # $dhcp_file (and the assignment of dhcp_file itself) are not
    # visible in this copy -- appears lost in extraction.  The surviving
    # fragment reads like dhclient.conf 'request'/'supersede' directives
    # pinning domain-name-servers to 127.0.0.1 so a DHCP lease cannot
    # displace the local unbound as resolver -- confirm against the
    # original file.
    cat > /etc/default/unbound < $dhcp_file <"; request subnet-mask, broadcast-address, routers, interface-mtu, rfc3442-classless-static-routes; supersede domain-name-servers 127.0.0.1; supersede domain-search ""; supersede domain-name ""; EOF
fi

# On bionic and later, the install of the new systemd-resolved in the
# chroot will see that there is no /etc/resolv.conf and assume it is a
# blank system where it will be the nameserver provider. It thus
# creates /etc/resolv.conf as a link back to its compatability files.
# To configure systemd-resolved's resolvers you need to modify
# /etc/systemd/resolved.conf; which would be possible, but we'd prefer
# to be consistent across all our platforms.
#
# dib will copy whatever is in /etc/resolv.conf.ORIG to
# /etc/resolv.conf as one of the final steps in image creation. Thus
# we are hard-coding resolution to localhost (unbound) here.
#
# Note that with /etc/resolv.conf as a regular file, systemd-resolved
# will also obey it for nameserver info when it starts at boot.
#
# As written, 127.0.0.1 is the only nameserver: every lookup on the
# node depends on unbound coming up at boot, with no fallback resolver.
rm -f /etc/resolv.conf.ORIG
echo "nameserver 127.0.0.1" > /etc/resolv.conf.ORIG

# Enable the unbound service for the image's init system.  Unknown
# init systems abort the build (the message goes to stdout rather than
# stderr).
case "$DIB_INIT_SYSTEM" in
    upstart)
        # nothing to do
        ;;
    systemd)
        systemctl enable unbound.service
        ;;
    openrc)
        rc-update add unbound default
        ;;
    sysv)
        # nothing to do
        ;;
    *)
        echo "Unsupported init system $DIB_INIT_SYSTEM"
        exit 1
        ;;
esac