project-config/nodepool/elements/nodepool-base/finalise.d/89-boot-settings
Colleen Murphy 587b85ba36 Use iptables for openSUSE
In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor
of firewalld[1]. This commit updates the openSUSE nodeset to use plain
iptables rather than injecting iptables rules into the SuSEfirewall2
service. This will work on both Tumbleweed and Leap nodesets.

openSUSE provides no iptables-service package the way the RHEL family
does, so we can't fall back to that. Rather than try to convert iptables
rules to firewalld syntax, this change leverages init.d to ensure
iptables rules are loaded at boot. The 89-unbound script has been
co-opted for this purpose since it already creates
/etc/init.d/boot.local. Switched from `dd` to `cat`, which makes
conditionally composing the file more natural.

[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

Change-Id: Ia2b72e25078efa68019f1bf7c7a0b77e6ff702fd
2019-09-20 12:05:09 -07:00


#!/bin/bash
# Copyright (C) 2011-2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
# dib-lint: disable=set setu setpipefail indent
# Trace every command when the builder asks for it (DIB_DEBUG_TRACE > 0).
if [[ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]]; then
    set -x
fi
# Stop the image build on the first failing command.
set -e
#
# Note that in OpenStack infra, the configure-unbound role [1] that is
# part of the base jobs will reconfigure unbound based on the host's
# ipv6 support very early in the job setup. Thus the following
# forwarder setup is only relevant to the initial boot and some parts
# of the integration-tests before configure-unbound role is used.
#
# [1] https://opendev.org/opendev/base-jobs/src/branch/master/roles/configure-unbound
#
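# Upstream resolvers for unbound's forward-zone. Each may be overridden
# from the image builder's environment; the defaults below are used
# otherwise.
NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-1.0.0.1}
NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8}

# Explicitly setting a v6 nameserver implies you want ipv6. Both
# variables get an empty default here so the test is also safe under
# `set -u` (the fallback variable previously had none).
if [[ -n "${NODEPOOL_STATIC_NAMESERVER_V6:-}" || -n "${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-}" ]]; then
    NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6=1
fi

# The forward-zone is written straight into /etc/unbound. It used to be
# staged under the fixed, predictable name /tmp/forwarding.conf and then
# moved; a pre-existing file or symlink at that path would have decided
# what ended up as the resolver configuration, so the /tmp hop is gone.
if [[ "${NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6:-0}" == 1 ]]; then
    NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2606:4700:4700::1111}
    NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888}
    cat > /etc/unbound/forwarding.conf <<EOF
forward-zone:
name: "."
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V6
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK
EOF
else
    # Otherwise, only populate ipv4 nameservers here. We used to just
    # do both, but we found it unreliable on hosts/platforms without
    # ipv6 support (see
    # https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4188).
    cat > /etc/unbound/forwarding.conf <<EOF
forward-zone:
name: "."
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK
EOF
fi
# Root-owned and world-readable: unbound (running unprivileged) only needs
# to read it.
chown root:root /etc/unbound/forwarding.conf
chmod a+r /etc/unbound/forwarding.conf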
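# Where unbound is told to write its log. On the RHEL family the log lives
# under unbound's own state directory; elsewhere it goes to /var/log.
if [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora) ]] ; then
    LOG_FILE="/var/lib/unbound/unbound.log"
else
    LOG_FILE="/var/log/unbound.log"
fi

# Drop-in that disables chroot (so LOG_FILE is used as an absolute path)
# and turns logging up to the maximum verbosity. NOTE(review): verbosity 5
# records every query; combined with the 0644 log file below this makes
# the node's full DNS history readable by any local user. Presumably fine
# for throwaway CI nodes whose logs are collected by jobs — confirm before
# reusing this element elsewhere.
UNBOUND_LOGGING_CONF="\
server:
chroot: \"\"
logfile: \"$LOG_FILE\"
# Log debug messages
verbosity: 5"

# Locate the distro's unbound drop-in directory. Gentoo's unbound.conf does
# not include conf.d by itself, so an include line is appended there.
if [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora|opensuse) ]] ; then
    UNBOUND_CONFD=/etc/unbound/conf.d
elif [[ "$DISTRO_NAME" =~ 'gentoo' ]] ; then
    UNBOUND_CONFD=/etc/unbound/conf.d
    mkdir -p "$UNBOUND_CONFD"
    echo "include: \"$UNBOUND_CONFD/*.conf\"" >> /etc/unbound/unbound.conf
else
    UNBOUND_CONFD=/etc/unbound/unbound.conf.d
fi

# Write the drop-in directly into place rather than via a fixed,
# predictable path in /tmp (a pre-existing /tmp/unbound-logging.conf
# would otherwise have been clobbered/followed and then moved into
# /etc/unbound).
printf '%s\n' "$UNBOUND_LOGGING_CONF" > "$UNBOUND_CONFD/unbound-logging.conf"
chown root:root "$UNBOUND_CONFD/unbound-logging.conf"
chmod a+r "$UNBOUND_CONFD/unbound-logging.conf"

# Pre-create the /var/log log file owned by the unbound user so the daemon
# can append to it. On the RHEL family this is not the path in LOG_FILE
# above; the file under /var/lib/unbound is presumably created by unbound
# itself in its own directory — TODO confirm.
touch /var/log/unbound.log
chown unbound /var/log/unbound.log
chmod 0644 /var/log/unbound.log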
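# Pick the per-distro "run at boot" script that the boot-time commands
# below are written into.
if [[ "$DISTRO_NAME" =~ (opensuse) ]] ; then
    rclocal=/etc/init.d/boot.local
elif [[ "${DISTRO_NAME}" =~ "gentoo" ]]; then
    rclocal=/etc/local.d/unbound.start
    mkdir -p /etc/local.d
else
    # You'd think rc.local would be simple ...
    #
    # On Redhat systems, systemd's rc-local service looks for an
    # executable /etc/rc.d/rc.local file to run. On Debian/Ubuntu, the
    # equivalent file is /etc/rc.local, which is missing on Debian stretch.
    #
    # Centos' systemd package symlinks /etc/rc.local to /etc/rc.d/rc.local
    # correctly. Fedora, however, does not come with an rc.local file at
    # all. Thus if we have a rc.d directory, but no rc.local file, we
    # need to create it (if you don't have an rc.d directory, and don't
    # have /etc/rc.local, then it's not clear what platform you are on).
    #
    # Bug [1] is filed to bring Fedora in-line with Centos, and has more
    # details on all this. As at 2016-10-18 is unresolved.
    #
    # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1386052
    if [[ ! -e /etc/rc.local ]] && [[ ! -e /etc/debian_version ]]; then
        if [[ ! -d /etc/rc.d ]]; then
            # Diagnostic goes to stderr so it is not lost in captured stdout.
            echo "No rc.local and no rc.d directory! See comments in 89-boot-settings" >&2
            exit 1
        fi
        touch /etc/rc.d/rc.local
        ln -sf /etc/rc.d/rc.local /etc/rc.local
        # permissions added below. selinux context will be fixed up at
        # end of build.
    fi
    rclocal=/etc/rc.local
fi

# Overwrite /etc/resolv.conf at boot (let's hope nothing else is using
# rc.local...)
#
# The heredoc delimiter is quoted on purpose: nothing in this script body
# is meant to expand at image-build time, and the sed patterns (with
# their backslashes) must reach the boot script verbatim.
cat > "$rclocal" <<'EOF'
#!/bin/bash
set -o xtrace
# Some providers inject dynamic network config statically. Work around this
# for DNS nameservers. This is expected to fail on some nodes so remove -e.
set +e
sed -i -e 's/^\(DNS[0-9]*=[.0-9]\+\)/#\1/g' /etc/sysconfig/network-scripts/ifcfg-*
sed -i -e 's/^NETCONFIG_DNS_POLICY=.*/NETCONFIG_DNS_POLICY=""/g' /etc/sysconfig/network/config
set -e
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
EOF

# openSUSE doesn't have an iptables service, so apply the iptables rules
# at boot. The rules files are not created by this script. Because the
# boot script above runs with `set -e`, a missing or malformed rules file
# makes boot.local exit non-zero here — after resolv.conf has already
# been rewritten — and the node comes up WITHOUT the expected firewall
# rules rather than failing closed; keep that in mind when changing how
# /etc/sysconfig/iptables is produced.
if [[ "${DISTRO_NAME}" =~ (opensuse) ]] ; then
    cat >> "$rclocal" <<'EOF'
iptables-restore /etc/sysconfig/iptables
ip6tables-restore /etc/sysconfig/ip6tables
EOF
fi

cat >> "$rclocal" <<'EOF'
exit 0
EOF

# Debian/Ubuntu ship their dummy rc.local with +x permissions, but
# CentOS (and the file we created for Fedora) do not ... this is to
# avoid it holding up the boot as it relies on the network being up).
# Add +x so it runs.
chmod a+x "$rclocal"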
# Pull the forward-zone written earlier into the main unbound config.
printf '%s\n' 'include: /etc/unbound/forwarding.conf' >> /etc/unbound/unbound.conf

# Disable dlv by commenting out any dlv-anchor-file directive. Per the
# unbound.conf manpage dlv should not be used anymore, but some of our
# distros still ship it enabled. It performs DNSSEC lookaside queries,
# which adds traffic and extra points of lookup failure, so turn it off.
sed -i -e 's/dlv-anchor-file:/#dlv-anchor-file:/g' /etc/unbound/unbound.conf
# This defaults file must be in place to work around this bug:
# https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513
# The issue is fixed for Xenial so this is only required for Trusty.
# Trusty-only: unbound's /etc/default file must exist to work around
# https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513 (fixed in
# Xenial). The heredoc is literal; nothing in it expands.
if [[ "$DIB_RELEASE" == "trusty" ]]; then
    cat > /etc/default/unbound <<'EOF'
UNBOUND_ENABLE=true
ROOT_TRUST_ANCHOR_UPDATE=true
ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
RESOLVCONF=true
RESOLVCONF_FORWARDERS=false
EOF
fi
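# Tripleo uses dhcp: pin dhclient's DNS settings to the local unbound so a
# lease cannot replace the resolver. Only distros with a known dhclient
# config path are handled; others are left untouched.
dhcp_file=''
if [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora) ]] ; then
    dhcp_file=/etc/dhcp/dhclient-eth0.conf
elif [[ "$DISTRO_NAME" =~ (debian|ubuntu|gentoo) ]] ; then
    dhcp_file=/etc/dhcp/dhclient.conf
fi

if [[ -n "$dhcp_file" ]] ; then
    # Literal heredoc: "<hostname>" is dhclient syntax, not a shell
    # expansion, and must be written as-is.
    cat > "$dhcp_file" <<'EOF'
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name "<hostname>";
request subnet-mask, broadcast-address, routers,
interface-mtu, rfc3442-classless-static-routes;
supersede domain-name-servers 127.0.0.1;
supersede domain-search "";
supersede domain-name "";
EOF
fi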
# On bionic and later, the install of the new systemd-resolved in the
# chroot will see that there is no /etc/resolv.conf and assume it is a
# blank system where it will be the nameserver provider. It thus
# creates /etc/resolv.conf as a link back to its compatability files.
# To configure systemd-resolved's resolvers you need to modify
# /etc/systemd/resolved.conf; which would be possible, but we'd prefer
# to be consistent across all our platforms.
#
# dib will copy whatever is in /etc/resolv.conf.ORIG to
# /etc/resolv.conf as one of the final steps in image creation. Thus
# we are hard-coding resolution to localhost (unbound) here.
#
# Note that with /etc/resolv.conf as a regular file, systemd-resolved
# will also obey it for nameserver info when it starts at boot.
# Replace whatever dib saved as resolv.conf.ORIG with a localhost-only
# resolver entry; dib copies this file back to /etc/resolv.conf at the end
# of the image build.
rm -f /etc/resolv.conf.ORIG
printf '%s\n' 'nameserver 127.0.0.1' > /etc/resolv.conf.ORIG
# Enable the unbound service for the image's init system. upstart and sysv
# need nothing enabled here; anything else is a build error.
case "$DIB_INIT_SYSTEM" in
    systemd)
        systemctl enable unbound.service
        ;;
    openrc)
        rc-update add unbound default
        ;;
    upstart|sysv)
        # nothing to do
        ;;
    *)
        echo "Unsupported init system $DIB_INIT_SYSTEM"
        exit 1
        ;;
esac