Add bind9 backend parameter to allow bypassing bind configuration
Adds designate::backend::bind9::configure_bind parameter to allow
bypassing the dns puppet module. This is necessary when bind is not
installed on same host as designate.
Change-Id: I3e94e3846fb97f0a0a5d25b2f5a1ef02e88a84b2
(cherry picked from commit d68a16c853
)
This commit is contained in:
parent
6b2b21876f
commit
a6244026a4
|
@ -24,22 +24,55 @@
|
|||
# (optional) Hash defining controls configuration for rndc.
|
||||
# Defaults to undef, which uses the puppet-dns default
|
||||
#
|
||||
# [*configure_bind*]
|
||||
# (optional) Enables running named configuration for hosts where designate and
|
||||
# designate bind services are collocated.
|
||||
# Defaults to true
|
||||
#
|
||||
class designate::backend::bind9 (
|
||||
$rndc_host = '127.0.0.1',
|
||||
$rndc_port = '953',
|
||||
$rndc_config_file = '/etc/rndc.conf',
|
||||
$rndc_key_file = '/etc/rndc.key',
|
||||
$rndc_controls = undef,
|
||||
$configure_bind = true,
|
||||
) {
|
||||
|
||||
include designate::deps
|
||||
include designate
|
||||
if $rndc_controls {
|
||||
class { 'dns':
|
||||
controls => $rndc_controls,
|
||||
if $configure_bind {
|
||||
if $rndc_controls {
|
||||
class { 'dns':
|
||||
controls => $rndc_controls,
|
||||
}
|
||||
} else {
|
||||
include dns
|
||||
}
|
||||
} else {
|
||||
include dns
|
||||
concat::fragment { 'dns allow-new-zones':
|
||||
target => $::dns::optionspath,
|
||||
content => 'allow-new-zones yes;',
|
||||
order => '20',
|
||||
}
|
||||
|
||||
# Recommended by Designate docs as a mitigation for potential cache
|
||||
# poisoning attacks:
|
||||
# https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
|
||||
concat::fragment { 'dns minimal-responses':
|
||||
target => $::dns::optionspath,
|
||||
content => 'minimal-responses yes;',
|
||||
order => '21',
|
||||
}
|
||||
|
||||
# /var/named is root:named on RedHat and /var/cache/bind is root:bind on
|
||||
# Debian. Both groups only have read access but require write permission in
|
||||
# order to be able to use rndc addzone/delzone commands that Designate uses.
|
||||
# NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
|
||||
# removing this from puppet-openstack-integration. Once that has been done
|
||||
# the ensure_resource wrapper could be removed.
|
||||
ensure_resource('file', $::dns::params::vardir, {
|
||||
mode => 'g+w',
|
||||
require => Package[$::dns::params::dns_server_package]
|
||||
})
|
||||
}
|
||||
|
||||
designate_config {
|
||||
|
@ -49,29 +82,4 @@ class designate::backend::bind9 (
|
|||
'backend:bind9/rndc_key_file' : value => $rndc_key_file;
|
||||
}
|
||||
|
||||
concat::fragment { 'dns allow-new-zones':
|
||||
target => $::dns::optionspath,
|
||||
content => 'allow-new-zones yes;',
|
||||
order => '20',
|
||||
}
|
||||
|
||||
# Recommended by Designate docs as a mitigation for potential cache
|
||||
# poisoning attacks:
|
||||
# https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
|
||||
concat::fragment { 'dns minimal-responses':
|
||||
target => $::dns::optionspath,
|
||||
content => 'minimal-responses yes;',
|
||||
order => '21',
|
||||
}
|
||||
|
||||
# /var/named is root:named on RedHat and /var/cache/bind is root:bind on
|
||||
# Debian. Both groups only have read access but require write permission in
|
||||
# order to be able to use rndc addzone/delzone commands that Designate uses.
|
||||
# NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
|
||||
# removing this from puppet-openstack-integration. Once that has been done
|
||||
# the ensure_resource wrapper could be removed.
|
||||
ensure_resource('file', $::dns::params::vardir, {
|
||||
mode => 'g+w',
|
||||
require => Package[$::dns::params::dns_server_package]
|
||||
})
|
||||
}
|
||||
|
|
|
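Review bot: With `configure_bind => false` the `rndc_controls` hash is silently dropped, because the `if $rndc_controls` branch now sits inside `if $configure_bind`, yet the parameter comment added for `configure_bind` does not say so. That same branch is also where `allow-new-zones yes;`, `minimal-responses yes;` (the cache-poisoning mitigation cited in the comment) and the group-writable vardir are applied, so a remote named must carry all three out of band, and the defaults `rndc_host = '127.0.0.1'` and `rndc_key_file = '/etc/rndc.key'` then point at a host and key that nothing in this class manages. I would extend the comment under `# [*configure_bind*]` with `# When false, rndc_controls is ignored and rndc.conf/rndc.key on this host plus allow-new-zones, minimal-responses and a writable zone directory on the remote named must be provisioned separately.` and add `else { if $rndc_controls { warning('designate::backend::bind9: rndc_controls is ignored when configure_bind is false') } }` after the new block so the dropped setting is visible at catalog compile time. Since rndc traffic then leaves the host, the remote controls stanza should presumably restrict `allow` to the designate host's address and the shared key be distributed over a protected channel; I cannot tell from the hunk whether that is documented elsewhere. The class body continues past the end of the first hunk at `designate_config {`, and the second hunk only removes the lines moved into the new branch.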
@ -0,0 +1,6 @@
|
|||
---
|
||||
features:
|
||||
- add designate::backend::bind9::configure_bind (defaults to true) to
|
||||
bypass attempts to bind9 configuration in the event that bind9 resides on
|
||||
a different host.
|
||||
|
|
@ -18,6 +18,19 @@ describe 'designate::backend::bind9' do
|
|||
end
|
||||
end
|
||||
|
||||
context 'with named configuration disabled ' do
|
||||
let :params do
|
||||
{ :configure_bind => false }
|
||||
end
|
||||
it 'configures designate backend bind9 with default parameters' do
|
||||
is_expected.to contain_designate_config('backend:bind9/rndc_host').with_value('127.0.0.1')
|
||||
is_expected.to contain_designate_config('backend:bind9/rndc_port').with_value('953')
|
||||
is_expected.to contain_designate_config('backend:bind9/rndc_config_file').with_value('/etc/rndc.conf')
|
||||
is_expected.to contain_designate_config('backend:bind9/rndc_key_file').with_value('/etc/rndc.key')
|
||||
is_expected.not_to contain_concat_fragment('dns allow-new-zones')
|
||||
end
|
||||
end
|
||||
|
||||
context 'when overriding rndc_config_file' do
|
||||
let :params do
|
||||
{ :rndc_config_file => '/srv/designate/rndc.conf' }
|
||||
|
|
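Review bot: The `configure_bind => false` context asserts only that the `dns allow-new-zones` fragment is absent, so the case it exists for — a host without BIND, where the `dns` class, its package requirement, the `minimal-responses` fragment and the vardir file must all be skipped — is largely untested. I would add `is_expected.not_to contain_class('dns')` and `is_expected.not_to contain_concat_fragment('dns minimal-responses')` next to the existing `not_to` line, and an `is_expected.not_to contain_file(...)` for the vardir if the existing default-parameter examples already resolve `$::dns::params::vardir` to a concrete path per OS. The example description `'configures designate backend bind9 with default parameters'` is copied from the default context and could read `'does not configure named'`, and the context label `'with named configuration disabled '` carries a trailing space. The enclosing `describe` block starts outside the hunk.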