puppet-designate/manifests/backend/bind9.pp
Brent Eagles d68a16c853 Add bind9 backend parameter to allow bypassing bind configuration
Adds designate::backend::bind9::configure_bind parameter to allow
bypassing the dns puppet module. This is necessary when bind is not
installed on same host as designate.

Change-Id: I3e94e3846fb97f0a0a5d25b2f5a1ef02e88a84b2
2021-02-25 11:06:35 -03:30


# == Class: designate::backend::bind9
#
# Configures the Designate bind9 backend: writes the backend:bind9 rndc
# settings to the Designate configuration and, optionally, manages the local
# named configuration through the puppet-dns module.
#
# == Parameters
#
# [*rndc_host*]
#   (optional) Host running the DNS service that Designate controls via rndc.
#   Defaults to '127.0.0.1'
#
# [*rndc_port*]
#   (optional) Port of the rndc control channel on rndc_host.
#   Defaults to '953'
#
# [*rndc_config_file*]
#   (optional) Location of the rndc configuration file.
#   Defaults to '/etc/rndc.conf'
#
# [*rndc_key_file*]
#   (optional) Location of the rndc key file.
#   Defaults to '/etc/rndc.key'
#
# [*rndc_controls*]
#   (optional) Hash defining the controls configuration handed to the dns
#   class. Only consulted when configure_bind is true.
#   Defaults to undef, which uses the puppet-dns default
#
# [*configure_bind*]
#   (optional) Whether to configure named on this host through the dns
#   module (options fragments and the writable zone directory). Set to false
#   when bind is not installed on the same host as designate; the rndc_*
#   settings are still written to the Designate configuration in that case and
#   are presumably expected to describe the remote server.
#   Defaults to true
#
class designate::backend::bind9 (
  $rndc_host        = '127.0.0.1',
  $rndc_port        = '953',
  $rndc_config_file = '/etc/rndc.conf',
  $rndc_key_file    = '/etc/rndc.key',
  $rndc_controls    = undef,
  $configure_bind   = true,
) {

  include designate::deps
  include designate

  if $configure_bind {
    # A custom controls hash needs a resource-like class declaration; when
    # none is given a plain include is used so other manifests may declare
    # dns as well.
    if $rndc_controls {
      class { 'dns':
        controls => $rndc_controls,
      }
    } else {
      include dns
    }

    # allow-new-zones is what lets the rndc addzone/delzone commands used by
    # Designate succeed. minimal-responses is recommended by the Designate
    # docs as a mitigation for potential cache poisoning attacks:
    # https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
    concat::fragment {
      'dns allow-new-zones':
        target  => $::dns::optionspath,
        content => 'allow-new-zones yes;',
        order   => '20';
      'dns minimal-responses':
        target  => $::dns::optionspath,
        content => 'minimal-responses yes;',
        order   => '21';
    }

    # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
    # Debian. Both groups only have read access but require write permission
    # in order to be able to use the rndc addzone/delzone commands that
    # Designate uses.
    # NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
    # removing this from puppet-openstack-integration. Once that has been done
    # the ensure_resource wrapper could be removed.
    ensure_resource('file', $::dns::params::vardir, {
      mode    => 'g+w',
      require => Package[$::dns::params::dns_server_package],
    })
  }

  # Written regardless of configure_bind: the rndc settings are what the
  # Designate service itself reads.
  designate_config {
    'backend:bind9/rndc_host':        value => $rndc_host;
    'backend:bind9/rndc_port':        value => $rndc_port;
    'backend:bind9/rndc_config_file': value => $rndc_config_file;
    'backend:bind9/rndc_key_file':    value => $rndc_key_file;
  }
}