Merge "Add support for collocating Unbound and bind on the same host"

.ansible-lint

@@ -44,6 +44,7 @@ mock_modules:
     - tripleo_derive_hci_parameters
     - tripleo_diff_exec
     - tripleo_fernet_keys_rotate
+    - tripleo_findif_for_ip
     - tripleo_generate_ansible_inventory
     - tripleo_generate_overcloudrc
     - tripleo_get_flatten_stack

tripleo_ansible/roles/tripleo_unbound/tasks/collocated_bind.yml

@@ -0,0 +1,74 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Find the interface for the public API network
+  tripleo_findif_for_ip:
+    ip_address: "{{ lookup('vars', tripleo_unbound_bind_network + '_ip') }}"
+  register:
+    _public_api_interface
+
+# Using ifup-local to ensure the IP address is always set follows a pattern used
+# for resetting VF counts used in the SR-IOV support. The file shouldn't be
+# wiped clean because it may be being used for other things (e.g. SR-IOV)
+- name: create ifup-local if it doesn't exist
+  become: true
+  lineinfile:
+    create: true
+    path: "/sbin/ifup-local"
+    state: present
+    line: "#!/bin/bash"
+    insertbefore: BOF
+    mode: 0755
+
+# The following two blocks set the IP on the interface and add a line to
+# ifup-local to make sure the IP persists through reboots or ifup/ifdown
+# cycles. The comment at the end of the line in ifup-local serves as an anchor
+# to the regexp parameter to lineinfile. These will have to be modified when
+# moving to NetworkManager only environments.
+- name: If specified, have Unbound listen on a different IP (version 4)
+  when:
+    - tripleo_unbound_listen_interfaces[0]|ipv4
+    - (_public_api_interface.interface is defined) and (_public_api_interface.interface|length > 0)
+  become: true
+  block:
+    - name: Set the unbound additional IPv4 address on the required device.
+      command: "ip addr add {{ tripleo_unbound_listen_interfaces[0] }}/32 dev {{ _public_api_interface.interface }}"
+
+    - name: Add line to ifup-local to make sure unbound's listen IPv4 address is set on restart
+      become: true
+      lineinfile:
+        path: "/sbin/ifup-local"
+        line: '[ "{{ _public_api_interface.interface }}" == "$1" ] && ip addr add {{ tripleo_unbound_listen_interfaces[0] }}/32 dev {{ _public_api_interface.interface }} # collocated_unbound_bind'
+        regexp: 'collocated_unbound_bind'
+        state: present
+
+
+- name: If specified, have Unbound listen on a different IP (version 6)
+  when:
+    - tripleo_unbound_listen_interfaces[0]|ipv6
+    - (_public_api_interface.interface is defined) and (_public_api_interface.interface|length > 0)
+  become: true
+  block:
+    - name: Set the unbound additional IPv6 address on the required device.
+      command: "ip addr add {{ tripleo_unbound_listen_interfaces[0] }}/128 dev {{ _public_api_interface.interface }}"
+
+    - name: Add line to ifup-local to make sure unbound's listen IPv6 address is set on restart
+      become: true
+      lineinfile:
+        path: "/sbin/ifup-local"
+        line: '[ "{{ _public_api_interface.interface }}" == "$1" ] && ip addr add {{ tripleo_unbound_listen_interfaces[0] }}/128 dev {{ _public_api_interface.interface }} # collocated_unbound_bind'
+        regexp: 'collocated_unbound_bind'
+        state: present

tripleo_ansible/roles/tripleo_unbound/tasks/main.yml

@@ -14,6 +14,13 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+- name: If specified, configure Unbound to listen on a specific IP address
+  import_tasks: collocated_bind.yml
+  when:
+    - tripleo_unbound_listen_interfaces is defined
+    - tripleo_unbound_designate_integration|bool
+    - (tripleo_unbound_bind_network is defined) and (tripleo_unbound_bind_network|length > 0)
+
 - name: create directory {{ tripleo_unbound_config_basedir }}
   become: true
   ansible.builtin.file:

tripleo_ansible/roles/tripleo_unbound/templates/tripleo-base-unbound.conf.j2

@@ -18,7 +18,7 @@ distribution.
 server:
 
 {# The interface unbound should listen on. x.x.x.x x::x #}
-{% for interface in unbound_vars.tripleo_unbound_listen_interfaces %}
+{% for interface in unbound_vars.tripleo_unbound_listen_ips %}
     interface: {{ interface }}
 {% endfor %}
 {# We are in a container, stay in the foreground #}

tripleo_ansible/roles/tripleo_unbound/templates/unbound_build_vars.j2

@@ -15,11 +15,15 @@ https://review.opendev.org/c/openstack/tripleo-ansible/+/773784
 {# Get the unbound listen interface IP address #}
 
 {% if tripleo_unbound_listen_interfaces is not defined or tripleo_unbound_listen_interfaces == "" %}
-  {% if tripleo_unbound_network_name is defined and tripleo_unbound_network_name != "" %}
-    {% set tripleo_unbound_listen_interfaces = [hostvars[inventory_hostname][tripleo_unbound_network_name + "_ip"]] %}
+  {% if hostvars[inventory_hostname].tripleo_unbound_listen_interfaces is defined and hostvars[inventory_hostname].tripleo_unbound_listen_interfaces != "" %}
+    {% set tripleo_unbound_listen_ips = [hostvars[inventory_hostname].tripleo_unbound_listen_interfaces] %}
+  {% elif tripleo_unbound_network_name is defined and tripleo_unbound_network_name != "" %}
+    {% set tripleo_unbound_listen_ips = [hostvars[inventory_hostname][tripleo_unbound_network_name + "_ip"]] %}
   {% else %}
-    {% set tripleo_unbound_listen_interfaces = ['127.0.0.1'] %}
+    {% set tripleo_unbound_listen_ips = ['127.0.0.1'] %}
   {% endif %}
+{% else %}
+    {% set tripleo_unbound_listen_ips = tripleo_unbound_listen_interfaces %}
 {% endif %}
 
 {# Get the cloud "external" subnet CIDRs to allow for queries #}