Add support for collocating Unbound and bind on the same host

In designate deployments, bind and unbound might be collocated and need to be bound to the same port on the same network. This patch supports adding a unique IP so that the two services can do that. Conflicts: tripleo_ansible/roles/tripleo_unbound/tasks/main.yml Change-Id: I445418bb52fa38604c797a9dc69492edb0a41a8c (cherry picked from commit e8db40f753)
2021-04-16 12:24:06 -02:30 · 2021-04-16 12:24:06 -02:30 · 862f876dcd
commit 862f876dcd
parent 6d0523b6ff
5 changed files with 90 additions and 4 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -41,6 +41,7 @@ mock_modules:
    - tripleo_derive_hci_parameters
    - tripleo_diff_exec
    - tripleo_fernet_keys_rotate
+    - tripleo_findif_for_ip
    - tripleo_generate_ansible_inventory
    - tripleo_generate_overcloudrc
    - tripleo_get_flatten_stack
--- a/tripleo_ansible/roles/tripleo_unbound/tasks/collocated_bind.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/tasks/collocated_bind.yml
@ -0,0 +1,74 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Find the interface for the public API network
+  tripleo_findif_for_ip:
+    ip_address: "{{ lookup('vars', tripleo_unbound_bind_network + '_ip') }}"
+  register:
+    _public_api_interface
+
+# Using ifup-local to ensure the IP address is always set follows a pattern used
+# for resetting VF counts used in the SR-IOV support. The file shouldn't be
+# wiped clean because it may be being used for other things (e.g. SR-IOV)
+- name: create ifup-local if it doesn't exist
+  become: true
+  lineinfile:
+    create: true
+    path: "/sbin/ifup-local"
+    state: present
+    line: "#!/bin/bash"
+    insertbefore: BOF
+    mode: 0755
+
+# The following two blocks set the IP on the interface and add a line to
+# ifup-local to make sure the IP persists through reboots or ifup/ifdown
+# cycles. The comment at the end of the line in ifup-local serves as an anchor
+# to the regexp parameter to lineinfile. These will have to be modified when
+# moving to NetworkManager only environments.
+- name: If specified, have Unbound listen on a different IP (version 4)
+  when:
+    - tripleo_unbound_listen_interfaces[0]|ipv4
+    - (_public_api_interface.interface is defined) and (_public_api_interface.interface|length > 0)
+  become: true
+  block:
+    - name: Set the unbound additional IPv4 address on the required device.
+      command: "ip addr add {{ tripleo_unbound_listen_interfaces[0] }}/32 dev {{ _public_api_interface.interface }}"
+
+    - name: Add line to ifup-local to make sure unbound's listen IPv4 address is set on restart
+      become: true
+      lineinfile:
+        path: "/sbin/ifup-local"
+        line: '[ "{{ _public_api_interface.interface }}" == "$1" ] && ip addr add {{ tripleo_unbound_listen_interfaces[0] }}/32 dev {{ _public_api_interface.interface }} # collocated_unbound_bind'
+        regexp: 'collocated_unbound_bind'
+        state: present
+
+
+- name: If specified, have Unbound listen on a different IP (version 6)
+  when:
+    - tripleo_unbound_listen_interfaces[0]|ipv6
+    - (_public_api_interface.interface is defined) and (_public_api_interface.interface|length > 0)
+  become: true
+  block:
+    - name: Set the unbound additional IPv6 address on the required device.
+      command: "ip addr add {{ tripleo_unbound_listen_interfaces[0] }}/128 dev {{ _public_api_interface.interface }}"
+
+    - name: Add line to ifup-local to make sure unbound's listen IPv6 address is set on restart
+      become: true
+      lineinfile:
+        path: "/sbin/ifup-local"
+        line: '[ "{{ _public_api_interface.interface }}" == "$1" ] && ip addr add {{ tripleo_unbound_listen_interfaces[0] }}/128 dev {{ _public_api_interface.interface }} # collocated_unbound_bind'
+        regexp: 'collocated_unbound_bind'
+        state: present
--- a/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
@ -32,6 +32,13 @@
    selevel: s0
    state: present

+- name: If specified, configure Unbound to listen on a specific IP address
+  import_tasks: collocated_bind.yml
+  when:
+    - tripleo_unbound_listen_interfaces is defined
+    - tripleo_unbound_designate_integration|bool
+    - (tripleo_unbound_bind_network is defined) and (tripleo_unbound_bind_network|length > 0)
+
 - name: create directory {{ tripleo_unbound_config_basedir }}
  become: true
  ansible.builtin.file:
--- a/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-base-unbound.conf.j2
+++ b/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-base-unbound.conf.j2
@ -18,7 +18,7 @@ distribution.
 server:

 {# The interface unbound should listen on. x.x.x.x x::x #}
-{% for interface in unbound_vars.tripleo_unbound_listen_interfaces %}
+{% for interface in unbound_vars.tripleo_unbound_listen_ips %}
    interface: {{ interface }}
 {% endfor %}
 {# We are in a container, stay in the foreground #}
--- a/tripleo_ansible/roles/tripleo_unbound/templates/unbound_build_vars.j2
+++ b/tripleo_ansible/roles/tripleo_unbound/templates/unbound_build_vars.j2
@ -15,11 +15,15 @@ https://review.opendev.org/c/openstack/tripleo-ansible/+/773784
 {# Get the unbound listen interface IP address #}

 {% if tripleo_unbound_listen_interfaces is not defined or tripleo_unbound_listen_interfaces == "" %}
-  {% if tripleo_unbound_network_name is defined and tripleo_unbound_network_name != "" %}
-    {% set tripleo_unbound_listen_interfaces = [hostvars[inventory_hostname][tripleo_unbound_network_name + "_ip"]] %}
+  {% if hostvars[inventory_hostname].tripleo_unbound_listen_interfaces is defined and hostvars[inventory_hostname].tripleo_unbound_listen_interfaces != "" %}
+    {% set tripleo_unbound_listen_ips = [hostvars[inventory_hostname].tripleo_unbound_listen_interfaces] %}
+  {% elif tripleo_unbound_network_name is defined and tripleo_unbound_network_name != "" %}
+    {% set tripleo_unbound_listen_ips = [hostvars[inventory_hostname][tripleo_unbound_network_name + "_ip"]] %}
  {% else %}
-    {% set tripleo_unbound_listen_interfaces = ['127.0.0.1'] %}
+    {% set tripleo_unbound_listen_ips = ['127.0.0.1'] %}
  {% endif %}
+{% else %}
+    {% set tripleo_unbound_listen_ips = tripleo_unbound_listen_interfaces %}
 {% endif %}

 {# Get the cloud "external" subnet CIDRs to allow for queries #}