Designate: use extra IP for bind/unbound colocation on the bind9 backend

Using the standard DF supplied IP for the unbound resolver instead of the bind instance makes resolver integration with neutron a great deal more straightforward. This patch introduces ansible tasks for configuring the bind service to run on an alternate IP. Change-Id: I0a5d647cbfb01722f5ecdacd0dd07b839a71eb14
2022-05-04 09:59:01 -02:30 · 2022-05-04 09:59:01 -02:30 · a0004cf138
commit a0004cf138
parent 84a6731a1a
8 changed files with 206 additions and 6 deletions
--- a/tripleo_ansible/roles/designate_bind_config/molecule/default/converge.yml
+++ b/tripleo_ansible/roles/designate_bind_config/molecule/default/converge.yml
@ -24,3 +24,4 @@
      vars:
        designate_named_conf_path: "/etc"
        ctlplane_ip: "192.168.24.32"
+        tripleo_dns_listen_interfaces: ['127.0.0.1']
--- a/tripleo_ansible/roles/designate_bind_config/tasks/configure_interfaces.yml
+++ b/tripleo_ansible/roles/designate_bind_config/tasks/configure_interfaces.yml
@ -0,0 +1,91 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Find the interface for the public API network
+  tripleo_findif_for_ip:
+    ip_address: "{{ lookup('vars', tripleo_designate_bind_network + '_ip') }}"
+  register:
+    _public_api_interface
+
+# Using ifup-local to ensure the IP address is always set follows a pattern used
+# for resetting VF counts used in the SR-IOV support. The file shouldn't be
+# wiped clean because it may be being used for other things (e.g. SR-IOV)
+- name: create ifup-local if it doesn't exist
+  become: true
+  lineinfile:
+    create: true
+    path: "/sbin/ifup-local"
+    state: present
+    line: "#!/bin/bash"
+    insertbefore: BOF
+    mode: 0755
+
+# The following two blocks set the IP on the interface and add a line to
+# ifup-local to make sure the IP persists through reboots or ifup/ifdown
+# cycles. The comment at the end of the line in ifup-local serves as an anchor
+# to the regexp parameter to lineinfile. These will have to be modified when
+# moving to NetworkManager only environments.
+- name: If specified, have the dns service listen on a different IP (version 4)
+  when:
+    - tripleo_dns_listen_interfaces[0]|ipv4
+    - (_public_api_interface.interface is defined) and (_public_api_interface.interface|length > 0)
+  become: true
+  block:
+    - name: Check if the address is already on the device.
+      shell: "ip -o addr show dev {{ _public_api_interface.interface }} | grep {{ tripleo_dns_listen_interfaces[0] }}"
+      failed_when: false
+      register:
+        _current_addr_search
+
+    - name: Set the unbound additional IPv4 address on the required device.
+      command: "ip addr add {{ tripleo_dns_listen_interfaces[0] }}/32 dev {{ _public_api_interface.interface }}"
+      when:
+        _current_addr_search.rc == 1
+
+    - name: Add line to ifup-local to make sure unbound's listen IPv4 address is set on restart
+      become: true
+      lineinfile:
+        path: "/sbin/ifup-local"
+        line: '[ "{{ _public_api_interface.interface }}" == "$1" ] && ip addr add {{ tripleo_dns_listen_interfaces[0] }}/32 dev {{ _public_api_interface.interface }} # Designate collocated DNS services'
+        regexp: 'collocated_unbound_bind'
+        state: present
+
+
+- name: If specified, have the dns service listen on a different IP (version 6)
+  when:
+    - tripleo_dns_listen_interfaces[0]|ipv6
+    - (_public_api_interface.interface is defined) and (_public_api_interface.interface|length > 0)
+  become: true
+  block:
+    - name: Check if the address is already on the device.
+      shell: "ip -o addr show dev {{ _public_api_interface.interface }} | grep {{ tripleo_dns_listen_interfaces[0] }}"
+      failed_when: false
+      register:
+        _current_addr_search
+
+    - name: Set the unbound additional IPv6 address on the required device.
+      command: "ip addr add {{ tripleo_dns_listen_interfaces[0] }}/128 dev {{ _public_api_interface.interface }}"
+      when:
+        _current_addr_search.rc == 1
+
+
+    - name: Add line to ifup-local to make sure unbound's listen IPv6 address is set on restart
+      become: true
+      lineinfile:
+        path: "/sbin/ifup-local"
+        line: '[ "{{ _public_api_interface.interface }}" == "$1" ] && ip addr add {{ tripleo_dns_listen_interfaces[0] }}/128 dev {{ _public_api_interface.interface }} # Designate collocated DNS services'
+        regexp: 'collocated_unbound_bind'
+        state: present
--- a/tripleo_ansible/roles/designate_bind_config/tasks/create_collocated_ips.yml
+++ b/tripleo_ansible/roles/designate_bind_config/tasks/create_collocated_ips.yml
@ -0,0 +1,20 @@
+---
+- name: Create a neutron port for a new address
+  os_port:
+    state: present
+    network: "{{ network_name }}"
+    fixed_ips:
+      - subnet_id: "{{ subnet_id }}"
+    no_security_groups: True
+    name: "designate-{{ item }}-integration-port"
+  register: _dns_designate_ports
+  with_items:
+    - "{{ hosts_for_ports }}"
+
+- name: Set the unbound host ip fact
+  set_fact:
+    tripleo_dns_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]"
+  delegate_to: "{{ item.item }}"
+  delegate_facts: true
+  with_items:
+    - "{{ _dns_designate_ports.results }}"
--- a/tripleo_ansible/roles/designate_bind_config/tasks/distribute_extra_ips.yml
+++ b/tripleo_ansible/roles/designate_bind_config/tasks/distribute_extra_ips.yml
@ -0,0 +1,9 @@
+---
+- name: Distribute unique designate bind/unbound IPs across hosts
+  set_fact:
+    tripleo_extra_dns_interface: "[ '{{ item.0 }}' ]"
+  delegate_to: "{{ item.1 }}"
+  delegate_facts: true
+  with_together:
+    - "{{ designate_collocate_ips }}"
+    - "{{ hosts_for_ports }}"
--- a/tripleo_ansible/roles/designate_bind_config/templates/options.conf.j2
+++ b/tripleo_ansible/roles/designate_bind_config/templates/options.conf.j2
@ -2,11 +2,20 @@ options {
 	allow-new-zones yes;
 	directory "/var/named-persistent";

-	{% if external_ip|default(ctlplane_ip)|ipv4 %}
-	listen-on port 53 { {{ external_ip|default(ctlplane_ip) }};  };
-	{% elif external_ip|default(ctlplane_ip)|ipv6 %}
-	listen-on-v6 port 53 { {{ external_ip|default(ctlplane_ip) }}; };
+{% if tripleo_dns_listen_interfaces is defined %}
+	{% if tripleo_dns_listen_interfaces[0]|ipv4 %}
+	listen-on port 53 { {{ tripleo_dns_listen_interfaces[0] }};  };
+	{% elif tripleo_dns_listen_interfaces[0]|ipv6 %}
+	listen-on-v6 port 53 { {{ tripleo_dns_listen_interfaces[0] }};  };
 	{% endif %}
+	allow-notify { {{ tripleo_dns_listen_interfaces[0] }}; };
+{% else %}
+        {% if external_ip|default(ctlplane_ip)|ipv4 %}
+        listen-on port 53 { {{ external_ip|default(ctlplane_ip) }};  };
+        {% elif external_ip|default(ctlplane_ip)|ipv6 %}
+        listen-on-v6 port 53 { {{ external_ip|default(ctlplane_ip) }}; };
+        {% endif %}
+{% endif %}

 	{% if bind_lmdb_mapsize is defined %}
 	lmdb-mapsize {{ bind_lmdb_mapsize }};
--- a/tripleo_ansible/roles/designate_bind_config/templates/rndc.conf.j2
+++ b/tripleo_ansible/roles/designate_bind_config/templates/rndc.conf.j2
@ -1,3 +1,7 @@
 controls {
-	inet {{ external_ip|default(ctlplane_ip)|default('127.0.0.1') }} allow { {{ rndc_allowed_addresses|join(';') }}; } keys { "rndc-key"; };
+{% if tripleo_dns_listen_interfaces is defined %}
+	inet {{ tripleo_dns_listen_interfaces[0] }} allow { {{ rndc_allowed_addresses|join(';') }}; } keys { "rndc-key"; };
+{% else %}
+        inet {{ external_ip|default(ctlplane_ip)|default('127.0.0.1') }} allow { {{ rndc_allowed_addresses|join(';') }}; } keys { "rndc-key"; };
+{% endif %}
 };
--- a/tripleo_ansible/roles/designate_bind_pool/tasks/main.yml
+++ b/tripleo_ansible/roles/designate_bind_pool/tasks/main.yml
@ -1,10 +1,20 @@
 ---
 # XXX (beagles) which permissions?
- name: create bind pool configuration for designate
+- name: create bind pool configuration for designate with framework IPS
  become: true
  template:
      src: pools.yaml.j2
      dest: "{{ designate_pool_config_file_path }}"
+  when:
+    - alternate_bind is not defined
+
+- name: create bind pool configuration for designate with extra collocation IPs
+  become: true
+  template:
+      src: pools-extra.yaml.j2
+      dest: "{{ designate_pool_config_file_path }}"
+  when:
+    - alternate_bind is defined

 - name: ensure rndc key path exists
  become: true
--- a/tripleo_ansible/roles/designate_bind_pool/templates/pools-extra.yaml.j2
+++ b/tripleo_ansible/roles/designate_bind_pool/templates/pools-extra.yaml.j2
@ -0,0 +1,56 @@
+- name: default
+  # The name is immutable. There will be no option to change the name after
+  # creation and the only way will to change it will be to delete it
+  # (and all zones associated with it) and recreate it.
+  description: Default Pool
+
+  attributes: {}
+
+  # List out the NS records for zones hosted within this pool
+  # This should be a record that is created outside of designate, that
+  # points to the public IP of the controller node.
+  ns_records:
+    {% for nameserver in designate_bind_node_ips -%}
+    - hostname: ns{{ loop.index }}.{{ pool_zone_domain }}.
+      priority: {{ loop.index }}
+    {% endfor %}
+
+  # List out the nameservers for this pool. These are the actual BIND servers.
+  # We use these to verify changes have propagated to all nameservers.
+  nameservers:
+    {% for nameserver in groups.designate_bind -%}
+
+    - host: {{ hostvars[nameserver].tripleo_dns_listen_interfaces[0] }}
+      port: 53
+    {% endfor %}
+
+  # List out the targets for this pool. For BIND there will be one
+  # entry for each BIND server, as we have to run rndc command on each server
+  targets:
+    {% for server in groups.designate_bind -%}
+    - type: bind9
+      description: BIND9 Server {{ loop.index }}
+
+      # List out the designate-mdns servers from which BIND servers should
+      # request zone transfers (AXFRs) from.
+      # This should be the IP of the controller node.
+      # If you have multiple controllers you can add multiple masters
+      # by running designate-mdns on them, and adding them here.
+      # XXX(beagles): these are just internal API atm but there really needs to
+      # be a public VIP endpoint for each and will be addressed in a followup
+      # patch.
+      masters:
+        {% for minidns_server in designate_mdns_node_ips -%}
+        - host: {{ minidns_server }}
+          port: 5354
+        {% endfor %}
+
+      # BIND Configuration options
+      options:
+        host: {{ hostvars[server].tripleo_dns_listen_interfaces[0] }}
+        port: 53
+        rndc_host: {{ hostvars[server].tripleo_dns_listen_interfaces[0] }}
+        rndc_port:  953
+        rndc_key_file: {{ keyfile_base_path|default('/etc/designate/private/bind') }}{{ loop.index }}.key
+
+    {% endfor %}