Support additional IP so bind and unbound can collocate

Adds support for collocating bind and unbound resolver on the same host.
Also adds handling for standalone deployments.

This is a squashed commit of the original patch plus change
Id17dec07c2aa0a3b080eb05f71c637d6a422ec41 (commit
857807247d).  Squashing was necessary
since the original change broke CI.

Depends-On: I445418bb52fa38604c797a9dc69492edb0a41a8c
Depends-On: I398d24406bafdb34dd0cf793ade8e4085d8fd1b0
Change-Id: Icdc6267b92f6272a7f296759e5ce9752dd42fab0
(cherry picked from commit 807d5a6e5b)
Brent Eagles 2021-04-13 15:37:22 -02:30
parent 5ed35095e1
commit 497582342b
2 changed files with 75 additions and 1 deletions


@ -32,6 +32,7 @@ parameter_defaults:
RpcPort: 31459
NotifyPort: 5672
ContainerCli: podman
UnboundListenIPs: ["192.168.24.20"]
ExtraFirewallRules:
'301 allow arbitrary tcp rule':
dport: 12345


@ -52,6 +52,30 @@ parameters:
description: When true, Unbound will block certain queries that could
have security implications to the Unbound service.
type: boolean
UnboundDesignateIntegration:
default: true
description: When true, Unbound will be configured to listen on an
unique IP so it can co-exist with bind on same host. Set
to false to run unbound independently of designate
type: boolean
UnboundListenIPs:
default: []
description: A list of IPs to add to the externally accessible interface
(e.g. interface on the external network or the VIP interface
in standalone). If provided, the number of IPs must match the
number of deployed Unbound instances. If left empty,
the deployment will create additonal IPs using the external
network.
type: comma_delimited_list
conditions:
public_net_is_ctlplane:
equals:
- {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, UnboundNetwork]}]}
- {get_param: [ServiceData, net_vip_map, ctlplane]}
resources:
@ -119,9 +143,56 @@ outputs:
with_items:
- { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
external_deploy_tasks:
- name: Get list of provided listen ips
when:
- step|int == 1
set_fact:
unbound_listen_ips: { get_param: UnboundListenIPs }
- name: Distribute configured unbound listen IPs across nodes
when:
- step|int == 1
- unbound_listen_ips|length > 0
block:
- name: Set the unbound host ip fact
set_fact:
tripleo_unbound_listen_interfaces: "[ '{{ item.0 }}' ]"
delegate_to: "{{ item.1 }}"
delegate_facts: true
with_together:
- "{{ unbound_listen_ips }}"
- "{{ groups.unbound }}"
- name: Handle a bind and unbound collocated on the same host
when:
- step|int == 1
- unbound_listen_ips|length == 0
block:
- name: Create a neutron port for a new address
os_port:
state: present
network:
if:
- public_net_is_ctlplane
- 'ctlplane'
- { get_param: [ServiceNetMap, PublicNetwork] }
no_security_groups: True
name: "unbound-designate-{{ item }}-integration-port"
register: _unbound_designate_ports
with_items:
- "{{ groups.unbound }}"
- name: Set the unbound host ip fact
set_fact:
tripleo_unbound_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]"
delegate_to: "{{ item.item }}"
delegate_facts: true
with_items:
- "{{ _unbound_designate_ports.results }}"
deploy_steps_tasks:
- name: Configure Unbound
when: step|int == 0
when: step|int == 1
import_role:
name: tripleo_unbound
vars:
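Review bot: The `with_together` loop in "Distribute configured unbound listen IPs across nodes" never checks that `unbound_listen_ips` and `groups.unbound` have the same length, even though the UnboundListenIPs description makes that a requirement; `with_together` pads the shorter list with None, so a short list would silently set `tripleo_unbound_listen_interfaces` to `[ 'None' ]` on the leftover hosts and a long list would presumably fail on `delegate_to: None`. An `assert` task under the same `when` conditions, placed before the distribution task, fails fast with a clear message (below). In "Create a neutron port for a new address" the port is created with `no_security_groups: True`, so the new listen address relies entirely on Unbound's own access control; a comment such as `# no neutron SG: access is restricted by UnboundAllowedCIDRs in the Unbound config` would record that decision, and `true` matches the file's lowercase booleans better than `True`. The `vars:` mapping of "Configure Unbound" continues past the end of the hunk, and the earlier hunk's description has a typo ("additonal").
```yaml
- name: Verify one listen IP is provided per unbound host
  when:
    - step|int == 1
    - unbound_listen_ips|length > 0
  assert:
    that:
      - unbound_listen_ips|length == groups.unbound|length
    fail_msg: "UnboundListenIPs must contain exactly one address per Unbound host"
# … unchanged: Distribute configured unbound listen IPs across nodes …
```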
@ -132,3 +203,5 @@ outputs:
tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration}
tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}