Support additional IP so bind and unbound can collocate
Adds support for collocating bind and unbound resolver on the same host. Also adds handling for standalone deployments. This is a squashed commit of the original patch plus change Id17dec07c2aa0a3b080eb05f71c637d6a422ec41 (commit 857807247d). Squashing was necessary since the original change broke CI. Depends-On: I445418bb52fa38604c797a9dc69492edb0a41a8c Depends-On: I398d24406bafdb34dd0cf793ade8e4085d8fd1b0 Change-Id: Icdc6267b92f6272a7f296759e5ce9752dd42fab0 (cherry picked from commit 807d5a6e5b)
parent
5ed35095e1
commit
497582342b
|
@ -32,6 +32,7 @@ parameter_defaults:
|
||||||
RpcPort: 31459
|
RpcPort: 31459
|
||||||
NotifyPort: 5672
|
NotifyPort: 5672
|
||||||
ContainerCli: podman
|
ContainerCli: podman
|
||||||
|
UnboundListenIPs: ["192.168.24.20"]
|
||||||
ExtraFirewallRules:
|
ExtraFirewallRules:
|
||||||
'301 allow arbitrary tcp rule':
|
'301 allow arbitrary tcp rule':
|
||||||
dport: 12345
|
dport: 12345
|
||||||
|
|
|
@ -52,6 +52,30 @@ parameters:
|
||||||
description: When true, Unbound will block certain queries that could
|
description: When true, Unbound will block certain queries that could
|
||||||
have security implications to the Unbound service.
|
have security implications to the Unbound service.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
UnboundDesignateIntegration:
|
||||||
|
default: true
|
||||||
|
description: When true, Unbound will be configured to listen on an
|
||||||
|
unique IP so it can co-exist with bind on same host. Set
|
||||||
|
to false to run unbound independently of designate
|
||||||
|
type: boolean
|
||||||
|
UnboundListenIPs:
|
||||||
|
default: []
|
||||||
|
description: A list of IPs to add to the externally accessible interface
|
||||||
|
(e.g. interface on the external network or the VIP interface
|
||||||
|
in standalone). If provided, the number of IPs must match the
|
||||||
|
number of deployed Unbound instances. If left empty,
|
||||||
|
the deployment will create additonal IPs using the external
|
||||||
|
network.
|
||||||
|
type: comma_delimited_list
|
||||||
|
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
public_net_is_ctlplane:
|
||||||
|
equals:
|
||||||
|
- {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, UnboundNetwork]}]}
|
||||||
|
- {get_param: [ServiceData, net_vip_map, ctlplane]}
|
||||||
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
|
@ -119,9 +143,56 @@ outputs:
|
||||||
with_items:
|
with_items:
|
||||||
- { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
|
- { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
|
||||||
- { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
|
- { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
|
||||||
|
external_deploy_tasks:
|
||||||
|
- name: Get list of provided listen ips
|
||||||
|
when:
|
||||||
|
- step|int == 1
|
||||||
|
set_fact:
|
||||||
|
unbound_listen_ips: { get_param: UnboundListenIPs }
|
||||||
|
- name: Distribute configured unbound listen IPs across nodes
|
||||||
|
when:
|
||||||
|
- step|int == 1
|
||||||
|
- unbound_listen_ips|length > 0
|
||||||
|
block:
|
||||||
|
- name: Set the unbound host ip fact
|
||||||
|
set_fact:
|
||||||
|
tripleo_unbound_listen_interfaces: "[ '{{ item.0 }}' ]"
|
||||||
|
delegate_to: "{{ item.1 }}"
|
||||||
|
delegate_facts: true
|
||||||
|
with_together:
|
||||||
|
- "{{ unbound_listen_ips }}"
|
||||||
|
- "{{ groups.unbound }}"
|
||||||
|
|
||||||
|
- name: Handle a bind and unbound collocated on the same host
|
||||||
|
when:
|
||||||
|
- step|int == 1
|
||||||
|
- unbound_listen_ips|length == 0
|
||||||
|
block:
|
||||||
|
- name: Create a neutron port for a new address
|
||||||
|
os_port:
|
||||||
|
state: present
|
||||||
|
network:
|
||||||
|
if:
|
||||||
|
- public_net_is_ctlplane
|
||||||
|
- 'ctlplane'
|
||||||
|
- { get_param: [ServiceNetMap, PublicNetwork] }
|
||||||
|
no_security_groups: True
|
||||||
|
name: "unbound-designate-{{ item }}-integration-port"
|
||||||
|
register: _unbound_designate_ports
|
||||||
|
with_items:
|
||||||
|
- "{{ groups.unbound }}"
|
||||||
|
|
||||||
|
- name: Set the unbound host ip fact
|
||||||
|
set_fact:
|
||||||
|
tripleo_unbound_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]"
|
||||||
|
delegate_to: "{{ item.item }}"
|
||||||
|
delegate_facts: true
|
||||||
|
with_items:
|
||||||
|
- "{{ _unbound_designate_ports.results }}"
|
||||||
|
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
- name: Configure Unbound
|
- name: Configure Unbound
|
||||||
when: step|int == 0
|
when: step|int == 1
|
||||||
import_role:
|
import_role:
|
||||||
name: tripleo_unbound
|
name: tripleo_unbound
|
||||||
vars:
|
vars:
|
||||||
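Review bot: Nothing enforces the rule stated in the UnboundListenIPs description that the number of IPs must equal the number of unbound hosts; in the "Distribute configured unbound listen IPs across nodes" block, `with_together` pads the shorter list with null, so a short list leaves the remaining hosts with `tripleo_unbound_listen_interfaces` rendered from a null item, while a long list silently drops the extra IPs. I would add, as the first task of that block, `- name: Verify one listen IP was provided per unbound host`, `assert:`, `that: unbound_listen_ips|length == groups.unbound|length` so a mismatch fails at step 1 instead of producing a broken listener. In the collocated branch, `no_security_groups: True` creates the integration port with Neutron filtering disabled and the commit gives no rationale, so a comment such as `# NOTE: no Neutron security groups on this port; reachability is expected to be limited by UnboundAllowedCIDRs and host firewall rules — confirm` would record the intent (and `true` is the canonical YAML boolean). The same task allocates the port on `ServiceNetMap.PublicNetwork` while the later hunk derives `tripleo_unbound_bind_network` from `ServiceNetMap.UnboundNetwork`; if those two can differ in a deployment, the new address may be allocated on a network other than the one unbound binds to, which is worth confirming.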
|
@ -132,3 +203,5 @@ outputs:
|
||||||
tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
|
tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
|
||||||
tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
|
tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
|
||||||
tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
|
tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
|
||||||
|
tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration}
|
||||||
|
tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}
|
||||||
|
|