openstack/tripleo-heat-templates
Code Issues Proposed changes

Add the Unbound DNS resolver service

Browse Source 
This patch addes TripleO support for the Unbound DNS resolver service.
This service will initially be used by the Designate service.

Change-Id: I8135ce4f344aeb7c0cf7521e0ba42335c4c7bbc8
This commit is contained in:
Michael Johnson 2021-02-02 18:41:31 +00:00
parent 04f9e4f73a
commit 773fccb7c1
17 changed files with 153 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ci/environments/scenario000-standalone.yaml
View File

@ -175,6 +175,7 @@ resource_registry:
OS::TripleO::Services::TripleoUI: OS::Heat::None
OS::TripleO::Services::Tuned: OS::Heat::None
# OS::TripleO::Services::UndercloudMinionMessaging: ../../deployment/undercloud/minion-rabbitmq-puppet.yaml
OS::TripleO::Services::Unbound: OS::Heat::None
OS::TripleO::Services::UndercloudTLS: OS::Heat::None
OS::TripleO::Services::UndercloudUpgrade: OS::Heat::None
OS::TripleO::Services::VRTSHyperScale: OS::Heat::None

1
ci/environments/scenario003-standalone.yaml
View File

@ -18,6 +18,7 @@ resource_registry:
OS::TripleO::Services::DesignateWorker: ../../deployment/experimental/designate/designate-worker-container-puppet.yaml
OS::TripleO::Services::DesignateMDNS: ../../deployment/experimental/designate/designate-mdns-container-puppet.yaml
OS::TripleO::Services::Redis: ../../deployment/database/redis-container-puppet.yaml
OS::TripleO::Services::Unbound: ../../deployment/unbound/unbound-container-ansible.yaml
parameter_defaults:
Debug: true

134
deployment/unbound/unbound-container-ansible.yaml Normal file
View File

@ -0,0 +1,134 @@
heat_template_version: rocky
description: >
OpenStack containerized Unbound DNS resolver
parameters:
ContainerUnboundImage:
description: image
type: string
ContainerUnboundConfigImage:
description: The container image to use for the unbound config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
MonitoringSubscriptionUnbound:
default: 'overcloud-unbound'
type: string
# Unbound specific parameters
UnboundAllowedCIDRs:
default: []
description: A list of CIDRs allowed to make queries through Unbound.
Example, ['192.0.2.0/24', '198.51.100.0/24']
type: comma_delimited_list
UnboundLogQueries:
default: false
description: If true, Unbound will log the query requests.
type: boolean
UnboundSecurityHarden:
default: true
description: When true, Unbound will block certain queries that could
have security implications to the Unbound service.
type: boolean
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Unbound instance.
value:
service_name: unbound
firewall_rules:
'140 unbound udp':
proto: 'udp'
dport:
- 53
'141 unbound tcp':
proto: 'tcp'
dport:
- 53
- 853
monitoring_subscription: {get_param: MonitoringSubscriptionUnbound}
config_settings: {}
service_config_settings: {}
kolla_config:
/var/lib/kolla/config_files/unbound.json:
command: /usr/sbin/unbound -d -d -p
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/etc/unbound/conf.d/"
merge: true
owner: unbound:unbound
perm: '0640'
permissions:
- path: /var/log/unbound
owner: unbound:unbound
recurse: true
docker_config:
step_3:
unbound:
start_order: 1
image: {get_param: ContainerUnboundImage}
net: host
privileged: false
restart: always
healthcheck:
test: /usr/sbin/unbound-streamtcp -u . SOA IN
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /run/:/run/
- /var/lib/kolla/config_files/unbound.json:/var/lib/kolla/config_files/config.json:ro
- /var/log/containers/unbound:/var/log/unbound:z
- /var/lib/config-data/ansible-generated/unbound:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode }}"
with_items:
- { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
deploy_steps_tasks:
- name: Configure Unbound
when: step|int == 0
import_role:
name: tripleo_unbound
vars:
tripleo_unbound_config_basedir: /var/lib/config-data/ansible-generated/unbound
tripleo_unbound_network_name: {get_param: [ServiceNetMap, UnboundNetwork]}
tripleo_unbound_external_network_name: {get_param: [ServiceNetMap, PublicNetwork]}
tripleo_unbound_internal_network_name: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}

1
environments/enable-designate.yaml
View File

@ -18,3 +18,4 @@ resource_registry:
OS::TripleO::Services::DesignateProducer: ../deployment/experimental/designate/designate-producer-container-puppet.yaml
OS::TripleO::Services::DesignateWorker: ../deployment/experimental/designate/designate-worker-container-puppet.yaml
OS::TripleO::Services::Redis: ../deployment/database/redis-container-puppet.yaml
OS::TripleO::Services::Unbound: ../deployment/unbound/unbound-container-ansible.yaml

1
network/service_net_map.j2.yaml
View File

@ -89,6 +89,7 @@ parameters:
EtcdNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
# HaproxyNetwork currently only controls the haproxy.stats network binding
HaproxyNetwork: ctlplane
UnboundNetwork: {{ _service_nets.get('external', 'ctlplane') }}
# We special-case the default ResolveNetwork and MetricsQdrNetwork for the Ceph roles
# for backwards compatibility, all other roles default to internal_api
{%- for role in roles %}

1
overcloud-resource-registry-puppet.j2.yaml
View File

@ -324,6 +324,7 @@ resource_registry:
OS::TripleO::Services::GlanceApiEdge: OS::Heat::None
OS::TripleO::Services::HAproxyEdge: OS::Heat::None
OS::TripleO::Services::Frr: OS::Heat::None
OS::TripleO::Services::Unbound: OS::Heat::None
# Logging
OS::TripleO::Services::Tmpwatch: deployment/logrotate/tmpwatch-install.yaml

4
releasenotes/notes/Add-Unbound-service-ba72830f9c75ecc3.yaml Normal file
View File

@ -0,0 +1,4 @@
---
features:
- |
Added TripleO support for the Unbound DNS resolver service.

1
roles/Controller.yaml
View File

@ -181,5 +181,6 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/ControllerAllNovaStandalone.yaml
View File

@ -122,5 +122,6 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/ControllerNoCeph.yaml
View File

@ -169,5 +169,6 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/ControllerOpenstack.yaml
View File

@ -135,5 +135,6 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/ControllerSriov.yaml
View File

@ -175,5 +175,6 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/ControllerStorageDashboard.yaml
View File

@ -179,5 +179,6 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/ControllerStorageNfs.yaml
View File

@ -180,5 +180,6 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/Standalone.yaml
View File

@ -183,6 +183,7 @@
- OS::TripleO::Services::Tmpwatch
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles_data.yaml
View File

@ -184,6 +184,7 @@
- OS::TripleO::Services::TripleoFirewall
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Unbound
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar
###############################################################################

1
sample-env-generator/enable-services.yaml
View File

@ -17,6 +17,7 @@ environments:
OS::TripleO::Services::DesignateWorker: ../deployment/experimental/designate/designate-worker-container-puppet.yaml
OS::TripleO::Services::DesignateMDNS: ../deployment/experimental/designate/designate-mdns-container-puppet.yaml
OS::TripleO::Services::Redis: ../deployment/database/redis-container-puppet.yaml
OS::TripleO::Services::Unbound: ../deployment/unbound/unbound-container-ansible.yaml
-
name: designate-config
title: Configure Designate Parameters