From 773fccb7c1cc8b73f5d6246109c34ece5d8af557 Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Tue, 2 Feb 2021 18:41:31 +0000
Subject: [PATCH] Add the Unbound DNS resolver service
This patch addes TripleO support for the Unbound DNS resolver service. This service will initially be used by the Designate service.
Change-Id: I8135ce4f344aeb7c0cf7521e0ba42335c4c7bbc8
---
ci/environments/scenario000-standalone.yaml | 1 +
ci/environments/scenario003-standalone.yaml | 1 +
.../unbound/unbound-container-ansible.yaml | 134 ++++++++++++++++++
environments/enable-designate.yaml | 1 +
network/service_net_map.j2.yaml | 1 +
overcloud-resource-registry-puppet.j2.yaml | 1 +
.../Add-Unbound-service-ba72830f9c75ecc3.yaml | 4 +
roles/Controller.yaml | 1 +
roles/ControllerAllNovaStandalone.yaml | 1 +
roles/ControllerNoCeph.yaml | 1 +
roles/ControllerOpenstack.yaml | 1 +
roles/ControllerSriov.yaml | 1 +
roles/ControllerStorageDashboard.yaml | 1 +
roles/ControllerStorageNfs.yaml | 1 +
roles/Standalone.yaml | 1 +
roles_data.yaml | 1 +
sample-env-generator/enable-services.yaml | 1 +
17 files changed, 153 insertions(+)
create mode 100644 deployment/unbound/unbound-container-ansible.yaml
create mode 100644 releasenotes/notes/Add-Unbound-service-ba72830f9c75ecc3.yaml
diff --git a/ci/environments/scenario000-standalone.yaml b/ci/environments/scenario000-standalone.yaml
index 71a8ed8072..12d2b9cdfc 100644
--- a/ci/environments/scenario000-standalone.yaml
+++ b/ci/environments/scenario000-standalone.yaml
@@ -175,6 +175,7 @@ resource_registry:
 OS::TripleO::Services::TripleoUI: OS::Heat::None
 OS::TripleO::Services::Tuned: OS::Heat::None
 # OS::TripleO::Services::UndercloudMinionMessaging: ../../deployment/undercloud/minion-rabbitmq-puppet.yaml
+ OS::TripleO::Services::Unbound: OS::Heat::None
 OS::TripleO::Services::UndercloudTLS: OS::Heat::None
 OS::TripleO::Services::UndercloudUpgrade: OS::Heat::None
 OS::TripleO::Services::VRTSHyperScale: OS::Heat::None
diff --git a/ci/environments/scenario003-standalone.yaml b/ci/environments/scenario003-standalone.yaml
index 9954766290..977f97ba3e 100644
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@@ -18,6 +18,7 @@ resource_registry:
 OS::TripleO::Services::DesignateWorker: ../../deployment/experimental/designate/designate-worker-container-puppet.yaml
 OS::TripleO::Services::DesignateMDNS: ../../deployment/experimental/designate/designate-mdns-container-puppet.yaml
 OS::TripleO::Services::Redis: ../../deployment/database/redis-container-puppet.yaml
+ OS::TripleO::Services::Unbound: ../../deployment/unbound/unbound-container-ansible.yaml

 parameter_defaults:
 Debug: true
diff --git a/deployment/unbound/unbound-container-ansible.yaml b/deployment/unbound/unbound-container-ansible.yaml
new file mode 100644
index 0000000000..40656dbc01
--- /dev/null
+++ b/deployment/unbound/unbound-container-ansible.yaml
@@ -0,0 +1,134 @@
+heat_template_version: rocky
+
+description: >
+ OpenStack containerized Unbound DNS resolver
+
+parameters:
+ ContainerUnboundImage:
+ description: image
+ type: string
+ ContainerUnboundConfigImage:
+ description: The container image to use for the unbound config_volume
+ type: string
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ MonitoringSubscriptionUnbound:
+ default: 'overcloud-unbound'
+ type: string
+
+# Unbound specific parameters
+ UnboundAllowedCIDRs:
+ default: []
+ description: A list of CIDRs allowed to make queries through Unbound.
+ Example, ['192.0.2.0/24', '198.51.100.0/24']
+ type: comma_delimited_list
+ UnboundLogQueries:
+ default: false
+ description: If true, Unbound will log the query requests.
+ type: boolean
+ UnboundSecurityHarden:
+ default: true
+ description: When true, Unbound will block certain queries that could
+ have security implications to the Unbound service.
+ type: boolean
+
+resources:
+
+ ContainersCommon:
+ type: ../containers-common.yaml
+
+outputs:
+ role_data:
+ description: Role data for the Unbound instance.
+ value:
+ service_name: unbound
+ firewall_rules:
+ '140 unbound udp':
+ proto: 'udp'
+ dport:
+ - 53
+ '141 unbound tcp':
+ proto: 'tcp'
+ dport:
+ - 53
+ - 853
+ monitoring_subscription: {get_param: MonitoringSubscriptionUnbound}
+ config_settings: {}
+ service_config_settings: {}
+ kolla_config:
+ /var/lib/kolla/config_files/unbound.json:
+ command: /usr/sbin/unbound -d -d -p
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/etc/unbound/conf.d/"
+ merge: true
+ owner: unbound:unbound
+ perm: '0640'
+ permissions:
+ - path: /var/log/unbound
+ owner: unbound:unbound
+ recurse: true
+ docker_config:
+ step_3:
+ unbound:
+ start_order: 1
+ image: {get_param: ContainerUnboundImage}
+ net: host
+ privileged: false
+ restart: always
+ healthcheck:
+ test: /usr/sbin/unbound-streamtcp -u . SOA IN
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /run/:/run/
+ - /var/lib/kolla/config_files/unbound.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/log/containers/unbound:/var/log/unbound:z
+ - /var/lib/config-data/ansible-generated/unbound:/var/lib/kolla/config_files/src:ro
+ environment:
+ KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
+ host_prep_tasks:
+ - name: create persistent directories
+ file:
+ path: "{{ item.path }}"
+ state: directory
+ setype: "{{ item.setype }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
+ - { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
+ deploy_steps_tasks:
+ - name: Configure Unbound
+ when: step|int == 0
+ import_role:
+ name: tripleo_unbound
+ vars:
+ tripleo_unbound_config_basedir: /var/lib/config-data/ansible-generated/unbound
+ tripleo_unbound_network_name: {get_param: [ServiceNetMap, UnboundNetwork]}
+ tripleo_unbound_external_network_name: {get_param: [ServiceNetMap, PublicNetwork]}
+ tripleo_unbound_internal_network_name: {get_param:
[ServiceNetMap, NeutronApiNetwork]}
+ tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
+ tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
+ tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
diff --git a/environments/enable-designate.yaml b/environments/enable-designate.yaml
index 3b85b73192..4e51c013c3 100644
--- a/environments/enable-designate.yaml
+++ b/environments/enable-designate.yaml
@@ -18,3 +18,4 @@ resource_registry:
 OS::TripleO::Services::DesignateProducer: ../deployment/experimental/designate/designate-producer-container-puppet.yaml
 OS::TripleO::Services::DesignateWorker: ../deployment/experimental/designate/designate-worker-container-puppet.yaml
 OS::TripleO::Services::Redis: ../deployment/database/redis-container-puppet.yaml
+ OS::TripleO::Services::Unbound: ../deployment/unbound/unbound-container-ansible.yaml
diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index 95ba622855..65cf7f1473 100644
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -89,6 +89,7 @@ parameters:
 EtcdNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
 # HaproxyNetwork currently only controls the haproxy.stats network binding
 HaproxyNetwork: ctlplane
+ UnboundNetwork: {{ _service_nets.get('external', 'ctlplane') }}
 # We special-case the default ResolveNetwork and MetricsQdrNetwork for the Ceph roles
 # for backwards compatibility, all other roles default to internal_api
 {%- for role in roles %}
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 7af4a91ec4..9c1e086785 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
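Review bot: `ContainerUnboundConfigImage` is declared under `parameters` but nothing in `role_data` references it (only `ContainerUnboundImage` is used, in `docker_config`), and the used parameter's description is just `image`; either drop the unused one or use it, and describe the used one, e.g. `description: The container image to use for the unbound service`. The `firewall_rules` entries `'140 unbound udp'` and `'141 unbound tcp'` open 53/udp, 53/tcp and 853/tcp to any source, the container runs with `net: host`, and the `service_net_map.j2.yaml` hunk on this same line defaults `UnboundNetwork` to `external`, so the only query ACL is whatever the `tripleo_unbound` role derives from `UnboundAllowedCIDRs`; its description should state how the default `[]` is treated (deny all vs. allow all), because that decides whether the host becomes an open recursive resolver on the external network, and the role is not visible here to confirm which it is. 853/tcp is opened although no TLS certificate or key input is passed to the role; if the role does not configure DNS-over-TLS the rule is dead weight, and if it does, those inputs belong in this template's parameters. `/run/:/run/` mounts the entire host run directory into the container; narrowing it to the path unbound actually needs would keep other services' sockets out of the resolver's reach.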
@@ -324,6 +324,7 @@ resource_registry:
 OS::TripleO::Services::GlanceApiEdge: OS::Heat::None
 OS::TripleO::Services::HAproxyEdge: OS::Heat::None
 OS::TripleO::Services::Frr: OS::Heat::None
+ OS::TripleO::Services::Unbound: OS::Heat::None

 # Logging
 OS::TripleO::Services::Tmpwatch: deployment/logrotate/tmpwatch-install.yaml
diff --git a/releasenotes/notes/Add-Unbound-service-ba72830f9c75ecc3.yaml b/releasenotes/notes/Add-Unbound-service-ba72830f9c75ecc3.yaml
new file mode 100644
index 0000000000..c4dd72ec47
--- /dev/null
+++ b/releasenotes/notes/Add-Unbound-service-ba72830f9c75ecc3.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Added TripleO support for the Unbound DNS resolver service.
diff --git a/roles/Controller.yaml b/roles/Controller.yaml
index f50f70993a..7487bd1df7 100644
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@@ -181,5 +181,6 @@
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
 - OS::TripleO::Services::Tuned
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
diff --git a/roles/ControllerAllNovaStandalone.yaml b/roles/ControllerAllNovaStandalone.yaml
index a31faabe4d..27ed49a67a 100644
--- a/roles/ControllerAllNovaStandalone.yaml
+++ b/roles/ControllerAllNovaStandalone.yaml
@@ -122,5 +122,6 @@
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
 - OS::TripleO::Services::Tuned
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
diff --git a/roles/ControllerNoCeph.yaml b/roles/ControllerNoCeph.yaml
index 5f82b3ddf8..4da35ebc22 100644
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@@ -169,5 +169,6 @@
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
 - OS::TripleO::Services::Tuned
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml
index df87950cae..0329817601 100644
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@@ -135,5 +135,6 @@
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
 - OS::TripleO::Services::Tuned
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
diff --git a/roles/ControllerSriov.yaml b/roles/ControllerSriov.yaml
index d3f26974e5..a670cce0e6 100644
--- a/roles/ControllerSriov.yaml
+++ b/roles/ControllerSriov.yaml
@@ -175,5 +175,6 @@
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
 - OS::TripleO::Services::Tuned
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
diff --git a/roles/ControllerStorageDashboard.yaml b/roles/ControllerStorageDashboard.yaml
index 6df87e40dd..bce1b223ad 100644
--- a/roles/ControllerStorageDashboard.yaml
+++ b/roles/ControllerStorageDashboard.yaml
@@ -179,5 +179,6 @@
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
 - OS::TripleO::Services::Tuned
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
diff --git a/roles/ControllerStorageNfs.yaml b/roles/ControllerStorageNfs.yaml
index ac33b82586..38ce5c565b 100644
--- a/roles/ControllerStorageNfs.yaml
+++ b/roles/ControllerStorageNfs.yaml
@@ -180,5 +180,6 @@
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
 - OS::TripleO::Services::Tuned
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
diff --git a/roles/Standalone.yaml b/roles/Standalone.yaml
index 9b4694a743..7ab8fd068e 100644
--- a/roles/Standalone.yaml
+++ b/roles/Standalone.yaml
@@ -183,6 +183,7 @@
 - OS::TripleO::Services::Tmpwatch
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Tuned
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
diff --git a/roles_data.yaml b/roles_data.yaml
index d28b9777f1..b04b199a5f 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -184,6 +184,7 @@
 - OS::TripleO::Services::TripleoFirewall
 - OS::TripleO::Services::TripleoPackages
 - OS::TripleO::Services::Tuned
+ - OS::TripleO::Services::Unbound
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
 ###############################################################################
diff --git a/sample-env-generator/enable-services.yaml b/sample-env-generator/enable-services.yaml
index fdc1a87ca8..70a8d8e78a 100644
--- a/sample-env-generator/enable-services.yaml
+++ b/sample-env-generator/enable-services.yaml
@@ -17,6 +17,7 @@ environments:
 OS::TripleO::Services::DesignateWorker: ../deployment/experimental/designate/designate-worker-container-puppet.yaml
 OS::TripleO::Services::DesignateMDNS: ../deployment/experimental/designate/designate-mdns-container-puppet.yaml
 OS::TripleO::Services::Redis: ../deployment/database/redis-container-puppet.yaml
+ OS::TripleO::Services::Unbound: ../deployment/unbound/unbound-container-ansible.yaml

 - name: designate-config
 title: Configure Designate Parameters
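Review bot: In roles/Standalone.yaml the new `- OS::TripleO::Services::Unbound` entry is inserted before `- OS::TripleO::Services::Tuned`, whereas every other role file in this patch and roles_data.yaml place it after Tuned, keeping the service list alphabetical. Move it one line down so the order reads `Tuned`, `Unbound`, `Vpp`, matching the other roles.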