Make BIND listen address configurable

Previously BIND listened on all configured interfaces on the system.
This doesn't make sense (why have DNS listening on the storage network,
for example) and could be a security issue in some environments.
This commit makes the BIND network configurable the same as any other
service.

Change-Id: Iaad11b1b4037719954ab17fb171e5804f3cbbe58
Ben Nemec 2018-06-15 14:05:12 -05:00
parent 7f278f795c
commit cf2be03500
2 changed files with 8 additions and 0 deletions

@ -80,6 +80,7 @@ parameters:
PacemakerRemoteNetwork: internal_api
TripleoUINetwork: internal_api
DesignateApiNetwork: internal_api
BINDNetwork: external
# We special-case the default ResolveNetwork for the CephStorage role
# for backwards compatibility, all other roles default to internal_api
CephStorageHostnameResolveNetwork: storage
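
Review bot: The new `BINDNetwork: external` default is the only entry in this part of the map that points at the external network while its neighbours (`DesignateApiNetwork`, `TripleoUINetwork`, `PacemakerRemoteNetwork`) use `internal_api`, and nothing in the hunk says why. Since the commit message gives reduced exposure as the motivation, please add a short comment above the line, in the style of the `CephStorageHostnameResolveNetwork` one below it, stating that BIND is meant to be reachable from the external network by default and that operators can override `BINDNetwork` in `ServiceNetMap` to restrict it.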

@ -69,6 +69,13 @@ outputs:
map_merge:
- get_attr: [DesignateBase, role_data, config_settings]
- designate::worker::worker_notify: true
dns::additional_options:
listen-on:
str_replace:
template:
"{ 127.0.0.1; %{hiera('$NETWORK')}; }"
params:
$NETWORK: {get_param: [ServiceNetMap, BINDNetwork]}
tripleo.designate_worker.firewall_rules:
'140 designate_worker udp':
proto: 'udp'
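
Review bot: The `listen-on` template `"{ 127.0.0.1; %{hiera('$NETWORK')}; }"` only restricts IPv4 listeners, so the goal in the commit message is not met on the IPv6 side. In BIND, IPv6 sockets are governed by the separate `listen-on-v6` option, which this hunk leaves unset, and an IPv6 address returned by the hiera lookup would not be a valid `listen-on` entry. Consider setting `listen-on-v6` alongside it (with `::1` in place of `127.0.0.1`) or choosing the option based on the address family of the selected network. It would also be worth confirming what is rendered when the lookup for `BINDNetwork` returns nothing, since the template would then produce an empty list element.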