heat_template_version: wallaby description: > OpenStack containerized Unbound DNS resolver parameters: ContainerUnboundImage: description: image type: string ContainerUnboundConfigImage: description: The container image to use for the unbound config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json MonitoringSubscriptionUnbound: default: 'overcloud-unbound' type: string # Unbound specific parameters UnboundAllowedCIDRs: default: [] description: A list of CIDRs allowed to make queries through Unbound. Example, ['192.0.2.0/24', '198.51.100.0/24'] type: comma_delimited_list UnboundLogQueries: default: false description: If true, Unbound will log the query requests. type: boolean UnboundSecurityHarden: default: true description: When true, Unbound will block certain queries that could have security implications to the Unbound service. type: boolean UnboundDesignateIntegration: default: true description: When true, Unbound will be configured to listen on an unique IP so it can co-exist with bind on same host. Set to false to run unbound independently of designate type: boolean UnboundListenIPs: default: [] description: A list of IPs to add to the externally accessible interface (e.g. interface on the external network or the VIP interface in standalone). If provided, the number of IPs must match the number of deployed Unbound instances. If left empty, the deployment will create additonal IPs using the external network. type: comma_delimited_list conditions: public_net_is_ctlplane: equals: - {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, UnboundNetwork]}]} - {get_param: [ServiceData, net_vip_map, ctlplane]} resources: ContainersCommon: type: ../containers-common.yaml outputs: role_data: description: Role data for the Unbound instance. value: service_name: unbound firewall_rules: '140 unbound udp': proto: 'udp' dport: - 53 '141 unbound tcp': proto: 'tcp' dport: - 53 - 853 monitoring_subscription: {get_param: MonitoringSubscriptionUnbound} config_settings: {} service_config_settings: {} kolla_config: /var/lib/kolla/config_files/unbound.json: command: /usr/sbin/unbound -d -d -p config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/etc/unbound/conf.d/" merge: true owner: unbound:unbound perm: '0640' permissions: - path: /var/log/unbound owner: unbound:unbound recurse: true docker_config: step_3: unbound: start_order: 1 image: {get_param: ContainerUnboundImage} net: host privileged: false restart: always healthcheck: test: /usr/sbin/unbound-streamtcp -u . SOA IN volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /run/:/run/ - /var/lib/kolla/config_files/unbound.json:/var/lib/kolla/config_files/config.json:ro - /var/log/containers/unbound:/var/log/unbound:z - /var/lib/config-data/ansible-generated/unbound:/var/lib/kolla/config_files/src:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode }}" with_items: - { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' } external_deploy_tasks: - name: Get list of provided listen ips when: - step|int == 1 set_fact: unbound_listen_ips: { get_param: UnboundListenIPs } - name: Distribute configured unbound listen IPs across nodes when: - step|int == 1 - unbound_listen_ips|length > 0 block: - name: Set the unbound host ip fact set_fact: tripleo_unbound_listen_interfaces: "[ '{{ item.0 }}' ]" delegate_to: "{{ item.1 }}" delegate_facts: true with_together: - "{{ unbound_listen_ips }}" - "{{ groups.unbound }}" - name: Handle a bind and unbound collocated on the same host when: - step|int == 1 - unbound_listen_ips|length == 0 block: - name: Get the subnet id for the proper network openstack.cloud.subnets_info: name: if: - public_net_is_ctlplane - ctlplane_subnet - str_replace: template: "$NETWORK_subnet" params: $NETWORK: {get_param: [ServiceNetMap, PublicNetwork] } register: subnet_info - name: Create a neutron port for a new address os_port: state: present network: if: - public_net_is_ctlplane - 'ctlplane' - { get_param: [ServiceNetMap, PublicNetwork] } # NOTE(beagles): Seems to be required for some deployments to make sure # port gets an IP address. fixed_ips: - subnet_id: "{{ subnet_info.openstack_subnets[0].id }}" no_security_groups: True name: "unbound-designate-{{ item }}-integration-port" register: _unbound_designate_ports with_items: - "{{ groups.unbound }}" - name: Set the unbound host ip fact set_fact: tripleo_unbound_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]" delegate_to: "{{ item.item }}" delegate_facts: true with_items: - "{{ _unbound_designate_ports.results }}" deploy_steps_tasks: - name: Configure Unbound when: step|int == 1 import_role: name: tripleo_unbound vars: tripleo_unbound_config_basedir: /var/lib/config-data/ansible-generated/unbound tripleo_unbound_network_name: {get_param: [ServiceNetMap, UnboundNetwork]} tripleo_unbound_external_network_name: {get_param: [ServiceNetMap, PublicNetwork]} tripleo_unbound_internal_network_name: {get_param: [ServiceNetMap, NeutronApiNetwork]} tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs} tripleo_unbound_log_queries: {get_param: UnboundLogQueries} tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden} tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration} tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}