Merge "Allow necessary write permissions for BIND zone creation"

2018-01-10 19:24:43 +00:00 · 2018-01-10 19:24:43 +00:00 · 78e64fac7e
parent 3e28a26c9a 970212fc1c
commit 78e64fac7e
1 changed files with 12 additions and 1 deletions
--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@ -24,7 +24,7 @@ class designate::backend::bind9 (
  $rndc_host           = '127.0.0.1',
  $rndc_port           = '953',
  $rndc_config_file    = '/etc/rndc.conf',
-  $rndc_key_file       = '/etc/rndc.key'
+  $rndc_key_file       = '/etc/rndc.key',
 ) {

  include ::designate::deps
@ -43,4 +43,15 @@ class designate::backend::bind9 (
    content => 'allow-new-zones yes;',
    order   => '20',
  }
+
+  # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
+  # Debian. Both groups only have read access but require write permission in
+  # order to be able to use rndc addzone/delzone commands that Designate uses.
+  # NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
+  # removing this from puppet-openstack-integration.  Once that has been done
+  # the ensure_resource wrapper could be removed.
+  ensure_resource('file', $::dns::params::vardir, {
+    mode    => 'g+w',
+    require => Package[$::dns::params::dns_server_package]
+  })
 }