commit e5e832f5c0f985f546fb2e695ef239421b60c822
Author: James E. Blair
Date: Wed Mar 12 14:24:20 2014 -0700 Use unbound On all machines, set up unbound as a caching recursive resolver. On single-use slaves, set it up to forward cache misses to the DNS servers obtained by the template host on boot. Change-Id: I8505f5a277f20b1328900a9a515cd84db77b2b3b
diff --git a/files/unbound.default b/files/unbound.default
new file mode 100644
index 0000000..784cb4c
--- /dev/null
+++ b/files/unbound.default
@@ -0,0 +1,18 @@
+# If set, the unbound daemon will be started and stopped by the init script.
+UNBOUND_ENABLE=true
+
+# Whether to automatically update the root trust anchor file.
+ROOT_TRUST_ANCHOR_UPDATE=true
+
+# File in which to store the root trust anchor.
+ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
+
+# If set, the unbound init script will provide unbound's listening
+# IP addresses as nameservers to resolvconf.
+RESOLVCONF=true
+
+# If set, resolvconf nameservers will be configured as forwarders
+# to be used by unbound.
+RESOLVCONF_FORWARDERS=false
+
+#DAEMON_OPTS="-c /etc/unbound/unbound.conf"
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..ba56607
--- /dev/null
+++ b/manifests/init.pp
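Review bot: `RESOLVCONF_FORWARDERS=false` is the one setting here that differs from the packaged defaults file (per the manifest's own comment), and it is what makes unbound do full recursion instead of forwarding to whatever resolvers the provider handed out; the forwarding of cache misses to the template host's DNS servers described in the commit message is not implemented anywhere in this diff, so either the message or a follow-up should say where that lives. `ROOT_TRUST_ANCHOR_UPDATE=true` and `ROOT_TRUST_ANCHOR_FILE` only have an effect if the unbound.conf that this change leaves unmanaged actually references the anchor file for DNSSEC validation; a comment such as `# Only effective if unbound.conf enables validation via auto-trust-anchor-file pointing at this path` would make that dependency visible to whoever edits the config later.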
@@ -0,0 +1,86 @@
+# Copyright (C) 2014 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: unbound
+
+# This installs unbound in its default configuration as a caching
+# recursive resolver.
+
+class unbound (
+) {
+
+ if ($::osfamily == 'Debian') {
+ # This file differs from that in the package only by setting
+ # RESOLVCONF_FORWARDERS to false.
+ file { '/etc/default/unbound':
+ source => 'puppet:///modules/unbound/unbound.default',
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ }
+
+ # We require the defaults file be in place before installing the
+ # package to work around this bug:
+ # https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513
+ # where we could end up briefly forwarding to a provider's broken
+ # DNS.
+ package { 'unbound':
+ ensure => present,
+ require => File['/etc/default/unbound'],
+ }
+ }
+
+ # Ubuntu uses resolvconf which will update resolv.conf to point to
+ # localhost after unbound is installed. NOTE: Debian unknown.
+ if ($::osfamily == 'RedHat') {
+ package { 'unbound':
+ ensure => present,
+ }
+
+ # Rackspace uses static config files
+ file { '/etc/resolv.conf':
+ content => "nameserver 127.0.0.1\n",
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => Service['unbound'],
+ notify => Exec['make-resolv-conf-immutable'],
+ }
+
+ # Rackspace uses file injection to configure networking which
+ # overwrites all of the files on disk where we could set the env
+ # variable to disable the resolv.conf update on network-up.
+ # Instead, make that file immutable so that the update will fail
+ # (harmlessly). Of course this means Puppet won't be able to
+ # update it either after this, but we don't plan on changing it.
+ exec { 'make-resolv-conf-immutable':
+ command => '/usr/bin/chattr +i /etc/resolv.conf',
+ refreshonly => true,
+ }
+
+ # HPCloud uses dhclient; tell dhclient to use our nameserver instead.
+ exec { '/usr/bin/printf "\nsupersede domain-name-servers 127.0.0.1;\n" >> /etc/dhcp/dhclient-eth0.conf':
+ unless => '/bin/grep -q "supersede domain-name-servers" /etc/dhcp/dhclient-eth0.conf'
+ }
+ }
+
+ service { 'unbound':
+ ensure => running,
+ name => 'unbound',
+ enable => true,
+ hasrestart => true,
+ hasstatus => false,
+ require => Package['unbound'],
+ }
+}
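Review bot: The `service { 'unbound': ... require => Package['unbound'] }` at the end of the hunk is declared unconditionally, but `package { 'unbound' }` exists only inside the `Debian` and `RedHat` branches, so on any other `$::osfamily` the catalog fails on an unresolved dependency instead of a readable error; an `else { fail("unbound: unsupported osfamily ${::osfamily}") }` after the RedHat block would make the supported set explicit. The class also leaves unbound.conf unmanaged (the header says it installs "its default configuration"), so whether the resolver listens only on loopback and answers only local clients rests entirely on the distro package's default `interface`/`access-control` settings; a one-line comment at the `service` resource recording that assumption would help whoever later adds forwarders or changes the listen address. The `exec` that appends `supersede domain-name-servers` to `/etc/dhcp/dhclient-eth0.conf` is commented as being for HPCloud but is not conditioned on it, so Rackspace hosts in the same branch will also create and append to that file; if that is intended as harmless, say so in the comment.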