General improvements to configure-unbound role
- Improve README
- Improve integration test coverage
- Prefix variable names with "unbound_" to avoid clashes between different roles
- Unbound will very likely be installed but don't assume it is. Add an assertion to fail early if it isn't.

Change-Id: Ib8ca105938afdc0ccb1f524df3cae916c845efb8
This commit is contained in:
parent
4c2a544c3b
commit
d3a30a01e1
|
@ -10,18 +10,22 @@ usable IPv6 default route, otherwise IPv4.
|
||||||
|
|
||||||
**Role Variables**
|
**Role Variables**
|
||||||
|
|
||||||
.. zuul:rolevar:: primary_nameserver_v4
|
.. zuul:rolevar:: unbound_primary_nameserver_v4
|
||||||
|
:default: 208.67.222.222 (OpenDNS)
|
||||||
|
|
||||||
The primary IPv4 nameserver for fowarding requests
|
The primary IPv4 nameserver for fowarding requests
|
||||||
|
|
||||||
.. zuul:rolevar:: primary_nameserver_v6
|
.. zuul:rolevar:: unbound_secondary_nameserver_v4
|
||||||
|
:default: 8.8.8.8 (Google)
|
||||||
The primary IPv6 nameserver for fowarding requests
|
|
||||||
|
|
||||||
.. zuul:rolevar:: secondary_nameserver_v4
|
|
||||||
|
|
||||||
The secondary IPv4 nameserver for fowarding requests
|
The secondary IPv4 nameserver for fowarding requests
|
||||||
|
|
||||||
.. zuul:rolevar:: secondary_nameserver_v6
|
.. zuul:rolevar:: unbound_primary_nameserver_v6
|
||||||
|
:default: 2620:0:ccc::2 (OpenDNS)
|
||||||
|
|
||||||
|
The primary IPv6 nameserver for fowarding requests
|
||||||
|
|
||||||
|
.. zuul:rolevar:: unbound_secondary_nameserver_v6
|
||||||
|
:default: 2001:4860:4860::8888 (Google)
|
||||||
|
|
||||||
The seconary IPv6 nameserver for fowarding requests
|
The seconary IPv6 nameserver for fowarding requests
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# OpenDNS
|
# OpenDNS
|
||||||
primary_nameserver_v6: "2620:0:ccc::2"
|
unbound_primary_nameserver_v6: "2620:0:ccc::2"
|
||||||
primary_nameserver_v4: "208.67.222.222"
|
unbound_primary_nameserver_v4: "208.67.222.222"
|
||||||
|
|
||||||
# Google
|
# Google
|
||||||
secondary_nameserver_v6: "2001:4860:4860::8888"
|
unbound_secondary_nameserver_v6: "2001:4860:4860::8888"
|
||||||
secondary_nameserver_v4: "8.8.8.8"
|
unbound_secondary_nameserver_v4: "8.8.8.8"
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
- name: Restart unbound
|
||||||
|
become: yes
|
||||||
|
service:
|
||||||
|
name: unbound
|
||||||
|
state: restarted
|
|
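Review bot: `become: yes` on the new "Restart unbound" handler uses a YAML 1.1 truthy spelling; `become: true` is the canonical boolean and is what yamllint's truthy rule expects. The same spelling is introduced or kept in the tasks hunk (`become: yes` and `enabled: yes` under "Start unbound") and in the test playbook's "Check that unbound is started" task. Ansible accepts both, so this is a style point only, but the file would then be consistent with the `false` already used for `changed_when`.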
@ -1,11 +1,13 @@
|
||||||
- name: Ensure /etc/unbound exists
|
# This role assumes that Unbound is already installed, fail early if it isn't.
|
||||||
become: yes
|
- name: Check that Unbound is installed
|
||||||
file:
|
stat:
|
||||||
path: /etc/unbound
|
path: /etc/unbound
|
||||||
state: directory
|
register: unbound_config
|
||||||
owner: root
|
|
||||||
group: root
|
- name: Ensure that Unbound is installed
|
||||||
mode: 0755
|
assert:
|
||||||
|
that:
|
||||||
|
- unbound_config.stat.exists
|
||||||
|
|
||||||
# ansible_default_ipv6 can either be undefined (no ipv6) or blank (no
|
# ansible_default_ipv6 can either be undefined (no ipv6) or blank (no
|
||||||
# routable address). We only want to use ipv6 if it's available &
|
# routable address). We only want to use ipv6 if it's available &
|
||||||
|
@ -24,9 +26,8 @@
|
||||||
when:
|
when:
|
||||||
- unbound_use_ipv6 is defined
|
- unbound_use_ipv6 is defined
|
||||||
set_fact:
|
set_fact:
|
||||||
primary_nameserver: '{{ primary_nameserver_v6 }}'
|
unbound_primary_nameserver: '{{ unbound_primary_nameserver_v6 }}'
|
||||||
secondary_nameserver: '{{ secondary_nameserver_v6 }}'
|
unbound_secondary_nameserver: '{{ unbound_secondary_nameserver_v6 }}'
|
||||||
|
|
||||||
|
|
||||||
# Fallback to default ipv4 if there is no ipv6 available as this
|
# Fallback to default ipv4 if there is no ipv6 available as this
|
||||||
# causes timeouts and failovers that are unnecesary.
|
# causes timeouts and failovers that are unnecesary.
|
||||||
|
@ -34,21 +35,25 @@
|
||||||
when:
|
when:
|
||||||
- unbound_use_ipv6 is not defined
|
- unbound_use_ipv6 is not defined
|
||||||
set_fact:
|
set_fact:
|
||||||
primary_nameserver: '{{ primary_nameserver_v4 }}'
|
unbound_primary_nameserver: '{{ unbound_primary_nameserver_v4 }}'
|
||||||
secondary_nameserver: '{{ secondary_nameserver_v4 }}'
|
unbound_secondary_nameserver: '{{ unbound_secondary_nameserver_v4 }}'
|
||||||
|
|
||||||
- name: Configure unbound fowarding
|
# TODO: Move this to /etc/unbound/conf.d ?
|
||||||
|
- name: Configure unbound forwarding
|
||||||
become: yes
|
become: yes
|
||||||
template:
|
template:
|
||||||
dest: '/etc/unbound/forwarding.conf'
|
dest: /etc/unbound/forwarding.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
src: forwarding.conf.j2
|
src: forwarding.conf.j2
|
||||||
|
register: forwarding_config
|
||||||
|
notify:
|
||||||
|
- Restart unbound
|
||||||
|
|
||||||
- name: restart unbound
|
- name: Start unbound
|
||||||
become: yes
|
become: yes
|
||||||
service:
|
service:
|
||||||
name: unbound
|
name: unbound
|
||||||
state: restarted
|
state: started
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
|
|
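Review bot: The "Ensure that Unbound is installed" assertion in the first hunk only checks `unbound_config.stat.exists`, so any file or symlink at /etc/unbound satisfies it and a failure reports only the generic assertion text; the removed task also enforced that the path was a root-owned 0755 directory, which the new code now takes on trust from the package. Tightening the assertion to `- unbound_config.stat.exists` plus `- unbound_config.stat.isdir` and adding `msg: "/etc/unbound is missing; this role expects Unbound to be installed already"` makes the precondition and its failure mode explicit. In the third hunk, the "Configure unbound forwarding" template task could also pass the rendered file through `validate:` before the restart handler fires, so a bad render does not leave the resolver down after restart — that only works if unbound-checkconf accepts a standalone forward-zone file, which I have not confirmed.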
@ -2,5 +2,5 @@
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "."
|
name: "."
|
||||||
forward-addr: {{ primary_nameserver }}
|
forward-addr: {{ unbound_primary_nameserver }}
|
||||||
forward-addr: {{ secondary_nameserver }}
|
forward-addr: {{ unbound_secondary_nameserver }}
|
||||||
|
|
|
@ -3,11 +3,38 @@
|
||||||
roles:
|
roles:
|
||||||
- role: configure-unbound
|
- role: configure-unbound
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Check for /etc/unbound/forwarding.conf
|
- name: Check that unbound is started
|
||||||
stat: path=/etc/unbound/forwarding.conf
|
become: yes
|
||||||
register: f
|
service:
|
||||||
- name: Check forwarding file
|
name: unbound
|
||||||
|
state: started
|
||||||
|
register: unbound_service
|
||||||
|
|
||||||
|
- name: Ensure that unbound is started
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- f.stat.exists
|
- not unbound_service | changed
|
||||||
- f.stat.isreg
|
|
||||||
|
# Until nodepool no longer embeds a forwarding.conf in the image, it is
|
||||||
|
# safe to assume that we'll be changing the forwarding configuration
|
||||||
|
# because the role has logic to use v6 *or* v4 nameservers while nodepool
|
||||||
|
# puts all four nameservers.
|
||||||
|
- name: Ensure that configuration was installed
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- forwarding_config | changed
|
||||||
|
|
||||||
|
- name: Check if /etc/unbound/forwarding.conf exists
|
||||||
|
stat:
|
||||||
|
path: /etc/unbound/forwarding.conf
|
||||||
|
register: forwarding_file
|
||||||
|
|
||||||
|
- name: Ensure that configuration file exists
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- forwarding_file.stat.exists
|
||||||
|
|
||||||
|
# This is self-tested, no need to assert
|
||||||
|
- name: Do a host lookup (sanity check)
|
||||||
|
command: host openstack.org
|
||||||
|
changed_when: false
|
||||||
|
|
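Review bot: None of the new post_tasks checks what was written to /etc/unbound/forwarding.conf, so a template that rendered the wrong or an empty forward-addr would still pass; `forwarding_config | changed` and the stat only prove that some file was written, and `host openstack.org` only shows the system resolver works, which need not go through unbound unless resolv.conf points at it (not shown here). A content check such as `- name: Check that the chosen primary nameserver is configured` / `command: "grep -F 'forward-addr: {{ unbound_primary_nameserver }}' /etc/unbound/forwarding.conf"` / `changed_when: false` ties the test to the role's actual output (the fact is set by the role in the same play, so it is visible in post_tasks). Also, `unbound_service | changed` and `forwarding_config | changed` use the filter form, which newer Ansible releases deprecate in favour of the `is changed` test, so this may matter depending on the version in use. The `host` binary is not something the role installs, so the sanity check presumes it is present on the image.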