From 970212fc1c6451496c52bdc1b56764fcad3eacf2 Mon Sep 17 00:00:00 2001
From: Ben Nemec
Date: Wed, 3 Jan 2018 17:53:34 +0000
Subject: [PATCH] Allow necessary write permissions for BIND zone creation
By default on both Red Hat and Ubuntu BIND does not have the necessary file permissions to create new zones. Since we need to be able to do that for Designate to function, we need to tweak the permissions at deployment time. Previously this was done in puppet-openstack-integration, but for TripleO to deploy Designate we need it done in this module as TripleO doesn't use p-o-i.
Change-Id: I09e8799f0b2a4113833983d67b3c4d40a0355933
bp designate-support
---
 manifests/backend/bind9.pp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/manifests/backend/bind9.pp b/manifests/backend/bind9.pp
index 9042e656..2d4b465b 100644
--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@@ -24,7 +24,7 @@ class designate::backend::bind9 (
 $rndc_host = '127.0.0.1',
 $rndc_port = '953',
 $rndc_config_file = '/etc/rndc.conf',
- $rndc_key_file = '/etc/rndc.key'
+ $rndc_key_file = '/etc/rndc.key',
 ) {
 include ::designate::deps
@@ -43,4 +43,15 @@ class designate::backend::bind9 (
 content => 'allow-new-zones yes;',
 order => '20',
 }
+
+ # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
+ # Debian. Both groups only have read access but require write permission in
+ # order to be able to use rndc addzone/delzone commands that Designate uses.
+ # NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
+ # removing this from puppet-openstack-integration. Once that has been done
+ # the ensure_resource wrapper could be removed.
+ ensure_resource('file', $::dns::params::vardir, {
+ mode => 'g+w',
+ require => Package[$::dns::params::dns_server_package]
+ })
 }
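Review bot: The `file` resource at the end of the second hunk grants group write on the whole BIND working directory (`$::dns::params::vardir`), which is broader than `rndc addzone`/`delzone` strictly needs: with `g+w` on the directory the named/bind group can create, rename or delete any entry directly under it, not only the new-zone configuration. The comment should state that this deliberately relaxes the distribution default and why a narrower target is not used; where the deployed BIND supports `new-zones-directory`, pointing it at a dedicated directory would let the vardir stay read-only to the daemon. Note also that `ensure_resource` only deduplicates when the other declaration has identical parameters, so a `file` resource for the same path declared elsewhere with a different `mode` or `require` would still fail catalog compilation. The class body between the two hunks is not visible, so it cannot be confirmed from here that `::dns::params` is loaded before these variables are read.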