elements/ndoepool-base: only initially populate ipv4 nameservers

We are seeing a problem on Fedora where it appears on hosts without
configured ipv6 unbound chooses to send queries via the ipv6
forwarders and then returns DNS failures.

An upstream issue has been filed [1], but it remains unclear exactly
why this happens on Fedora but not other platforms.

However, having ipv6 forwarders is not always correct.  Not all our
platforms have glean support for ipv6 configuration, nor do all our
providers provide ipv6 transit.

Therefore, ipv4 is the lowest common denominator across all platforms.
Even those who are "ipv6 only" still provide ipv4 via NAT --
originally it was the unreliability of this NAT transit that lead to
unbound being used in the first place.  It should be noted that in
most all jobs, the configure-unbound role [2] called from the base-job
will re-write the forwarding information and configure ipv4/6
correctly during the base job depending on the node & provider
support.  Thus this only really affects some of the
openstack-zuul-jobs/system-config integration jobs, where we start out
without unbound configured because we're actually *testing* the
unbound configuration role.

An additional complication is that we want to keep backwards
compatability and populate the settings if
NODEPOOL_STATIC_NAMESERVER_V6 is explicitly set -- this is sometimes
required if you building infra-style images and are within a corporate
network that disallows outbound DNS queries for example.

Thus by default only populate ipv4 forwarders, unless explicitly asked
to add ipv6 with the new variable or the static v6 nameservers are
explicitly specified.

[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4188
[2] http://git.openstack.org/cgit/openstack-infra/openstack-zuul-jobs/tree/roles/configure-unbound

Change-Id: If060455e163266b2c3e72b4a2ac2838a61859496

nodepool/elements/nodepool-base/README.rst

@@ -6,14 +6,26 @@ Tasks to deal with image metadata and other Nodepool cloud specific tweaks.
 
 Environment variables:
 
-`NODEPOOL_SCRIPTDIR` path to copy Nodepool scripts from. It is set
+``NODEPOOL_SCRIPTDIR`` path to copy Nodepool scripts from. It is set
 automatically by Nodepool.  For local hacking override it to where your scripts
 are. Default:
-`$TMP_MOUNT_PATH/opt/git/openstack-infra/project-config/nodepool/scripts`.
+``$TMP_MOUNT_PATH/opt/git/openstack-infra/project-config/nodepool/scripts``.
+
+Name resolution
+---------------
 
 The image should have the unbound DNS resolver package installed, the
-nodepool-base element then configures it to forward DNS queries to:
-  `NODEPOOL_STATIC_NAMESERVER_V6`, default: `2620:0:ccc::2`
-  `NODEPOOL_STATIC_NAMESERVER_V4`, default: `208.67.222.222`
-  `NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK`, default: `2001:4860:4860::8888`
-  `NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK`, default: `8.8.8.8`.
+``nodepool-base`` element then configures it to forward DNS queries
+to:
+
+  ``NODEPOOL_STATIC_NAMESERVER_V4``, default: ``208.67.222.222``
+  ``NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK``, default: ``8.8.8.8``.
+
+If ``NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6`` is set to ``1`` then
+the following two servers will be configured as forwarders too
+
+ ``NODEPOOL_STATIC_NAMESERVER_V6``, default: ``2620:0:ccc::2``
+ ``NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK``, default: ``2001:4860:4860::8888``
+
+Note externally setting either of these values implies
+``NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6=1``

nodepool/elements/nodepool-base/finalise.d/89-unbound

@@ -21,11 +21,29 @@ if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
 fi
 set -e
 
-NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2620:0:ccc::2}
+#
+# Note that in OpenStack infra, the configure-unbound role [1] that is
+# part of the base jobs will reconfigure unbound based on the host's
+# ipv6 support very early in the job setup.  Thus the following
+# forwarder setup is only relevant to the initial boot and some parts
+# of the integration-tests before configure-unbound role is used.
+#
+# [1] http://git.openstack.org/cgit/openstack-infra/openstack-zuul-jobs/tree/roles/configure-unbound
+#
+
 NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-208.67.222.222}
-NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888}
 NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8}
-dd of=/tmp/forwarding.conf <<EOF
+
+# Explicitly setting a v6 nameserver implies you want ipv6
+if [[ -n ${NODEPOOL_STATIC_NAMESERVER_V6:-} || -n ${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK} ]]; then
+    NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6=1
+fi
+
+if [[ ${NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6:-0} == 1 ]]; then
+    NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2620:0:ccc::2}
+    NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888}
+
+    dd of=/tmp/forwarding.conf <<EOF
 forward-zone:
   name: "."
   forward-addr: $NODEPOOL_STATIC_NAMESERVER_V6
@@ -33,6 +51,18 @@ forward-zone:
   forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4
   forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK
 EOF
+else
+    # Otherwise, only populate ipv4 nameservers here.  We used to just
+    # do both, but we found it unreliable on hosts/platforms without
+    # ipv6 support (see
+    # https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4188).
+    dd of=/tmp/forwarding.conf <<EOF
+forward-zone:
+  name: "."
+  forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4
+  forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK
+EOF
+fi
 
 mv /tmp/forwarding.conf /etc/unbound/
 chown root:root /etc/unbound/forwarding.conf