Until now, whenever NetworkManager gets reloaded/restarted/lease
refresh, it would override the /etc/resolv.conf file with the
nameservers and related it gets from the network.
This patch ensures this won't happen ever again.
Note: this is a corrected version of
I92bc12b8f712e28962d24dd6474cfce22b81222c
that was reverted due to indentation + use of ConfigParser issues.
Change-Id: I48560641238911154cc9f353f707a9374613e51a
Bug in the inline Python's indentation levels. Please correct and
resubmit with more testing included where possible.
This reverts commit 368bb77ee3.
Change-Id: I20ed2c48bc223bd13d04c297e877f47c02141e4d
Until now, whenever NetworkManager gets reloaded/restarted/lease
refresh, it would override the /etc/resolv.conf file with the
nameservers and related it gets from the network.
This patch ensures this won't happen ever again.
Change-Id: I92bc12b8f712e28962d24dd6474cfce22b81222c
The previous patch[1] applied a partial context to the unbound.log file.
This patch applies a full context to resolve the "partial context" error, using semanage to make the file label persistent.
[1] https://review.opendev.org/c/openstack/project-config/+/841546
Change-Id: Ic15957fa4ef58355efd2e96f143386f393b0a59d
I4f3265c16320613d4ba74a02df1361c5d9cf2fb1 moved this file to
/var/lib/unbound on selinux systems, as it was getting permissions
errors trying to write into /var/log.
This turns out to make it harder to collect the logs from projects
like devstack. It's simpler if we just have the log file in a
consistent place. On selinux systems, set the context, and revert
things to just writing into /usr/log/unbound.log
Change-Id: I6bb58ef0d6bf4cbbb7fd4066e01b7a01d05009c3
As noted inline, the /etc/init.d directory appears to have been
somehow removed/no longer created with a recent update. I've added
this manually and the image builds, and the rc-local.service still
runs. Do this for now to unblock other builds.
Change-Id: I0b0b2e38951bad656bcfdb47b6470e033564db59
This removes trusty from the repo and thus from OpenDev.
Afterwards the AFS volume mirror.wheel.trustyx64 can be deleted.
Depends-On: https://review.opendev.org/702771
Depends-On: https://review.opendev.org/702818
Change-Id: I3fa4c26b0c8aeacf1af76f9046ea98edb2fcdbd0
In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor
of firewalld[1]. This commit updates the openSUSE nodeset to use plain
iptables rather than injecting iptables rules into the SuSEfirewall2
service. This will work on both Tumbleweed and Leap nodesets.
openSUSE provides no iptables-service package the way the RHEL family
does, so we can't fall back to that. Rather than try to convert iptables
rules to firewalld syntax, this change leverages init.d to ensure
iptables rules are loaded at boot. The 89-unbound script has been
coopted for this purpose since it already creates
/etc/init.d/boot.local. Switched from `dd` to `cat` which makes
conditionally composing the file more natural.
[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
Change-Id: Ia2b72e25078efa68019f1bf7c7a0b77e6ff702fd
CloudFlare's public recursive DNS resolvers are available at
multiple anycast addresses. For some reason 1.1.1.1 is unreachable
from parts of OVH's BHS1 region, but 1.0.0.1 seems to be
consistently reachable. Swap this for improved reliability.
Change-Id: I9a264282ea6c8239883d252f52e004deebca3edc
Use new locations following OpenDev changes.
Note: This changes the on-disk repo path to /opt/git/openstack/devstack
Change-Id: I7042913fefa64dcec4044779dbeb13f86daea858
This role now lives in opendev/base-jobs but we still have some usage
from ozj. We can clean that up by removing what appears to be the only
job doing that since it was temporary anyway.
Additionally point the nodepool element comments at the right role in
opendev/base-jobs
Change-Id: I1d73f543006d94a52fa1cfe38870391da959ae74
Ianw noticed problems on fedora29 with unbound. That resulted in a bug
filed upstream,
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4226. In this bug
the helpful unbound maintainers point out that OpenDNS servers are
having trouble with RRSIG records which leads to not validating dnssec
which we require in our unbound config.
Address this by switching to CloudFlare DNS which is supposed to be
super localized (aka responsive), and not record queries against it.
Also if we want to we can update our config to do dns over tls against
these servers.
Change-Id: I08ef6a6fba2706803d2e9de6197e0ef8d695e313
We are seeing a problem on Fedora where it appears on hosts without
configured ipv6 unbound chooses to send queries via the ipv6
forwarders and then returns DNS failures.
An upstream issue has been filed [1], but it remains unclear exactly
why this happens on Fedora but not other platforms.
However, having ipv6 forwarders is not always correct. Not all our
platforms have glean support for ipv6 configuration, nor do all our
providers provide ipv6 transit.
Therefore, ipv4 is the lowest common denominator across all platforms.
Even those who are "ipv6 only" still provide ipv4 via NAT --
originally it was the unreliability of this NAT transit that led to
unbound being used in the first place. It should be noted that in
most all jobs, the configure-unbound role [2] called from the base-job
will re-write the forwarding information and configure ipv4/6
correctly during the base job depending on the node & provider
support. Thus this only really affects some of the
openstack-zuul-jobs/system-config integration jobs, where we start out
without unbound configured because we're actually *testing* the
unbound configuration role.
An additional complication is that we want to keep backwards
compatibility and populate the settings if
NODEPOOL_STATIC_NAMESERVER_V6 is explicitly set -- this is sometimes
required if you are building infra-style images and are within a corporate
network that disallows outbound DNS queries for example.
Thus by default only populate ipv4 forwarders, unless explicitly asked
to add ipv6 with the new variable or the static v6 nameservers are
explicitly specified.
[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4188
[2] http://git.openstack.org/cgit/openstack-infra/openstack-zuul-jobs/tree/roles/configure-unbound
Change-Id: If060455e163266b2c3e72b4a2ac2838a61859496
On centos this seems to be part of the built in config, on ubuntu this
seems to not be configured but is unbounds default behavior there, on
gentoo it chroots per the default described in the manpage.
In order to force consistent behavior across all systems disable the
chroot when we configure our logfile path (so that the logfile's dir is
present and writeable) by setting chroot: "" across the board.
This should fix the unbound service on gentoo and be a noop for our
other platforms.
Change-Id: Ic1b66c1982c14759e8fd8370452df21d2b0d9510
Add rhel7 distrib in unbound and iptables script for nodepool-base, and
add haveged installation for infra-package-needs to ensure users could
use these elements to build rhel based image.
Change-Id: Ib0ad877369bafab64a1fd25cc331363d771d5753
As described in the inline comment, this ensures that on Bionic (and
any similar platform using systemd-resolved) we use a regular
/etc/resolv.conf file for nameserver configuration.
Depends-On: https://review.openstack.org/#/c/558362/
Change-Id: I1e1d285787f88370fec6e9e21701164cc232e153
This reverts commit da15523595.
systemd-resolved was not really involved in this. What seems to be
happening is that during the initial chroot creation there is no
/etc/resolv.conf file, and so the systemd postinst script creates one
pointing to the compatibility files created by systemd-resolved.
This is not what we want, but dib doesn't really provide a way for us
to overwrite the file. That is covered in
Ie0e97d8072e2b21a54b053fa6fb07b62960c686d
We actually want systemd-resolved running -- it provides the dbus
nameserver api stuff that some tools may use. If /etc/resolv.conf is
a file, systemd-resolved leaves it alone and uses it for resolution as
you would expect. (we do, however, want to wait for the depends-on to
ensure the image has a correct /etc/resolv.conf before merging this).
Depends-On: https://review.openstack.org/557842/
Change-Id: Ie3cdc323bf8fb4fcee725f9a52bf53a4a6a01bbf
It seems with ubuntu-bionic, systemd-resolve boots by default. This is
then overwriting our /etc/resolv.conf file with its nameserver
address.
Change-Id: I3de217505cc0ba18a233e8712be49c5347a8e29b
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
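An added example (not the element's own code) of pinning /etc/resolv.conf to the local unbound resolver so that neither NetworkManager (the first commits above) nor systemd-resolved (the Bionic commits just above) replaces it. The ROOT argument, the drop-in file name and the use of NetworkManager's dns=none setting are assumptions.

```shell
# usage: pin_resolv_conf ROOT [NAMESERVER]   (ROOT empty means the live system)
pin_resolv_conf() {
    local root="${1:-}" ns="${2:-127.0.0.1}" resolv nm_dir
    resolv="$root/etc/resolv.conf"
    nm_dir="$root/etc/NetworkManager/conf.d"
    mkdir -p "$root/etc"
    # systemd-resolved leaves resolv.conf alone only when it is a regular
    # file. If the postinst left a symlink to its stub file, writing through
    # it would edit the stub instead, so drop the link first.
    if [ -L "$resolv" ]; then
        rm -f "$resolv"
    fi
    printf 'nameserver %s\n' "$ns" > "$resolv"
    # NetworkManager rewrites resolv.conf on every reload/lease refresh unless
    # dns=none is set (assumption: NetworkManager.conf(5) main.dns). A conf.d
    # drop-in leaves the packaged NetworkManager.conf untouched.
    if [ -d "$root/etc/NetworkManager" ]; then
        mkdir -p "$nm_dir"
        printf '[main]\ndns=none\n' > "$nm_dir/99-local-unbound.conf"
    fi
    # Report the nameserver now in effect so callers can verify the result.
    sed -n 's/^nameserver //p' "$resolv"
}
```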
Because of missing selinux rules, unbound does not properly write
logging to /var/log/unbound.log. We can move the file into
/var/lib/unbound/unbound.log and selinux should be happy.
Change-Id: I4f3265c16320613d4ba74a02df1361c5d9cf2fb1
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
In Tumbleweed or newer the /etc/rc.d (deprecated) directory
was dropped so we ended up failing in the wrong case of
the pile of workarounds. With this patch we use the recommended
location for any opensuse distribution, which should
be fine for all opensuse flavors currently in the gate.
Change-Id: Ibd690aff18f2acca310e3beb900ce2f471c2f772
According to the unbound.conf manpage this value should no longer be
used. It creates lookaside queries for DNSSEC which introduces more
servers which can fail on us. This is no longer necessary because root
servers have the appropriate DNSSEC configuration now.
Follow the unbound suggestion and make unbound more reliable by avoiding
DLV entirely.
Change-Id: Ib6c0cf83bfdeb1eb2f6f22951fd44ce9839cab92
On systemd systems, so everything except ubuntu-trusty. Set --no-dns
because we run a local unbound service and never want to use clouds
DNS servers.
Change-Id: I88c0c6aecfd026d32f3bab17e20e81f4201092d4
Depends-On: I0cfd83ab4208e3a35d7674c5fc34cd209d340074
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
The opensuse-minimal images include wickedd, which sets modification
of DNS via netconfig coming from DHCP by default. Disable that
and set the on-boot hook for resolv.conf overwrite to boot.local.
Change-Id: Ie20ab12eb336d8ddf7995188868a28e44bbd8ecc
Building an image for stretch results in the unbound configuration
script throwing an error, that it cannot know where to find rc.local.
This happens, because the file is missing in the installed image.
The script now checks for /etc/debian_version instead of erroring out.
This file is available on any debian system. If there's no rc.local and
/etc/debian_version is available, rc.local can just be created with the
appropriate content, /etc/rc.local is executed on Debian.
Change-Id: If98f7ef1657b4f538a4f79ba116c8cff991aefc7
It looks like fedora / centos / opensuse use /etc/unbound/conf.d.
Change-Id: I265a1cca37e6f86e5b85741ace534bbcf687402b
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
As a follow-on to Ib248c02b789cce1bc11fac27940e11b767c33399, this
needs to be under the "server:" tag else we get syntax errors starting
unbound.
Change-Id: I53c839f300f18972e2c7f5ad51953ab1668a1c72
We are having occasionally dns name resolution errors. These are hard to
debug without having logs for our dns caching forwarding resolver.
Address this by adding logging to the unbound config that will capture
only errors.
Change-Id: Ib248c02b789cce1bc11fac27940e11b767c33399
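A script fragment, added here as an illustration and not the element's own code, that renders the unbound configuration the commits above describe: every option under server:, an empty chroot, an errors-only logfile, no DLV, and ipv4 forwarders by default with ipv6 only when NODEPOOL_STATIC_NAMESERVER_V6 is set or --with-ipv6 is passed. The --with-ipv6 flag, the NODEPOOL_STATIC_NAMESERVER variable for the ipv4 override and the CloudFlare ipv6 addresses are assumptions.

```shell
V4_DEFAULT="1.1.1.1 1.0.0.1"                              # addresses the page names
V6_DEFAULT="2606:4700:4700::1111 2606:4700:4700::1001"    # assumption

# usage: unbound_config [--with-ipv6]   (config is written to stdout)
unbound_config() {
    local with_v6=0 v4 v6="" ns
    if [ "${1:-}" = "--with-ipv6" ]; then
        with_v6=1
    fi
    v4="${NODEPOOL_STATIC_NAMESERVER:-$V4_DEFAULT}"
    # Backwards compatibility: explicit static v6 nameservers always win;
    # otherwise v6 is opt-in because not every platform/provider has v6
    # transit and Fedora sent queries to v6 forwarders on v4-only hosts.
    if [ -n "${NODEPOOL_STATIC_NAMESERVER_V6:-}" ]; then
        v6="$NODEPOOL_STATIC_NAMESERVER_V6"
    elif [ "$with_v6" = 1 ]; then
        v6="$V6_DEFAULT"
    fi
    # Everything must sit under "server:" or unbound fails to start.
    cat <<EOF
server:
  # Empty chroot: identical behaviour on every platform, so the logfile
  # directory is reachable (Gentoo chroots by default, others do not).
  chroot: ""
  logfile: "/var/log/unbound.log"
  use-syslog: no
  # verbosity 0 records errors only; dlv-anchor-file is deliberately absent.
  verbosity: 0
forward-zone:
  name: "."
EOF
    for ns in $v4 $v6; do
        echo "  forward-addr: $ns"
    done
}
```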
This change updates the default unbound resolvers to use OpenDNS first
then google for both IPv6 and IPv4
Change-Id: I500d9ecd9c1f8c5ecd08b47c00dc5256f01548f6
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Currently, some parts of unbound are configured on zuul workers via
puppet and other parts are configured via dib elements. As part of
reducing the nodepool image builds' dependency on puppet, this patch
moves the rest of what was done in the unbound puppet module to the
nodepool-base DIB element.
Note that while the puppet module explicitly calls for the defaults file
to exist before the package is installed[1], this does not apply for an
image built in a chroot where the service won't be started, so we can
stick that file in with the rest of the configuration.
[1] http://git.openstack.org/cgit/openstack-infra/puppet-unbound/tree/manifests/init.pp#n34
Change-Id: I3905be12acd85581a608d87ba5159cc883343a37
We have had some job runs overrun the journald ring buffer which is used
by default resulting in losing older logs during the job runs. Update
the journald configuration to persistently store the journal so that we
can reliably retrieve those logs when jobs complete.
Change-Id: I5626ce76878287be220a8803f9dfe9a9da950d5b
We currently re-run all the grub setup in 99-fix-grub-timeout which
shouldn't really be necessary (actually a little problematic; although
this is dib's fault, see Ibaaa81124098f3c6febe48e455d3e1cd0a5f1761)
Use the new timeout flag to set this in the bootloader element
directly.
I think it is also an advantage that if you build a testing image with
./tools/build_image.sh this is configurable now ... having to fiddle
the bootloader for debugging is something that happens more than you'd
like.
This is supported since dib 1.26.0
Change-Id: Iafc660a9a8c072af6bf1fd5e51c419abccef4d54
There's two things going on with rc.local setup that break Centos
and Fedora
On Centos, /etc/rc.local is provided as a symlink to
/etc/rc.d/rc.local, which is the actual file systemd's rc-local
service is looking to run at startup. Thus the rc.local contents get
written correctly.
However, centos's rc.local is a dummy file that needs to have +x
permissions put on it before it will run (this is to prevent it being
part of normal startup, as it depends on the network and holds up
boot). Note Ubuntu/Debian ship a dummy /etc/rc.local with permissions
and just "exit 0". Adding +x therefore doesn't hurt globally so we do
that at the end.
Fedora doesn't have this symlink OR dummy file; thus the existing code
writes out /etc/rc.local which effectively does nothing. Thus we
modify things to add the file & symlink if it is not seen. I have
filed an upstream bug to at least bring it inline with centos [1]
which would avoid this work-around.
Copious comments added to help explain this very confusing situation
for the next sucker^W developer. Using rc.local like this is fairly
dangerous (something else might just overwrite it), but if it ain't
(too) broke...
This should fix the odd issues we see for centos & fedora on OSIC's
ipv6 only nodes. These nodes end up using google's ipv4 DNS servers
via their default setup, which breaks after neutron runs in devstack.
From that point on, you can't resolve names, but devstack doesn't
actually bail out till quite a bit later when it's installing tempest
from pip.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1386052
Change-Id: Ibe9dc34dd9bf3c8586f64e24b923d462a8c701c8
This commit adds Gentoo support to elements needed to build a Gentoo
nodepool image. The previous version of this commit had the default
section of the pkg-map in the wrong area, specifically in the following
file.
nodepool/elements/infra-package-needs/pkg-map
Change-Id: Ic686c325bc06564585a2e3ac50cadd7556612333
Our images have failed to build for the last 3 days, reverting until we can debug.
This reverts commit 4c515e2073.
Change-Id: I2e653bcd8a30a85ea46a9861bdf9f95413a76f64
Having non-shebang first line (empty one) leads to error on Xenial,
because systemd can't execute scripts without shebang, and rc.local
is not run (`status=203/EXEC`).
Change-Id: Icc2f01b89e6d582ad015009f6916379bee8af7b9
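An added example, not the 89-unbound element's own script, covering the rc.local quirks described in the Debian stretch, CentOS/Fedora and shebang commits above plus boot.local on openSUSE: one function that puts an executable boot hook in the right place for each platform. The distro comes from an argument or DIB's DISTRO_NAME, ROOT (assumed) lets it run against a scratch tree, and the hook body is a constructed placeholder.

```shell
# usage: ensure_rc_local ROOT [DISTRO]   (ROOT empty means the live system)
ensure_rc_local() {
    local root="${1:-}" distro="${2:-${DISTRO_NAME:-}}" target
    case "$distro" in
        opensuse)
            # wicked/netconfig images run the on-boot hook from boot.local.
            target="$root/etc/init.d/boot.local"
            ;;
        centos|fedora|rhel)
            # systemd's rc-local.service executes /etc/rc.d/rc.local. CentOS
            # ships /etc/rc.local as a symlink to it; Fedora ships neither,
            # so create the symlink when it is missing.
            target="$root/etc/rc.d/rc.local"
            mkdir -p "$root/etc/rc.d"
            if [ ! -e "$root/etc/rc.local" ] && [ ! -L "$root/etc/rc.local" ]; then
                ln -s rc.d/rc.local "$root/etc/rc.local"
            fi
            ;;
        debian|ubuntu)
            # stretch images have no /etc/rc.local at all; /etc/debian_version
            # is the marker that creating one is the right thing to do.
            if [ ! -e "$root/etc/debian_version" ]; then
                echo "ensure_rc_local: '$root' is not a Debian system" >&2
                return 1
            fi
            target="$root/etc/rc.local"
            ;;
        *)
            echo "ensure_rc_local: unsupported distro '$distro'" >&2
            return 1
            ;;
    esac
    mkdir -p "$(dirname "$target")"
    # Write the whole file. The shebang must be the very first line: an
    # empty first line makes systemd fail with status=203/EXEC on Xenial.
    cat > "$target" <<'EOF'
#!/bin/bash
# constructed placeholder body: point resolution at the local unbound
echo "nameserver 127.0.0.1" > /etc/resolv.conf
exit 0
EOF
    # Dummy rc.local files ship without +x so they do not hold up boot; the
    # hook only runs once it is executable.
    chmod +x "$target"
    echo "$target"
}
```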
This commit adds Gentoo support to elements needed to build a Gentoo
nodepool image.
Change-Id: I2ceeb915748a11d8e729069566e722a3fe30ba99
Signed-off-by: Matthew Thode <mthode@mthode.org>