openstack
/
project-config
Code Issues Proposed changes
project-config/nodepool/elements/nodepool-base/finalise.d/89-unbound

177 lines
5.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Copyright (C) 2011-2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
# dib-lint: disable=set setu setpipefail indent
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -e
NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2620:0:ccc::2}
NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-208.67.222.222}
NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888}
NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8}
dd of=/tmp/forwarding.conf <<EOF
forward-zone:
name: "."
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V6
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4
forward-addr: $NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK
EOF
mv /tmp/forwarding.conf /etc/unbound/
chown root:root /etc/unbound/forwarding.conf
chmod a+r /etc/unbound/forwarding.conf
dd of=/tmp/unbound-logging.conf <<EOF
server:
logfile: "/var/log/unbound.log"
# Log only errors
verbosity: 0
EOF
if [[ "$DISTRO_NAME" =~ (centos|fedora|opensuse) ]] ; then
UNBOUND_CONFD=/etc/unbound/conf.d
else
UNBOUND_CONFD=/etc/unbound/unbound.conf.d
fi
mv /tmp/unbound-logging.conf $UNBOUND_CONFD
chown root:root $UNBOUND_CONFD/unbound-logging.conf
chmod a+r $UNBOUND_CONFD/unbound-logging.conf
touch /var/log/unbound.log
chown unbound /var/log/unbound.log
chmod 0644 /var/log/unbound.log
# You'd think rc.local would be simple ...
#
# On Redhat systems, systemd's rc-local service looks for an
# executable /etc/rc.d/rc.local file to run. On Debian/Ubuntu, the
# eqivalent file is /etc/rc.local, which is missing on Debian stretch.
#
# Centos' systemd package symlinks /etc/rc.local to /etc/rc.d/rc.local
# correctly. Fedora, however, does not come with an rc.local file at
# all. Thus if we have a rc.d directory, but no rc.local file, we
# need to create it (if you don't have an rc.d directory, and don't
# have /etc/rc.local, then it's not clear what platform you are on).
#
# Bug [1] is filed to bring Fedora in-line with Centos, and has more
# details on all this. As at 2016-10-18 is unresolved.
#
# [1] https://bugzilla.redhat.com/show_bug.cgi?id=1386052
if [[ ! -e /etc/rc.local ]] && [[ ! -e /etc/debian_version ]]; then
if [[ ! -d /etc/rc.d ]]; then
echo "No rc.local and no rc.d directory! See comments in 89-unbound"
exit 1
fi
touch /etc/rc.d/rc.local
ln -sf /etc/rc.d/rc.local /etc/rc.local
# permissions added below. selinux context will be fixed up at
# end of build.
fi
# And furthermore on SUSE systems rc.local is called /etc/init.d/boot.local
rclocal=/etc/rc.local
[ -f /etc/init.d/boot.local ] && rclocal=/etc/init.d/boot.local
# Overwrite /etc/resolv.conf at boot (let's hope nothing else is using
# rc.local...)
dd of=$rclocal <<EOF
#!/bin/bash
set -o xtrace
# Some providers inject dynamic network config statically. Work around this
# for DNS nameservers. This is expected to fail on some nodes so remove -e.
set +e
sed -i -e 's/^\(DNS[0-9]*=[.0-9]\+\)/#\1/g' /etc/sysconfig/network-scripts/ifcfg-*
sed -i -e 's/^NETCONFIG_DNS_POLICY=.*/NETCONFIG_DNS_POLICY=""/g' /etc/sysconfig/network/config
set -e
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
exit 0
EOF
# Debian/Ubuntu ship their dummy rc.local with +x permissions, but
# CentOS (and the file we created for Fedora) do not ... this is to
# avoid it holding up the boot as it relies on the network being up).
# Add +x so it runs.
chmod a+x $rclocal
echo 'include: /etc/unbound/forwarding.conf' >> /etc/unbound/unbound.conf
# Disable dlv. Per the unbound.conf manpage this should not be used
# anymore but is in use by some of our distros. The problem here is it
# does lookasides for DNSSEC which increases the number of queries and
# introduces more points of lookup failure. Disable it to avoid these
# problems.
sed -i -e 's/dlv-anchor-file:/#dlv-anchor-file:/g' /etc/unbound/unbound.conf
# This defaults file must be in place to work around this bug:
# https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/988513
# The issue is fixed for Xenial so this is only required for Trusty.
if [ "$DIB_RELEASE" == "trusty" ] ; then
cat > /etc/default/unbound <<EOF
UNBOUND_ENABLE=true
ROOT_TRUST_ANCHOR_UPDATE=true
ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
RESOLVCONF=true
RESOLVCONF_FORWARDERS=false
EOF
fi
# Tripleo uses dhcp
dhcp_file=''
if [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora) ]] ; then
dhcp_file=/etc/dhcp/dhclient-eth0.conf
elif [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
dhcp_file=/etc/dhcp/dhclient.conf
fi
if [ -n "$dhcp_file" ] ; then
cat > $dhcp_file <<EOF
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name "<hostname>";
request subnet-mask, broadcast-address, routers,
interface-mtu, rfc3442-classless-static-routes;
supersede domain-name-servers 127.0.0.1;
supersede domain-search "";
supersede domain-name "";
EOF
fi
case "$DIB_INIT_SYSTEM" in
upstart)
# nothing to do
;;
systemd)
systemctl enable unbound.service
;;
openrc)
# let dib-init-system's postinstall handle enabling init scripts
;;
sysv)
# nothing to do
;;
*)
echo "Unsupported init system $DIB_INIT_SYSTEM"
exit 1
;;
esac
View Git Blame Copy Permalink