Puppet Class: designate::backend::bind9

Defined in:
manifests/backend/bind9.pp

Overview

Class designate::backend::bind9

Configures bind9 as a Designate DNS backend: optionally manages the local named configuration (through the `dns` class) and the Designate pools.yaml describing this pool.

Parameters

rndc_config_file

(Optional) Path to the rndc configuration file. Defaults to '/etc/rndc.conf'.

rndc_key_file

(Optional) Path to the rndc key file (the shared secret that authorises zone create/delete operations; keep it readable by the named and designate service accounts only). Defaults to '/etc/rndc.key'.

rndc_port

(Optional) RNDC Port. Defaults to 953.

rndc_controls

(Optional) Hash passed as the `controls` parameter of the `dns` class, i.e. the listener configuration of the rndc control channel. Defaults to undef, which leaves the puppet-dns default in place.

ns_records

(Optional) NS records for zones hosted within this pool, given as a hash mapping <priority> => <host>. The host names are used as-is, so write them fully qualified with the trailing dot, as in the default. Defaults to {1 => 'ns1.example.org.'}.

nameservers

(Optional) Array of nameserver addresses for this pool. Defaults to ['127.0.0.1'].

bind9_hosts

(Optional) Array of hosts running the bind9 DNS service. Defaults to ['127.0.0.1'].

dns_port

(Optional) TCP port on which the bind9 DNS service listens. Defaults to 53.

mdns_hosts

(Optional) Array of hosts where designate-mdns service is running. Defaults to [‘127.0.0.1’].

mdns_port

(Optional) TCP port on which the designate-mdns service listens. Defaults to 5354.

configure_bind

(Optional) Whether to manage the bind9/named configuration on this host, for deployments where Designate and the bind9 service are colocated. Defaults to true.

manage_pool

(Optional) Whether to manage /etc/designate/pools.yaml and, whenever it changes, load it with `designate-manage pool update`. Defaults to true.

Parameters:

  • rndc_config_file (Any) (defaults to: '/etc/rndc.conf')
  • rndc_key_file (Any) (defaults to: '/etc/rndc.key')
  • rndc_controls (Any) (defaults to: undef)
  • rndc_port (Any) (defaults to: 953)
  • ns_records (Any) (defaults to: {1 => 'ns1.example.org.'})
  • nameservers (Any) (defaults to: ['127.0.0.1'])
  • bind9_hosts (Any) (defaults to: ['127.0.0.1'])
  • dns_port (Any) (defaults to: 53)
  • mdns_hosts (Any) (defaults to: ['127.0.0.1'])
  • mdns_port (Any) (defaults to: 5354)
  • configure_bind (Any) (defaults to: true)
  • manage_pool (Any) (defaults to: true)


# File 'manifests/backend/bind9.pp', line 57

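# == Class: designate::backend::bind9
#
# Configures bind9 as a Designate DNS backend. When $configure_bind is true
# the local named configuration is managed through the `dns` class; when
# $manage_pool is true the Designate pools.yaml is rendered and loaded with
# `designate-manage pool update`.
#
# All parameters are optional. Those not referenced directly in this class
# (rndc_config_file, rndc_key_file, rndc_port, ns_records, nameservers,
# bind9_hosts, dns_port, mdns_hosts, mdns_port) are consumed by the
# designate/bind9-pools.yaml.erb template, which is rendered in this scope.
#
#   rndc_config_file  Path to the rndc configuration file.   '/etc/rndc.conf'
#   rndc_key_file     Path to the rndc key file.             '/etc/rndc.key'
#   rndc_controls     Hash passed as `controls` to the `dns` class; undef
#                     keeps the puppet-dns default.          undef
#   rndc_port         RNDC control-channel port.             953
#   ns_records        Hash of <priority> => <host> NS records for the pool.
#                                                            {1 => 'ns1.example.org.'}
#   nameservers       Array of nameserver addresses.         ['127.0.0.1']
#   bind9_hosts       Array of hosts running bind9.          ['127.0.0.1']
#   dns_port          TCP port of the bind9 service.         53
#   mdns_hosts        Array of hosts running designate-mdns. ['127.0.0.1']
#   mdns_port         TCP port of designate-mdns.            5354
#   configure_bind    Manage named config on this host.      true
#   manage_pool       Manage pools.yaml and run `designate-manage pool update`
#                     when it changes.                       true
#
# Security notes:
#   * `allow-new-zones yes` lets any holder of the rndc key create or delete
#     zones on this server. Keep $rndc_key_file unreadable to other users and
#     keep the rndc control channel (`controls`) restricted to the hosts that
#     run designate-worker. NOTE(review): the puppet-dns default `controls`
#     is not visible here - confirm where it listens when $rndc_controls is
#     left undef.
#   * The named zone/cache directory is made group-writable so rndc
#     addzone/delzone can write zone files; every member of the named/bind
#     group can then alter zone data on this host.
class designate::backend::bind9 (
  $rndc_config_file = '/etc/rndc.conf',
  $rndc_key_file    = '/etc/rndc.key',
  $rndc_controls    = undef,
  $rndc_port        = 953,
  $ns_records       = {1 => 'ns1.example.org.'},
  $nameservers      = ['127.0.0.1'],
  $bind9_hosts      = ['127.0.0.1'],
  $dns_port         = 53,
  $mdns_hosts       = ['127.0.0.1'],
  $mdns_port        = 5354,
  $configure_bind   = true,
  $manage_pool      = true,
) {

  include designate::deps
  include designate::params

  # Parameters are untyped (Any) for backward compatibility, so shape checks
  # are done here; the legacy validator runs for callers on older stdlib.
  validate_legacy(Hash, 'validate_hash', $ns_records)
  validate_legacy(Array, 'validate_array', $nameservers)
  validate_legacy(Array, 'validate_array', $bind9_hosts)
  validate_legacy(Array, 'validate_array', $mdns_hosts)
  validate_legacy(Boolean, 'validate_bool', $configure_bind)
  validate_legacy(Boolean, 'validate_bool', $manage_pool)

  if $configure_bind {
    # Only pass `controls` through when the operator supplied one; otherwise a
    # plain `include dns` keeps that module's own default and stays compatible
    # with any other declaration of the dns class in the catalog.
    if $rndc_controls {
      class { 'dns':
        controls => $rndc_controls,
      }
    } else {
      include dns
    }

    # Designate creates and removes zones with rndc addzone/delzone, which
    # named only accepts when allow-new-zones is enabled. This widens what the
    # rndc key holder can do, hence the protection notes in the class header.
    concat::fragment { 'dns allow-new-zones':
      target  => $::dns::optionspath,
      content => 'allow-new-zones yes;',
      order   => '20',
    }

    # Recommended by Designate docs as a mitigation for potential cache
    # poisoning attacks:
    # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
    concat::fragment { 'dns minimal-responses':
      target  => $::dns::optionspath,
      content => 'minimal-responses yes;',
      order   => '21',
    }

    # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
    # Debian. Both groups only have read access but require write permission in
    # order to be able to use rndc addzone/delzone commands that Designate uses.
    # NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
    # removing this from puppet-openstack-integration.  Once that has been done
    # the ensure_resource wrapper could be removed.
    ensure_resource('file', $::dns::params::vardir, {
      mode    => 'g+w',
      require => Package[$::dns::params::dns_server_package]
    })
  }

  if $manage_pool {
    # `ensure => file` (rather than `present`) guarantees a regular file is
    # written: `present` is satisfied by a pre-existing directory or symlink at
    # this path, in which case the rendered content would not replace it.
    # Mode 0640 keeps the pool definition readable by the designate service
    # account only.
    file { '/etc/designate/pools.yaml':
      ensure  => file,
      owner   => $designate::params::user,
      group   => $designate::params::group,
      mode    => '0640',
      content => template('designate/bind9-pools.yaml.erb'),
      require => Anchor['designate::config::begin'],
      before  => Anchor['designate::config::end'],
    }

    # Load the pool definition only when the file actually changed
    # (refreshonly + subscribe), ordered after the module's service anchor.
    # Runs as the designate user rather than root.
    exec { 'designate-manage pool update':
      command     => 'designate-manage pool update',
      path        => '/usr/bin',
      user        => $designate::params::user,
      refreshonly => true,
      require     => Anchor['designate::service::end'],
      subscribe   => File['/etc/designate/pools.yaml'],
    }
  }
}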