
Merge "Support additional IP so bind and unbound can collocate" into …
…stable/wallaby
Zuul authored and openstack-gerrit committed Jul 1, 2021
2 parents d7f5654 + 4975823 commit 77db47a
Showing 2 changed files with 75 additions and 1 deletion.
1 change: 1 addition & 0 deletions ci/environments/scenario003-standalone.yaml
Expand Up @@ -32,6 +32,7 @@ parameter_defaults:
RpcPort: 31459
NotifyPort: 5672
ContainerCli: podman
UnboundListenIPs: ["192.168.24.20"]
ExtraFirewallRules:
'301 allow arbitrary tcp rule':
dport: 12345
75 changes: 74 additions & 1 deletion deployment/unbound/unbound-container-ansible.yaml
Expand Up @@ -52,6 +52,30 @@ parameters:
description: When true, Unbound will block certain queries that could
have security implications to the Unbound service.
type: boolean
UnboundDesignateIntegration:
default: true
description: When true, Unbound will be configured to listen on an
unique IP so it can co-exist with bind on same host. Set
to false to run unbound independently of designate
type: boolean
UnboundListenIPs:
default: []
description: A list of IPs to add to the externally accessible interface
(e.g. interface on the external network or the VIP interface
in standalone). If provided, the number of IPs must match the
number of deployed Unbound instances. If left empty,
the deployment will create additonal IPs using the external
network.
type: comma_delimited_list


conditions:

public_net_is_ctlplane:
equals:
- {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, UnboundNetwork]}]}
- {get_param: [ServiceData, net_vip_map, ctlplane]}


resources:

Expand Down Expand Up @@ -119,9 +143,56 @@ outputs:
with_items:
- { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
external_deploy_tasks:
- name: Get list of provided listen ips
when:
- step|int == 1
set_fact:
unbound_listen_ips: { get_param: UnboundListenIPs }
- name: Distribute configured unbound listen IPs across nodes
when:
- step|int == 1
- unbound_listen_ips|length > 0
block:
- name: Set the unbound host ip fact
set_fact:
tripleo_unbound_listen_interfaces: "[ '{{ item.0 }}' ]"
delegate_to: "{{ item.1 }}"
delegate_facts: true
with_together:
- "{{ unbound_listen_ips }}"
- "{{ groups.unbound }}"

- name: Handle a bind and unbound collocated on the same host
when:
- step|int == 1
- unbound_listen_ips|length == 0
block:
- name: Create a neutron port for a new address
os_port:
state: present
network:
if:
- public_net_is_ctlplane
- 'ctlplane'
- { get_param: [ServiceNetMap, PublicNetwork] }
no_security_groups: True
name: "unbound-designate-{{ item }}-integration-port"
register: _unbound_designate_ports
with_items:
- "{{ groups.unbound }}"

- name: Set the unbound host ip fact
set_fact:
tripleo_unbound_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]"
delegate_to: "{{ item.item }}"
delegate_facts: true
with_items:
- "{{ _unbound_designate_ports.results }}"

deploy_steps_tasks:
- name: Configure Unbound
when: step|int == 0
when: step|int == 1
import_role:
name: tripleo_unbound
vars:
Expand All @@ -132,3 +203,5 @@ outputs:
tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration}
tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}
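Review bot: The `with_together` loop in the "Set the unbound host ip fact" task of the first external_deploy_tasks block never enforces the rule the new UnboundListenIPs description states ("the number of IPs must match the number of deployed Unbound instances"); with_together pads the shorter list with None, so a mismatch would most likely surface as a delegate_to against a None host or a node left without a listen address rather than a clear error, and a guard as the block's first task would make the contract explicit: `- name: Ensure one listen IP per unbound node` / `assert:` / `that: unbound_listen_ips|length == groups.unbound|length`. The os_port task in the second block sets `no_security_groups: True` with no explanation; since it reduces Neutron-level filtering on the new address, a one-line comment stating why it is safe here (presumably because the address is only reserved in IPAM and attached to the host's existing interface, so the host firewall governs access — confirm) would help the next maintainer. That task also picks `[ServiceNetMap, PublicNetwork]` while the public_net_is_ctlplane condition and tripleo_unbound_bind_network in the last hunk use `[ServiceNetMap, UnboundNetwork]`; if the asymmetry is intentional it deserves a comment. Minor: the parameter description reads `additonal`, which should be `additional`.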
