# File 'modules/profile/manifests/dns/recursor.pp', line 3
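# @summary Run pdns-recursor on this host as an internal (non-open) resolver.
#
# The recursor is bound to the host's own v4/v6 addresses, to every anycast
# VIP with service_type 'recdns' from the bird advertise_vips data, and
# optionally to a legacy LVS VIP that is added to lo here. Recursion
# (allow_from) and the ferm rules below are both restricted to
# $network::constants::aggregate_networks, so even though anycast VIPs are
# bound the daemon does not act as an open resolver.
#
# @param advertise_vips VIPs advertised by profile::bird; only entries whose
#   service_type is 'recdns' are bound here.
# @param bind_service Passed straight through to ::dnsrecursor (its meaning
#   is defined there).
# @param legacy_vip Temporary LVS recdns VIP to keep serving; see the comment
#   in the body. Typed as Stdlib::IP::Address::Nosubnet, which is what makes
#   it safe to interpolate into the interface label and the ferm rules.
class profile::dns::recursor (
    Optional[Hash[String, Wmflib::Advertise_vip]] $advertise_vips = lookup('profile::bird::advertise_vips', {'default_value' => {}}),
    Optional[String] $bind_service = lookup('profile::dns::recursor::bind_service', {'default_value' => undef}),
    Optional[Stdlib::IP::Address::Nosubnet] $legacy_vip = lookup('profile::dns::recursor::legacy_vip', {'default_value' => undef}),
) {
    include ::network::constants
    include ::profile::base::firewall
    include ::profile::bird::anycast
    include ::profile::prometheus::pdns_rec_exporter
    include ::profile::dns::check_dns_query

    # The $legacy_vip is to support the old lvs recdns IP in codfw and eqiad
    # temporarily, since there are a few trailing edge cases using it (a few
    # PDUs that are difficult to reconfigure, and an odd service daemon or two
    # that hasn't been restarted in a while). Will be removed later!
    if $legacy_vip {
        # The address has to be present on lo before the recursor starts,
        # otherwise binding its listen socket to the VIP fails; hence 'before'.
        interface::ip { 'lo-legacy-vip':
            ensure    => present,
            address   => $legacy_vip,
            interface => 'lo',
            options   => 'label lo:legacy',
            before    => Class['::dnsrecursor'],
        }
        $legacy_vips = [ $legacy_vip ]
    } else {
        $legacy_vips = []
    }

    # The advertise_vips hiera data is shared with other anycast services;
    # keep only the recursive-DNS entries and take their addresses.
    $recdns_vips = $advertise_vips.filter |$vip_fqdn, $vip_params| {
        $vip_params['service_type'] == 'recdns'
    }
    $recdns_addrs = $recdns_vips.map |$vip_fqdn, $vip_params| {
        $vip_params['address']
    }

    # $recdns_addrs is itself an array, so without flatten() the list would be
    # nested. The same value is handed to ::dnsrecursor and join()ed into the
    # ferm drange below, so make it a flat list of addresses here rather than
    # relying on how each consumer renders a nested array.
    $listen_addrs = ([
        $facts['ipaddress'],
        $facts['ipaddress6'],
        $recdns_addrs,
    ] + $legacy_vips).flatten

    class { '::dnsrecursor':
        # version_hostname presumably exposes this host's name in the
        # recursor's version string (version.bind) -- confirm in ::dnsrecursor.
        # Acceptable only because queries are limited to internal networks.
        version_hostname  => true,
        # Recursion is granted to our own networks only. Together with the
        # ferm srange below this is the control that keeps the bound anycast
        # VIPs from becoming an open (amplification-capable) resolver.
        allow_from        => $network::constants::aggregate_networks,
        listen_addresses  => $listen_addrs,
        # Do not implicitly allow the listen addresses themselves.
        allow_from_listen => false,
        log_common_errors => 'no',
        threads           => $facts['physicalcorecount'],
        bind_service      => $bind_service,
    }

    # One identical rule per transport. drange/srange are interpolated strings;
    # every value that reaches them is typed data (facts, the Stdlib-typed
    # legacy VIP, the Wmflib-typed VIP hash, network::constants), never
    # free-form input. notrack keeps the high-volume, stateless DNS traffic
    # out of conntrack (presumably ferm::service untracks the reply path as
    # well -- confirm there).
    ['udp', 'tcp'].each |$proto| {
        ferm::service { "${proto}_dns_recursor":
            proto   => $proto,
            notrack => true,
            prio    => '07',
            port    => '53',
            drange  => "(${listen_addrs.join(' ')})",
            srange  => "(${network::constants::aggregate_networks.join(' ')})",
        }
    }

    # Only the host's own addresses are monitored here; the anycast VIPs are
    # presumably covered by profile::bird::anycast / check_dns_query -- verify.
    ::dnsrecursor::monitor { [ $facts['ipaddress'], $facts['ipaddress6'] ]: }

    # Root access for the stats exporter is pinned to one binary *and* one
    # fixed argument list, so the prometheus user cannot reach any other
    # rec_control subcommand through this entry. rec_control presumably needs
    # root for the recursor's control socket -- confirm in ::dnsrecursor.
    sudo::user { 'prometheus_sudo_for_pdns_recursor':
        user       => 'prometheus',
        privileges => ['ALL=(root) NOPASSWD: /usr/bin/rec_control get-all'],
    }
}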