22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
# File 'modules/profile/manifests/openstack/base/pdns/recursor/service.pp', line 22
class profile::openstack::base::pdns::recursor::service(
Stdlib::Fqdn $keystone_api_fqdn = lookup('profile::openstack::base::keystone_api_fqdn'),
$observer_user = lookup('profile::openstack::base::observer_user'),
$observer_password = lookup('profile::openstack::base::observer_password'),
$observer_project = lookup('profile::openstack::base::observer_project'),
$legacy_tld = lookup('profile::openstack::base::pdns::legacy_tld'),
$private_reverse_zones = lookup('profile::openstack::base::pdns::private_reverse_zones'),
$aliaser_extra_records = lookup('profile::openstack::base::pdns::recursor_aliaser_extra_records'),
Array[Stdlib::IP::Address] $extra_allow_from = lookup('profile::openstack::base::pdns::extra_allow_from', {default_value => []}),
Array[Stdlib::IP::Address] $monitoring_hosts = lookup('monitoring_hosts', {default_value => []}),
Array[OpenStack::ControlNode] $openstack_control_nodes = lookup('profile::openstack::base::openstack_control_nodes', {default_value => []}),
Array[Stdlib::IP::Address] $pdns_api_allow_from = lookup('profile::openstack::base::pdns::pdns_api_allow_from', {'default_value' => []}),
Optional[Stdlib::IP::Address::V4::Nosubnet] $bgp_vip = lookup('profile::openstack::base::pdns::recursor::bgp_vip', {'default_value' => undef}),
Array[Hash] $pdns_hosts = lookup('profile::openstack::base::pdns::hosts'),
) {
$this_host_entry = ($pdns_hosts.filter | $host | {$host['host_fqdn'] == $::fqdn})[0]
$query_local_address = $this_host_entry['auth_fqdn']
include ::network::constants
$allow_from = flatten([
$::network::constants::cloud_networks,
$extra_allow_from,
$monitoring_hosts,
$openstack_control_nodes.map |OpenStack::ControlNode $node| {
dnsquery::lookup($node['cloud_private_fqdn'], true)
}.flatten
])
# We need to alias some public IPs to their corresponding private IPs.
$aliaser_source = 'puppet:///modules/profile/openstack/base/pdns/recursor/labsaliaser.lua'
$aliaser_file = '/etc/powerdns/labs-ip-aliaser.lua'
file { $aliaser_file:
owner => 'root',
group => 'root',
mode => '0555',
source => $aliaser_source,
}
$lua_hooks = [$aliaser_file]
file { '/var/zones':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0444'
}
file { '/var/zones/labsdb':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/profile/openstack/base/pdns/recursor/labsdb.zone',
notify => Service['pdns-recursor'],
require => File['/var/zones']
}
$pdns_auth_addrs = $pdns_hosts.map |$item| { dnsquery::lookup($item['auth_fqdn'], true) }.flatten.sort.join(';')
$reverse_zone_rules = inline_template("<% @private_reverse_zones.each do |zone| %><%= zone %>=${pdns_auth_addrs}, <% end %>")
class { '::dnsrecursor':
listen_addresses => [$bgp_vip],
allow_from => $allow_from,
additional_forward_zones => "${legacy_tld}=${pdns_auth_addrs}, ${reverse_zone_rules}",
auth_zones => 'labsdb=/var/zones/labsdb',
lua_hooks => $lua_hooks,
max_negative_ttl => 30,
max_tcp_per_client => 10,
max_cache_entries => 3000000,
client_tcp_timeout => 1,
dnssec => 'off', # T226088 - off until 4.1.x
enable_webserver => debian::codename::ge('bullseye'),
api_allow_from => $pdns_api_allow_from,
query_local_address => dnsquery::lookup($query_local_address, true),
}
class { '::dnsrecursor::labsaliaser':
username => $observer_user,
password => $observer_password,
nova_api_url => "https://${keystone_api_fqdn}:25000/v3",
extra_records => $aliaser_extra_records,
observer_project_name => $observer_project,
}
firewall::service { 'recursor_udp_dns_rec':
proto => 'udp',
port => 53,
srange => $allow_from,
}
firewall::service { 'recursor_tcp_dns_rec':
proto => 'tcp',
port => 53,
srange => $allow_from,
}
ferm::rule { 'recursor_skip_dns_conntrack-out':
desc => 'Skip DNS outgoing connection tracking',
table => 'raw',
chain => 'OUTPUT',
rule => 'proto udp sport 53 NOTRACK;',
}
ferm::rule { 'recursor_skip_dns_conntrack-in':
desc => 'Skip DNS incoming connection tracking',
table => 'raw',
chain => 'PREROUTING',
rule => 'proto udp dport 53 NOTRACK;',
}
}
|