From b8b1fdde7507b6e90860cd2657686c154560d29b Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Tue, 8 Jan 2019 08:24:29 -0800
Subject: [PATCH] Nameservers are now managed with ansible

Remove the puppetry for managing nameservers as we now use ansible
configured name servers without puppet.

We will need to follow this up with deletion of the existing
ns*.openstack.org and adns1.openstack.org servers.

Change-Id: Id7ec8fa58c9e37ce94ec71e4562607914e5c3ea4
---
 hiera/common.yaml                             |   6 +-
 inventory/groups.yaml                         |   5 -
 inventory/openstack.yaml                      |  24 ----
 manifests/site.pp                             |  46 -------
 modules.env                                   |   1 -
 .../manifests/master_nameserver.pp            | 130 ------------------
 .../test-fixtures/results.yaml                |   5 +-
 7 files changed, 5 insertions(+), 212 deletions(-)
 delete mode 100644 modules/openstack_project/manifests/master_nameserver.pp

diff --git a/hiera/common.yaml b/hiera/common.yaml
index 545f35bb2e..649de28949 100644
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@@ -233,7 +233,7 @@ meetbot_channels:
 - '#tripleo'
 - '#zuul'
 cacti_hosts:
-- adns1.openstack.org
+- adns1.opendev.org
 - afs01.dfw.openstack.org
 - afs02.dfw.openstack.org
 - afs01.ord.openstack.org
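Review bot: Replacing `adns1.openstack.org` with `adns1.opendev.org` in `cacti_hosts` (and `ns1`/`ns2` in the next hunk of this file) removes the old hosts from monitoring, while the commit message says the old servers are only deleted in a follow-up. Until that deletion happens, the old nameservers would presumably keep running with no puppet management and no graphing. The removed `master_nameserver.pp` shows the old master holds the TSIG key and the DNSSEC private keys under `/etc/bind`. Consider keeping the old entries next to the new ones until the servers are actually deleted, or landing the server deletion together with this change. If the `tsig_key` and `dnssec_keys` values in hiera are shared with the replacement servers (not visible here), prompt retirement of the old hosts matters more.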
@@ -302,8 +302,8 @@ cacti_hosts:
 - nl02.openstack.org
 - nl03.openstack.org
 - nl04.openstack.org
-- ns1.openstack.org
-- ns2.openstack.org
+- ns1.opendev.org
+- ns2.opendev.org
 - openstackid.org
 - paste.openstack.org
 - pbx.openstack.org
diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index a5b21af5b6..34656174ee 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -35,7 +35,6 @@ groups:
   files: files[0-9]*.open*.org
   firehose: firehose[0-9]*.open*.org
   futureparser:
-    - adns[0-9]*.openstack.org
     - ask-staging[0-9]*.open*.org
     - cacti[0-9]*.open*.org
     - codesearch[0-9]*.open*.org
@@ -62,7 +61,6 @@ groups:
     - mirror[0-9]*.*.*.open*.org
     - nb[0-9]*.open*.org
     - nl[0-9]*.open*.org
-    - ns[0-9]*.openstack.org
     - paste[0-9]*.open*.org
     - pbx*.open*.org
     - planet[0-9]*.open*.org
@@ -122,7 +120,6 @@ groups:
   pbx:
     - pbx*.open*.org
   puppet:
-    - adns1.openstack.org
     - afs[0-9]*.open*.org
     - afsdb[0-9]*.open*.org
     - ask*.open*.org
@@ -152,8 +149,6 @@ groups:
     - mirror[0-9]*.open*.org
     - nb[0-9]*.open*.org
     - nl[0-9]*.open*.org
-    - ns1.openstack.org
-    - ns2.openstack.org
     - openstackid-dev*.open*.org
     - openstackid.org
     - paste[0-9]*.open*.org
diff --git a/inventory/openstack.yaml b/inventory/openstack.yaml
index 5e3ae9d0a2..d69ede3cf4 100644
--- a/inventory/openstack.yaml
+++ b/inventory/openstack.yaml
@@ -8,14 +8,6 @@ all:
       private_v4: 10.209.134.4
       public_v4: 104.239.146.24
       public_v6: 2001:4800:7819:104:be76:4eff:fe04:43d0
-    adns1.openstack.org:
-      ansible_host: 2001:4801:7824:101:be76:4eff:fe10:c98e
-      location:
-        cloud: openstackci-rax
-        region_name: ORD
-      private_v4: 10.209.103.102
-      public_v4: 23.253.63.149
-      public_v6: 2001:4801:7824:101:be76:4eff:fe10:c98e
     afs01.dfw.openstack.org:
       ansible_host: 2001:4800:7818:103:be76:4eff:fe04:a376
       location:
@@ -768,14 +760,6 @@ all:
       private_v4: 10.209.133.154
       public_v4: 104.239.140.165
       public_v6: 2001:4800:7819:104:be76:4eff:fe04:38f0
-    ns1.openstack.org:
-      ansible_host: 2001:4800:7817:103:be76:4eff:fe04:3fc7
-      location:
-        cloud: openstackci-rax
-        region_name: DFW
-      private_v4: 10.208.160.121
-      public_v4: 23.253.236.219
-      public_v6: 2001:4800:7817:103:be76:4eff:fe04:3fc7
     ns2.opendev.org:
       ansible_host: 2604:e100:1:0:f816:3eff:fe2c:7447
       location:
@@ -784,14 +768,6 @@ all:
       private_v4: ''
       public_v4: 162.253.55.16
       public_v6: 2604:e100:1:0:f816:3eff:fe2c:7447
-    ns2.openstack.org:
-      ansible_host: 2604:e100:1:0:f816:3eff:fe53:ee69
-      location:
-        cloud: openstackci-vexxhost
-        region_name: ca-ymq-1
-      private_v4: ''
-      public_v4: 162.253.55.139
-      public_v6: 2604:e100:1:0:f816:3eff:fe53:ee69
     openstackid-dev.openstack.org:
       ansible_host: 2001:4800:7819:103:be76:4eff:fe05:3d
       location:
diff --git a/manifests/site.pp b/manifests/site.pp
index afa74f1554..f1c0933108 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -696,52 +696,6 @@ node /^survey\d+\.open.*\.org$/ {
   }
 }
 
-# This is a hidden authoritative master nameserver, not publicly
-# accessible.
-# Node-OS: xenial
-node /^adns\d+\.open.*\.org$/ {
-  $group = 'adns'
-
-  class { 'openstack_project::server': }
-
-  class { 'openstack_project::master_nameserver':
-    tsig_key => hiera('tsig_key', {}),
-    dnssec_keys => hiera_hash('dnssec_keys', {}),
-    notifies => concat(dns_a('ns1.openstack.org'), dns_a('ns2.openstack.org')),
-  }
-}
-
-# These are publicly accessible authoritative slave nameservers.
-# Node-OS: xenial
-node /^ns\d+\.open.*\.org$/ {
-  $group = 'ns'
-
-  class { 'openstack_project::server': }
-
-  $tsig_key = hiera('tsig_key', {})
-  if $tsig_key != {} {
-    $tsig_name = 'tsig'
-    nsd::tsig { 'tsig':
-      algo => $tsig_key[algorithm],
-      data => $tsig_key[secret],
-    }
-  } else {
-    $tsig_name = undef
-  }
-
-  class { '::nsd':
-    ip_addresses => [ $::ipaddress, $::ipaddress6 ],
-    zones => {
-      'adns1_zones' => {
-        allow_notify => dns_a('adns1.openstack.org'),
-        masters => dns_a('adns1.openstack.org'),
-        zones => ['zuul-ci.org', 'zuulci.org'],
-        tsig_name => $tsig_name,
-      }
-    }
-  }
-}
-
 # Node-OS: xenial
 node /^nl\d+\.open.*\.org$/ {
   $group = 'nodepool'
diff --git a/modules.env b/modules.env
index 8d9fe1dda1..89464a0ef8 100644
--- a/modules.env
+++ b/modules.env
@@ -44,7 +44,6 @@ SOURCE_MODULES["https://github.com/dalen/puppet-dnsquery"]="2.0.1"
 SOURCE_MODULES["https://github.com/deric/puppet-zookeeper"]="v0.5.5"
 SOURCE_MODULES["https://github.com/duritong/puppet-sysctl"]="v0.0.11"
 # initfact is a dep of biemond-wildfly
-SOURCE_MODULES["https://github.com/icann-dns/puppet-nsd"]="0.1.10"
 SOURCE_MODULES["https://github.com/jethrocarr/puppet-initfact"]="1.0.1"
 SOURCE_MODULES["https://github.com/jfryman/puppet-selinux"]="v0.2.5"
 SOURCE_MODULES["https://github.com/maestrodev/puppet-wget"]="v1.6.0"
diff --git a/modules/openstack_project/manifests/master_nameserver.pp b/modules/openstack_project/manifests/master_nameserver.pp
deleted file mode 100644
index cb2ca0ccac..0000000000
--- a/modules/openstack_project/manifests/master_nameserver.pp
+++ /dev/null
@@ -1,130 +0,0 @@
-define openstack_project::master_zone (
-  $source = undef,
-) {
-  concat::fragment { "dns_zones+10_${name}.dns":
-    target  => $::dns::publicviewpath,
-    content => template('openstack_project/nameserver/bind.zone.erb'),
-    order   => "10-${name}",
-  }
-  file { "/var/lib/bind/zones/${name}":
-    ensure  => directory,
-    owner   => 'bind',
-    group   => 'bind',
-    mode    => 'u+rwX,g+rX,o+rX',
-    source  => $source,
-    recurse => remote,
-    require => File['/var/lib/bind/zones'],
-    notify  => Exec['rndc_reload'],
-  }
-  file { "/etc/bind/keys/${name}":
-    require => File['/etc/bind/keys'],
-    ensure  => directory,
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0750',
-  }
-}
-
-define openstack_project::dnssec_key (
-  $public = undef,
-  $private = undef,
-  $zone = undef,
-) {
-  file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.key":
-    ensure  => present,
-    content => $public,
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0440',
-    require => File["/etc/bind/keys/${zone}"],
-  }
-  file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.private":
-    ensure  => present,
-    content => $private,
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0440',
-    require => File["/etc/bind/keys/${zone}"],
-  }
-}
-
-define openstack_project::bind_key (
-  $key = undef,
-) {
-  file { "/etc/bind/${name}.key":
-    require => Package[$::dns::dns_server_package],
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0440',
-    content => template('openstack_project/nameserver/bind.key.erb'),
-  }
-}
-
-class openstack_project::master_nameserver (
-  $tsig_key = undef,
-  $dnssec_keys = undef,
-  $notifies = undef,
-) {
-
-  $also_notify = join($notifies, ';')
-
-  class { '::haveged': }
-
-  class { '::dns':
-    dns_notify         => yes,
-    listen_on_v6       => "${::ipaddress6}",
-    additional_directives => [
-      'include "/etc/bind/tsig.key";',
-    ],
-    additional_options => {
-      'listen-on' => "{ ${::ipaddress}; }",
-      # Notify requests can also be TSIG signed, but the current version
-      # of the NSD puppet module doesn't let us configure that easily.
-      'also-notify' => "{ ${also_notify}; }",
-      # Bind doesn't make it easy (or possible?) to restrict transfers by
-      # ip address and TSIG, so we only use the TSIG key here.
-      'allow-transfer' => "{ key tsig; }",
-    }
-  }
-
-  file { '/etc/bind/keys':
-    require => Package[$::dns::dns_server_package],
-    ensure  => directory,
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0750',
-  }
-  file { '/var/lib/bind/zones':
-    require => Package[$::dns::dns_server_package],
-    ensure  => directory,
-  }
-
-  openstack_project::bind_key { 'tsig':
-    key => $tsig_key,
-  }
-
-  create_resources(openstack_project::dnssec_key, $dnssec_keys)
-
-  # Per zone configuration
-  vcsrepo { '/opt/zone-zuul-ci.org':
-    ensure   => latest,
-    provider => git,
-    revision => 'master',
-    source   => 'https://git.openstack.org/openstack-infra/zone-zuul-ci.org',
-  }
-  openstack_project::master_zone { 'zuul-ci.org':
-    source  => 'file:///opt/zone-zuul-ci.org/zones/zuul-ci.org',
-    require => Vcsrepo['/opt/zone-zuul-ci.org'],
-  }
-  openstack_project::master_zone { 'zuulci.org':
-    source  => 'file:///opt/zone-zuul-ci.org/zones/zuulci.org',
-    require => Vcsrepo['/opt/zone-zuul-ci.org'],
-  }
-
-  exec { 'rndc_reload' :
-    command     => 'rndc reload',
-    path        => '/sbin:/usr/sbin:/bin:/usr/bin',
-    refreshonly => true,
-  }
-
-}
diff --git a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
index f5f43b59dd..fae6798bbc 100644
--- a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
+++ b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
@@ -3,10 +3,9 @@
 
 results:
 
-  adns1.openstack.org:
+  adns1.opendev.org:
     - adns
-    - puppet
-    - futureparser
+    - dns
 
   afs01.dfw.openstack.org:
     - afs