openstack/designate
Code Issues Proposed changes
master
designate/devstack/designate_plugins/backend-multipool-bind9
dekehn 0e9294aca1 Multi-pools implementation 
This sets up 2 pools with an instance of named running in both. The
second is denoted by /etc/bind-2 and var/cache/named-2 as its
locations. The build up of the /etc/designate/pools.yaml reflects
the changes.

Co-Authored-By: Don Kehn <dekehn@gmail.com>
Co-Authored-By: Omer Schwartz <oschwart@redhat.com>
Change-Id: Icf73e730b31ab26b8be65347239636c0137ab4bd
2024-08-09 18:06:54 +02:00

388 lines
13 KiB
Bash
Raw Permalink Blame History

#!/usr/bin/env bash
# Configure the bind9 pool backend for a multi-pool implementation
# Enable with:
# DESIGNATE_BACKEND_DRIVER=multipool-bind9
# Dependencies:
# ``functions`` file
# ``designate`` configuration
# install_designate_backend - install any external requirements
# configure_designate_backend - make configuration changes, including those to other services
# init_designate_backend - initialize databases, etc.
# start_designate_backend - start any external services
# stop_designate_backend - stop any external services
# cleanup_designate_backend - remove transient data and cache
# Save trace setting
DP_BIND9_XTRACE=$(set +o | grep xtrace)
set +o xtrace
# Defaults
# --------
BIND2_DNS_PORT=${DESIGNATE_SERVICE_PORT2_DNS:-1053}
BIND_SERVICE_NAME=bind9
BIND2_SERVICE_NAME=bind9-2
BIND2_DEFAULT_FILE=/etc/default/named-2
BIND2_SERVICE_FILE=/etc/systemd/system/$BIND2_SERVICE_NAME.service
BIND_CFG_DIR=/etc/bind
BIND2_CFG_DIR=/etc/bind-2
BIND2_TSIGKEY_FILE=$BIND2_CFG_DIR/named.conf.tsigkeys
BIND_VAR_DIR=/var/cache/bind
BIND2_VAR_DIR=/var/cache/bind-2
BIND_RUN_DIR=/run/named
BIND2_RUN_DIR=/run/named-2
BIND_CFG_FILE=$BIND_CFG_DIR/named.conf.options
BIND2_CFG_FILE=$BIND2_CFG_DIR/named.conf.options
BIND_USER=bind
BIND_GROUP=bind
DESIGNATE_SERVICE_PORT_RNDC=${DESIGNATE_SERVICE_PORT_RNDC:-953}
DESIGNATE_SERVICE_PORT2_RNDC=${DESIGNATE_SERVICE_PORT2_RNDC:-1953}
if is_fedora; then
BIND_SERVICE_NAME=named
BIND2_SERVICE_NAME=named-2
BIND2_SERVICE_FILE=/etc/systemd/system/$BIND2_SERVICE_NAME.service
BIND_CFG_DIR=/etc/$BIND_SERVICE_NAME
BIND2_CFG_DIR=/etc/$BIND2_SERVICE_NAME
BIND_CFG_FILE=/etc/$BIND_SERVICE_NAME.conf
BIND2_CFG_FILE=/etc/$BIND2_SERVICE_NAME.conf
BIND_VAR_DIR=/var/$BIND_SERVICE_NAME
BIND2_VAR_DIR=/var/$BIND2_SERVICE_NAME
BIND_USER=named
BIND_GROUP=named
BIND2_UNIT_CFG_FILE=/etc/sysconfig/$BIND2_SERVICE_NAME
BIND2_TSIGKEY_FILE=$BIND2_CFG_DIR/named.conf.tsigkeys
fi
# Entry Points
# ------------
# install_designate_backend - install any external requirements
function install_designate_backend {
# The user that designate runs as needs to be member of **$BIND_GROUP** group.
# The designate bind9 backend needs read/write access to $BIND_VAR_DIR
sudo groupadd -f $BIND_GROUP
add_user_to_group $STACK_USER $BIND_GROUP
sudo mkdir -p $BIND2_CFG_DIR
sudo chown -R $STACK_USER:$BIND_GROUP $BIND2_CFG_DIR
sudo mkdir -p $BIND2_RUN_DIR
sudo chgrp $BIND_GROUP $BIND2_RUN_DIR
if is_ubuntu; then
install_package bind9
# generate a defaults/named2 file
sudo tee $BIND2_DEFAULT_FILE >/dev/null <<EOF
# startup options for the server
OPTIONS="-u bind -c $BIND2_CFG_DIR/named.conf -p $BIND2_DNS_PORT -D named-2"
EOF
# copy the default bind to the bind-2 & make sure the dirs are pointint to bind-2
sudo cp -a $BIND_CFG_DIR/named.conf $BIND2_CFG_DIR/named.conf
sudo sed -i 's/bind/bind-2/g' $BIND2_CFG_DIR/named.conf
# Copy the necessary configuration file and set the bind-2 directories
sudo cp -a $BIND_CFG_DIR/zones.rfc1918 $BIND2_CFG_DIR
sudo cp -a $BIND_CFG_DIR/named.conf.local $BIND2_CFG_DIR
sudo cp -a $BIND_CFG_DIR/named.conf.default-zones $BIND2_CFG_DIR
sudo sed -i 's/bind/bind-2/g' $BIND2_CFG_DIR/named.conf.local
sudo sed -i 's/bind/bind-2/g' $BIND2_CFG_DIR/named.conf.default-zones
# copy db files
for db_file in db.local db.127 db.0 db.255; do
cp -a $BIND_CFG_DIR/${db_file} $BIND2_CFG_DIR
done
# create a second service file
sudo cp -a /lib/systemd/system/named.service $BIND2_SERVICE_FILE
iniset -sudo $BIND2_SERVICE_FILE "Service" "EnvironmentFile" "$BIND2_DEFAULT_FILE"
iniset -sudo $BIND2_SERVICE_FILE "Service" "PIDFile" "$BIND2_RUN_DIR/named.pid"
iniset -sudo $BIND2_SERVICE_FILE "Install" "Alias" "$BIND2_SERVICE_NAME.service"
sudo chmod g+s $BIND2_CFG_DIR
elif is_fedora; then
install_package bind
set -o xtrace
# Copy the necessary configuration files and set the named-2 directories
for d in $(ls /etc/named.*); do
cpfile=$(echo $d | sed 's/named/named-2/')
sudo cp $d $cpfile
sudo chown -R $BIND_USER:$BIND_GROUP $cpfile
if [[ "$d" == *"named.conf"* ]]; then
sudo sed -i 's/port 53/port '$BIND2_DNS_PORT'/g' $cpfile
sudo sed -i 's/named/named-2/g' $cpfile
fi
sudo sed -i 's/bind/bind-2/g' $cpfile
done
# create a second service file & and set options into the units params file.
sudo cp /etc/sysconfig/named $BIND2_UNIT_CFG_FILE
sudo chown $STACK_USER:$BIND_GROUP $BIND2_UNIT_CFG_FILE
sudo chmod 644 $BIND2_UNIT_CFG_FILE
OPTIONS='OPTIONS="-p '$BIND2_DNS_PORT' -D '$BIND2_SERVICE_NAME'"'
NAMEDCONF="NAMEDCONF='$BIND2_CFG_FILE'"
sudo echo "$OPTIONS" >>$BIND2_UNIT_CFG_FILE
sudo echo "$NAMEDCONF" >>$BIND2_UNIT_CFG_FILE
sudo cp -a /lib/systemd/system/named.service $BIND2_SERVICE_FILE
# set the various declarations
iniset -sudo $BIND2_SERVICE_FILE "Service" "Environment=NAMEDCONF" "$BIND2_CFG_FILE"
iniset -sudo $BIND2_SERVICE_FILE "Service" "EnvironmentFile" "$BIND2_UNIT_CFG_FILE"
iniset -sudo $BIND2_SERVICE_FILE "Service" "Environment=KRB5_KTNAME" "$BIND2_CFG_DIR.keytab"
iniset -sudo $BIND2_SERVICE_FILE "Service" "PIDFile" "$BIND2_RUN_DIR/named.pid"
sudo chmod 750 $BIND2_CFG_DIR
fi
sudo chown -R $BIND_USER:$BIND_GROUP $BIND2_RUN_DIR
sudo chown -R $BIND_USER:$BIND_GROUP $BIND_RUN_DIR
# copy the /var/named default data
sudo cp -arf $BIND_VAR_DIR $BIND2_VAR_DIR
for cfg_dir in "$BIND_CFG_DIR" "$BIND2_CFG_DIR"; do
sudo chmod -R g+r $cfg_dir
done
for var_dir in "$BIND_VAR_DIR" "$BIND2_VAR_DIR"; do
sudo chmod -R g+rw $var_dir
done
# Customize Bind9 apparmor profile if installed, include the necessary bits
# for the second named instance, bind-2 and named-2
if [[ -d /etc/apparmor.d ]]; then
sudo tee /etc/apparmor.d/local/usr.sbin.named >/dev/null <<EOF
$DESIGNATE_STATE_PATH/bind9/** rw,
/etc/bind-2/** r,
/var/cache/bind-2/** lrw,
/var/cache/bind-2/_default.nzd-lock rwk,
/{,var/}run/named-2/named.pid w,
/{,var/}run/named-2/session.key w,
/var/log/named-2/** rw,
/var/log/named-2/ rw,
EOF
restart_service apparmor || :
fi
}
# configure_designate_backend - make configuration changes, including those to other services
function configure_designate_backend {
# Generate Designate pool.yaml file
sudo tee $DESIGNATE_CONF_DIR/pools.yaml >/dev/null <<EOF
---
- name: default
description: DevStack BIND Pool
attributes: {
"pool_level": "default"
}
ns_records:
- hostname: $DESIGNATE_DEFAULT_NS_RECORD
priority: 1
nameservers:
- host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST)
port: $DESIGNATE_SERVICE_PORT_DNS
targets:
- type: bind9
description: BIND Instance
masters:
- host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST)
port: $DESIGNATE_SERVICE_PORT_MDNS
options:
host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST)
port: $DESIGNATE_SERVICE_PORT_DNS
rndc_host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST)
rndc_port: $DESIGNATE_SERVICE_PORT_RNDC
rndc_config_file: $BIND_CFG_DIR/rndc.conf
- name: secondary_pool
description: DevStack BIND Pool 2
attributes: {
"pool_level": "secondary"
}
ns_records:
- hostname: $DESIGNATE_DEFAULT_NS2_RECORD
priority: 1
nameservers:
- host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST2)
port: $DESIGNATE_SERVICE_PORT2_DNS
targets:
- type: bind9
description: BIND Instance 2nd pool
masters:
- host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST2)
port: $DESIGNATE_SERVICE_PORT2_MDNS
options:
host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST2)
port: $DESIGNATE_SERVICE_PORT2_DNS
rndc_host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST2)
rndc_port: $DESIGNATE_SERVICE_PORT2_RNDC
rndc_config_file: $BIND2_CFG_DIR/rndc.conf
rndc_key_file: $BIND2_CFG_DIR/rndc.key
clean_zonefile: true
EOF
# Configure Bind #1 instance
sudo chown $STACK_USER $BIND_CFG_DIR
# create rndc key and config
sudo rndc-confgen -a -c $BIND_CFG_DIR/rndc.key
sudo chown $BIND_USER:$BIND_GROUP $BIND_CFG_DIR/rndc.key
sudo chmod g+r $BIND_CFG_DIR/rndc.key
sudo tee $BIND_CFG_FILE >/dev/null <<EOF
include "$BIND_CFG_DIR/rndc.key";
options {
directory "$BIND_VAR_DIR";
allow-new-zones yes;
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on port $DESIGNATE_SERVICE_PORT_DNS { $HOST_IP; };
listen-on-v6 port $DESIGNATE_SERVICE_PORT_DNS { $HOST_IPV6; };
recursion no;
pid-file "$BIND_RUN_DIR/named.pid";
session-keyfile "$BIND_RUN_DIR/session.key";
minimal-responses yes;
};
controls {
inet $(ipv6_unquote $DESIGNATE_SERVICE_HOST) port $DESIGNATE_SERVICE_PORT_RNDC allow { $(ipv6_unquote $DESIGNATE_SERVICE_HOST); } keys { "rndc-key"; };
};
EOF
# Configure Bind #2 instance
sudo chown $STACK_USER $BIND2_CFG_DIR
# Create the tsigkeys for the secondary pool & add it to the bind-2
# named.conf file.
sudo rm -rf $BIND2_TSIGKEY_FILE
sudo tsig-keygen -a hmac-sha256 poolsecondarykey >$BIND2_TSIGKEY_FILE
NAME=$(cat $BIND2_TSIGKEY_FILE | grep 'key' |
awk '{split($0, a, " "); print a[2];}' |
sed -e 's/^"//' -e 's/"$//' |
awk '{split($0, a, "{"); print a[1];}')
sudo echo -e "server $HOST_IP {\n keys { $NAME };\n};" >>$BIND2_TSIGKEY_FILE
# create rndc key and config
sudo rndc-confgen -a -p $DESIGNATE_SERVICE_PORT2_RNDC -c $BIND2_CFG_DIR/rndc.key
sudo chown $BIND_USER:$BIND_GROUP $BIND2_CFG_DIR/rndc.key
sudo chmod g+r $BIND2_CFG_DIR/rndc.key
sudo tee $BIND2_CFG_FILE >/dev/null <<EOF
include "$BIND2_CFG_DIR/rndc.key";
options {
directory "$BIND2_VAR_DIR";
allow-new-zones yes;
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on port $DESIGNATE_SERVICE_PORT2_DNS { $HOST_IP; };
listen-on-v6 port $DESIGNATE_SERVICE_PORT2_DNS { $HOST_IPV6; };
recursion no;
pid-file "$BIND2_RUN_DIR/named.pid";
session-keyfile "$BIND2_RUN_DIR/session.key";
minimal-responses yes;
};
controls {
inet $(ipv6_unquote $DESIGNATE_SERVICE_HOST2) port $DESIGNATE_SERVICE_PORT2_RNDC allow { $(ipv6_unquote $DESIGNATE_SERVICE_HOST2); } keys { "rndc-key"; };
};
include "$BIND2_TSIGKEY_FILE";
EOF
# Configure RNDC #1
sudo tee $BIND_CFG_DIR/rndc.conf >/dev/null <<EOF
include "$BIND_CFG_DIR/rndc.key";
options {
default-key "rndc-key";
default-server $(ipv6_unquote $DESIGNATE_SERVICE_HOST);
default-port $DESIGNATE_SERVICE_PORT_RNDC;
};
EOF
# Configure RNDC #r2
sudo tee $BIND2_CFG_DIR/rndc.conf >/dev/null <<EOF
include "$BIND2_CFG_DIR/rndc.key";
options {
default-key "rndc-key";
default-server $(ipv6_unquote $DESIGNATE_SERVICE_HOST);
default-port $DESIGNATE_SERVICE_PORT2_RNDC;
};
EOF
sudo chown $BIND_USER:$BIND_GROUP $BIND_CFG_FILE $BIND_CFG_DIR/rndc.conf
sudo chmod g+r $BIND_CFG_FILE $BIND_CFG_DIR/rndc.conf
sudo chown $BIND_USER:$BIND_GROUP $BIND2_CFG_FILE $BIND_CFG_DIR/rndc.conf
sudo chmod g+r $BIND_CFG_FILE $BIND2_CFG_DIR/rndc.conf
start_service $BIND2_SERVICE_NAME
restart_service $BIND_SERVICE_NAME
restart_service $BIND2_SERVICE_NAME
}
# init_designate_backend - initialize databases, etc.
function init_designate_backend {
:
}
# start_designate_backend - start any external services
function start_designate_backend {
start_service $BIND_SERVICE_NAME
start_service $BIND2_SERVICE_NAME
}
# stop_designate_backend - stop any external services
function stop_designate_backend {
stop_service $BIND_SERVICE_NAME
stop_service $BIND2_SERVICE_NAME
}
# cleanup_designate_backend - remove transient data and cache
function cleanup_designate_backend {
sudo sh -c "rm -rf $BIND_VAR_DIR/*.nzf"
sudo sh -c "rm -rf $BIND_VAR_DIR/slave.*"
sudo rm -f $BIND_CFG_DIR/rndc.key
sudo rm -f $BIND2_TSIGKEY_FILE
if [ -d $BIND2_CFG_DIR ]; then
sudo sh -c "rm -rf $BIND2_VAR_DIR/*.nzf"
sudo sh -c "rm -rf $BIND2_VAR_DIR/slave.*"
sudo rm -f $BIND2_CFG_DIR/rndc.key
# remove the tsigkey from named conf file.
sudo sed -i 'tsigkeys/d' $BIND2_CFG_DIR/named.conf
RM_CMD="sudo rm -rf"
RM_LIST="$BIND2_CFG_DIR* $BIND2_VAR_DIR $BIND2_RUN_DIR $BIND2_SERVICE_FILE"
for rc in $RM_LIST; do
echo "$RM_CMD $rc"
$RM_CMD $rc
done
if is_fedora; then
sudo rm -f $BIND2_UNIT_CFG_FILE
fi
fi
sudo systemctl reset-failed
}
# Restore xtrace
$DP_BIND9_XTRACE
View Git Blame Copy Permalink