Add unbound role

As mentioned in the README, this adds the dynamic configuration for
unbound on hosts. If there is a ipv6 route, it will set forwarding to
ipv6 servers, otherwise use ipv4. This is ported from the
configure_mirror.sh script.

We add a basic test to integration tests

Change-Id: I70b41e45f3d53b191742533c2f3b6c0b6e6c2339

roles/configure-unbound/README.rst

@@ -0,0 +1,27 @@
+An ansible role to dynamically configure DNS forwarders for the
+``unbound`` caching service.  IPv6 will be preferred when there is a
+usable IPv6 default route, otherwise IPv4.
+
+.. note:: This is not a standalone unbound configuration role.  Base
+          setup is done during image builds in
+          ``project-config:nodepool/elements/nodepool-base/finalise.d/89-unbound``;
+          here we just do dynamic configuration of forwarders based on
+          the interfaces available on the actual host.
+
+**Role Variables**
+
+.. zuul:rolevar:: primary_nameserver_v4
+
+   The primary IPv4 nameserver for fowarding requests
+
+.. zuul:rolevar:: primary_nameserver_v6
+
+   The primary IPv6 nameserver for fowarding requests
+
+.. zuul:rolevar:: secondary_nameserver_v4
+
+   The secondary IPv4 nameserver for fowarding requests
+
+.. zuul:rolevar:: secondary_nameserver_v6
+
+   The seconary IPv6 nameserver for fowarding requests

roles/configure-unbound/defaults/main.yaml

@@ -0,0 +1,7 @@
+# OpenDNS
+primary_nameserver_v6: "2620:0:ccc::2"
+primary_nameserver_v4: "208.67.222.222"
+
+# Google
+secondary_nameserver_v6: "2001:4860:4860::8888"
+secondary_nameserver_v4: "8.8.8.8"

roles/configure-unbound/tasks/main.yaml

@@ -0,0 +1,43 @@
+- name: Ensure /etc/unbound exists
+  become: yes
+  file:
+    path: /etc/unbound
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+# Use *only* ipv6 resolvers if ipv6 is present and routable
+# (ansible_default_ipv6 should only be defined for a global, routable
+# address). This avoids traversing potential NAT when using ipv4 which
+# can be unreliable.
+- name: Set IPv6 nameservers
+  when: ansible_default_ipv6.address is defined
+  set_fact:
+    primary_nameserver: '{{ primary_nameserver_v6 }}'
+    secondary_nameserver: '{{ secondary_nameserver_v6 }}'
+
+# Fallback to default ipv4 if there is no ipv6 available as this
+# causes timeouts and failovers that are unnecesary.
+- name: Set IPv4 nameservers
+  when:
+    - ansible_default_ipv6.address is not defined
+  set_fact:
+    primary_nameserver: '{{ primary_nameserver_v4 }}'
+    secondary_nameserver: '{{ secondary_nameserver_v4 }}'
+
+- name: Configure unbound fowarding
+  become: yes
+  template:
+    dest: '/etc/unbound/forwarding.conf'
+    owner: root
+    group: root
+    mode: 0644
+    src: forwarding.conf.j2
+
+- name: restart unbound
+  become: yes
+  service:
+    name: unbound
+    state: restarted
+    enabled: yes

roles/configure-unbound/templates/forwarding.conf.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+forward-zone:
+  name: "."
+  forward-addr: {{ primary_nameserver }}
+  forward-addr: {{ secondary_nameserver }}

tests/base.yaml

@@ -1,4 +1,4 @@
 # Roles that are part of the 'base' job
-
+- include: configure-unbound.yaml
 - include: mirror-info.yaml
 - include: configure-mirrors.yaml

tests/configure-unbound.yaml

@@ -0,0 +1,13 @@
+- name: Test the configure-unbound role
+  hosts: all
+  roles:
+    - role: configure-unbound
+  post_tasks:
+    - name: Check for /etc/unbound/forwarding.conf
+      stat: path=/etc/unbound/forwarding.conf
+      register: f
+    - name: Check forwarding file
+      assert:
+        that:
+          - f.stat.exists
+          - f.stat.isreg