[CORD-2270]
Support head node on Ubuntu 16.04 (Xenial)
Change-Id: Ic13ea784b8fa55a481f08d21f5187fd37d13499c
diff --git a/roles/dns-unbound/defaults/main.yml b/roles/dns-unbound/defaults/main.yml
index a3f4aa7..6dec81b 100644
--- a/roles/dns-unbound/defaults/main.yml
+++ b/roles/dns-unbound/defaults/main.yml
@@ -15,37 +15,34 @@
# dns-unbound/defaults/main.yml
-unbound_conf: "/etc/unbound/unbound.conf"
-unbound_group: "unbound"
-
-unbound_listen_on_default: False
-
-unbound_listen_all: True
-
-# NOTE - many of the below settings are shared with the dns-nsd role, and you
-# may need to update them in the defaults of both.
-
+# Shared settings
site_name: placeholder-sitename
site_suffix: "{{ site_name }}.test"
headnode_dns: head1
-# Management IP range from DHCP settings
-mgmt_ipv4_first_octets: "192.168.200"
-mgmt_name_reverse_unbound: "168.192.in-addr.arpa"
-
-unbound_interfaces:
- - "{{ mgmt_ipv4_first_octets }}.1/24"
+management_net_cidr: "192.168.200.0/24"
# node lists
head_lxd_list: []
physical_node_list: []
+# NOTE - many of the below settings are shared with the dns-nsd role, and you
+# may need to update them in the defaults of both.
+
+nsd_ip: 127.0.0.1
+
+unbound_conf: "/etc/unbound/unbound.conf"
+unbound_group: "unbound"
+
+unbound_listen_on_default: False
+unbound_listen_all: True
+unbound_listen_zones: True
+
# DNS settings for NSD/Unbound
nsd_zones:
- name: "{{ site_suffix }}"
- ipv4_first_octets: "{{ mgmt_ipv4_first_octets }}"
- name_reverse_unbound: "{{ mgmt_name_reverse_unbound }}"
+ cidr: "{{ management_net_cidr }}"
soa: ns1
ns:
- { name: ns1 }
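Review bot: `unbound_listen_all: True` comes back as the shipped default with no comment on its effect; in the template's last hunk `access-control: 0.0.0.0/0 allow` appears to be the line this flag guards (its `{% if %}` is outside that hunk), so the defaults make unbound answer queries from any source address that reaches a bound interface. A comment above the flag such as `# unbound_listen_all: allow queries from any address (0.0.0.0/0); set False where the head node is reachable from untrusted networks` would make that trade-off visible to anyone copying these defaults. The three `unbound_listen_*` flags are also written `True`/`False`, which yamllint's `truthy` rule flags; Ansible reads lowercase `true`/`false` identically.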
diff --git a/roles/dns-unbound/tasks/main.yml b/roles/dns-unbound/tasks/main.yml
index d2fe1a6..c4672d0 100644
--- a/roles/dns-unbound/tasks/main.yml
+++ b/roles/dns-unbound/tasks/main.yml
@@ -23,6 +23,16 @@
cache_valid_time: 3600
with_items:
- unbound
+ register: unbound_install
+
+- name: Stop unbound until configured
+ when: unbound_install.changed
+ service:
+ name: unbound
+ enabled: no
+ state: stopped
+ tags:
+ - skip_ansible_lint # need to down service before configured
- name: create unbound.conf from template
template:
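Review bot: The new `Stop unbound until configured` task sets `enabled: no` as well as `state: stopped`, so on a host where the package install reported a change the service is also removed from boot start, and nothing in this hunk or the next one turns it back on — the following hunk drops `start-unbound` from the template's `notify`, leaving only `reload-unbound`. Unless a later task outside these hunks sets `enabled: yes` / `state: started`, a freshly installed head node would be left with unbound disabled after a reboot; if such a task exists, a comment here such as `# re-enabled and started in <later task name> once the config is in place` (placeholder) would save the next reader the search. Consider whether `enabled: no` is needed at all, since `state: stopped` alone keeps the unconfigured service down for the rest of the play, and `no` should be `false` per yamllint's `truthy` rule. The install task this `register` belongs to begins outside the hunk.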
@@ -33,7 +43,6 @@
group: "{{ unbound_group }}"
# validate='unbound-checkconf %s' - can't use, checks path, not just config.
notify:
- - start-unbound
- reload-unbound
- name: flush unbound handlers
diff --git a/roles/dns-unbound/templates/unbound.conf.j2 b/roles/dns-unbound/templates/unbound.conf.j2
index 59c44e9..121a706 100644
--- a/roles/dns-unbound/templates/unbound.conf.j2
+++ b/roles/dns-unbound/templates/unbound.conf.j2
@@ -1,4 +1,4 @@
-
+# created by dns-unbound/templates/unbound.conf.j2
{#
Copyright 2017-present Open Networking Foundation
@@ -15,21 +15,21 @@
limitations under the License.
#}
-
-# unbound.conf (configured by Ansible)
-
server:
{% if unbound_listen_on_default %}
- interface: {{ ansible_default_ipv4.address }}
+ # created by unbound_listen_on_default
+ interface: {{ ansible_default_ipv4.address }}
{% endif %}
-{% if unbound_interfaces is defined %}
-{% for cidr_ipv4 in unbound_interfaces %}
- interface: {{ cidr_ipv4 | ipaddr('address') }}
+{% if unbound_listen_zones %}
+{% for zone in nsd_zones %}
+ # created by nsd_zones: {{ zone.name }}
+ interface: {{ zone.cidr | ipaddr('1') | ipaddr('address') }}
{% endfor %}
{% endif %}
verbosity: 1
port: 53
do-ip4: yes
+ do-ip6: no
do-udp: yes
do-tcp: yes
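Review bot: `interface: {{ zone.cidr | ipaddr('1') | ipaddr('address') }}` hard-codes the assumption that the head node holds the first host address of every zone's network, where the removed `unbound_interfaces` list made that address explicit per entry. If any zone's CIDR does not have the head node at the first address, unbound would be told to bind an address the host does not own, which is likely to keep the service from starting. A comment above the loop, `{# head node is assumed to hold the first host address of each zone's cidr #}`, would at least record the assumption; a per-zone listen-address key that falls back to `ipaddr('1')` would remove it.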
@@ -41,36 +41,29 @@
access-control: 0.0.0.0/0 allow
{% endif %}
-{% if unbound_listen_on_default %}
- # allow from default interfaces
- access-control: {{ ansible_default_ipv4.address }}/{{ (ansible_default_ipv4.address ~ "/" ~ ansible_default_ipv4.netmask) | ipaddr('prefix') }} allow
-{% endif %}
-
-{% if unbound_interfaces is defined %}
- # allow from local networks
-{% for cidr_ipv4 in unbound_interfaces %}
- access-control: {{ cidr_ipv4 | ipaddr('0') }} allow
+{% if nsd_zones %}
+ # allow from networks defined in zones
+{% for zone in nsd_zones %}
+ access-control: {{ zone.cidr | ipaddr('0') }} allow
{% endfor %}
-{% endif %}
-{% if nsd_zones is defined %}
# allow unbound to query localhost, where nsd is listening
do-not-query-localhost: no
# allow reverse queries for RFC1918 addresses
{% for zone in nsd_zones %}
-local-zone: "{{ zone.name_reverse_unbound }}." nodefault
+local-zone: "{{ zone.cidr | unbound_revdns }}" nodefault
{% endfor %}
# stub-zones zones that nsd is serving
{% for zone in nsd_zones %}
stub-zone:
name: "{{ zone.name }}"
- stub-addr: {{ nsd_ip | default("127.0.0.1") }}
+ stub-addr: {{ nsd_ip }}
stub-zone:
- name: "{{ zone.name_reverse_unbound }}."
- stub-addr: {{ nsd_ip | default("127.0.0.1") }}
+ name: "{{ zone.cidr | unbound_revdns }}"
+ stub-addr: {{ nsd_ip }}
{% endfor %}
{% endif %}
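Review bot: With the `unbound_listen_on_default` access-control stanza gone, the new side still binds the default interface (in the previous hunk) but no longer emits an `access-control ... allow` for that interface's network; unbound's built-in policy refuses everything but localhost, so with `unbound_listen_on_default: True` and `unbound_listen_all: False` that listener answers nothing from the default network. If that combination is meant to be unsupported now, a comment in the `{% if unbound_listen_on_default %}` block saying so would help; otherwise the zone-based `access-control` loop here should be matched by an equivalent allow entry for the default interface's network. `nsd_zones` is also iterated without an `is defined` guard in the previous hunk's interface loop, which relies on the role defaults always being loaded.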