# Copyright (C) Metaswitch Networks 2016
# If license terms are provided to you in a COPYING file in the root directory
# of the source code repository by which you are accessing this code, then
# the license outlined in that COPYING file applies to your use.
# Otherwise no rights are granted except for those provided to you by
# Metaswitch Networks in a separate written agreement.
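heat_template_version: 2013-05-23

description: >
  DNS server for a single zone that accepts dynamic updates authenticated
  with a TSIG shared secret. Despite the historical parameter names, the
  zone is not DNSSEC-signed by this template; the "dnssec_key" is the TSIG
  secret that gates updates.

parameters:
  public_mgmt_net_id:
    type: string
    description: ID of public management network
    constraints:
      - custom_constraint: neutron.network
        description: Must be a valid network ID
  private_mgmt_net_id:
    type: string
    description: ID of private management network
    constraints:
      - custom_constraint: neutron.network
        description: Must be a valid network ID
  public_sig_net_id:
    type: string
    description: ID of public signaling network
    constraints:
      - custom_constraint: neutron.network
        description: Must be a valid network ID
  private_sig_net_id:
    type: string
    description: ID of private signaling network
    constraints:
      - custom_constraint: neutron.network
        description: Must be a valid network ID
  private_sig_net_cidr:
    type: string
    description: Private signaling network address (CIDR notation)
    default: 192.168.1.0/24
    constraints:
      # This value is spliced unquoted into the boot script, so keep it to
      # address characters and a prefix length.
      - allowed_pattern: '[0-9A-Fa-f.:]+/[0-9]{1,3}'
        description: Must be an address followed by a prefix length, e.g. 192.168.1.0/24
  flavor:
    type: string
    description: Flavor to use
    constraints:
      - custom_constraint: nova.flavor
        description: Must be a valid flavor name
  image:
    type: string
    description: Name of image to use
    constraints:
      - custom_constraint: glance.image
        description: Must be a valid image name
  key_name:
    type: string
    description: Name of keypair to assign
    constraints:
      - custom_constraint: nova.keypair
        description: Must be a valid keypair name
  dns_security_group:
    type: string
    description: ID of security group for DNS nodes
  zone:
    type: string
    description: DNS zone (without trailing dot; the template appends it)
    default: example.com
    constraints:
      # The zone name is used to build the server hostname, a file path under
      # /var/lib/bind and BIND configuration inside an unquoted shell heredoc.
      # Restrict it to hostname characters so a value containing '/', ';',
      # quotes or whitespace cannot escape any of those contexts.
      - allowed_pattern: '[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?'
        description: Must be a DNS name made of letters, digits, '.' and '-'
  dnssec_key:
    type: string
    # Name kept for compatibility with callers. This is the TSIG shared secret
    # that authorises dynamic updates to the zone, not a DNSSEC zone key.
    description: TSIG shared secret (Base64-encoded) authorising dynamic updates
    # Mask the secret in stack-show / API responses.
    hidden: true
    constraints:
      # The value lands inside a double-quoted BIND string; Base64 characters
      # cannot terminate it.
      - allowed_pattern: '[A-Za-z0-9+/]+={0,2}'
        description: Must be Base64-encoded
  tsig_algorithm:
    type: string
    description: >
      HMAC algorithm of the TSIG key. The default keeps the behaviour of
      earlier versions of this template; HMAC-MD5 is deprecated for TSIG,
      so prefer HMAC-SHA256 or stronger for new deployments and change the
      update clients in step with the server.
    default: HMAC-MD5
    constraints:
      - allowed_values:
          - HMAC-MD5
          - HMAC-SHA1
          - HMAC-SHA256
          - HMAC-SHA384
          - HMAC-SHA512

resources:
  mgmt_port:
    type: OS::Neutron::Port
    properties:
      # Specify the network ID by string to work around OpenStack issues - see https://github.com/Metaswitch/clearwater-heat/issues/18.
      network_id: { str_replace: { params: { x: { get_param: private_mgmt_net_id } }, template: x } }
      security_groups:
        - { get_param: dns_security_group }
  mgmt_floating_ip:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network_id: { get_param: public_mgmt_net_id }
      port_id: { get_resource: mgmt_port }
  sig_port:
    type: OS::Neutron::Port
    properties:
      # Specify the network ID by string to work around OpenStack issues - see https://github.com/Metaswitch/clearwater-heat/issues/18.
      network_id: { str_replace: { params: { x: { get_param: private_sig_net_id } }, template: x } }
      security_groups:
        - { get_param: dns_security_group }
  server:
    type: OS::Nova::Server
    properties:
      name: { str_replace: { params: { __zone__: { get_param: zone } }, template: ns.__zone__ } }
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: mgmt_port }
        - port: { get_resource: sig_port }
      user_data_format: RAW
      # NOTE(review): user_data, including the TSIG secret below, is readable
      # on the instance through the Nova metadata service / config drive by
      # any local process. Treat the instance itself as trusted with the key.
      user_data:
        str_replace:
          params:
            __zone__: { get_param: zone }
            __dnssec_key__: { get_param: dnssec_key }
            __tsig_algorithm__: { get_param: tsig_algorithm }
            __public_ip__: { get_attr: [ mgmt_floating_ip, floating_ip_address ] }
            __private_sig_ip__: { get_attr: [ sig_port, fixed_ips, 0, ip_address ] }
            __private_sig_cidr__: { get_param: private_sig_net_cidr }
          template: |
            #!/bin/bash
            # Log all output to file.
            exec > >(tee -a /var/log/clearwater-heat-dns.log) 2>&1
            set -x

            # Bring up the signaling network interface with the address
            # Neutron allocated and the prefix length taken from the CIDR.
            ip addr add __private_sig_ip__/$(echo __private_sig_cidr__ | cut -d / -f 2) dev eth1
            ip link set dev eth1 up

            # Install BIND.
            apt-get update
            DEBIAN_FRONTEND=noninteractive apt-get install bind9 --yes

            # Keep the TSIG secret out of named.conf.local: that file is
            # shipped world-readable (0644) on Debian/Ubuntu, so embedding the
            # secret there would let any local user read it and forge zone
            # updates. Create the key file with restrictive permissions first,
            # then fill it in ("cat >" on an existing file keeps its mode).
            install -m 0640 -o root -g bind /dev/null /etc/bind/__zone__.tsig.key
            cat > /etc/bind/__zone__.tsig.key << EOF
            key __zone__. {
              algorithm "__tsig_algorithm__";
              secret "__dnssec_key__";
            };
            EOF

            # Declare the zone. Only holders of the key may update it, and
            # zone transfers are refused because nothing in this stack runs a
            # secondary (older BIND releases default to allowing AXFR to any).
            cat >> /etc/bind/named.conf.local << EOF
            include "/etc/bind/__zone__.tsig.key";
            zone "__zone__" IN {
              type master;
              file "/var/lib/bind/db.__zone__";
              allow-update {
                key __zone__.;
              };
              allow-transfer {
                none;
              };
            };
            EOF

            # Print "<record type> <address>" for an address: AAAA when it
            # contains anything other than digits and dots, A otherwise.
            ip2rr() {
              if echo "$1" | grep -q -e '[^0-9.]' ; then
                echo AAAA "$1"
              else
                echo A "$1"
              fi
            }

            # Create the initial zone: SOA, an NS pointing at this server and
            # the server's own address record. The serial is the current hour.
            cat > /var/lib/bind/db.__zone__ << EOF
            \$ORIGIN __zone__.
            \$TTL 1h
            @ IN SOA ns admin\@__zone__. ( $(date +%Y%m%d%H) 1d 2h 1w 30s )
            @ NS ns
            ns $(ip2rr __public_ip__)
            EOF
            # named only needs to read the seed file; dynamic updates are
            # journalled beside it in /var/lib/bind.
            chown root:bind /var/lib/bind/db.__zone__

            # Now that BIND configuration is correct, kick it to reload.
            service bind9 reload

outputs:
  public_mgmt_ip:
    description: IP address in public management network
    value: { get_attr: [ mgmt_floating_ip, floating_ip_address ] }
  private_mgmt_ip:
    description: IP address in private management network
    value: { get_attr: [ mgmt_port, fixed_ips, 0, ip_address ] }
  private_sig_ip:
    description: IP address in private signaling network
    value: { get_attr: [ sig_port, fixed_ips, 0, ip_address ] }
  zone:
    description: DNS zone
    value: { get_param: zone }
  dnssec_key:
    # Kept for compatibility with parent templates that read it via get_attr.
    # NOTE(review): outputs are not masked by "hidden", so this re-exposes the
    # secret to anyone allowed to view the stack; prefer passing the parameter
    # directly to its consumers and dropping this output.
    description: TSIG shared secret (Base64-encoded) authorising dynamic updates
    value: { get_param: dnssec_key }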