1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
|
#!/usr/bin/env bash
# Configure the bind9 pool backend for a multi-pool implementation
# Enable with:
# DESIGNATE_BACKEND_DRIVER=multipool-bind9
# Dependencies:
# ``functions`` file
# ``designate`` configuration
# install_designate_backend - install any external requirements
# configure_designate_backend - make configuration changes, including those to other services
# init_designate_backend - initialize databases, etc.
# start_designate_backend - start any external services
# stop_designate_backend - stop any external services
# cleanup_designate_backend - remove transient data and cache
# Save trace setting
DP_BIND9_XTRACE=$(set +o | grep xtrace)
set +o xtrace
# Defaults
# --------
BIND2_DNS_PORT=${DESIGNATE_SERVICE_PORT2_DNS:-1053}
BIND_SERVICE_NAME=bind9
BIND2_SERVICE_NAME=bind9-2
BIND2_DEFAULT_FILE=/etc/default/named-2
BIND2_SERVICE_FILE=/etc/systemd/system/$BIND2_SERVICE_NAME.service
BIND_CFG_DIR=/etc/bind
BIND2_CFG_DIR=/etc/bind-2
BIND2_TSIGKEY_FILE=$BIND2_CFG_DIR/named.conf.tsigkeys
BIND_VAR_DIR=/var/cache/bind
BIND2_VAR_DIR=/var/cache/bind-2
BIND_RUN_DIR=/run/named
BIND2_RUN_DIR=/run/named-2
BIND_CFG_FILE=$BIND_CFG_DIR/named.conf.options
BIND2_CFG_FILE=$BIND2_CFG_DIR/named.conf.options
BIND_USER=bind
BIND_GROUP=bind
DESIGNATE_SERVICE_PORT_RNDC=${DESIGNATE_SERVICE_PORT_RNDC:-953}
DESIGNATE_SERVICE_PORT2_RNDC=${DESIGNATE_SERVICE_PORT2_RNDC:-1953}
if is_fedora; then
BIND_SERVICE_NAME=named
BIND2_SERVICE_NAME=named-2
BIND2_SERVICE_FILE=/etc/systemd/system/$BIND2_SERVICE_NAME.service
BIND_CFG_DIR=/etc/$BIND_SERVICE_NAME
BIND2_CFG_DIR=/etc/$BIND2_SERVICE_NAME
BIND_CFG_FILE=/etc/$BIND_SERVICE_NAME.conf
BIND2_CFG_FILE=/etc/$BIND2_SERVICE_NAME.conf
BIND_VAR_DIR=/var/$BIND_SERVICE_NAME
BIND2_VAR_DIR=/var/$BIND2_SERVICE_NAME
BIND_USER=named
BIND_GROUP=named
BIND2_UNIT_CFG_FILE=/etc/sysconfig/$BIND2_SERVICE_NAME
BIND2_TSIGKEY_FILE=$BIND2_CFG_DIR/named.conf.tsigkeys
fi
# Entry Points
# ------------
# install_designate_backend - install any external requirements
function install_designate_backend {
# The user that designate runs as needs to be member of **$BIND_GROUP** group.
# The designate bind9 backend needs read/write access to $BIND_VAR_DIR
sudo groupadd -f $BIND_GROUP
add_user_to_group $STACK_USER $BIND_GROUP
sudo mkdir -p $BIND2_CFG_DIR
sudo chown -R $STACK_USER:$BIND_GROUP $BIND2_CFG_DIR
sudo mkdir -p $BIND2_RUN_DIR
sudo chgrp $BIND_GROUP $BIND2_RUN_DIR
if is_ubuntu; then
install_package bind9
# generate a defaults/named2 file
sudo tee $BIND2_DEFAULT_FILE >/dev/null <<EOF
# startup options for the server
OPTIONS="-u bind -c $BIND2_CFG_DIR/named.conf -p $BIND2_DNS_PORT -D named-2"
EOF
# copy the default bind to the bind-2 & make sure the dirs are pointint to bind-2
sudo cp -a $BIND_CFG_DIR/named.conf $BIND2_CFG_DIR/named.conf
sudo sed -i 's/bind/bind-2/g' $BIND2_CFG_DIR/named.conf
# Copy the necessary configuration file and set the bind-2 directories
sudo cp -a $BIND_CFG_DIR/zones.rfc1918 $BIND2_CFG_DIR
sudo cp -a $BIND_CFG_DIR/named.conf.local $BIND2_CFG_DIR
sudo cp -a $BIND_CFG_DIR/named.conf.default-zones $BIND2_CFG_DIR
sudo sed -i 's/bind/bind-2/g' $BIND2_CFG_DIR/named.conf.local
sudo sed -i 's/bind/bind-2/g' $BIND2_CFG_DIR/named.conf.default-zones
# copy db files
for db_file in db.local db.127 db.0 db.255; do
cp -a $BIND_CFG_DIR/${db_file} $BIND2_CFG_DIR
done
# create a second service file
sudo cp -a /lib/systemd/system/named.service $BIND2_SERVICE_FILE
iniset -sudo $BIND2_SERVICE_FILE "Service" "EnvironmentFile" "$BIND2_DEFAULT_FILE"
iniset -sudo $BIND2_SERVICE_FILE "Service" "PIDFile" "$BIND2_RUN_DIR/named.pid"
iniset -sudo $BIND2_SERVICE_FILE "Install" "Alias" "$BIND2_SERVICE_NAME.service"
sudo chmod g+s $BIND2_CFG_DIR
elif is_fedora; then
install_package bind
set -o xtrace
# Copy the necessary configuration files and set the named-2 directories
for d in $(ls /etc/named.*); do
cpfile=$(echo $d | sed 's/named/named-2/')
sudo cp $d $cpfile
sudo chown -R $BIND_USER:$BIND_GROUP $cpfile
if [[ "$d" == *"named.conf"* ]]; then
sudo sed -i 's/port 53/port '$BIND2_DNS_PORT'/g' $cpfile
sudo sed -i 's/named/named-2/g' $cpfile
fi
sudo sed -i 's/bind/bind-2/g' $cpfile
done
# create a second service file & and set options into the units params file.
sudo cp /etc/sysconfig/named $BIND2_UNIT_CFG_FILE
sudo chown $STACK_USER:$BIND_GROUP $BIND2_UNIT_CFG_FILE
sudo chmod 644 $BIND2_UNIT_CFG_FILE
OPTIONS='OPTIONS="-p '$BIND2_DNS_PORT' -D '$BIND2_SERVICE_NAME'"'
NAMEDCONF="NAMEDCONF='$BIND2_CFG_FILE'"
sudo echo "$OPTIONS" >>$BIND2_UNIT_CFG_FILE
sudo echo "$NAMEDCONF" >>$BIND2_UNIT_CFG_FILE
sudo cp -a /lib/systemd/system/named.service $BIND2_SERVICE_FILE
# set the various declarations
iniset -sudo $BIND2_SERVICE_FILE "Service" "Environment=NAMEDCONF" "$BIND2_CFG_FILE"
iniset -sudo $BIND2_SERVICE_FILE "Service" "EnvironmentFile" "$BIND2_UNIT_CFG_FILE"
iniset -sudo $BIND2_SERVICE_FILE "Service" "Environment=KRB5_KTNAME" "$BIND2_CFG_DIR.keytab"
iniset -sudo $BIND2_SERVICE_FILE "Service" "PIDFile" "$BIND2_RUN_DIR/named.pid"
sudo chmod 750 $BIND2_CFG_DIR
fi
sudo chown -R $BIND_USER:$BIND_GROUP $BIND2_RUN_DIR
sudo chown -R $BIND_USER:$BIND_GROUP $BIND_RUN_DIR
# copy the /var/named default data
sudo cp -arf $BIND_VAR_DIR $BIND2_VAR_DIR
for cfg_dir in "$BIND_CFG_DIR" "$BIND2_CFG_DIR"; do
sudo chmod -R g+r $cfg_dir
done
for var_dir in "$BIND_VAR_DIR" "$BIND2_VAR_DIR"; do
sudo chmod -R g+rw $var_dir
done
# Customize Bind9 apparmor profile if installed, include the necessary bits
# for the second named instance, bind-2 and named-2
if [[ -d /etc/apparmor.d ]]; then
sudo tee /etc/apparmor.d/local/usr.sbin.named >/dev/null <<EOF
$DESIGNATE_STATE_PATH/bind9/** rw,
/etc/bind-2/** r,
/var/cache/bind-2/** lrw,
/var/cache/bind-2/_default.nzd-lock rwk,
/{,var/}run/named-2/named.pid w,
/{,var/}run/named-2/session.key w,
/var/log/named-2/** rw,
/var/log/named-2/ rw,
EOF
restart_service apparmor || :
fi
}
# configure_designate_backend - make configuration changes, including those to other services
function configure_designate_backend {
# Generate Designate pool.yaml file
sudo tee $DESIGNATE_CONF_DIR/pools.yaml >/dev/null <<EOF
---
- name: default
description: DevStack BIND Pool
attributes: {
"pool_level": "default"
}
ns_records:
- hostname: $DESIGNATE_DEFAULT_NS_RECORD
priority: 1
nameservers:
- host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST)
port: $DESIGNATE_SERVICE_PORT_DNS
targets:
- type: bind9
description: BIND Instance
masters:
- host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST)
port: $DESIGNATE_SERVICE_PORT_MDNS
options:
host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST)
port: $DESIGNATE_SERVICE_PORT_DNS
rndc_host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST)
rndc_port: $DESIGNATE_SERVICE_PORT_RNDC
rndc_config_file: $BIND_CFG_DIR/rndc.conf
- name: secondary_pool
description: DevStack BIND Pool 2
attributes: {
"pool_level": "secondary"
}
ns_records:
- hostname: $DESIGNATE_DEFAULT_NS2_RECORD
priority: 1
nameservers:
- host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST2)
port: $DESIGNATE_SERVICE_PORT2_DNS
targets:
- type: bind9
description: BIND Instance 2nd pool
masters:
- host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST2)
port: $DESIGNATE_SERVICE_PORT2_MDNS
options:
host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST2)
port: $DESIGNATE_SERVICE_PORT2_DNS
rndc_host: $(ipv6_unquote $DESIGNATE_SERVICE_HOST2)
rndc_port: $DESIGNATE_SERVICE_PORT2_RNDC
rndc_config_file: $BIND2_CFG_DIR/rndc.conf
rndc_key_file: $BIND2_CFG_DIR/rndc.key
clean_zonefile: true
EOF
# Configure Bind #1 instance
sudo chown $STACK_USER $BIND_CFG_DIR
# create rndc key and config
sudo rndc-confgen -a -c $BIND_CFG_DIR/rndc.key
sudo chown $BIND_USER:$BIND_GROUP $BIND_CFG_DIR/rndc.key
sudo chmod g+r $BIND_CFG_DIR/rndc.key
sudo tee $BIND_CFG_FILE >/dev/null <<EOF
include "$BIND_CFG_DIR/rndc.key";
options {
directory "$BIND_VAR_DIR";
allow-new-zones yes;
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on port $DESIGNATE_SERVICE_PORT_DNS { $HOST_IP; };
listen-on-v6 port $DESIGNATE_SERVICE_PORT_DNS { $HOST_IPV6; };
recursion no;
pid-file "$BIND_RUN_DIR/named.pid";
session-keyfile "$BIND_RUN_DIR/session.key";
minimal-responses yes;
};
controls {
inet $(ipv6_unquote $DESIGNATE_SERVICE_HOST) port $DESIGNATE_SERVICE_PORT_RNDC allow { $(ipv6_unquote $DESIGNATE_SERVICE_HOST); } keys { "rndc-key"; };
};
EOF
# Configure Bind #2 instance
sudo chown $STACK_USER $BIND2_CFG_DIR
# Create the tsigkeys for the secondary pool & add it to the bind-2
# named.conf file.
sudo rm -rf $BIND2_TSIGKEY_FILE
sudo tsig-keygen -a hmac-sha256 poolsecondarykey >$BIND2_TSIGKEY_FILE
NAME=$(cat $BIND2_TSIGKEY_FILE | grep 'key' |
awk '{split($0, a, " "); print a[2];}' |
sed -e 's/^"//' -e 's/"$//' |
awk '{split($0, a, "{"); print a[1];}')
sudo echo -e "server $HOST_IP {\n keys { $NAME };\n};" >>$BIND2_TSIGKEY_FILE
# create rndc key and config
sudo rndc-confgen -a -p $DESIGNATE_SERVICE_PORT2_RNDC -c $BIND2_CFG_DIR/rndc.key
sudo chown $BIND_USER:$BIND_GROUP $BIND2_CFG_DIR/rndc.key
sudo chmod g+r $BIND2_CFG_DIR/rndc.key
sudo tee $BIND2_CFG_FILE >/dev/null <<EOF
include "$BIND2_CFG_DIR/rndc.key";
options {
directory "$BIND2_VAR_DIR";
allow-new-zones yes;
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on port $DESIGNATE_SERVICE_PORT2_DNS { $HOST_IP; };
listen-on-v6 port $DESIGNATE_SERVICE_PORT2_DNS { $HOST_IPV6; };
recursion no;
pid-file "$BIND2_RUN_DIR/named.pid";
session-keyfile "$BIND2_RUN_DIR/session.key";
minimal-responses yes;
};
controls {
inet $(ipv6_unquote $DESIGNATE_SERVICE_HOST2) port $DESIGNATE_SERVICE_PORT2_RNDC allow { $(ipv6_unquote $DESIGNATE_SERVICE_HOST2); } keys { "rndc-key"; };
};
include "$BIND2_TSIGKEY_FILE";
EOF
# Configure RNDC #1
sudo tee $BIND_CFG_DIR/rndc.conf >/dev/null <<EOF
include "$BIND_CFG_DIR/rndc.key";
options {
default-key "rndc-key";
default-server $(ipv6_unquote $DESIGNATE_SERVICE_HOST);
default-port $DESIGNATE_SERVICE_PORT_RNDC;
};
EOF
# Configure RNDC #r2
sudo tee $BIND2_CFG_DIR/rndc.conf >/dev/null <<EOF
include "$BIND2_CFG_DIR/rndc.key";
options {
default-key "rndc-key";
default-server $(ipv6_unquote $DESIGNATE_SERVICE_HOST);
default-port $DESIGNATE_SERVICE_PORT2_RNDC;
};
EOF
sudo chown $BIND_USER:$BIND_GROUP $BIND_CFG_FILE $BIND_CFG_DIR/rndc.conf
sudo chmod g+r $BIND_CFG_FILE $BIND_CFG_DIR/rndc.conf
sudo chown $BIND_USER:$BIND_GROUP $BIND2_CFG_FILE $BIND_CFG_DIR/rndc.conf
sudo chmod g+r $BIND_CFG_FILE $BIND2_CFG_DIR/rndc.conf
start_service $BIND2_SERVICE_NAME
restart_service $BIND_SERVICE_NAME
restart_service $BIND2_SERVICE_NAME
}
# init_designate_backend - initialize databases, etc.
function init_designate_backend {
:
}
# start_designate_backend - start any external services
function start_designate_backend {
start_service $BIND_SERVICE_NAME
start_service $BIND2_SERVICE_NAME
}
# stop_designate_backend - stop any external services
function stop_designate_backend {
stop_service $BIND_SERVICE_NAME
stop_service $BIND2_SERVICE_NAME
}
# cleanup_designate_backend - remove transient data and cache
function cleanup_designate_backend {
sudo sh -c "rm -rf $BIND_VAR_DIR/*.nzf"
sudo sh -c "rm -rf $BIND_VAR_DIR/slave.*"
sudo rm -f $BIND_CFG_DIR/rndc.key
sudo rm -f $BIND2_TSIGKEY_FILE
if [ -d $BIND2_CFG_DIR ]; then
sudo sh -c "rm -rf $BIND2_VAR_DIR/*.nzf"
sudo sh -c "rm -rf $BIND2_VAR_DIR/slave.*"
sudo rm -f $BIND2_CFG_DIR/rndc.key
# remove the tsigkey from named conf file.
sudo sed -i 'tsigkeys/d' $BIND2_CFG_DIR/named.conf
RM_CMD="sudo rm -rf"
RM_LIST="$BIND2_CFG_DIR* $BIND2_VAR_DIR $BIND2_RUN_DIR $BIND2_SERVICE_FILE"
for rc in $RM_LIST; do
echo "$RM_CMD $rc"
$RM_CMD $rc
done
if is_fedora; then
sudo rm -f $BIND2_UNIT_CFG_FILE
fi
fi
sudo systemctl reset-failed
}
# Restore xtrace
$DP_BIND9_XTRACE
|
