Merge branch 'release/v0.7.0-ww.12.1'

Vagrantfile

@@ -8,7 +8,6 @@
 groups = {
   "zabbix-server" => ["zabbix-server"],
   "zabbix-proxy" => ["zabbix-proxy"],
-  "consul-master" => ["consul-master"],
   "cdh-worker" => ["cdh-worker"],
   "cdh-master" => ["cdh-master"],
   "cdh-manager" => ["cdh-manager"],
@@ -43,7 +42,7 @@ Vagrant.configure(2) do |config|
     ansible.skip_tags = "skip_on_vagrant"
   end
 
-  %w(cdh-manager cdh-worker cdh-master consul-master zabbix-proxy zabbix-web zabbix-server).each do |vmname|
+  %w(cdh-manager cdh-worker cdh-master zabbix-proxy zabbix-web zabbix-server).each do |vmname|
     config.vm.define vmname 
   end
 end

consul.yml

@@ -15,7 +15,7 @@
 
 ---
 #install consul agent on the master machines
-- hosts: consul-master
+- hosts: cdh-master
   vars_files:
     - defaults/consul.yml
     - defaults/proxy.yml

roles/consul_base_agent/tasks/main.yml

@@ -39,12 +39,12 @@
 
 - name: start the consul service
   service: name=consul state=started enabled=yes
-  when: "'consul-master' not in group_names"
+  when: "'cdh-master' not in group_names"
 
 - name: wait for local consul agent port 8301 to become accessible
   wait_for: host=localhost port=8301 timeout=10
-  when: "'consul-master' not in group_names"
+  when: "'cdh-master' not in group_names"
 
 - name: wait for consul port 8500 to become accessible and check cluster state
   uri: url=http://localhost:8500/v1/catalog/nodes
-  when: "'consul-master' not in group_names"
+  when: "'cdh-master' not in group_names"

roles/consul_base_agent/templates/base.j2

@@ -4,9 +4,9 @@
     "disable_update_check": true,
     "node_name": "{{ ansible_hostname }}",
     "retry_join": [
-      "{{ hostvars[groups['consul-master'][0]]['ansible_ssh_host'] }}",
-      "{{ hostvars[groups['consul-master'][1]]['ansible_ssh_host'] }}",
-      "{{ hostvars[groups['consul-master'][2]]['ansible_ssh_host'] }}"
+      "{{ hostvars[groups['cdh-master'][0]]['ansible_ssh_host'] }}",
+      "{{ hostvars[groups['cdh-master'][1]]['ansible_ssh_host'] }}",
+      "{{ hostvars[groups['cdh-master'][2]]['ansible_ssh_host'] }}"
     ],
     "advertise_addr": "{{ ansible_ssh_host }}"
 }

roles/consul_base_server/files/nginx_default.conf

@@ -5,6 +5,10 @@ upstream consul {
 server {
   listen 8080 default_server;
   access_log  /var/log/nginx/host.access.log  main;
+  satisfy any;
+  allow 10.10.5.11/32;
+  allow 192.168.5.201/32;
+  deny all;
   auth_basic           "closed site";
   auth_basic_user_file conf.d/htpasswd;
   location / {

roles/consul_base_server/handlers/main.yml

@@ -0,0 +1,24 @@
+# Copyright (c) 2015 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+- name: restart unbound
+  service: name=unbound state=restarted
+
+- name: restart consul
+  service: name=consul state=restarted
+  when: not consul_started.changed
+
+# vi:et:sw=2 ts=2 sts=2 ft=ansible

roles/consul_base_server/tasks/consul.yml

@@ -0,0 +1,41 @@
+# Copyright (c) 2015 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- name: make sure dns.json is removed
+  file: path=/etc/consul.d/dns.json state=absent
+  notify:
+    - restart consul
+
+- name: copy server.json
+  template: src=server.j2 dest=/etc/consul.d/server.json
+  register: server
+  notify:
+    - restart consul
+
+- name: start the consul service
+  service: name=consul state=started enabled=yes
+  register: consul_started
+
+- meta: flush_handlers
+
+- name: wait for consul port 8301 to become accessible
+  wait_for: host=localhost port=8301 timeout=10
+
+- name: wait for consul port 8500 to become accessible and check cluster state
+  uri: url=http://localhost:8500/v1/catalog/nodes
+  register: cluster_state
+  until: cluster_state|success
+  retries: 6
+  delay: 10

roles/consul_base_server/tasks/main.yml

@@ -13,46 +13,8 @@
 # limitations under the License.
 #
 
-- name: ensure custom facts directory exists
-  file: path=/etc/ansible/facts.d recurse=yes state=directory
+- include: consul.yml
 
-- name: distribute resolv info fact
-  copy: src=resolv.fact dest=/etc/ansible/facts.d/resolv.fact mode=0755
+- include: unbound.yml
 
-- name: reload ansible_local facts
-  setup: filter=ansible_local
-
-- name: copy dns.json
-  template: src=dns.j2 dest=/etc/consul.d/dns.json
-
-- name: copy server.json
-  template: src=server.j2 dest=/etc/consul.d/server.json
-  register: server
-
-- name: start the consul service
-  service: name=consul state=started enabled=yes
-
-- name: wait for consul port 8301 to become accessible
-  wait_for: host=localhost port=8301 timeout=10 
-
-- name: wait for consul port 8500 to become accessible and check cluster state
-  uri: url=http://localhost:8500/v1/catalog/nodes
-  register: cluster_state
-  until: cluster_state|success
-  retries: 6
-  delay: 10
-
-- name: Install python-passlib as dependency for htpasswd module
-  yum: pkg=python-passlib state=installed
-
-- name: Install nginx
-  yum: pkg=nginx state=installed enablerepo=nginx
-
-- name: create config
-  copy: src=nginx_default.conf dest=/etc/nginx/conf.d/default.conf
-
-- name: create htpasswd file
-  htpasswd: path=/etc/nginx/conf.d/htpasswd name=consuluser password={{ consul_proxy_pass }}
-
-- name: start nginx
-  service: name=nginx state=started enabled=yes
+- include: nginx.yml

roles/consul_base_server/tasks/nginx.yml

@@ -0,0 +1,29 @@
+# Copyright (c) 2015 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- name: Install python-passlib as dependency for htpasswd module
+  yum: pkg=python-passlib state=installed
+
+- name: Install nginx
+  yum: pkg=nginx state=installed enablerepo=nginx
+
+- name: create config
+  copy: src=nginx_default.conf dest=/etc/nginx/conf.d/default.conf
+
+- name: create htpasswd file
+  htpasswd: path=/etc/nginx/conf.d/htpasswd name=consuluser password={{ consul_proxy_pass }}
+
+- name: start nginx
+  service: name=nginx state=started enabled=yes

roles/consul_base_server/tasks/unbound.yml

@@ -0,0 +1,27 @@
+# Copyright (c) 2015 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install unbound package
+  yum: name=unbound state=latest
+
+- name: Copy service configuration
+  template: src=unbound.conf.j2 dest=/etc/unbound/unbound.conf
+  notify:
+    - restart unbound
+
+- name: Create pidfile firectory
+  file: path=/var/run/unbound state=directory mode=0755
+
+- name: Start the service
+  service: name=unbound state=started enabled=yes

roles/consul_base_server/templates/unbound.conf.j2

@@ -0,0 +1,114 @@
+#
+# See unbound.conf(5) man page.
+#
+# this is a comment.
+
+# The server clause sets the main parameters.
+server:
+  # verbosity number, 0 is least verbose. 1 is default.
+  verbosity: 1
+
+  # print statistics to the log (for every thread) every N seconds.
+  # Set to "" or 0 to disable. Default is disabled.
+  # Needed for munin plugin
+  statistics-interval: 3600
+
+  # enable cumulative statistics, without clearing them after printing.
+  # Needed for munin plugin
+  statistics-cumulative: no
+
+  # enable extended statistics (query types, answer codes, status)
+  # printed from unbound-control. default off, because of speed.
+  # Needed for munin plugin
+  extended-statistics: yes
+
+  # number of threads to create. 1 disables threading.
+  num-threads: 4
+
+  # specify the interfaces to answer queries from by ip-address.
+  interface: 0.0.0.0
+
+  # enable this feature to copy the source address of queries to reply.
+  interface-automatic: no
+
+  # the time to live (TTL) value lower bound, in seconds. Default 0.
+  # If more than an hour could easily give trouble due to stale data.
+  cache-min-ttl: 300
+
+  # the time to live (TTL) value cap for RRsets and messages in the
+  # cache. Items are not cached for longer. In seconds.
+  cache-max-ttl: 86400
+
+  # control which clients are allowed to make (recursive) queries
+  # to this server. Specify classless netblocks with /size and action.
+  # By default everything is refused, except for localhost.
+  # Choose deny (drop message), refuse (polite error reply),
+  # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+  access-control: 0.0.0.0/0 allow
+
+  # if given, a chroot(2) is done to the given directory.
+  chroot: ""
+
+  # if given, user privileges are dropped (after binding port),
+  # and the given username is assumed. Default is user "unbound".
+  # If you give "" no privileges are dropped.
+  username: "unbound"
+
+  # the working directory. The relative files in this config are
+  # relative to this directory. If you give "" the working directory
+  # is not changed.
+  directory: "/etc/unbound"
+
+  # the pid file. Can be an absolute path outside of chroot/work dir.
+  pidfile: "/var/run/unbound/unbound.pid"
+
+  # if yes, perform prefetching of almost expired message cache entries.
+  prefetch: yes
+
+  # if yes, Unbound rotates RRSet order in response.
+  rrset-roundrobin: yes
+
+  # if yes, Unbound doesn't insert authority/additional sections
+  # into response messages when those sections are not required.
+  minimal-responses: yes
+
+  # allow queries to local consul host
+  do-not-query-localhost: no
+
+  # allow reverse lookups
+  local-zone: "10.10.in-addr.arpa." transparent
+  local-zone: "168.192.in-addr.arpa." transparent
+
+# Remote control config section.
+remote-control:
+  # Enable remote control with unbound-control(8) here.
+  # set up the keys and certificates with unbound-control-setup.
+  # Note: required for unbound-munin package
+  control-enable: no
+
+# Forward zones
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of servers. These servers have to handle
+# recursion to other nameservers. List zero or more nameservers by hostname
+# or by ipaddress. Use an entry with name "." to forward all queries.
+# If you enable forward-first, it attempts without the forward if it fails.
+forward-zone:
+  name: "consul."
+  forward-addr: 127.0.0.1@8600
+
+stub-zone:
+  name: "10.10.in-addr.arpa."
+  stub-addr: 127.0.0.1@8600
+
+stub-zone:
+  name: "168.192.in-addr.arpa."
+  stub-addr: 127.0.0.1@8600
+
+forward-zone:
+  name: "."
+  {% if ansible_virtualization_type == 'xen' %}
+  forward-addr: 169.254.169.253
+  {% else %}
+  forward-addr: {{ openstack_dns1 }}
+  forward-addr: {{ openstack_dns2 }}
+  {% endif %}

roles/resolv_common/tasks/main.yml

@@ -17,8 +17,6 @@
 #the consul_server role uses them to determine upstream DNS!
 - name: copy resolv.conf
   template: src=resolv.j2 dest=/etc/resolv.conf
-  when: "'consul-master' not in group_names"
 
 - name: prevent dhclient from overwriting resolv.conf
   template: src=dhclient.j2 dest=/etc/dhcp/dhclient-enter-hooks mode=555
-  when: "'consul-master' not in group_names"