Faidon has submitted this change and it was merged.

Change subject: Cleanup dns::auth-server
......................................................................


Cleanup dns::auth-server

Not used anymore, get rid of it and associated files/templates.

Change-Id: Ie136e12547e6da5cf21d093fcea4cb87026f8ac1
---
D files/powerdns/domain-maplist
D files/powerdns/selective-answer.py
D files/powerdns/wikimedia-task-dns-auth.pub
M manifests/dns.pp
M manifests/site.pp
D templates/powerdns/pdns.conf.erb
6 files changed, 0 insertions(+), 364 deletions(-)

Approvals:
  Faidon: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/files/powerdns/domain-maplist b/files/powerdns/domain-maplist
deleted file mode 100644
index 2561adf..0000000
--- a/files/powerdns/domain-maplist
+++ /dev/null
@@ -1,14 +0,0 @@
-$wikimedia_langlist:wikimedia-lb.wikimedia.org.
-$wikipedia_langlist:wikipedia-lb.wikimedia.org.
-$wiktionary_langlist:wiktionary-lb.wikimedia.org.
-$wikiquote_langlist:wikiquote-lb.wikimedia.org.
-$wikibooks_langlist:wikibooks-lb.wikimedia.org.
-$wikisource_langlist:wikisource-lb.wikimedia.org.
-$wikinews_langlist:wikinews-lb.wikimedia.org.
-$wikiversity_langlist:wikiversity-lb.wikimedia.org.
-$mediawiki_langlist:mediawiki-lb.wikimedia.org.
-$foundation_langlist:foundation-lb.wikimedia.org.
-$wikidata_langlist:wikidata-lb.wikimedia.org.
-$wikivoyage_langlist:wikivoyage-lb.wikimedia.org.
-$mobile_langlist:mobile-lb.eqiad.wikimedia.org.
-$langlist:text.wikimedia.org.
\ No newline at end of file
diff --git a/files/powerdns/selective-answer.py b/files/powerdns/selective-answer.py
deleted file mode 100755
index 052eb1e..0000000
--- a/files/powerdns/selective-answer.py
+++ /dev/null
@@ -1,159 +0,0 @@
-#!/usr/bin/python
-#####################################################################
-### THIS FILE IS MANAGED BY PUPPET
-### puppet:///files/powerdns/selective-answer.py
-#####################################################################
-
-"""
-Selective Answer
-A PowerDNS Pipe backend, for selectively answering records
-to certain resolvers.
-
-Copyright (C) 2008 by Mark Bergsma <m...@nedworks.org>
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
-"""
-
-import radix
-import stat
-import sys
-
-ALWAYS, MATCH, NOMATCH = range(3)
-
-# Configuration variables
-filename = "/etc/powerdns/participants"
-
-dnsRecords = {
-    'upload.esams.wikimedia.org': [
-        # (selectivity, qtype, ttl, content)
-        (ALWAYS,  'A',    3600, "91.198.174.234"),
-        (MATCH,   'AAAA', 3600, "2620:0:862:1::80:2"),
-        (MATCH,   'TXT',  3600, (
-            "DNS resolver ip %(remoteip)s is listed as a AAAA participant. "
-            "Please contact i...@wikimedia.org if you see any problems.")),
-        (NOMATCH, 'TXT',  3600, (
-            "DNS resolver ip %(remoteip)s is not listed as a AAAA "
-            "participant. Please contact i...@wikimedia.org if you would like "
-            "to join in this IPv6 experiment."))
-    ]
-}
-
-
-def loadList(filename):
-    netlist = radix.Radix()
-    try:
-        for line in file(filename, 'r'):
-            line = line[:-1].strip()
-            if len(line) == 0 or line.startswith('#'):
-                continue  # Skip empty lines & comments
-            net = line.split('#', 2)[0].strip()  # Allow comments after the IP
-            netlist.add(net)
-    except:
-        print "LOG\tCould not (fully) load netlist file", filename
-
-    return netlist
-
-
-def answerRecord(qNameSet, (qName, qClass, qType, qId, remoteIp, localIp), netlist):
-    for record in qNameSet:
-        selectivity, rQType, ttl, content = record
-        if selectivity != ALWAYS:  # no reason to search
-            ip_matched = (netlist.search_best(remoteIp) is not None)
-
-        if qType in (rQType, 'ANY', 'AXFR'):
-            if (selectivity == ALWAYS
-                    or (selectivity == MATCH and ip_matched)
-                    or (selectivity == NOMATCH and not ip_matched)):
-                # Substitute values in the record content
-                content = content % {'qname': qName,
-                                     'qtype': qType,
-                                     'remoteip': remoteIp,
-                                     'localip': localIp}
-                print ("DATA\t%s\t%s\t%s\t%d\t%d\t%s" %
-                       (qName, 'IN', rQType, ttl, int(qId), content))
-
-
-def query((qName, qClass, qType, qId, remoteIp, localIp), dnsRecords, netlist):
-    if qClass == 'IN' and qName.lower() in dnsRecords:
-        answerRecord(dnsRecords[qName.lower()], (qName, qClass, qType, qId, remoteIp, localIp), netlist)
-    print "END"
-
-
-def axfr(id):
-    for qName, qNameSet in dnsRecords.iteritems():
-        answerRecord(qNameSet, (qName, "IN", "AXFR", id, "None", "None"), radix.Radix())
-    print "END"
-
-
-def main():
-    netlist, lastMTime = radix.Radix(), 0
-    # Do not use buffering
-    line = sys.stdin.readline()
-    while line:
-        line = line[:-1].strip()
-        words = line.split('\t')
-        try:
-            if words[0] == "HELO":
-                if words[1] != "2":
-                    print "LOG\tUnknown version", words[1]
-                    print "FAIL"
-                else:
-                    print "OK\tSelective Answer"
-            elif words[0] == "Q":
-                query(words[1:7], dnsRecords, netlist)
-            elif words[0] == "AXFR":
-                axfr(words[1])
-            elif words[0] == "PING":
-                pass    # PowerDNS doesn't seem to do anything with this
-            else:
-                raise ValueError
-        except (IndexError, ValueError):
-            print "LOG\tPowerDNS sent an unparseable line: '%s'" % line
-            print "FAIL"    # FAIL!
-
-        sys.stdout.flush()
-
-        # Reload the netlist file if it has changed
-        try:
-            curMTime = os.stat(filename)[stat.ST_MTIME]
-        except OSError:
-            pass
-        else:
-            if curMTime > lastMTime:
-                netlist = loadList(filename)
-                lastMTime = curMTime
-
-        line = sys.stdin.readline()
-
-if __name__ == '__main__':
-    # We appear to end up with superfluous FDs, including pipes from other
-    # instances, forked from PowerDNS. This can keep us and others from
-    # exiting as the fd never gets closed. Close all fds we don't need.
-    try:
-        import resource
-        maxfds = resource.getrlimit(resource.RLIMIT_NOFILE)[1] + 1
-        # OS-X reports 9223372036854775808. That's a lot of fds to close
-        if maxfds > 1024:
-            maxfds = 1024
-    except:
-        maxfds = 256
-
-    import os
-    for fd in range(3, maxfds):
-        try:
-            os.close(fd)
-        except:
-            pass
-
-    main()
diff --git a/files/powerdns/wikimedia-task-dns-auth.pub b/files/powerdns/wikimedia-task-dns-auth.pub
deleted file mode 100644
index 964ea31..0000000
--- a/files/powerdns/wikimedia-task-dns-auth.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 
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
 root@sockpuppet
diff --git a/manifests/dns.pp b/manifests/dns.pp
index c83b096..6447ca7 100644
--- a/manifests/dns.pp
+++ b/manifests/dns.pp
@@ -38,120 +38,6 @@
 
 }
 
-class dns::auth-server($ipaddress=[], $soa_name="", $master="") {
-       $dns_auth_ipaddress = $ipaddress
-       # only used for AXFR and notifies, we don't really care
-       $dns_auth_query_address = $ipaddress[0]
-       $dns_auth_soa_name = $soa_name
-       $dns_auth_master = $master
-
-       if ! $dns_auth_ipaddress {
-               fail("Parametmer $dns_auth_ipaddress not defined!")
-       }
-
-       if ! $dns_auth_soa_name {
-               fail("Parameter $dns_auth_soa_name not defined!")
-       }
-
-       if ! $dns_auth_master {
-               fail("Parameter $dns_auth_master not defined!")
-       }
-
-       package { wikimedia-task-dns-auth:
-               ensure => latest;
-       }
-
-       package { 'python-radix':
-               ensure => present
-       }
-
-       system_role { "dns::auth-server": description => "Authoritative DNS server" }
-
-       file {
-               "/etc/powerdns/pdns.conf":
-                       require => Package[wikimedia-task-dns-auth],
-                       owner => root,
-                       group => root,
-                       mode => 0444,
-                       content => template("powerdns/pdns.conf.erb"),
-                       ensure => present;
-               "/usr/local/lib/selective-answer.py":
-                       owner => root,
-                       group => root,
-                       mode => 0555,
-                       source => "puppet:///files/powerdns/selective-answer.py",
-                       require => Package['python-radix'],
-                       ensure => present;
-               "/etc/powerdns/participants":
-                       require => Package[wikimedia-task-dns-auth],
-                       ensure => present;
-               "/etc/powerdns/domain-maplist":
-                       require => Package[wikimedia-task-dns-auth],
-                       mode => 0444,
-                       source => "puppet:///files/powerdns/domain-maplist";
-               "/root/.ssh/wikimedia-task-dns-auth":
-                       owner => root,
-                       group => root,
-                       mode => 0400,
-                       source => "puppet:///private/powerdns/wikimedia-task-dns-auth",
-                       ensure => present;
-               "/etc/powerdns/ip-map":
-                       owner => pdns,
-                       group => pdns,
-                       mode => 0755,
-                       recurse => true;
-               # Remove broken cron job
-               "/etc/cron.d/wikimedia-task-dns-auth":
-                       ensure => absent;
-       }
-
-       exec { authdns-local-update:
-               command => "/usr/sbin/authdns-local-update authdns@${dns_auth_master}",
-               require => [ File["/root/.ssh/wikimedia-task-dns-auth"], Package[wikimedia-task-dns-auth] ],
-               user => root,
-               path => "/usr/sbin",
-               returns => [ 0, 1 ],
-               refreshonly => true,
-               subscribe => Service[pdns],
-               timeout => 60;
-       }
-
-       service { pdns:
-               require => [ Package[wikimedia-task-dns-auth], File["/etc/powerdns/pdns.conf"], Interface::Ip["dns::auth-server"] ],
-               subscribe => File["/etc/powerdns/pdns.conf"],
-               hasrestart => false,
-               ensure => running;
-       }
-
-       # Publish service ip hostkeys
-       @@sshkey { $dns_auth_soa_name:
-                       type => ssh-rsa,
-                       key => $sshrsakey,
-                       ensure => present;
-       }
-       @@sshkey { $dns_auth_ipaddress:
-                       type => ssh-rsa,
-                       key => $sshrsakey,
-                       ensure => present;
-       }
-
-       include dns::account
-
-       # Update ip map file
-
-       cron { "update ip map":
-               command => "rsync -qt 'rsync://countries-ns.mdc.dk/zone/zz.countries.nerd.dk.rbldnsd' /etc/powerdns/ip-map/zz.countries.nerd.dk.rbldnsd && pdns_control rediscover > /dev/null",
-               user => pdns,
-               hour => 4,
-               minute => 7,
-               ensure => present;
-       }
-
-       # Monitoring
-       monitor_host { $dns_auth_soa_name: ip_address => $dns_auth_ipaddress[0] }
-       monitor_service { "auth dns": host => $dns_auth_soa_name, description => "Auth DNS", check_command => "check_dns!www.wikipedia.org" }
-}
-
 # Class: Dns::Recursor
 # Parameters:
 # - $listen_addresses:
@@ -240,15 +126,4 @@
        }
        
        include metrics
-}
-
-class dns::account {
-       systemuser { authdns: name => "authdns", home => "/var/lib/authdns", shell => "/bin/sh" }
-
-       ssh_authorized_key { wikimedia-task-dns-auth:
-               key => 
"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",
-               type => ssh-rsa,
-               user => authdns,
-               ensure => present;
-       }
 }
diff --git a/manifests/site.pp b/manifests/site.pp
index e5f4c90..e250420 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -62,10 +62,6 @@
 # Default variables
 $cluster = "misc"
 
-# FIXME: move to realm.pp
-# FIXME: check if this is still correct, this was temp for a migration
-$dns_auth_master = "ns1.wikimedia.org"
-
 # Node definitions (alphabetic order)
 
 node /^amslvs[1-4]\.esams\.wikimedia\.org$/ {
diff --git a/templates/powerdns/pdns.conf.erb b/templates/powerdns/pdns.conf.erb
deleted file mode 100644
index 95177f4..0000000
--- a/templates/powerdns/pdns.conf.erb
+++ /dev/null
@@ -1,61 +0,0 @@
-# This file is managed by puppet - don't edit it locally!
-#
-# PowerDNS configuration file for package wikimedia-task-dns-auth
-# Written on 2006/12/13 by Mark Bergsma <m...@wikimedia.org>
-
-# Always bind to specific addresses - pdns complains when using INADDR_ANY.
-# Change this to the external interface address
-local-address=<%= dns_auth_ipaddress.join(',') %>
-query-local-address=<%= dns_auth_query_address %>
-
-# Change this to the actual SOA name:
-default-soa-name=<%= dns_auth_soa_name %>
-
-# A backend like geobackend can't make use of caching, since returned
-# results will be different depending on "who's asking".
-query-cache-ttl=0
-cache-ttl=0
-negquery-cache-ttl=300
-
-# If just geobackend is used, multithreading is unnecessary,
-# and may even impact performance.
-distributor-threads=1
-
-# We are not using wildcards
-wildcards=no
-
-# Master for allowing AXFRs
-master=yes
-slave=no
-
-# Running privileged is unnecessary
-setgid=pdns
-setuid=pdns
-
-# Logging
-logging-facility=6
-loglevel=6
-query-logging=no
-log-dns-details=no
-
-# Backends to load
-launch=pipe,bind,geo
-
-# Bind backend configuration
-bind-config=/etc/powerdns/bind.conf
-
-# Geobackend configuration
-geo-zone=wikimedia.org
-geo-soa-values=ns0.wikimedia.org,hostmas...@wikimedia.org
-geo-ns-records=ns0.wikimedia.org,ns1.wikimedia.org,ns2.wikimedia.org
-geo-ip-map-zonefile=/etc/powerdns/ip-map/zz.countries.nerd.dk.rbldnsd
-geo-maps=/etc/powerdns/geomaps/
-geo-ttl=600
-geo-ns-ttl=600
-
-# Pipe backend configuration
-pipe-command=/usr/local/lib/selective-answer.py
-pipe-timeout=10000
-pipe-regex=^upload\.esams\.wikimedia\.org;(A|AAAA|TXT|ANY)$
-pipebackend-abi-version=2
-

-- 
To view, visit https://gerrit.wikimedia.org/r/80344
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie136e12547e6da5cf21d093fcea4cb87026f8ac1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon <fai...@wikimedia.org>
Gerrit-Reviewer: Faidon <fai...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot
