Ayounsi has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391149 )
Change subject: [WIP] Have every rdns advertise a private anycast VIP ...................................................................... [WIP] Have every rdns advertise a private anycast VIP Change-Id: I56b16355ee33cd68a6246f08fc16c20f10da3df2 --- A hieradata/hosts/acamar.yaml M hieradata/role/common/dnsrecursor.yaml A modules/bird/manifests/init.pp A modules/bird/templates/bird.service.erb A modules/bird/templates/bird_anycast.conf.erb A modules/profile/manifests/bird/anycast.pp M modules/role/manifests/dnsrecursor.pp 7 files changed, 167 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/49/391149/1
diff --git a/hieradata/hosts/acamar.yaml b/hieradata/hosts/acamar.yaml
new file mode 100644
index 0000000..219afcd
--- /dev/null
+++ b/hieradata/hosts/acamar.yaml
@@ -0,0 +1,3 @@
+profile::bird::neighbors_list:
+ - 208.80.153.2 # cr1-codfw ae1:2001
+ - 208.80.153.3 # cr2-codfw ae1:2001
diff --git a/hieradata/role/common/dnsrecursor.yaml b/hieradata/role/common/dnsrecursor.yaml
index 49549d1..b2c2243 100644
--- a/hieradata/role/common/dnsrecursor.yaml
+++ b/hieradata/role/common/dnsrecursor.yaml
@@ -1 +1,6 @@
 standard::has_ganglia: false
+
+profile::bird::advertise_vips:
+ rec-dns-anycast-vip: 10.3.0.1/32
+
+profile::bird::bind_service: 'pdns-recursor.service'
diff --git a/modules/bird/manifests/init.pp b/modules/bird/manifests/init.pp
new file mode 100644
index 0000000..a114dba
--- /dev/null
+++ b/modules/bird/manifests/init.pp
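Review bot: `profile::bird::advertise_vips` maps the VIP name directly to the string `10.3.0.1/32`, but anycast.pp passes that hash to `create_resources(interface::ip, $advertise_vips, $vips_defaults)`, which requires each value to be a hash of resource attributes; a bare string value makes catalog compilation fail. The value should be an attribute hash whose keys match the parameters of `interface::ip` (presumably the address and prefix length as separate attributes — confirm against the define), e.g. `rec-dns-anycast-vip: { address: 10.3.0.1, prefixlen: 32 }` as a constructed example. It is also worth a comment next to this key that the prefix must stay a /32 inside 10.3.0.0/24, because `vips_filter` in bird_anycast.conf.erb only exports routes matching that, so any other value configured here is silently never advertised.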
@@ -0,0 +1,52 @@
+# == Class: bird::base
+#
+# Installs Bird
+# Let the option to "bindTo" the Bird service to another service (watchdog-like)
+#
+#
+class bird(
+ $neighbors,
+ $bfd = true,
+ $bind_service = '',
+ $routerid= $::ipaddress,
+ ){
+
+ require_package('bird')
+
+ if $bind_service != '' {
+ file { '/lib/systemd/system/bird.service':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('bird/bird.service.erb'),
+ require => Package['bird'],
+ }
+ exec { 'bird-systemd-reload':
+ command => 'systemctl daemon-reload',
+ path => [ '/usr/bin', '/bin', '/usr/sbin' ],
+ refreshonly => true,
+ }
+ }
+
+ service { 'bird':
+ ensure => running,
+ enable => true,
+ require => Package['bird'],
+ }
+
+ service { 'bird6':
+ ensure => stopped,
+ enable => false,
+ require => Package['bird'],
+ }
+
+ file { '/etc/bird/bird.conf':
+ ensure => present,
+ owner => 'bird',
+ group => 'bird',
+ mode => '0640',
+ content => template('bird/bird_anycast.conf.erb'),
+ }
+
+}
diff --git a/modules/bird/templates/bird.service.erb b/modules/bird/templates/bird.service.erb
new file mode 100644
index 0000000..319ac98
--- /dev/null
+++ b/modules/bird/templates/bird.service.erb
@@ -0,0 +1,17 @@
+[Unit]
+Description=BIRD Internet Routing Daemon (IPv4)
+
+After=<%= @bind_service %>
+BindsTo=<%= @bind_service %>
+
+[Service]
+EnvironmentFile=/etc/bird/envvars
+ExecStartPre=/usr/lib/bird/prepare-environment
+ExecStartPre=/usr/sbin/bird -p
+ExecReload=/usr/sbin/birdc configure
+ExecStart=/usr/sbin/bird -f -u $BIRD_RUN_USER -g $BIRD_RUN_GROUP $BIRD_ARGS
+Restart=on-abort
+
+[Install]
+## https://github.com/systemd/systemd/issues/720
+WantedBy=<%= @bind_service %>
diff --git a/modules/bird/templates/bird_anycast.conf.erb b/modules/bird/templates/bird_anycast.conf.erb
new file mode 100644
index 0000000..f108d07
--- /dev/null
+++ b/modules/bird/templates/bird_anycast.conf.erb
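Review bot: Nothing ever triggers the refreshonly `exec { 'bird-systemd-reload' }`, and neither the unit file nor `/etc/bird/bird.conf` notifies the service, so a changed neighbor list or bind target is written to disk but the running bird keeps its old configuration until someone restarts it by hand. Add `notify => Exec['bird-systemd-reload'],` to the `/lib/systemd/system/bird.service` resource, `before => Service['bird'],` on the exec, and `notify => Service['bird'],` on the bird.conf resource (since the unit's ExecReload runs `birdc configure`, consider pointing the service's `restart` attribute at a reload so a config change does not bounce the daemon and briefly withdraw the VIP). Writing the unit into /lib/systemd/system also overwrites the package-owned file, which the next `bird` package upgrade will silently revert until the following puppet run; `/etc/systemd/system/bird.service` (or a drop-in under `/etc/systemd/system/bird.service.d/`) takes precedence without fighting dpkg. Minor: the header reads `Class: bird::base` while the class is `bird`, and `$routerid= $::ipaddress` is missing a space.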
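Review bot: `BindsTo=<%= @bind_service %>` couples bird only to the recursor unit's active state, so the anycast VIP is withdrawn when pdns-recursor stops or crashes but stays announced while the process is up yet not answering (wedged, out of file descriptors, bound to the wrong address), which is the failure mode anycast is most exposed to. The unit should say so, e.g. a comment above `BindsTo`: `# Liveness coupling only: bird follows the unit state of bind_service, not its DNS health; a query-level health check is still needed.` `Restart=on-abort` only restarts bird after a signal-induced death, so a non-zero exit at runtime leaves the host silently unadvertised; that is a safe fail-closed default for anycast, but it deserves a comment stating it is intentional (or `Restart=on-failure` if recovery is preferred). Note this template is only rendered when `bind_service` is non-empty (init.pp), so hosts without a bind target run the package's stock unit.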
@@ -0,0 +1,47 @@
+
+router id <%= @routerid %>;
+
+protocol device {
+}
+
+protocol kernel {
+ metric 64;
+ import none;
+}
+
+protocol direct {
+ interface "*";
+}
+
+filter vips_filter{
+ if ( net.len = 32 && net ~ 10.3.0.0/24 ) then {
+ accept;
+ }
+ else {
+ reject;
+ }
+}
+
+<%- if @bfd -%>
+protocol bfd {
+ interface "*" {
+ interval 300 ms;
+ multiplier 3;
+ };
+}
+<%- end -%>
+
+
+protocol bgp {
+ import none;
+ export filter vips_filter;
+ local as 64605;
+ check link yes;
+ <% @neighbors.each do |neighbor| %>
+ neighbor <%= @neighbor %> as 14907;
+ <% end %>
+ <%- if @bfd -%>
+ bfd yes;
+ <%- end -%>
+
+}
diff --git a/modules/profile/manifests/bird/anycast.pp b/modules/profile/manifests/bird/anycast.pp
new file mode 100644
index 0000000..b048a39
--- /dev/null
+++ b/modules/profile/manifests/bird/anycast.pp
@@ -0,0 +1,42 @@
+# == Class: bird::base
+#
+# Installs and configure Bird
+# Configure Ferm
+#
+#
+class profile::bird::anycast(
+ $bfd = hiera('profile::bird::bfd', true),
+ $neighbors_list = hiera('profile::bird::neighbors_list', []),
+ $bind_service = hiera('profile::bird::bind_service', ''),
+ $advertise_vips = hiera('profile::bird::advertise_vips', undef),
+){
+
+ ferm::service { 'bird-bgp':
+ proto => 'tcp',
+ port => '179',
+ srange => $neighbors_list,
+ }
+
+ # TODO not sure if we can allow a port range, allowing all UDP for now
+ # neighbors_list are trusted routers anyway
+ if $bfd {
+ ferm::service { 'bird-bfd':
+ proto => 'udp',
+ #port => '49152-65535',
+ srange => $neighbors_list,
+ }
+ }
+
+ if $advertise_vips {
+ $vips_defaults = {
+ interface => 'lo',
+ }
+ create_resources(interface::ip, $advertise_vips, $vips_defaults)
+ }
+
+ class { '::bird':
+ neighbors => $neighbors_list,
+ bind_service => $bind_service,
+ bfd => $bfd,
+ }
+}
diff --git a/modules/role/manifests/dnsrecursor.pp b/modules/role/manifests/dnsrecursor.pp
index 2832abe..9ee326f 100644
--- a/modules/role/manifests/dnsrecursor.pp
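Review bot: The neighbor line interpolates `@neighbor`, an instance variable that is never set, instead of the block variable `neighbor`, so every peer renders as `neighbor  as 14907;` and bird rejects the configuration (the unit's `bird -p` pre-check catches it, so bird never starts and no VIP is announced). Change it to `neighbor <%= neighbor %> as 14907;`. Since this loop is the only source of `neighbor` statements, an empty `@neighbors` produces a `protocol bgp` with no peer, which bird as far as I recall also refuses, so the template (or the profile) should fail early rather than leave the host silently unadvertised. No `password` is set on the session; with ferm pinning the peers that is acceptable, but if the routers support it a TCP-MD5 `password` line is a cheap guard against a spoofed peer resetting the session. The `<% @neighbors.each ... %>` / `<% end %>` tags without `-%>` also leave stray blank lines in bird.conf; harmless, but the bfd blocks already use the trimming form.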
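Review bot: The `bird-bfd` rule opens all UDP from the neighbors because the commented-out `49152-65535` is the BFD source port range, whereas ferm's `port` is the destination port; single-hop BFD control packets (RFC 5881) are sent to UDP 3784 (echo packets, if ever enabled, to 3785), so `port => '3784',` restricts the rule to what the session needs and the TODO can go. Separately, `$neighbors_list` defaults to `[]`, which renders a `protocol bgp` with no `neighbor` statement and an empty srange in both ferm rules; the profile should refuse to compile in that case, e.g. `if empty($neighbors_list) { fail('profile::bird::anycast needs profile::bird::neighbors_list') }` (using puppetlabs-stdlib's empty(), if available). Also confirm how `ferm::service` handles an array `srange` — if the define interpolates it as a string rather than joining it into a parenthesised list such as `'(208.80.153.2 208.80.153.3)'`, the generated rule is invalid. The header comment was copied from init.pp and still reads `Class: bird::base`.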
+++ b/modules/role/manifests/dnsrecursor.pp @@ -11,4 +11,5 @@ } include ::profile::dnsrecursor + include ::profile::bird::anycast } -- To view, visit https://gerrit.wikimedia.org/r/391149 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I56b16355ee33cd68a6246f08fc16c20f10da3df2 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ayounsi <ayou...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits