BBlack has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/391149 )
Change subject: Have every rdns advertise a private anycast VIP
......................................................................
Have every rdns advertise a private anycast VIP
Bug: T98006
Change-Id: I56b16355ee33cd68a6246f08fc16c20f10da3df2
---
A hieradata/role/codfw/dnsrecursor.yaml
M hieradata/role/common/dnsrecursor.yaml
A hieradata/role/eqiad/dnsrecursor.yaml
A hieradata/role/esams/dnsrecursor.yaml
A modules/bird/manifests/init.pp
A modules/bird/templates/bird.service.erb
A modules/bird/templates/bird_anycast.conf.erb
A modules/profile/manifests/bird/anycast.pp
M modules/profile/manifests/dnsrecursor.pp
M modules/role/manifests/dnsrecursor.pp
10 files changed, 205 insertions(+), 1 deletion(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git a/hieradata/role/codfw/dnsrecursor.yaml
b/hieradata/role/codfw/dnsrecursor.yaml
new file mode 100644
index 0000000..219afcd
--- /dev/null
+++ b/hieradata/role/codfw/dnsrecursor.yaml
@@ -0,0 +1,3 @@
+profile::bird::neighbors_list:
+ - 208.80.153.2 # cr1-codfw ae1:2001
+ - 208.80.153.3 # cr2-codfw ae1:2001
diff --git a/hieradata/role/common/dnsrecursor.yaml
b/hieradata/role/common/dnsrecursor.yaml
index 49549d1..b2c2243 100644
--- a/hieradata/role/common/dnsrecursor.yaml
+++ b/hieradata/role/common/dnsrecursor.yaml
@@ -1 +1,6 @@
standard::has_ganglia: false
+
+profile::bird::advertise_vips:
+ rec-dns-anycast-vip: 10.3.0.1/32
+
+profile::bird::bind_service: 'pdns-recursor.service'
diff --git a/hieradata/role/eqiad/dnsrecursor.yaml
b/hieradata/role/eqiad/dnsrecursor.yaml
new file mode 100644
index 0000000..0e3bddd
--- /dev/null
+++ b/hieradata/role/eqiad/dnsrecursor.yaml
@@ -0,0 +1,3 @@
+profile::bird::neighbors_list:
+ - 208.80.154.2 # cr1-eqiad ae1:1001
+ - 208.80.154.3 # cr2-eqiad ae1:1001
diff --git a/hieradata/role/esams/dnsrecursor.yaml
b/hieradata/role/esams/dnsrecursor.yaml
new file mode 100644
index 0000000..4594144
--- /dev/null
+++ b/hieradata/role/esams/dnsrecursor.yaml
@@ -0,0 +1,3 @@
+profile::bird::neighbors_list:
+ - 91.198.174.2 # cr1-esams ae1:100
+ - 91.198.174.3 # cr2-esams ae1:100
diff --git a/modules/bird/manifests/init.pp b/modules/bird/manifests/init.pp
new file mode 100644
index 0000000..03c1699
--- /dev/null
+++ b/modules/bird/manifests/init.pp
@@ -0,0 +1,75 @@
+# == Class: bird
+#
+# Installs Bird
+#
+# Only supports v4 Bird instance but can be extended to support v6 when the
need arises.
+#
+# === Parameters
+#
+# [*neighbors*]
+# List of directly connected BGP neighbors (no-multihop)
+#
+# [*config_template*]
+# Specifiy which Bird config to use.
+# Only anycast exists for now, but it could be extended in the future.
+#
+# [*bfd*]
+# Enables BFD with the BGP peer (300ms*3)
+#
+# [*bind_service*]
+# Allows to bind the bird service to another service (watchdog-like)
+#
+# [*routerid*]
+# The router ID of the bird instance
+#
+#
+class bird(
+ $neighbors,
+ $config_template,
+ $bfd = true,
+ $bind_service = '',
+ $routerid= $::ipaddress,
+ ){
+
+ require_package('bird')
+
+ if $bind_service != '' {
+ exec { 'bird-systemd-reload':
+ command => 'systemctl daemon-reload',
+ path => [ '/usr/bin', '/bin', '/usr/sbin' ],
+ refreshonly => true,
+ }
+ file { '/lib/systemd/system/bird.service':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('bird/bird.service.erb'),
+ require => Package['bird'],
+ notify => Exec['bird-systemd-reload'],
+ }
+ }
+
+ service { 'bird':
+ enable => true,
+ restart => 'service bird reload',
+ require => Package['bird'],
+ }
+
+ service { 'bird6':
+ ensure => stopped,
+ enable => false,
+ restart => 'service bird6 reload',
+ require => Package['bird'],
+ }
+
+ file { '/etc/bird/bird.conf':
+ ensure => present,
+ owner => 'bird',
+ group => 'bird',
+ mode => '0640',
+ content => template($config_template),
+ notify => Service['bird'],
+ }
+
+}
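Review bot: The overridden unit is written to `/lib/systemd/system/bird.service`, which is the package-owned path, so the next bird package upgrade replaces it and the BindsTo/WantedBy coupling silently disappears until the next Puppet run; `/etc/systemd/system/bird.service` is the administrator override location and survives upgrades. The unit file only notifies the daemon-reload exec, so a change of `$bind_service` is not applied to an already running bird; adding `subscribe => File['/etc/systemd/system/bird.service']` (inside the same `if $bind_service != ''` guard) to `Service['bird']` would cover that. Separately, `service { 'bird': enable => true, ... }` has no `ensure => running`, so a bird that is stopped for any reason stays stopped until reboot; `ensure => running,` is presumably wanted unless the BindsTo coupling is meant to be the only thing that starts it — confirm. Minor style: `$routerid= $::ipaddress` is missing the space before `=` that the other parameters have.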
diff --git a/modules/bird/templates/bird.service.erb
b/modules/bird/templates/bird.service.erb
new file mode 100644
index 0000000..319ac98
--- /dev/null
+++ b/modules/bird/templates/bird.service.erb
@@ -0,0 +1,17 @@
+[Unit]
+Description=BIRD Internet Routing Daemon (IPv4)
+
+After=<%= @bind_service %>
+BindsTo=<%= @bind_service %>
+
+[Service]
+EnvironmentFile=/etc/bird/envvars
+ExecStartPre=/usr/lib/bird/prepare-environment
+ExecStartPre=/usr/sbin/bird -p
+ExecReload=/usr/sbin/birdc configure
+ExecStart=/usr/sbin/bird -f -u $BIRD_RUN_USER -g $BIRD_RUN_GROUP $BIRD_ARGS
+Restart=on-abort
+
+[Install]
+## https://github.com/systemd/systemd/issues/720
+WantedBy=<%= @bind_service %>
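Review bot: The coupling this unit implements is non-obvious and deserves a comment next to `BindsTo=`: bird is stopped whenever `<%= @bind_service %>` stops, and it is the `WantedBy=` in [Install] (with the unit enabled) that starts it again when the bound service starts, which is the watchdog-like behaviour the bird class documentation promises. Suggest `# Stopped with the bound service (BindsTo) and started alongside it (WantedBy); see the linked systemd issue.` above the `After=` line. The `EnvironmentFile`, `ExecStartPre` and `ExecStart` lines presumably mirror the packaged unit; if so, a one-line comment saying that only the ordering/binding lines are local changes tells maintainers what to re-sync after a package update.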
diff --git a/modules/bird/templates/bird_anycast.conf.erb
b/modules/bird/templates/bird_anycast.conf.erb
new file mode 100644
index 0000000..7f6f60c
--- /dev/null
+++ b/modules/bird/templates/bird_anycast.conf.erb
@@ -0,0 +1,47 @@
+
+router id <%= @routerid %>;
+
+protocol device {
+}
+
+protocol kernel {
+ metric 64;
+ import none;
+}
+
+protocol direct {
+ interface "*";
+}
+
+filter vips_filter{
+ if ( net.len = 32 && net ~ 10.3.0.0/24 ) then {
+ accept;
+ }
+ else {
+ reject;
+ }
+}
+
+<%- if @bfd -%>
+protocol bfd {
+ interface "*" {
+ interval 300 ms;
+ multiplier 3;
+ };
+}
+<%- end -%>
+
+
+protocol bgp {
+ import none;
+ export filter vips_filter;
+ local as 64605;
+ check link yes;
+ <% @neighbors.each do |neighbor| %>
+ neighbor <%= @neighbor %> as 14907;
+ <% end %>
+ <%- if @bfd -%>
+ bfd yes;
+ <%- end -%>
+
+}
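Review bot: The neighbor loop renders `neighbor <%= @neighbor %> as 14907;` from the instance variable `@neighbor`, which does not exist — the block parameter is the local `neighbor` — so every iteration produces `neighbor  as 14907;` and bird rejects the config (the `ExecStartPre=/usr/sbin/bird -p` check in the managed unit would fail); change it to `neighbor <%= neighbor %> as 14907;`. The same loop uses `<% %>` where the rest of the template uses `<%- -%>`, leaving stray blank lines in the output; `<%- @neighbors.each do |neighbor| -%>` and `<%- end -%>` keep it consistent. `vips_filter` hard-codes `10.3.0.0/24` while the advertised VIP comes from hiera (`profile::bird::advertise_vips`), so a VIP outside that /24 is silently never exported; either derive the filter from the same data or state the constraint in a comment on the filter. Finally, `protocol bgp` carries no `password`, so the ferm source-range rules in profile::bird::anycast are the only thing restricting who can peer; a comment recording that dependency would help the next maintainer.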
diff --git a/modules/profile/manifests/bird/anycast.pp
b/modules/profile/manifests/bird/anycast.pp
new file mode 100644
index 0000000..cd32a61
--- /dev/null
+++ b/modules/profile/manifests/bird/anycast.pp
@@ -0,0 +1,47 @@
+# == Class: bird::base
+#
+# Installs and configure Bird
+# Configure Ferm
+#
+#
+class profile::bird::anycast(
+ $bfd = hiera('profile::bird::bfd', true),
+ $neighbors_list = hiera('profile::bird::neighbors_list', []),
+ $bind_service = hiera('profile::bird::bind_service', ''),
+ $advertise_vips = hiera('profile::bird::advertise_vips', undef),
+){
+
+ ferm::service { 'bird-bgp':
+ proto => 'tcp',
+ port => '179',
+ srange => $neighbors_list,
+ }
+
+ if $bfd {
+ ferm::service { 'bird-bfd-control':
+ proto => 'udp',
+ port => '3784',
+ srange => $neighbors_list,
+ }
+ ferm::service { 'bird-bfd-echo':
+ proto => 'udp',
+ port => '3785',
+ srange => $neighbors_list,
+ }
+ }
+
+ if $advertise_vips {
+ $vips_defaults = {
+ interface => 'lo',
+ options => 'label lo:anycast'
+ }
+ create_resources(interface::ip, $advertise_vips, $vips_defaults)
+ }
+
+ class { '::bird':
+ config_template => 'bird/bird_anycast.conf.erb',
+ neighbors => $neighbors_list,
+ bind_service => $bind_service,
+ bfd => $bfd,
+ }
+}
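Review bot: The header comment names the class `bird::base` but the class defined here is `profile::bird::anycast`; change it to `# == Class: profile::bird::anycast` and document the four hiera-backed parameters (`bfd`, `neighbors_list`, `bind_service`, `advertise_vips`) the way modules/bird/manifests/init.pp documents its own. `create_resources(interface::ip, $advertise_vips, $vips_defaults)` expects a hash of title => parameter-hash, whereas the common hieradata in this change supplies `rec-dns-anycast-vip: 10.3.0.1/32` (title => string), which create_resources cannot merge with `$vips_defaults`; either the hiera value should become a hash of interface::ip parameters or this profile should build that hash itself — confirm against interface::ip's signature. `srange => $neighbors_list` passes an array; if ferm::service expects its usual `(ip1 ip2)` string form this should be wrapped, e.g. `srange => "(${join($neighbors_list, ' ')})"`, and with the default `[]` the BGP/BFD rules would be generated with an empty source range, so a guard that skips the ferm rules when the list is empty seems safer than trusting what ferm does with it.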
diff --git a/modules/profile/manifests/dnsrecursor.pp
b/modules/profile/manifests/dnsrecursor.pp
index 18ff727..580ce25 100644
--- a/modules/profile/manifests/dnsrecursor.pp
+++ b/modules/profile/manifests/dnsrecursor.pp
@@ -1,6 +1,8 @@
# A profile class for a dns recursor
-class profile::dnsrecursor {
+class profile::dnsrecursor (
+ $advertise_vips = hiera('profile::bird::advertise_vips', undef)
+ ) {
include ::network::constants
include ::base::firewall
include ::lvs::configuration
@@ -11,6 +13,7 @@
$facts['ipaddress'],
$facts['ipaddress6'],
$lvs::configuration::service_ips['dns_rec'][$::site],
+ $advertise_vips,
],
}
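Review bot: `$advertise_vips` is spliced into the listen address list as-is, but per the common hieradata in this change it is a hash of resource title => CIDR (`rec-dns-anycast-vip: 10.3.0.1/32`), not an address, and with the hiera default it is `undef`; the neighbouring entries are plain IPs, so the recursor config would presumably receive a hash (or undef) where an address belongs. Unless the template already unpacks that shape, this should contribute only the bare addresses, e.g. `$vips = $advertise_vips ? { undef => [], default => $advertise_vips.values.map |$v| { split($v, '/')[0] } }` and then `$vips` in the list. The class body and the list literal both start outside this hunk, and the same hiera key is looked up again in profile::bird::anycast, so the two consumers should agree on the key's shape.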
diff --git a/modules/role/manifests/dnsrecursor.pp
b/modules/role/manifests/dnsrecursor.pp
index 2832abe..9ee326f 100644
--- a/modules/role/manifests/dnsrecursor.pp
+++ b/modules/role/manifests/dnsrecursor.pp
@@ -11,4 +11,5 @@
}
include ::profile::dnsrecursor
+ include ::profile::bird::anycast
}
--
To view, visit https://gerrit.wikimedia.org/r/391149
Gerrit-MessageType: merged
Gerrit-Change-Id: I56b16355ee33cd68a6246f08fc16c20f10da3df2
Gerrit-PatchSet: 9
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ayounsi <[email protected]>
Gerrit-Reviewer: Ayounsi <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: jenkins-bot <>