
Change subject: [WIP] Have every rdns advertise a private anycast VIP
......................................................................

[WIP] Have every rdns advertise a private anycast VIP

Change-Id: I56b16355ee33cd68a6246f08fc16c20f10da3df2
---
A hieradata/hosts/acamar.yaml
M hieradata/role/common/dnsrecursor.yaml
A modules/bird/manifests/init.pp
A modules/bird/templates/bird.service.erb
A modules/bird/templates/bird_anycast.conf.erb
A modules/profile/manifests/bird/anycast.pp
M modules/role/manifests/dnsrecursor.pp
7 files changed, 167 insertions(+), 0 deletions(-)



diff --git a/hieradata/hosts/acamar.yaml b/hieradata/hosts/acamar.yaml
new file mode 100644
index 0000000..219afcd
--- /dev/null
+++ b/hieradata/hosts/acamar.yaml
@@ -0,0 +1,3 @@
+profile::bird::neighbors_list:
+  - 208.80.153.2 # cr1-codfw ae1:2001
+  - 208.80.153.3 # cr2-codfw ae1:2001
diff --git a/hieradata/role/common/dnsrecursor.yaml 
b/hieradata/role/common/dnsrecursor.yaml
index 49549d1..b2c2243 100644
--- a/hieradata/role/common/dnsrecursor.yaml
+++ b/hieradata/role/common/dnsrecursor.yaml
@@ -1 +1,6 @@
 standard::has_ganglia: false
+
+profile::bird::advertise_vips:
+  rec-dns-anycast-vip: 10.3.0.1/32
+
+profile::bird::bind_service: 'pdns-recursor.service'
diff --git a/modules/bird/manifests/init.pp b/modules/bird/manifests/init.pp
new file mode 100644
index 0000000..a114dba
--- /dev/null
+++ b/modules/bird/manifests/init.pp
@@ -0,0 +1,52 @@
+# == Class: bird::base
+#
+# Installs Bird
+# Let the option to "bindTo" the Bird service to another service 
(watchdog-like)
+#
+#
+class bird(
+  $neighbors,
+  $bfd = true,
+  $bind_service = '',
+  $routerid= $::ipaddress,
+  ){
+
+  require_package('bird')
+
+  if $bind_service != '' {
+    file { '/lib/systemd/system/bird.service':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0644',
+        content => template('bird/bird.service.erb'),
+        require => Package['bird'],
+    }
+    exec { 'bird-systemd-reload':
+        command     => 'systemctl daemon-reload',
+        path        => [ '/usr/bin', '/bin', '/usr/sbin' ],
+        refreshonly => true,
+    }
+  }
+
+  service { 'bird':
+      ensure  => running,
+      enable  => true,
+      require => Package['bird'],
+  }
+
+  service { 'bird6':
+      ensure  => stopped,
+      enable  => false,
+      require => Package['bird'],
+  }
+
+  file { '/etc/bird/bird.conf':
+      ensure  => present,
+      owner   => 'bird',
+      group   => 'bird',
+      mode    => '0640',
+      content => template('bird/bird_anycast.conf.erb'),
+  }
+
+}
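Review bot: The unit file resource at L68–75 never triggers `bird-systemd-reload` (the exec is `refreshonly` with nothing notifying it), and `/etc/bird/bird.conf` at L95–101 has no relationship with `Service['bird']`, so a changed neighbor list or VIP filter is written to disk but not loaded until something else restarts the daemon. Add `notify => Exec['bird-systemd-reload']` to the service-file resource and `notify => Service['bird'], require => Package['bird']` to the bird.conf resource; since a full restart drops the BGP session and withdraws the anycast VIP, consider `restart => 'systemctl reload bird'` on the service (the unit already defines `ExecReload`) so config changes do not flap the route. Writing to `/lib/systemd/system/bird.service` overrides the package's own unit and will conflict with or be clobbered by upgrades; `/etc/systemd/system/bird.service` is the conventional location for a local override. The header comment says `bird::base` but the class is `bird`.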
diff --git a/modules/bird/templates/bird.service.erb 
b/modules/bird/templates/bird.service.erb
new file mode 100644
index 0000000..319ac98
--- /dev/null
+++ b/modules/bird/templates/bird.service.erb
@@ -0,0 +1,17 @@
+[Unit]
+Description=BIRD Internet Routing Daemon (IPv4)
+
+After=<%= @bind_service %>
+BindsTo=<%= @bind_service %>
+
+[Service]
+EnvironmentFile=/etc/bird/envvars
+ExecStartPre=/usr/lib/bird/prepare-environment
+ExecStartPre=/usr/sbin/bird -p
+ExecReload=/usr/sbin/birdc configure
+ExecStart=/usr/sbin/bird -f -u $BIRD_RUN_USER -g $BIRD_RUN_GROUP $BIRD_ARGS
+Restart=on-abort
+
+[Install]
+## https://github.com/systemd/systemd/issues/720
+WantedBy=<%= @bind_service %>
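Review bot: The `BindsTo=`/`After=` coupling at L114–115 withdraws the VIP only when the bound service stops or dies; a recursor that is running but not answering keeps the anycast route advertised, so this is a process watchdog rather than a health check and the unit should say so, e.g. `# BindsTo stops bird (withdrawing the VIP) when the bound service stops; it does not detect a hung but running recursor`. The bare issue link on L126 should state what it works around so the next maintainer knows whether it can be dropped (it appears to justify `WantedBy=` pointing at the bound service instead of multi-user.target; confirm). `Restart=on-abort` on L123 leaves bird down after a non-zero exit, which is the safe direction here since the route is withdrawn, but if that is intentional a one-line comment would stop someone "fixing" it to `on-failure`.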
diff --git a/modules/bird/templates/bird_anycast.conf.erb 
b/modules/bird/templates/bird_anycast.conf.erb
new file mode 100644
index 0000000..f108d07
--- /dev/null
+++ b/modules/bird/templates/bird_anycast.conf.erb
@@ -0,0 +1,47 @@
+
+router id <%= @routerid %>;
+
+protocol device {
+}
+
+protocol kernel {
+       metric 64;
+       import none;
+}
+
+protocol direct {
+       interface "*";
+}
+
+filter vips_filter{
+    if ( net.len = 32 && net ~ 10.3.0.0/24 ) then {
+        accept;
+    }
+    else {
+        reject;
+    }
+}
+
+<%- if @bfd -%>
+protocol bfd {
+    interface "*" {
+        interval 300 ms;
+            multiplier 3;
+        };
+}
+<%- end -%>
+
+
+protocol bgp {
+       import none;
+       export filter vips_filter;
+       local as 64605;
+  check link yes;
+  <% @neighbors.each do |neighbor| %>
+  neighbor <%= @neighbor %> as 14907;
+  <% end %>
+  <%- if @bfd -%>
+       bfd yes;
+  <%- end -%>
+
+}
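Review bot: L175 interpolates `@neighbor`, an instance variable that is never set, while the block variable is `neighbor`; every neighbor line renders as `neighbor  as 14907;` and `bird -p` will reject the file. Change it to `neighbor <%= neighbor %> as 14907;`. The accepted range in `vips_filter` (`10.3.0.0/24`, L151) is hard-coded while the VIPs come from hiera, so a VIP outside that prefix is bound to `lo` but silently never exported; either derive the filter from the advertised VIPs or document the constraint next to the filter. `import none` on the BGP protocol is right, but there is no `password` on the session; if the routers support TCP MD5 it is worth enabling, since the ferm source filter is otherwise the only protection on port 179.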
diff --git a/modules/profile/manifests/bird/anycast.pp 
b/modules/profile/manifests/bird/anycast.pp
new file mode 100644
index 0000000..b048a39
--- /dev/null
+++ b/modules/profile/manifests/bird/anycast.pp
@@ -0,0 +1,42 @@
+# == Class: bird::base
+#
+# Installs and configure Bird
+# Configure Ferm
+#
+#
+class profile::bird::anycast(
+  $bfd = hiera('profile::bird::bfd', true),
+  $neighbors_list = hiera('profile::bird::neighbors_list', []),
+  $bind_service = hiera('profile::bird::bind_service', ''),
+  $advertise_vips = hiera('profile::bird::advertise_vips', undef),
+){
+
+  ferm::service { 'bird-bgp':
+      proto  => 'tcp',
+      port   => '179',
+      srange => $neighbors_list,
+  }
+
+  # TODO not sure if we can allow a port range, allowing all UDP for now
+  # neighbors_list are trusted routers anyway
+  if $bfd {
+    ferm::service { 'bird-bfd':
+        proto  => 'udp',
+        #port   => '49152-65535',
+        srange => $neighbors_list,
+    }
+  }
+
+  if $advertise_vips {
+      $vips_defaults = {
+          interface => 'lo',
+      }
+      create_resources(interface::ip, $advertise_vips, $vips_defaults)
+  }
+
+  class { '::bird':
+      neighbors    => $neighbors_list,
+      bind_service => $bind_service,
+      bfd          => $bfd,
+  }
+}
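Review bot: The `bird-bfd` rule at L211–215 opens every UDP port to the neighbors because the port is commented out; the range in the comment is the BFD source-port range, whereas single-hop BFD control packets (which `interface "*"` in the template implies) arrive on destination UDP 3784 (3785 for echo), so `port => '3784'` is enough to drop the wildcard. `create_resources(interface::ip, $advertise_vips, ...)` at L222 expects a hash of parameter hashes, but `dnsrecursor.yaml` in this change sets `rec-dns-anycast-vip: 10.3.0.1/32` as a plain string, so this will not compile as written — either shape the hiera data as a parameter hash (address/prefixlen, or whatever `interface::ip` takes) or iterate and split the CIDR explicitly. `srange => $neighbors_list` passes an array; if `ferm::service` expects a string such as `"(${join($neighbors_list, ' ')})"`, as I believe it does elsewhere in this repository, the array form will not render the intended rule — confirm. The header comment names `bird::base` rather than `profile::bird::anycast`.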
diff --git a/modules/role/manifests/dnsrecursor.pp 
b/modules/role/manifests/dnsrecursor.pp
index 2832abe..9ee326f 100644
--- a/modules/role/manifests/dnsrecursor.pp
+++ b/modules/role/manifests/dnsrecursor.pp
@@ -11,4 +11,5 @@
     }
 
     include ::profile::dnsrecursor
+    include ::profile::bird::anycast
 }
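Review bot: Including `profile::bird::anycast` here applies it to every recursor, but `profile::bird::neighbors_list` defaults to `[]` and only `acamar.yaml` sets neighbors in this change; on the other hosts the template renders a `protocol bgp` block with no `neighbor` statement, which BIRD is likely to reject, so `Service['bird']` with `ensure => running` would fail every Puppet run there. Until every rdns host has per-host neighbors, either gate the include on a non-empty list or have the profile skip the BGP protocol when `$neighbors_list` is empty. The enclosing class body starts outside the hunk.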


Gerrit-MessageType: newchange
Gerrit-Change-Id: I56b16355ee33cd68a6246f08fc16c20f10da3df2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ayounsi <ayou...@wikimedia.org>
