rhtconsulting / rhc-ose

OpenShift Automation and Utilities by Red Hat Consulting

First cut at DNS ansible roles #154

Closed oybed closed 8 years ago

oybed commented 8 years ago

What does this PR do?

Ansible roles for setting up a DNS server (bind/named) and allow for static DNS records to be added through the dns role (+ enables "nsupdate" for dynamic updates)

How should this be manually tested?

Use the files from the test directories to run the roles - i.e.:

```
>> cd rhc-ose-ansible
>> cp roles/dns-server/test/role.yml .
>> [edit role.yml if desirable]
>> ansible-playbook role.yml
>> [cd rhc-ose-ansible]
>> cp roles/dns/test/records.yml .
>> [edit records.yml if desirable / to match the server config]
>> ansible-playbook records.yml
>> dig @<your_ip> <dns_name>
>> dig @127.0.0.1 <dns_name>
>> nsupdate -k /var/named/<view>-<dns-domain>.key
server 127.0.0.1 # (or use the local ip)
update add <FQDN> 100 A <ip>
send
```

Is there a relevant Issue open for this?

N/A

Who would you like to review this?

/cc @etsauer @JayKayy @vvaldez @sabre1041
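Added example, not code from this PR or from the rhc-ose roles: a small Python helper that validates entries in the `view` / `zone` / `entries` layout the records.yml test file uses, renders the `server` / `update add <FQDN> 100 A <ip>` / `send` batch the nsupdate step above expects (one `send` per zone, since nsupdate transactions are per zone), and flags records in a `public` view that point at private address space. The function names, sample records and validation rules are assumptions, not the role's API.

```python
import ipaddress
import re

# Constructed sample mirroring the records.yml layout the dns role consumes
# (one block per view/zone, entries with type, hostname, ip); not the PR's file.
SAMPLE_RECORDS = [{"view": "public", "zone": "second.example.com", "entries": [
    {"type": "A", "hostname": "master.john", "ip": "10.8.88.20"},
    {"type": "A", "hostname": "node1", "ip": "10.8.88.20"}]}]

# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def fqdn(hostname, zone):
    """Join a zone-relative hostname to its zone, trailing dot as nsupdate expects."""
    return f"{hostname.rstrip('.')}.{zone.rstrip('.')}."


def validate_entry(entry):
    """Return the problems found in one entry (an empty list means it is usable)."""
    problems = []
    if entry.get("type") != "A":
        problems.append(f"unsupported record type {entry.get('type')!r}")
    if not HOSTNAME_RE.match(entry.get("hostname", "")):
        problems.append(f"invalid hostname {entry.get('hostname')!r}")
    try:
        ipaddress.IPv4Address(entry.get("ip", ""))
    except ValueError:
        problems.append(f"invalid IPv4 address {entry.get('ip')!r}")
    return problems


def render_nsupdate(records, server="127.0.0.1", ttl=100):
    """Render the batch fed to `nsupdate -k <key>`; one 'send' per zone, because
    a single nsupdate transaction may only touch one zone."""
    lines = [f"server {server}"]
    for block in records:
        for entry in block["entries"]:
            problems = validate_entry(entry)
            if problems:
                raise ValueError(f"{block['zone']}: {'; '.join(problems)}")
            name = fqdn(entry["hostname"], block["zone"])
            lines.append(f"update add {name} {ttl} {entry['type']} {entry['ip']}")
        lines.append("send")
    return "\n".join(lines)


def private_ips_in_public_views(records):
    """List FQDNs in a 'public' view whose A record points at private (RFC 1918) space."""
    return [fqdn(e["hostname"], b["zone"]) for b in records if b.get("view") == "public"
            for e in b["entries"] if ipaddress.ip_address(e["ip"]).is_private]
```

Pipe `render_nsupdate(...)` into `nsupdate -k /var/named/<view>-<dns-domain>.key` to apply the same records dynamically that the playbook would write statically; the private-address check is a review aid for the view split, not something the role enforces.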

JayKayy commented 8 years ago

I was able to test this pretty well based off obedin's instructions. I tested many different hosts in all the zones. This is just an example output from one:

```
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @192.168.124.41 master.john.second.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10093
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;master.john.second.example.com.    IN  A

;; ANSWER SECTION:
master.john.second.example.com. 3600 IN A   10.8.88.20

;; AUTHORITY SECTION:
second.example.com. 3600    IN  NS  ns1.second.example.com.

;; ADDITIONAL SECTION:
ns1.second.example.com. 3600    IN  A   192.168.124.41

;; Query time: 0 msec
;; SERVER: 192.168.124.41#53(192.168.124.41)
;; WHEN: Wed Apr 20 09:36:16 EDT 2016
;; MSG SIZE  rcvd: 109

[root@localhost test]# dig @127.0.0.1 master.john.second.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @127.0.0.1 master.john.second.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2820
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;master.john.second.example.com.    IN  A

;; ANSWER SECTION:
master.john.second.example.com. 3600 IN A   10.8.88.20

;; AUTHORITY SECTION:
second.example.com. 3600    IN  NS  ns1.second.example.com.

;; ADDITIONAL SECTION:
ns1.second.example.com. 3600    IN  A   192.168.124.41

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 20 09:36:09 EDT 2016
;; MSG SIZE  rcvd: 109
```

Set the DNS record here:

```yaml
...
- view: public
  zone: second.example.com
  entries:
  - type: A
    hostname: master.john
    ip: 10.8.88.20
  - type: A
    hostname: node1
    ip: 10.8.88.20
...
```

etsauer commented 8 years ago

@oybed I was able to run the tests you created against our openstack cloud. They were all successful. However, I'm noticing a few odd behaviors.

First up...

```
# dig @10.3.8.92 node1.first.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @10.3.8.92 node1.first.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49654
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.first.example.com.   IN  A

;; ANSWER SECTION:
node1.first.example.com. 3600   IN  A   10.9.77.20

;; AUTHORITY SECTION:
first.example.com.  3600    IN  NS  ns1.first.example.com.

;; ADDITIONAL SECTION:
ns1.first.example.com.  3600    IN  A   172.16.252.41

;; Query time: 74 msec
;; SERVER: 10.3.8.92#53(10.3.8.92)
;; WHEN: Wed Apr 27 19:07:16 UTC 2016
```

The lookup returns the floating IP of the instance, but the nameserver address is in the private IP space. Is this a result of the test, or does the role need adjustment?

oybed commented 8 years ago

@etsauer for the ns being in the different ip space - that's something I chose not to do anything about, as I don't think it causes any misbehavior. I may be wrong, so if you'd like to have that change, we can work on it, but maybe in a follow-up PR? The tricky part about this is to know what IP to use. It's almost like we need the user to specify this, but in that case we need to specify a generic "flag" to indicate which IP to use, as the IP isn't necessarily known up front...

etsauer commented 8 years ago

@oybed if you're not worried about it, then I won't worry about it.

As far as returning the right IP, wouldn't that depend on the ACL?

etsauer commented 8 years ago

lgtm