
feat(stack): move post-create hook from api to nslord (cron every minute)

Peter Thomassen %!s(int64=8) %!d(string=hai) anos
pai
achega
687d43aa90

+ 1 - 2
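--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -16,8 +16,7 @@ RUN pip install --no-cache-dir -r requirements.txt
 
 COPY . /usr/src/app
 RUN set -ex && \
-	rm -f desecapi/settings_local.py && \
-	ln -s /usr/src/app/desecapi/hooks/mock/domain_post_create.sh /usr/local/bin
+	rm -f desecapi/settings_local.py
 
 VOLUME /usr/src/app/desecapi/settings_local.py
 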

+ 0 - 29
api/desecapi/hooks/domain_post_create.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-echo -n "This is $0: "
-date
-
-if [ -z "$1" ]; then
-        exit 1
-fi
-
-ZONE=$1
-PARENT=${ZONE#*.}
-SALT=`head -c300 /dev/urandom | sha512sum | cut -b 1-16`
-
-filename=/tmp/`date -Ins`_$ZONE.log
-touch $filename
-chmod 640 $filename
-
-echo "signing $ZONE and updating serial"
-pdnsutil secure-zone $ZONE && pdnsutil set-nsec3 $ZONE "1 0 10 $SALT" && pdnsutil increase-serial $ZONE || exit 2
-
-echo "Setting DS records for $ZONE and put them in parent zone"
-DATA='{"rrsets": [ {"name": "'"$ZONE".'", "type": "DS", "ttl": 60, "changetype": "REPLACE", "records": '
-DATA+=`curl -sS -X GET -H "X-API-Key: $APITOKEN" http://127.0.0.1:8081/api/v1/servers/localhost/zones/$ZONE/cryptokeys \
-	| jq -c '[.[] | select(.active == true) | {content: .ds[]?, disabled: false}]'`
-DATA+=" } ] }"
-echo $DATA >> $filename
-curl -sSv -X PATCH --data "$DATA" -H "X-API-Key: $APITOKEN" http://127.0.0.1:8081/api/v1/servers/localhost/zones/$PARENT &>> $filename || exit 3
-
-echo -n "This was $0: "
-date

+ 0 - 6
api/desecapi/hooks/mock/domain_post_create.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-echo Mockup hook for: $0 "$@"
-
-# Send 1M zero bytes to stdout
-# (large output of this script caused problems earlier)
-dd if=/dev/zero bs=1M count=1 2>/dev/null

+ 0 - 25
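--- a/api/desecapi/models.py
+++ b/api/desecapi/models.py
@@ -120,8 +120,6 @@ class Domain(models.Model):
         if r.status_code < 200 or r.status_code >= 300:
             raise Exception(r)
 
-        self.postCreateHook()
-
     def pdnsUpdate(self):
         if self.arecord:
             a = \
@@ -176,29 +174,6 @@ class Domain(models.Model):
         if r.status_code < 200 or r.status_code >= 300:
             raise Exception(r)
 
-    def hook(self, cmd):
-        if not self.name:
-            raise Exception
-
-        env = os.environ.copy()
-        env['APITOKEN'] = settings.POWERDNS_API_TOKEN
-
-        cmd = [cmd, self.name.lower()]
-        p_hook = subprocess.Popen(cmd,
-                                  stdin=subprocess.PIPE,
-                                  stdout=subprocess.PIPE,
-                                  stderr=subprocess.PIPE,
-                                  env=env)
-        stdout, stderr = p_hook.communicate()
-
-        if not p_hook.returncode == 0:
-            raise Exception((stdout, stderr))
-
-        return
-
-    def postCreateHook(self):
-        self.hook(cmd='domain_post_create.sh')
-
     class Meta:
         ordering = ('created',)
 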

+ 2 - 0
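--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -46,6 +46,8 @@ services:
     build: nslord
     volumes:
     - ./nslord/conf:/etc/powerdns
+    - ./nslord/cronhook/insecure-zones.list:/root/cronhook/insecure-zones.list
+    - ./nslord/cronhook/my.cnf:/root/cronhook/my.cnf
     depends_on:
     - db
     networks: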
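Review bot: Both bind mounts added here are only read inside the container (the hook consumes `insecure-zones.list` as a skip list and passes `my.cnf` to `mysql --defaults-file`, which presumably holds the database client credentials), so they should be mounted read-only: `- ./nslord/cronhook/insecure-zones.list:/root/cronhook/insecure-zones.list:ro` and `- ./nslord/cronhook/my.cnf:/root/cronhook/my.cnf:ro`. That keeps a misbehaving process in the container from rewriting the credentials file on the host. The `services:` block continues outside the hunk.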

+ 13 - 0
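--- a/nslord/Dockerfile
+++ b/nslord/Dockerfile
@@ -16,6 +16,19 @@ RUN set -ex \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
+# Post-create cron hook
+RUN set -ex && apt-get update && apt-get -y install cron curl jq mariadb-client && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /root/cronhook
+ADD ["cronhook/secure-zones.sh", "cronhook/crontab", "cronhook/start-cron.sh", "/root/cronhook/"]
+
+RUN crontab /root/cronhook/crontab
+RUN chmod +x /root/cronhook/start-cron.sh
+
+VOLUME /root/cronhook/insecure-zones.list
+VOLUME /root/cronhook/my.cnf
+# / Post-create cron hook
+
 VOLUME /etc/powerdns/
 
 COPY ./entrypoint.sh /root/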
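Review bot: `ADD` is used for three plain local files at the `ADD [...]` line; `COPY` is the conventional instruction for that, since ADD's remote-URL fetching and tar auto-extraction are not wanted here: `COPY cronhook/secure-zones.sh cronhook/crontab cronhook/start-cron.sh /root/cronhook/`. The second `apt-get update && apt-get -y install ...` could be folded into the existing package-install `RUN` whose tail forms the first two context lines, avoiding a second `apt-get update` and an extra layer; that `RUN` instruction begins outside the hunk.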

+ 2 - 0
nslord/cronhook/.gitignore

@@ -0,0 +1,2 @@
+insecure-zones.list
+my.cnf

+ 1 - 0
nslord/cronhook/crontab

@@ -0,0 +1 @@
+* * * * * /root/cronhook/secure-zones.sh >> /var/log/cron.log 2>&1

+ 29 - 0
nslord/cronhook/secure-zones.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+APITOKEN=`pdns_control current-config | awk -F= -v key="api-key" '$1==key {print $2}'`
+
+cd /root/cronhook
+
+echo post-create cron hook: skipzones `wc -l $(pwd)/insecure-zones.list`
+
+for ZONE in `(echo "SELECT name FROM domains WHERE id NOT IN(SELECT domain_id FROM cryptokeys WHERE active = 1);" | mysql --defaults-file=my.cnf -N && sed 'p;p' insecure-zones.list) | sort | uniq -u`; do
+	set -ex
+
+	PARENT=${ZONE#*.}
+	SALT=`head -c300 /dev/urandom | sha512sum | cut -b 1-16`
+	pdnsutil secure-zone $ZONE && pdnsutil set-nsec3 $ZONE "1 0 10 $SALT" && pdnsutil increase-serial $ZONE
+
+	if [ "$PARENT" == "dedyn.io" ]; then
+		filename=/tmp/`date -Ins`_$ZONE.log
+		touch $filename
+		chmod 640 $filename
+
+		echo "Setting DS records for $ZONE and put them in parent zone"
+		DATA='{"rrsets": [ {"name": "'"$ZONE".'", "type": "DS", "ttl": 60, "changetype": "REPLACE", "records": '
+		DATA+=`curl -sS -X GET -H "X-API-Key: $APITOKEN" http://nslord:8081/api/v1/servers/localhost/zones/$ZONE/cryptokeys \
+			| jq -c '[.[] | select(.active == true) | {content: .ds[]?, disabled: false}]'`
+		DATA+=" } ] }"
+		echo $DATA >> $filename
+		curl -sSv -X PATCH --data "$DATA" -H "X-API-Key: $APITOKEN" http://nslord:8081/api/v1/servers/localhost/zones/$PARENT &>> $filename
+	fi
+done
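Review bot: The PowerDNS API key ends up in log files on the new side: `set -ex` inside the loop traces every expanded command, so the `-H "X-API-Key: $APITOKEN"` argument of both curl calls is written to /var/log/cron.log, and `curl -sSv` prints the request headers, key included, into the per-zone /tmp log via `&>> $filename`. Change the two lines to `set -e` and `curl -sS -X PATCH ...` (or pass the header from a file with `-H @file`) so the token stays out of both logs. `APITOKEN` is also never checked after the `pdns_control` substitution, so a run before pdns is up proceeds with an empty key; `[ -n "$APITOKEN" ] || exit 1` right after that assignment would stop it. With the job scheduled every minute and no lock, a run that takes longer than a minute overlaps the next one, so wrapping the invocation in `flock -n` would avoid two runs securing the same zone.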

+ 6 - 0
nslord/cronhook/start-cron.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+# start-cron.sh
+
+touch /var/log/cron.log
+cron
+tail -F -v /var/log/cron.log

+ 3 - 0
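--- a/nslord/entrypoint.sh
+++ b/nslord/entrypoint.sh
@@ -2,4 +2,7 @@
 
 host=db; port=3306; n=120; i=0; while ! (echo > /dev/tcp/$host/$port) 2> /dev/null; do [[ $i -eq $n ]] && >&2 echo "$host:$port not up after $n seconds, exiting" && exit 1; echo "waiting for $host:$port to come up"; sleep 1; i=$((i+1)); done
 
+# Post-create cron hook
+/root/cronhook/start-cron.sh &
+
 pdns_server --daemon=no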