I’m just doing this as a proof of concent, so calm down. How can we put the OpenStack service catalog into DNS? Maybe this is one way…
This is really me stumbing through learing about DNS while also implementing DNS-Based Service Discovery. It’s possible that I’m looking at this all wrong!
DNS SRV (RFC 2782) Service Types has a list of the service types and the key/value pairs for their TXT record. These are the service types I have added to facilitate discovery:
-
_os-regions._tcp to discover regions
-
_os-services._tcp to discover services
-
_os-[service type]._tcp for each service (e.g. _os-identity._tcp or _os-compute._tcp)
The service types that represent an OpenStack service have been modeled after the _http._tcp service type.
Given a service provider’s cloud example-cloud.local, how can I look at the catalog?
-
Let’s find some regions
[source,shell] ---- $ dig +noall +ans _os-regions._tcp.example-cloud.local PTR @104.239.230.39 _os-regions._tcp.example-cloud.local. 10 IN PTR RegionTwo.example-cloud.local. _os-regions._tcp.example-cloud.local. 10 IN PTR RegionOne.example-cloud.local. ----
-
Let’s find services in RegionOne
[source,shell] ---- $ dig +noall +ans _os-services._tcp.RegionOne.example-cloud.local PTR @104.239.230.39 _os-services._tcp.RegionOne.example-cloud.local. 10 IN PTR _os-compute._tcp.RegionOne.example-cloud.local. _os-services._tcp.RegionOne.example-cloud.local. 10 IN PTR _os-identity._tcp.RegionOne.example-cloud.local. ----
-
Let’s list the Nova endpoints for RegionOne
[source,shell] ---- $ dig +noall +ans _os-compute._tcp.RegionOne.example-cloud.local PTR @104.239.230.39 _os-compute._tcp.RegionOne.example-cloud.local. 10 IN PTR adminURL._os-compute._tcp.RegionOne.example-cloud.local. _os-compute._tcp.RegionOne.example-cloud.local. 10 IN PTR publicURL._os-compute._tcp.RegionOne.example-cloud.local. _os-compute._tcp.RegionOne.example-cloud.local. 10 IN PTR internalURL._os-compute._tcp.RegionOne.example-cloud.local. ----
-
Let’s list the details of Nova’s public endpoint in RegionOne
[source,shell] ---- $ dig +noall +ans publicURL._os-compute._tcp.RegionOne.example-cloud.local SRV @104.239.230.39 publicURL._os-compute._tcp.RegionOne.example-cloud.local. 10 IN SRV 0 0 8774 nova.RegionOne.example-cloud.local. $ dig +noall +ans publicURL._os-compute._tcp.RegionOne.example-cloud.local TXT @104.239.230.39 publicURL._os-compute._tcp.RegionOne.example-cloud.local. 10 IN TXT "path=/v2.1" "region=RegionOne" ----
-
Profit? Now we know that in RegionOne the public URL is https://nova.RegionOne.example-cloud.local:8774/v2.1
If know all the things already you can probably just do step #4?
Probably just the client. Maybe something like this https://review.openstack.org/#/c/232822/ … On the other hand that’s terrible looking code :-) I just wanted to prove that this could work.
Using only this small client hack I was able to get openstack client commands for nova and glance working without having to change anything in nova or glance.
There is still much work to be done:
-
Get rid of the hard coded DNS name
-
Stop the project/user id catalog substitution
-
plus lots more…
Word of warning- Don't use BIND. Seriously. It is horrible software which has effectively EOLing itself because BIND10 was canceled and there is no answer to moving BIND9 forward into the 20th century.
Other than that, DNS based service discovery is a great idea with lots of strengths. Replication of the DNS between primary and secondary servers is super powerful and allows you to build a very resilient service with fantastic availability to clients. Tooling to build DNS zone files are abundant and exist for nearly every language I can think of.
Using DNSSEC and other security tools built into the DNS would allow us to verify queries and be sure the data we've fetched is signed and correct from top to bottom. This would require a bit more configuration, but guides and BCPs abound for doing this. Having this assurance would be equivalent to using TLS for HTTP which most people seem to trust to a reasonable extent.
Finally, this could be a good opportunity to work with the Designate folks. I've been in contact with a few of them, and they seem like a great group.