@michaeltchapman
Last active January 27, 2021 05:07
neutron-designate integration

ML2 Extension Drivers

The docs say to first enable internal DNS support by enabling the dns (dns-integration) or dns_domain_ports extension, but devstack enables subnet-dns-publish-fixed-ip instead, which depends on dns-domain-ports, which in turn depends on dns-integration. They form an inheritance chain ending in subnet-dns-publish-fixed-ip rather than being separate, independent extensions.

dns-integration appears to be an implementation-agnostic API spec, with an accompanying implementation for ML2. dns-domain-ports adds port-domain associations to the API, and subnet-dns-publish-fixed-ip then adds a bool to subnet objects that tells dns_integration.py to add records when updating ports in the external service.

dns-integration

Alias 'dns', lowest level of DNS extension

extensions/dns.py

inherits from neutron_lib.api.extensions.APIExtensionDescriptor

plugins/ml2/extensions/dns_integration.py

inherits from neutron_lib.plugins.ml2.api.ExtensionDriver

Where the actual work is done pushing DNS updates out to an external service when a port/network/subnet/floatingip is CRUDed.

neutron-lib/api/dns.py

Extends API:

  • Adds DNS name and assignment to ports
  • Adds DNS name and domain to floating ips
  • adds DNS domain to networks

dns-domain-ports

Adds DNS domain assignment to ports

subnet-dns-publish-fixed-ip

Adds a bool 'dns_publish_fixed_ip' to the subnet object, but the work is done in dns_integration.py

++ the API extension as well

Configuration

neutron.conf/[designate]

  • ipv4_ptr_zone_prefix_size defaults to 24 - why? and when to configure?
  • ipv6_ptr_zone_prefix_size defaults to 120 - why? and when to configure?
  • ca_cert is deprecated in favor of cafile, but cafile isn't listed as an option
    • register_auth_conf_options in keystoneauth1 used to register
    • load_auth_from_conf_options in keystoneauth1 used to parse
    • this opt method used for comms with nova as well
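The two ptr_zone_prefix_size options decide which reverse zone Designate must already hold before a PTR record can be published: the reverse name of the IP (one label per octet for IPv4, per nibble for IPv6) is cut down to the zone by dropping the leading host labels, so the defaults of 24 and 120 are simply the smallest per-label sizes (a /24 is one octet, a /120 is two nibbles), and a subnet wider than the zone size needs several reverse zones. The following is an added example reimplementing that derivation independently with the standard library; it is not neutron's or Designate's code, and the function names are my own.

```python
import ipaddress

# Defaults of the two neutron.conf [designate] options discussed above.
IPV4_PTR_ZONE_PREFIX_SIZE = 24
IPV6_PTR_ZONE_PREFIX_SIZE = 120


def ptr_zone_name(ip, prefix_size=None):
    """Reverse zone that must exist for a PTR record of `ip` to be published.

    ipaddress.reverse_pointer yields one label per octet (v4) or nibble (v6),
    so the zone is that name minus the leading host labels. A prefix size that
    is not a multiple of 8 (v4) or 4 (v6) cannot be expressed as a label cut
    and is rejected instead of silently rounded.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        default, bits, per_label = IPV4_PTR_ZONE_PREFIX_SIZE, 32, 8
    else:
        default, bits, per_label = IPV6_PTR_ZONE_PREFIX_SIZE, 128, 4
    prefix = default if prefix_size is None else prefix_size
    if not 0 < prefix <= bits or prefix % per_label:
        raise ValueError(f"prefix size {prefix} is not a multiple of {per_label}")
    labels = addr.reverse_pointer.split('.')
    skip = (bits - prefix) // per_label       # host labels to drop
    return '.'.join(labels[skip:]) + '.'


def ptr_zones_for_subnet(cidr, prefix_size=None):
    """All reverse zones a subnet spans at the given zone prefix size.

    A subnet no wider than the zone fits in one zone; a wider subnet (e.g. a
    /22 with the default /24 zones) needs one zone per covered block, which is
    when an operator would raise or lower the option to match the delegation.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    default = IPV4_PTR_ZONE_PREFIX_SIZE if net.version == 4 else IPV6_PTR_ZONE_PREFIX_SIZE
    prefix = default if prefix_size is None else prefix_size
    if net.prefixlen >= prefix:
        return [ptr_zone_name(str(net.network_address), prefix)]
    return [ptr_zone_name(str(sub.network_address), prefix)
            for sub in net.subnets(new_prefix=prefix)]


if __name__ == "__main__":
    # The two fixed IPs from the port shown later in these notes (constructed input).
    for ip in ("10.0.0.22", "fd82:d6b9:4ad5:0:f816:3eff:fec2:6a4c"):
        print(ip, "->", ptr_zone_name(ip))
    print(ptr_zones_for_subnet("10.0.0.0/22"))
```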

Use case 1:

Following this yields the default domain rather than the provided one on the internal port:

| dns_assignment          | fqdn='my-vm.openstackgate.local.', hostname='my-vm', ip_address='10.0.0.22'                                  |
|                         | fqdn='my-vm.openstackgate.local.', hostname='my-vm', ip_address='fd82:d6b9:4ad5:0:f816:3eff:fec2:6a4c'       |
| dns_domain              |                                                                                                              |
| dns_name                | my-vm                                                                                                        |

Probably because we haven't created the zone in designate. But this is failing silently: no errors in the designate-central/api or neutron-server logs, and no feedback to the user.

Create example.org zone in designate:

We can't do an ANY query to see all the records for a zone because mdns refuses ANY requests:

[root@devstack neutron]# dig @192.168.122.236 -p 5354 example.org ANY

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.122.236 -p 5354 example.org ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34740
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;example.org.                   IN      ANY

;; Query time: 14 msec
;; SERVER: 192.168.122.236#5354(192.168.122.236)
;; WHEN: Fri Jan 22 03:10:09 UTC 2021
;; MSG SIZE  rcvd: 40

But we can confirm there's an NS and SOA record there by asking specifically:

[root@devstack neutron]# dig @192.168.122.236 -p 5354 example.org SOA

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.122.236 -p 5354 example.org SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3776
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;example.org.                   IN      SOA

;; ANSWER SECTION:
example.org.            3600    IN      SOA     ns1.devstack.org. admin.example.org. 1611283847 3560 600 86400 3600

;; Query time: 18 msec
;; SERVER: 192.168.122.236#5354(192.168.122.236)
;; WHEN: Fri Jan 22 03:10:26 UTC 2021
;; MSG SIZE  rcvd: 95
[root@devstack neutron]# dig @192.168.122.236 -p 5354 example.org NS

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.122.236 -p 5354 example.org NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34924
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;example.org.                   IN      NS

;; ANSWER SECTION:
example.org.            3600    IN      NS      ns1.devstack.org.

;; Query time: 13 msec
;; SERVER: 192.168.122.236#5354(192.168.122.236)
;; WHEN: Fri Jan 22 03:10:33 UTC 2021
;; MSG SIZE  rcvd: 67

in /var/named we can also see a file:

slave.example.org.635c1d20-c34b-46e3-b503-712b4bfa3640

and making the same query on the standard DNS port gives the same result, as our named slave responds:

[root@devstack neutron]# dig @192.168.122.236 example.org NS

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.122.236 example.org NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5276
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f455bf81ba3f5d0dd4315da4600a42ffff3cbd904144126e (good)
;; QUESTION SECTION:
;example.org.                   IN      NS

;; ANSWER SECTION:
example.org.            3600    IN      NS      ns1.devstack.org.

;; Query time: 0 msec
;; SERVER: 192.168.122.236#53(192.168.122.236)
;; WHEN: Fri Jan 22 03:14:07 UTC 2021
;; MSG SIZE  rcvd: 95

Interestingly, named does respond to the ANY request:

[root@devstack neutron]# dig @192.168.122.236 -p 53 example.org ANY
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.122.236 -p 53 example.org ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59385
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 15dc3549a978f6ec147305d9600a43492c298ba29fa074c8 (good)
;; QUESTION SECTION:
;example.org.                   IN      ANY

;; ANSWER SECTION:
example.org.            3600    IN      SOA     ns1.devstack.org. admin.example.org. 1611283847 3560 600 86400 3600
example.org.            3600    IN      NS      ns1.devstack.org.

;; Query time: 0 msec
;; SERVER: 192.168.122.236#53(192.168.122.236)
;; WHEN: Fri Jan 22 03:15:21 UTC 2021
;; MSG SIZE  rcvd: 137

