Last active
January 26, 2021 05:46
-
-
Save satishdotpatel/899b339225fa2a5585570ba12fdaedc9 to your computer and use it in GitHub Desktop.
openstack-ansible-designate-integration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ************* Install bind9 DNS in designate container | |
| yum install bind bind-utils | |
| ************* Configure bind9 DNS | |
| $ cat /etc/rndc.key | |
| key "designate" { | |
| algorithm hmac-md5; | |
| secret "O3P6S6Y2AmeDAIB98TLrNw=="; | |
| }; | |
| $ cat /etc/rndc.conf | |
| include "/etc/rndc.key"; | |
| options { | |
| default-key "designate"; | |
| default-server 127.0.0.1; | |
| default-port 953; | |
| }; | |
| $ cat /etc/named.conf | |
| // | |
| // named.conf | |
| // | |
| // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS | |
| // server as a caching only nameserver (as a localhost DNS resolver only). | |
| // | |
| // See /usr/share/doc/bind*/sample/ for example named configuration files. | |
| // | |
| options { | |
| listen-on port 53 { any; }; | |
| listen-on-v6 port 53 { ::1; }; | |
| directory "/var/named"; | |
| dump-file "/var/named/data/cache_dump.db"; | |
| statistics-file "/var/named/data/named_stats.txt"; | |
| memstatistics-file "/var/named/data/named_mem_stats.txt"; | |
| secroots-file "/var/named/data/named.secroots"; | |
| recursing-file "/var/named/data/named.recursing"; | |
| allow-query { localhost; }; | |
| request-ixfr no; | |
| allow-new-zones yes; | |
| /* | |
| - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. | |
| - If you are building a RECURSIVE (caching) DNS server, you need to enable | |
| recursion. | |
| - If your recursive DNS server has a public IP address, you MUST enable access | |
| control to limit queries to your legitimate users. Failing to do so will | |
| cause your server to become part of large scale DNS amplification | |
| attacks. Implementing BCP38 within your network would greatly | |
| reduce such attack surface | |
| */ | |
| recursion no; | |
| dnssec-enable yes; | |
| dnssec-validation yes; | |
| managed-keys-directory "/var/named/dynamic"; | |
| pid-file "/run/named/named.pid"; | |
| session-keyfile "/run/named/session.key"; | |
| /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ | |
| include "/etc/crypto-policies/back-ends/bind.config"; | |
| }; | |
| logging { | |
| channel default_debug { | |
| file "data/named.run"; | |
| severity dynamic; | |
| }; | |
| }; | |
| zone "." IN { | |
| type hint; | |
| file "named.ca"; | |
| }; | |
| controls { | |
| inet 0.0.0.0 port 953 | |
| allow { localhost; } keys { "designate"; }; | |
| }; | |
| include "/etc/named.rfc1912.zones"; | |
| include "/etc/named.root.key"; | |
| include "/etc/rndc.key"; | |
| $ chown named: /etc/rndc* | |
| $ chmod 600 /etc/rndc* | |
| $ systemctl restart named | |
| ************* Create pools.yaml file | |
| $ ln -s /openstack/venvs/designate-21.1.0.dev73/bin/designate-manage /usr/local/bin/ | |
| $ su -s /bin/sh -c "designate-manage pool update" designate | |
| ** Notes: use "designate-manage pool generate_file" command to generate pools.yaml file which has pool_id associated. | |
| If any issue then run "designate-manage pool update --delete" and verify on mysql database "select * from pools;" | |
| $ cat /etc/designate/pools.yaml | |
| # create new (replace hostname and IP address to your own environment) | |
| - name: default | |
| description: Default Pool | |
| attributes: {} | |
| ns_records: | |
| - hostname: ns1.example.com. # This is going to be your bind9/PowerDNS (trailing dot is required) | |
| priority: 1 | |
| nameservers: | |
| - host: 127.0.0.1 # This is your external bind9/PowerDNS | |
| port: 53 | |
| targets: | |
| - type: bind9 | |
| description: BIND9 Server | |
| masters: | |
| - host: 127.0.0.1 # This is python based mDNS | |
| port: 5354 | |
| options: | |
| host: 127.0.0.1 # This is to connect bind9/PowerDNS for control plane | |
| port: 53 | |
| rndc_host: 127.0.0.1 | |
| rndc_port: 953 | |
| rndc_key_file: /etc/rndc.key | |
| ************* Create and Verify first domain/zone in DNS | |
| ** Notes: if you see error "no_servers_configured" during zone create that means pools.yaml has some issue could be related to pool_id | |
| $ openstack zone create --email dnsmaster@bar.com bar.com. | |
| $ openstack recordset list bar.com. | |
| $ openstack recordset create --record '192.168.100.10' --type A bar.com. www | |
| $ openstack recordset list bar.com. | |
| ************* Edit neutron config to integrate designate | |
| $ cat /etc/openstack_deploy/user_variables.yml | |
| neutron_designate_enabled: True | |
| neutron_plugin_base: | |
| - dns | |
| neutron_dns_domain: . # This is very important (dot) means you can map any domain with network foo.com. or bar.com. | |
| ************* Let's verify neutron integration with designate | |
| $ neutron net-create net-bar --shared --provider:physical_network vlan --provider:network_type vlan --provider:segmentation_id 666 | |
| $ neutron subnet-create net-bar 192.168.1.0/28 --name sub-bar --allocation-pool start=192.168.1.2,end=192.168.1.5 --gateway=192.168.1.1 | |
| $ openstack network set a38da6af-f3d1-4558-87d0-ece98d011ee5 --dns-domain bar.com. | |
| $ openstack port create --network a38da6af-f3d1-4558-87d0-ece98d011ee5 --dns-name vm-bar vm-bar-www1 | |
| $ openstack recordset list bar.com. | |
| +--------------------------------------+----------------------+------+--------------------------------------------------------------------+--------+--------+ | |
| | id | name | type | records | status | action | | |
| +--------------------------------------+----------------------+------+--------------------------------------------------------------------+--------+--------+ | |
| | 80bc6f6b-35ca-4a9b-94d4-6b65fd188fcc | bar.com. | SOA | ns1.example.com. dnsmaster.bar.com. 1597264874 3592 600 86400 3600 | ACTIVE | NONE | | |
| | 8fa1fca1-1a1e-4b9d-b154-44fd549a983a | bar.com. | NS | ns1.example.com. | ACTIVE | NONE | | |
| | c2fbdd2e-9e34-4bc0-8e9c-56411f9eeb58 | vm-bar.bar.com. | A | 192.168.1.3 | ACTIVE | NONE | | |
| | ed07b285-3ba2-43ce-8d9b-b7ade32625be | vm-bar-www1.bar.com. | A | 192.168.1.5 | ACTIVE | NONE | | |
| +--------------------------------------+----------------------+------+--------------------------------------------------------------------+--------+--------+ | |
| ********** Multiple Slave PowerDNS configuration example ********* | |
| $ cat pools.yaml | |
| - attributes: {} | |
| description: Default pool | |
| name: default | |
| nameservers: | |
| - host: 10.65.0.10 | |
| port: 53 | |
| - host: 10.65.0.11 | |
| port: 53 | |
| ns_records: | |
| - hostname: ns1.os-lab.com. | |
| priority: 1 | |
| - hostname: ns2.os-lab.com. | |
| priority: 1 | |
| targets: | |
| - description: PowerDNS4 DNS Server | |
| masters: | |
| - host: 10.65.6.206 | |
| port: 5354 | |
| options: | |
| api_endpoint: http://10.65.0.10:8081 | |
| api_token: uHBRpbfYXbsPbxwSvrGf4ULdVgXt3qY4VCXKHmd35Z4UGyBHNJb8WqUr7qrKtz3R | |
| host: 10.65.0.10 | |
| port: 53 | |
| type: pdns4 | |
| - description: PowerDNS4 DNS Server | |
| masters: | |
| - host: 10.65.6.207 | |
| port: 5354 | |
| options: | |
| api_endpoint: http://10.65.0.11:8081 | |
| api_token: uHBRpbfYXbsPbxwSvrGf4ULdVgXt3qY4VCXKHmd35Z4UGyBHNJb8WqUr7qrKtz3R | |
| host: 10.65.0.11 | |
| port: 53 | |
| type: pdns4 | |
| ******** PowerDNS slave configuration ********* | |
| [root@pdns ~]# cat /etc/pdns/pdns.conf | |
| setuid=pdns | |
| setgid=pdns | |
| launch=bind | |
| allow-dnsupdate-from=127.0.0.0/8,10.0.0.0/8,::1 | |
| allow-notify-from=10.30.0.0/16,10.64.0.0/21 | |
| api=yes | |
| api-key=uHBRpbfYXbsPbxwSvrGf4ULdVgXt3qY4VCXKHmd35Z4UGyBHNJb8WqUr7qrKtz3R | |
| disable-axfr=no | |
| dnsupdate=yes | |
| local-port=5300 | |
| log-dns-details=yes | |
| log-dns-queries=yes | |
| loglevel=999 | |
| master=no | |
| slave=yes | |
| slave-cycle-interval=60 | |
| webserver=yes | |
| webserver-address=10.65.0.11 | |
| webserver-allow-from=127.0.0.0/8,10.65.0.0/21,::1 | |
| webserver-password=SecretPassword | |
| launch=gmysql | |
| gmysql-host=127.0.0.1 | |
| gmysql-user=pdns-admin | |
| gmysql-password=Password123 | |
| gmysql-dbname=pdns | |
| *********** user_variables.yml ************* | |
| ## Designate DNS | |
| dns_hosts: | |
| - { ip: 10.65.0.10, name: ns1.tux.com, port: 5300 } | |
| - { ip: 10.65.0.11, name: ns2.tux.com, port: 5300 } | |
| _designate_pools_yaml_nameservers: | | |
| {% for item in dns_hosts %} | |
| - host: "{{ item.ip }}" | |
| port: {{ item.port }} | |
| {% endfor %} | |
| _designate_pools_yaml_ns_records: | | |
| {% for item in dns_hosts %} | |
| - hostname: "{{ item.name }}." | |
| priority: 1 | |
| {% endfor %} | |
| _designate_pools_yaml_targets: | | |
| {% for item in dns_hosts %} | |
| - type: pdns4 | |
| description: PowerDNS 4 | |
| masters: | |
| {% for mdns_item in groups['designate_mdns'] | map('extract', hostvars, 'container_address') | list %} | |
| - host: "{{ mdns_item }}" | |
| port: 5354 | |
| {% endfor %} | |
| options: | |
| host: "{{ item.ip }}" | |
| port: {{ item.port }} | |
| api_endpoint: http://{{ item.ip }}:8081 | |
| api_token: uHBRpbfYXbsPbxwSvrGf4ULdVgXt3qY4VCXKHmd35Z4UGyBHNJb8WqUr7qrKtz3R | |
| {% endfor %} | |
| designate_pools_yaml: | |
| - name: "default" | |
| description: pool for PowerDNS running on infra hosts | |
| attributes: {} | |
| ns_records: "{{ _designate_pools_yaml_ns_records | from_yaml }}" | |
| nameservers: "{{ _designate_pools_yaml_nameservers | from_yaml }}" | |
| targets: "{{ _designate_pools_yaml_targets | from_yaml }}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment