

openstack-ansible-designate-integration
************* Install bind9 DNS in designate container
yum install bind bind-utils
************* Configure bind9 DNS
$ cat /etc/rndc.key
key "designate" {
algorithm hmac-md5;
secret "O3P6S6Y2AmeDAIB98TLrNw==";
};
$ cat /etc/rndc.conf
include "/etc/rndc.key";
options {
default-key "designate";
default-server 127.0.0.1;
default-port 953;
};
$ cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; };
request-ixfr no;
allow-new-zones yes;
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
controls {
inet 0.0.0.0 port 953
allow { localhost; } keys { "designate"; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/rndc.key";
$ chown named: /etc/rndc*
$ chmod 600 /etc/rndc*
$ systemctl restart named
************* Create pools.yaml file
$ ln -s /openstack/venvs/designate-21.1.0.dev73/bin/designate-manage /usr/local/bin/
$ su -s /bin/sh -c "designate-manage pool update" designate
** Notes: use the "designate-manage pool generate_file" command to generate a pools.yaml file that has the pool_id associated with it.
If there is any issue, run "designate-manage pool update --delete" and verify in the MySQL database with "select * from pools;"
$ cat /etc/designate/pools.yaml
# create new (replace the hostname and IP address with the values for your own environment)
- name: default
description: Default Pool
attributes: {}
ns_records:
- hostname: ns1.example.com. # This is going to be your bind9/PowerDNS hostname (the trailing dot is required)
priority: 1
nameservers:
- host: 127.0.0.1 # This is your external bind9/PowerDNS
port: 53
targets:
- type: bind9
description: BIND9 Server
masters:
- host: 127.0.0.1 # This is the Python-based designate mDNS
port: 5354
options:
host: 127.0.0.1 # This is used to connect to bind9/PowerDNS for the control plane
port: 53
rndc_host: 127.0.0.1
rndc_port: 953
rndc_key_file: /etc/rndc.key
************* Create and Verify first domain/zone in DNS
** Notes: if you see the error "no_servers_configured" during zone create, it means pools.yaml has an issue, possibly related to the pool_id
$ openstack zone create --email dnsmaster@bar.com bar.com.
$ openstack recordset list bar.com.
$ openstack recordset create --record '192.168.100.10' --type A bar.com. www
$ openstack recordset list bar.com.
************* Edit neutron config to integrate designate
$ cat /etc/openstack_deploy/user_variables.yml
neutron_designate_enabled: True
neutron_plugin_base:
- dns
neutron_dns_domain: . # This is very important: the dot means you can map any domain (e.g. foo.com. or bar.com.) to a network
************* Let's verify neutron integration with designate
$ neutron net-create net-bar --shared --provider:physical_network vlan --provider:network_type vlan --provider:segmentation_id 666
$ neutron subnet-create net-bar 192.168.1.0/28 --name sub-bar --allocation-pool start=192.168.1.2,end=192.168.1.5 --gateway=192.168.1.1
$ openstack network set a38da6af-f3d1-4558-87d0-ece98d011ee5 --dns-domain bar.com.
$ openstack port create --network a38da6af-f3d1-4558-87d0-ece98d011ee5 --dns-name vm-bar vm-bar-www1
$ openstack recordset list bar.com.
+--------------------------------------+----------------------+------+--------------------------------------------------------------------+--------+--------+
| id | name | type | records | status | action |
+--------------------------------------+----------------------+------+--------------------------------------------------------------------+--------+--------+
| 80bc6f6b-35ca-4a9b-94d4-6b65fd188fcc | bar.com. | SOA | ns1.example.com. dnsmaster.bar.com. 1597264874 3592 600 86400 3600 | ACTIVE | NONE |
| 8fa1fca1-1a1e-4b9d-b154-44fd549a983a | bar.com. | NS | ns1.example.com. | ACTIVE | NONE |
| c2fbdd2e-9e34-4bc0-8e9c-56411f9eeb58 | vm-bar.bar.com. | A | 192.168.1.3 | ACTIVE | NONE |
| ed07b285-3ba2-43ce-8d9b-b7ade32625be | vm-bar-www1.bar.com. | A | 192.168.1.5 | ACTIVE | NONE |
+--------------------------------------+----------------------+------+--------------------------------------------------------------------+--------+--------+
********** Multiple Slave PowerDNS configuration example *********
$ cat pools.yaml
- attributes: {}
description: Default pool
name: default
nameservers:
- host: 10.65.0.10
port: 53
- host: 10.65.0.11
port: 53
ns_records:
- hostname: ns1.os-lab.com.
priority: 1
- hostname: ns2.os-lab.com.
priority: 1
targets:
- description: PowerDNS4 DNS Server
masters:
- host: 10.65.6.206
port: 5354
options:
api_endpoint: http://10.65.0.10:8081
api_token: uHBRpbfYXbsPbxwSvrGf4ULdVgXt3qY4VCXKHmd35Z4UGyBHNJb8WqUr7qrKtz3R
host: 10.65.0.10
port: 53
type: pdns4
- description: PowerDNS4 DNS Server
masters:
- host: 10.65.6.207
port: 5354
options:
api_endpoint: http://10.65.0.11:8081
api_token: uHBRpbfYXbsPbxwSvrGf4ULdVgXt3qY4VCXKHmd35Z4UGyBHNJb8WqUr7qrKtz3R
host: 10.65.0.11
port: 53
type: pdns4
******** PowerDNS slave configuration *********
[root@pdns ~]# cat /etc/pdns/pdns.conf
setuid=pdns
setgid=pdns
launch=bind
allow-dnsupdate-from=127.0.0.0/8,10.0.0.0/8,::1
allow-notify-from=10.30.0.0/16,10.64.0.0/21
api=yes
api-key=uHBRpbfYXbsPbxwSvrGf4ULdVgXt3qY4VCXKHmd35Z4UGyBHNJb8WqUr7qrKtz3R
disable-axfr=no
dnsupdate=yes
local-port=5300
log-dns-details=yes
log-dns-queries=yes
loglevel=999
master=no
slave=yes
slave-cycle-interval=60
webserver=yes
webserver-address=10.65.0.11
webserver-allow-from=127.0.0.0/8,10.65.0.0/21,::1
webserver-password=SecretPassword
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=pdns-admin
gmysql-password=Password123
gmysql-dbname=pdns
*********** user_variables.yml *************
## Designate DNS
dns_hosts:
- { ip: 10.65.0.10, name: ns1.tux.com, port: 5300 }
- { ip: 10.65.0.11, name: ns2.tux.com, port: 5300 }
_designate_pools_yaml_nameservers: |
{% for item in dns_hosts %}
- host: "{{ item.ip }}"
port: {{ item.port }}
{% endfor %}
_designate_pools_yaml_ns_records: |
{% for item in dns_hosts %}
- hostname: "{{ item.name }}."
priority: 1
{% endfor %}
_designate_pools_yaml_targets: |
{% for item in dns_hosts %}
- type: pdns4
description: PowerDNS 4
masters:
{% for mdns_item in groups['designate_mdns'] | map('extract', hostvars, 'container_address') | list %}
- host: "{{ mdns_item }}"
port: 5354
{% endfor %}
options:
host: "{{ item.ip }}"
port: {{ item.port }}
api_endpoint: http://{{ item.ip }}:8081
api_token: uHBRpbfYXbsPbxwSvrGf4ULdVgXt3qY4VCXKHmd35Z4UGyBHNJb8WqUr7qrKtz3R
{% endfor %}
designate_pools_yaml:
- name: "default"
description: pool for PowerDNS running on infra hosts
attributes: {}
ns_records: "{{ _designate_pools_yaml_ns_records | from_yaml }}"
nameservers: "{{ _designate_pools_yaml_nameservers | from_yaml }}"
targets: "{{ _designate_pools_yaml_targets | from_yaml }}"