ID #1403

How do I integrate OpenStack Designate with my Bright 8.1 cluster and BIND DNS server?

Initial Bright Configuration (on the head node)

1. Create the Bright OpenStack designate user:
# cmsh
% openstack
% users
% add designate
% set password <chosen_password>
% commit

2. Assign necessary role to designate user:
# cmsh
% openstack
% roleassignments
% add designate:service:admin
% set user designate
% set role admin
% set project service
% commit

3. Create the Bright OpenStack service for designate:
# cmsh
% openstack
% services
% add designate
% set type dns
% commit

4. Create API endpoints for designate:
# cmsh
% openstack
% endpoints
% add designate:admin
% set interface admin
% set region openstack
% set service designate
% set url http://oshaproxy:9001
% add designate:internal
% set interface internal
% set region openstack
% set service designate
% set url http://oshaproxy:9001
% add designate:public
% set interface public
% set region openstack
% set service designate
% set url http://oshaproxy:9001
% commit
5. Add the following entry to /etc/haproxy/haproxy.cfg beneath the Bright autogenerated section. In this example, node008 and 10.141.0.1 are the hostname and IP address of the Bright OpenStack controller node:
# END AUTOGENERATED SECTION   -- DO NOT REMOVE

listen designate
  bind 0.0.0.0:9001
  server auto-node008::10.141.0.1:9001      10.141.0.1:9001 check

Reload the haproxy configuration:
# systemctl reload haproxy

Configure BIND and RNDC

1. Make sure that the following options are set in /etc/named.conf on your BIND server:
options {
        ...
        allow-query     { any; };
        allow-new-zones yes;
        recursion no;
        ...
}

2. Generate the RNDC key on your BIND server:
# rndc-confgen -a -k designate -c /etc/rndc.key -r /dev/urandom

3. Add the key to /etc/named.conf on your BIND server above the options block. In this example, 10.141.0.5 is the IP address of the BIND server, and 10.141.0.1 is the IP address of the Bright OpenStack controller node:
include "/etc/rndc.key";

controls {
        inet 10.141.0.5 allow { localhost; 10.141.0.1; } keys { "designate"; };
};

4. Add the following to /etc/rndc.conf on your BIND server. If /etc/rndc.conf does not exist, create it either with your text editor or the touch command. Again, in this example, 10.141.0.5 is the IP address of the BIND server:
include "/etc/rndc.key";
options {
        default-key "designate";
        default-server 10.141.0.5;
        default-port 953;
};

5. Verify that the appropriate permissions are set for /etc/rndc.conf and /etc/rndc.key:
# chown named:named /etc/rndc.conf
# chown named:named /etc/rndc.key

# chmod 600 /etc/rndc.key

If using SELinux, also run the following:
# setsebool -P named_write_master_zones on

6. Copy /etc/rndc.conf and /etc/rndc.key to the Bright OpenStack controller node. In this example, node008 is the hostname of the controller node:
# scp /etc/rndc.* node008:/etc/

7. Restart the named daemon on your BIND server to use the new configuration:
# service named restart

8. On the controller node, verify that RNDC works:
# rndc status

The output should be similar to the following:
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
version: 9.9.4-RedHat-9.9.4-51.el7_4.1 <id:8f9657aa>
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 7
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
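The BIND-side settings above (recursion off, allow-new-zones on, a controls ACL limited to localhost plus the controller, an owner-only key file) are easy to get subtly wrong. The following script, added here and not part of the original article, checks them; it runs against constructed sample files so it can be tried anywhere, and takes the config path and controller IP as parameters.

```sh
#!/bin/sh
# Added example, not from the original KB article: sanity checks for the
# BIND side of the Designate setup (recursion off, allow-new-zones on, rndc
# controls ACL limited to localhost plus the controller, key file mode 600).

# check_named_conf <named.conf> <controller_ip>: prints "ok" or a failure tag.
check_named_conf() {
    conf=$1; ctrl=$2; found=0
    grep -Eq '^[[:space:]]*recursion[[:space:]]+no;' "$conf" \
        || { echo recursion-not-disabled; return 1; }
    grep -Eq '^[[:space:]]*allow-new-zones[[:space:]]+yes;' "$conf" \
        || { echo allow-new-zones-missing; return 1; }
    # Pull the allow { ... } list out of the controls/inet statement.
    acl=$(sed -n 's/.*inet [^ ]* *allow *{\([^}]*\)}.*/\1/p' "$conf" | tr ';' ' ')
    for entry in $acl; do
        case $entry in
            localhost) ;;                 # rndc from the BIND host itself
            "$ctrl")   found=1 ;;         # rndc from the Designate worker
            *)         echo "acl-unexpected:$entry"; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo acl-missing-controller; return 1; }
    echo ok
}

# check_key_perms <keyfile>: the rndc key is a shared secret, owner-only access.
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        600|400) echo ok ;;
        *)       echo "key-mode-$mode"; return 1 ;;
    esac
}

# write_sample_conf <path> <acl_entries>: constructed named.conf modelled on
# the article's snippets, used here only to exercise the checks.
write_sample_conf() {
    printf 'include "/etc/rndc.key";\ncontrols {\n    inet 10.141.0.5 allow { %s } keys { "designate"; };\n};\noptions {\n    allow-query { any; };\n    allow-new-zones yes;\n    recursion no;\n};\n' "$2" > "$1"
}

# Demo against constructed files; on a real server run the checks on
# /etc/named.conf and /etc/rndc.key instead.
tmp=$(mktemp -d)
write_sample_conf "$tmp/good.conf" 'localhost; 10.141.0.1;'
write_sample_conf "$tmp/loose.conf" 'localhost; 10.141.0.1; 10.141.0.9;'
check_named_conf "$tmp/good.conf" 10.141.0.1            # prints: ok
check_named_conf "$tmp/loose.conf" 10.141.0.1 || true   # prints: acl-unexpected:10.141.0.9
rm -rf "$tmp"
```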


Install and Configure Designate

1. Log into the OpenStack controller node.

2. Install the necessary yum repositories onto the controller node.
For CentOS, run:
# yum install centos-release-openstack-pike

For RHEL, run:
# yum install https://rdoproject.org/repos/rdo-release.rpm

3. Install the OpenStack designate packages onto the controller node:
# yum install openstack-designate\*

4. If using CentOS, disable the following yum repositories, which were set up by installing centos-release-openstack-pike. They will likely contain conflicting packages:
CentOS-Ceph-Jewel.repo
CentOS-QEMU-EV.repo
CentOS-OpenStack-pike.repo

5. Create the database for designate in Galera:
# mysql -h oshaproxy -P 3308 -uroot -p
MariaDB [(none)]> CREATE DATABASE designate CHARACTER SET utf8 COLLATE utf8_general_ci;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'localhost' IDENTIFIED BY 'DESIGNATE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'%' IDENTIFIED BY 'DESIGNATE_DBPASS';
MariaDB [(none)]> quit;

6. Add the following settings to the [service:api] section in /etc/designate/designate.conf:
listen = 0.0.0.0:9001
auth_strategy = keystone
enable_api_v1 = True
api_base_uri = http://oshaproxy:9001/
enabled_extensions_v1 = quotas, reports
enable_api_v2 = True
enabled_extensions_v2 = quotas, reports

7. Add the following settings to the [keystone_authtoken] section in designate.conf:
auth_host = oshaproxy
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = designate
admin_password = <chosen_password>

8. Add the following settings to the [service:worker] section in designate.conf:
enabled = True
notify = True

9. Configure database access in the [storage:sqlalchemy] section in designate.conf, using the password given to the designate database user in step 5:
connection = mysql+pymysql://designate:DESIGNATE_DBPASS@oshaproxy:3308/designate

10. Populate the designate database:
# su -s /bin/sh -c "designate-manage database sync" designate

11. Start the designate central and API services and configure them to start when the system boots:
# systemctl enable designate-central designate-api
# systemctl start designate-central designate-api

12. Create /etc/designate/pools.yaml with the following contents:
- name: default
  description: Default Pool

  attributes: {}

  ns_records:
    - hostname: node008.cm.cluster.
      priority: 1

  nameservers:
    - host: 10.141.0.5
      port: 53

  targets:
    - type: bind9
      description: BIND9 Server 1

      masters:
        - host: 10.141.0.1
          port: 5354

      options:
        host: 10.141.0.5
        port: 53
        rndc_host: 10.141.0.5
        rndc_port: 953
        rndc_key_file: /etc/rndc.key
Replace "node008.cm.cluster." with the fully qualified domain name of your controller node (keep the trailing dot), 10.141.0.5 with the IP address of your BIND DNS server, and 10.141.0.1 with the IP address of your controller node.

13. Update the pools:
# su -s /bin/sh -c "designate-manage pool update" designate

14. Start the designate and mDNS services and configure them to start when the system boots:
# systemctl enable designate-worker designate-producer designate-mdns
# systemctl start designate-worker designate-producer designate-mdns

15. If the controller node does not have its own software image, create such an image on the head node. In this example, the current image associated with the controller node is default-image:
# cmsh
% softwareimage
% clone default-image controller-image
% commit

Once the controller-image image has been created, set the controller node to use it. Again, using our previous examples, here node008 will represent the controller node:
% device use node008
% set softwareimage controller-image
% commit

16. Update the controller node's software image. Again in our example, node008 will represent the controller node:
# cmsh
% device use node008
% grabimage -w

Verify that Designate Works (from your head node)

1. Check that the appropriate services are running properly:
# openstack dns service list
+--------------------------------------+----------+--------------+--------+-------+--------------+
| id                                   | hostname | service_name | status | stats | capabilities |
+--------------------------------------+----------+--------------+--------+-------+--------------+
| 2e88ab2f-606d-4461-a4d9-e3b192f271fa | node008  | api          | UP     | -     | -            |
| 4d2fb158-fe43-4679-8c60-a17a863b17c6 | node008  | central      | UP     | -     | -            |
| 1ab0ee99-6fcd-4b91-89e4-178173b3069d | node008  | worker       | UP     | -     | -            |
| 7db903c6-e1dd-4438-85d4-fac8a186f855 | node008  | mdns         | UP     | -     | -            |
| 9507f150-44d9-4bba-9cdf-9d06cdc2b7bb | node008  | producer     | UP     | -     | -            |
+--------------------------------------+----------+--------------+--------+-------+--------------+

2. Create a zone:
# openstack zone create --email me@example.org corp.example.org.
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| action         | CREATE                               |
| attributes     |                                      |
| created_at     | 2018-01-22T18:42:23.000000           |
| description    | None                                 |
| email          | me@example.org                       |
| id             | 7cbdeadd-0bf3-4220-9a4a-e36190e9926b |
| masters        |                                      |
| name           | corp.example.org.                    |
| pool_id        | 794ccc2c-d751-44fe-b57f-8894c9f5c842 |
| project_id     | 2aac6e3714934c61b189761f05a133c4     |
| serial         | 1516646543                           |
| status         | PENDING                              |
| transferred_at | None                                 |
| ttl            | 3600                                 |
| type           | PRIMARY                              |
| updated_at     | None                                 |
| version        | 1                                    |
+----------------+--------------------------------------+


3. Verify that the zone is now active:
# openstack zone show corp.example.org. -c name -c status
+--------+--------------------+
| Field  | Value              |
+--------+--------------------+
| name   | corp.example.org.  |
| status | ACTIVE             |
+--------+--------------------+
4. Test adding an A record to that zone:
# openstack recordset create corp.example.org. www --type A --records '198.51.100.10'
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| action      | CREATE                               |
| created_at  | 2018-01-22T18:49:41.000000           |
| description | None                                 |
| id          | ab093610-270e-4749-a816-9397b3a38618 |
| name        | www.corp.example.org.                |
| project_id  | 2aac6e3714934c61b189761f05a133c4     |
| records     | 198.51.100.10                        |
| status      | PENDING                              |
| ttl         | None                                 |
| type        | A                                    |
| updated_at  | None                                 |
| version     | 1                                    |
| zone_id     | 7cbdeadd-0bf3-4220-9a4a-e36190e9926b |
| zone_name   | corp.example.org.                    |
+-------------+--------------------------------------+

5. Verify that the A record is now active:
# openstack recordset list corp.example.org.
+--------------------------------------+------------------------+------+--------------------------------------------------------------------+--------+--------+
| id                                   | name                   | type | records                                                            | status | action |
+--------------------------------------+------------------------+------+--------------------------------------------------------------------+--------+--------+
| 4d87f242-2120-4412-9f40-035245dab8d9 | corp.example.org.      | SOA  | node008.cm.cluster. me@example.org. 1516646981 3529 600 86400 3600 | ACTIVE | NONE   |
| 837ee1ad-aa98-4876-a2ce-e568953f177a | corp.example.org.      | NS   | node008.cm.cluster.                                                | ACTIVE | NONE   |
| ab093610-270e-4749-a816-9397b3a38618 | www.corp.example.org.  | A    | 198.51.100.10                                                      | ACTIVE | NONE   |
+--------------------------------------+------------------------+------+--------------------------------------------------------------------+--------+--------+
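The checks above confirm what Designate believes; they do not prove the record reached BIND through the rndc/mDNS path. The following helper, added here and not part of the original article, waits for Designate to report the recordset ACTIVE and then queries the BIND server directly. It assumes dig (bind-utils) is available on the head node and that `openstack recordset show` accepts zone and recordset names, as the zone commands above do.

```sh
#!/bin/sh
# Added example, not from the original KB article: after creating a recordset,
# wait for Designate to mark it ACTIVE and then query the BIND server directly,
# so the check covers the rndc/mDNS propagation path and not only the API.

# verify_record <zone.> <label> <expected_ip> <bind_ip>
# Prints "ok", "timeout" or "mismatch:<answer>"; non-zero status on failure.
verify_record() {
    zone=$1; label=$2; want=$3; bind=$4; tries=0
    # Designate reports PENDING until the worker has pushed the change via rndc.
    while [ "$(openstack recordset show "$zone" "$label.$zone" -c status -f value)" != ACTIVE ]; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo timeout; return 1; }
        sleep 2
    done
    # Ask the authoritative server itself, bypassing any resolver cache.
    got=$(dig +short @"$bind" "$label.$zone" A)
    if [ "$got" = "$want" ]; then echo ok; else echo "mismatch:$got"; return 1; fi
}

# Usage from the head node, with the article's example values:
#   ./verify_record.sh corp.example.org. www 198.51.100.10 10.141.0.5
if [ $# -eq 4 ]; then verify_record "$@"; fi
```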
