openstack dns
Designate是一个多租户DNS即服务,包括用于域和记录管理的REST API,用于与Neutron集成的框架以及对Bind9的集成支持。
您可能需要考虑以下DNSaaS:
- 干净的REST API,用于管理区域和记录
- 自动生成记录(与OpenStack集成)
- 支持多个权威名称服务器
- 主持多个项目/组织
本文介绍了如何在CentOS或Red Hat Enterprise Linux 7(RHEL 7)上手动安装和配置最新版本的Designate服务,但是您可以在其他发行版上使用相同的配置。
在OpenStack上安装Designate
我具有用于绑定和指定的Ansible角色,这些角色演示了GitHub存储库中的设置。
此设置假定绑定服务在OpenStack控制器节点上是外部的(即使您可以在本地安装绑定)。
- 安装Designate的软件包并绑定(在OpenStack控制器上):
# yum install openstack-designate-* bind bind-utils -y
- 创建指定数据库和用户:
MariaDB [(none)]> CREATE DATABASE designate CHARACTER SET utf8 COLLATE utf8_general_ci;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO \
'designate'@'localhost' IDENTIFIED BY 'rhlab123';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'%' \
IDENTIFIED BY 'rhlab123';
注意:必须在控制器端安装绑定程序包,远程名称守护程序控制(RNDC)才能正常运行。
配置绑定(DNS服务器)
- 生成RNDC文件:
rndc-confgen -a -k designate -c /etc/rndc.key -r /dev/urandom
cat <<EOF> etcrndc.conf
include "/etc/rndc.key";
options {
default-key "designate";
default-server {{ DNS_SERVER_IP }};
default-port 953;
};
EOF
- 将以下内容添加到named.conf中 :
include "/etc/rndc.key";
controls {
inet {{ DNS_SERVER_IP }} allow { localhost;{{ CONTROLLER_SERVER_IP }}; } keys { "designate"; };
};
在选项部分中,添加:
options {
...
allow-new-zones yes;
request-ixfr no;
listen-on port 53 { any; };
recursion no;
allow-query { 127.0.0.1; {{ CONTROLLER_SERVER_IP }}; };
};
添加正确的权限:
chown named:named /etc/rndc.key
chown named:named /etc/rndc.conf
chmod 600 /etc/rndc.key
chown -v root:named /etc/named.conf
chmod g+w /var/named
# systemctl restart named
# setsebool named_write_master_zones 1
- 将rndc.key和rndc.conf推入OpenStack控制器:
# scp -r /etc/rndc* {{ CONTROLLER_SERVER_IP }}:/etc/
创建OpenStack Designate服务和端点
输入:
# openstack user create --domain default --password-prompt designate
# openstack role add --project services --user designate admin
# openstack service create --name designate --description "DNS" dns
# openstack endpoint create --region RegionOne dns public http://{{ CONTROLLER_SERVER_IP }}:9001/
# openstack endpoint create --region RegionOne dns internal http://{{ CONTROLLER_SERVER_IP }}:9001/
# openstack endpoint create --region RegionOne dns admin http://{{ CONTROLLER_SERVER_IP }}:9001/
配置指定服务
- 编辑/etc/designate/designate.conf :
- 在[service:api]部分中,配置auth_strategy :
[service:api]
listen = 0.0.0.0:9001
auth_strategy = keystone
api_base_uri = http://{{ CONTROLLER_SERVER_IP }}:9001/
enable_api_v2 = True
enabled_extensions_v2 = quotas, reports
- 在[keystone_authtoken]部分中,配置以下选项:
[keystone_authtoken]
auth_type = password
username = designate
password = rhlab123
project_name = service
project_domain_name = Default
user_domain_name = Default
www_authenticate_uri = http://{{ CONTROLLER_SERVER_IP }}:5000/
auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000/
- 在[service:worker]部分中,启用worker模型:
enabled = True
notify = True
- 在[storage:sqlalchemy]部分中,配置数据库访问权限:
[storage:sqlalchemy]
connection = mysql+pymysql://designate:rhlab123@{{ CONTROLLER_SERVER_IP }}/designate
- 填充“指定”数据库:
# su -s /bin/sh -c "designate-manage database sync" designate
- 创建Designate的pools.yaml文件(具有目标和绑定详细信息):
- 编辑/etc/designate/pools.yaml :
- name: default
# The name is immutable. There will be no option to change the name after
# creation and the only way will to change it will be to delete it
# (and all zones associated with it) and recreate it.
description: Default Pool
attributes: {}
# List out the NS records for zones hosted within this pool
# This should be a record that is created outside of designate, that
# points to the public IP of the controller node.
ns_records:
- hostname: {{Controller_FQDN}}. # Thisis mDNS
priority: 1
# List out the nameservers for this pool. These are the actual BIND servers.
# We use these to verify changes have propagated to all nameservers.
nameservers:
- host: {{ DNS_SERVER_IP }}
port: 53
# List out the targets for this pool. For BIND there will be one
# entry for each BIND server, as we have to run rndc command on each server
targets:
- type: bind9
description: BIND9 Server 1
# List out the designate-mdns servers from which BIND servers should
# request zone transfers (AXFRs) from.
# This should be the IP of the controller node.
# If you have multiple controllers you can add multiple masters
# by running designate-mdns on them, and adding them here.
masters:
- host: {{ CONTROLLER_SERVER_IP }}
port: 5354
# BIND Configuration options
options:
host: {{ DNS_SERVER_IP }}
port: 53
rndc_host: {{ DNS_SERVER_IP }}
rndc_port: 953
rndc_key_file: /etc/rndc.key
rndc_config_file: /etc/rndc.conf
- 填充Designate的池:
su -s /bin/sh -c "designate-manage pool update" designate
- 开始指定中央和API服务:
systemctl enable --now designate-central designate-api
- 验证Designate的服务是否正常运行:
# openstack dns service list
+--------------+--------+-------+--------------+
| service_name | status | stats | capabilities |
+--------------+--------+-------+--------------+
| central | UP | - | - |
| api | UP | - | - |
| mdns | UP | - | - |
| worker | UP | - | - |
| producer | UP | - | - |
+--------------+--------+-------+--------------+
使用外部DNS配置OpenStack Neutron
- 为指定服务配置iptables:
# iptables -I INPUT -p tcp -m multiport --dports 9001 -m comment --comment "designate incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 5354 -m comment --comment "Designate mdns incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 53 -m comment --comment "bind incoming" -j ACCEPT
# iptables -I INPUT -p udp -m multiport --dports 53 -m comment --comment "bind/powerdns incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 953 -m comment --comment "rndc incoming - bind only" -j ACCEPT
# service iptables save; service iptables restart
# setsebool named_write_master_zones 1
- 编辑/etc/neutron/neutron.conf的[default]部分:
external_dns_driver = designate
- 在/_etc/_neutron/neutron.conf中添加[指定]部分:
[designate]
url = http://{{ CONTROLLER_SERVER_IP }}:9001/v2 ## This end point of designate
auth_type = password
auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000
username = designate
password = rhlab123
project_name = services
project_domain_name = Default
user_domain_name = Default
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116
- 编辑dns_domain的在neutron.conf:
dns_domain = rhlab.dev.
# systemctl restart neutron-*
- 将dns添加到/etc/neutron/plugins/ml2/ml2_conf.ini中的Modular Layer 2(ML2)驱动程序列表中 :
extension_drivers=port_security,qos,dns
- 在“指定”中添加区域 :
# openstack zone create –email=admin@rhlab.dev rhlab.dev.
在rhlab.dev区域添加新记录: # openstack recordset create --record '192.168.1.230' --type A rhlab.dev. Test
现在应安装并配置“指定”。
翻译自: https://opensource.com/article/19/4/getting-started-openstack-designate
openstack dns
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)
