
Designate bind9 backend

Add bind9 backend for designate. It requires the worker
and bind9 services in order to work correctly.

Change-Id: I79472fc80c1f48daaf64300f8a71ee50baa6ebd5
changes/21/442421/10
Peter Razumovsky 2 years ago
parent
commit
822cb58246

+ 13
- 0
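--- a/docker/designate-backend-bind9/Dockerfile.j2
+++ b/docker/designate-backend-bind9/Dockerfile.j2
@@ -0,0 +1,13 @@
+FROM {{ image_spec("designate-base") }}
+MAINTAINER {{ maintainer }}
+
+RUN apt-get update -y \
+    && apt-get install -y --no-install-recommends \
+       --no-install-suggests \
+       bind9
+
+RUN mkdir -p /var/run/named /etc/bind \
+    && chmod 775 /var/run/named \
+    && chown root:bind /var/run/named
+
+RUN apt-get clean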
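Review bot: `apt-get clean` on the last line runs in its own layer, so the package index fetched by `apt-get update` in the first RUN is already baked into the image and the clean removes nothing from it. Fold the cleanup into the install step and drop the lists as well: `&& apt-get clean && rm -rf /var/lib/apt/lists/*` appended to the first RUN, then delete the separate `RUN apt-get clean`. Note also that named is started with `-u bind` in the service file while `/etc/bind` is created here with default ownership; the rendered rndc.key must be readable by the bind user yet not world-readable, so confirm the mode the service framework uses when it writes files into that directory.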

+ 1
- 1
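--- a/docker/designate-base/Dockerfile.j2
+++ b/docker/designate-base/Dockerfile.j2
@@ -12,5 +12,5 @@ RUN useradd --user-group -G microservices designate \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/microservices/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf
 
 COPY designate_sudoers /etc/sudoers.d/designate_sudoers
-RUN chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d /etc/designate/rootwrap.d/ \
     && chmod 440 /etc/sudoers.d/designate_sudoers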
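Review bot: The new `chmod 750 /etc/designate/rootwrap.d/` only sets a mode; whether it actually protects the filter files depends on who owns the directory, which this hunk does not show. The rootwrap filters define what sudo lets the `designate` user run as root, so if `/etc/designate` (and therefore `rootwrap.d`) is owned by the `designate` user created in the same RUN chain, mode 750 still lets that user rewrite the filters and escalate to root; the directory and its contents should be root-owned, e.g. `&& chown -R root:root /etc/designate/rootwrap.d` before the chmod. The RUN chain edited here starts before the hunk (the `useradd` line shown in the hunk header).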

+ 6
- 3
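--- a/docker/designate-pool-manager/Dockerfile.j2
+++ b/docker/designate-pool-manager/Dockerfile.j2
@@ -2,8 +2,11 @@ FROM {{ image_spec("designate-base") }}
 MAINTAINER {{ maintainer }}
 
 #mysql-client only for provisioning need to be removed later
-RUN apt-get install -y --no-install-recommends \
-        mysql-client \
-    && apt-get clean
+RUN apt-get update -y \
+    && apt-get install -y --no-install-recommends mysql-client bind9 \
+    && apt-get clean \
+    && mkdir -p /etc/bind \
+    && chown -R designate:designate /etc/bind
 
 USER designate
+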
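Review bot: Installing the full `bind9` package into the pool-manager image pulls in the `named` daemon and its init hooks, while this container (which drops to `USER designate`) only needs the `rndc` client to reach the backend. On Debian/Ubuntu `rndc` ships in `bind9utils` (`bind9-utils` on newer releases), so `apt-get install -y --no-install-recommends mysql-client bind9utils` keeps the attack surface and image size down — worth checking against the distro of the base image. The `apt-get clean` in the same chain also leaves `/var/lib/apt/lists/*` from the new `apt-get update` in the layer; add `&& rm -rf /var/lib/apt/lists/*` after it.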

+ 8
- 0
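--- a/docker/designate-worker/Dockerfile.j2
+++ b/docker/designate-worker/Dockerfile.j2
@@ -0,0 +1,8 @@
+FROM {{ image_spec("designate-base") }}
+MAINTAINER {{ maintainer }}
+
+RUN apt-get update -y \
+    && apt-get install -y --no-install-recommends bind9 \
+    && apt-get clean \
+    && mkdir -p /etc/bind \
+    && chown -R designate:designate /etc/bind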
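Review bot: This image never switches away from root — the pool-manager Dockerfile in the same change ends with `USER designate`, but there is no equivalent here, so unless the service framework overrides the user, `designate-worker` (which shells out to `rndc` with the control key) runs as root. Add `USER designate` as the final instruction; the `chown -R designate:designate /etc/bind` on the last line suggests that was the intent. As in the pool-manager image, `bind9utils` rather than `bind9` would provide `rndc` without shipping the `named` daemon.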

+ 62
- 1
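--- a/service/designate-mdns.yaml
+++ b/service/designate-mdns.yaml
@@ -1,6 +1,11 @@
 dsl_version: 0.5.0
 service:
   name: designate-mdns
+  ports:
+    - {{ designate.bind_port }}
+    - {{ designate.worker_port }}
+    - {{ designate.mdns_port }}
+    - {{ designate.rndc_port }}
   containers:
     - name: designate-mdns
       image: designate-mdns
@@ -10,8 +15,64 @@ service:
         files:
           - designate-conf
         command: designate-mdns --config-file /etc/designate/designate.conf
-
+    - name: designate-backend-bind9
+      image: designate-backend-bind9
+      daemon:
+        files:
+          - named-conf-options
+          - rndc-conf
+          - named-conf
+          - rndc-key
+        command: /usr/sbin/named -g -c /etc/bind/named.conf -u bind
+    - name: designate-worker
+      image: designate-worker
+      pre:
+        - name: designate-pool-update
+          # {% if designate.backend == "bind9" %}
+          dependencies:
+            - designate-backend-bind9
+          # {% endif %}
+          files:
+            # {% if designate.backend == "bind9" %}
+            - bind9-pools
+            # {% else %}
+            - fake-pools
+            # {% endif %}
+            - designate-conf
+          type: local
+          command: designate-manage pool update --file /etc/designate/pools.yaml
+      daemon:
+        dependencies:
+          - designate-api
+        files:
+          # {% if designate.backend == "bind9" %}
+          - bind9-pools
+          # {% else %}
+          - fake-pools
+          # {% endif %}
+          - designate-conf
+          - rndc-conf
+          - rndc-key
+        command: designate-worker --config-file /etc/designate/designate.conf
 files:
+  rndc-conf:
+    path: /etc/bind/rndc.conf
+    content: rndc.conf.j2
+  named-conf-options:
+    path: /etc/bind/named.conf.options
+    content: named.conf.options.j2
+  named-conf:
+    path: /etc/bind/named.conf
+    content: named.conf.j2
+  rndc-key:
+    path: /etc/bind/rndc.key
+    content: rndc.key.j2
   designate-conf:
     path: /etc/designate/designate.conf
     content: designate.conf.j2
+  fake-pools:
+    path: /etc/designate/pools.yaml
+    content: pools.yaml.j2
+  bind9-pools:
+    path: /etc/designate/pools.yaml
+    content: bind9-pools.yaml.j2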
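Review bot: The `designate-backend-bind9` container, its four `/etc/bind` files and the published `bind_port`/`rndc_port` entries are unconditional, while only the pool-update `dependencies:` and the pools file are wrapped in `# {% if designate.backend == "bind9" %}`; with any other backend selected, named still starts and ports 53/953 are still exposed by this service. Wrap the container entry and the `named-conf*`/`rndc-*` file definitions in the same guard, or drop the guards altogether if bind9 is the only backend this service supports. Separately, listing `{{ designate.rndc_port }}` under `ports:` makes the named control channel reachable beyond the pod; with `controls` allowing `any` in named.conf.j2 the only barrier is the shared key, so unless an external rndc client is intended, leave that port out of `ports:`.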

+ 12
- 1
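--- a/service/designate-pool-manager.yaml
+++ b/service/designate-pool-manager.yaml
@@ -24,7 +24,7 @@ service:
           command: designate-manage pool update --file /etc/designate/pools.yaml
         - name: designate-pool-sync
           dependencies:
-            - designate-pool-manager-db-create
+            - designate-pool-update
           files:
             - designate-conf
           type: single
@@ -34,6 +34,8 @@ service:
           - designate-api
         files:
           - designate-conf
+          - rndc-conf
+          - rndc-key
         command: designate-pool-manager --config-file /etc/designate/designate.conf
 
 files:
@@ -43,3 +45,12 @@ files:
   pools:
     path: /etc/designate/pools.yaml
     content: pools.yaml.j2
+  named-conf:
+    path: /etc/bind/named.conf.options
+    content: named.conf.options.j2
+  rndc-conf:
+    path: /etc/bind/rndc.conf
+    content: rndc.conf.j2
+  rndc-key:
+    path: /etc/bind/rndc.key
+    content: rndc.key.j2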
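Review bot: The new `named-conf:` file entry in the third hunk maps to `/etc/bind/named.conf.options` / `named.conf.options.j2`, which disagrees with designate-mdns.yaml in the same change (there that pair is `named-conf-options`, and `named-conf` is named.conf itself), and no container in this service lists it under `files:` — the pool-manager never runs named. Drop the entry, or if it is meant to be consumed, rename it `named-conf-options:` so the two service files agree. The daemon now also receives `rndc-key`, which is the sole credential on the control channel; confirm the framework renders it with a non-world-readable mode inside the container.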

+ 27
- 0
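--- a/service/files/bind9-pools.yaml.j2
+++ b/service/files/bind9-pools.yaml.j2
@@ -0,0 +1,27 @@
+---
+- name: default
+  description: CCP BIND Pool
+  attributes: {}
+
+  ns_records:
+    - hostname: ns.ccp.org.
+      priority: 1
+
+  nameservers:
+    - host: {{ network_topology["private"]["address"] }}
+      port: {{ designate.bind_port.cont }}
+
+  targets:
+    - type: bind9
+      description: BIND Instance
+
+      masters:
+        - host: {{ network_topology["private"]["address"] }}
+          port: {{ designate.mdns_port.cont }}
+
+      options:
+        host: {{ network_topology["private"]["address"] }}
+        port: {{ designate.bind_port.cont }}
+        rndc_host: {{ network_topology["private"]["address"] }}
+        rndc_port: {{ designate.rndc_port.cont }}
+        rndc_key_file: /etc/bind/rndc.key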
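Review bot: `hostname: ns.ccp.org.` is a hard-coded placeholder that ends up in the NS record of every zone Designate publishes, so it should come from configuration like the ports do, e.g. `- hostname: {{ designate.ns_hostname }}` with a default in defaults.yaml. The templated `host:`/`rndc_host:` values are plain scalars; an address renders fine unquoted, but an empty or missing expansion silently becomes `null`, so `'{{ network_topology["private"]["address"] }}'` is the safer form. Every address in this file resolves to the same node-private IP, which is correct only while mdns, the worker and named are co-located as designate-mdns.yaml arranges; a comment at the top saying so would save the next person from pointing `masters` elsewhere without also moving `rndc_host`.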

+ 11
- 2
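--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -3,13 +3,21 @@ configs:
     api_port:
       cont: 9001
       ingress: dns
-
-    debug: false
+    mdns_port:
+      cont: 5354
+    rndc_port:
+      cont: 953
+    bind_port:
+      cont: 53
+    worker_port:
+      cont: 5358
+    debug: true
     notification:
       driver: noop
       topics:
         enabled: false
         names: changeme
+    backend: bind9
     # options, allows to configure services particularly
     service:
       central:
@@ -36,6 +44,7 @@ configs:
 
 secret_configs:
   designate:
+    rndc_key_secret: fapwtRlIgYwYeQeyY3U1+Q==
     username: designate
     password: password
     db: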
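Review bot: `rndc_key_secret: fapwtRlIgYwYeQeyY3U1+Q==` is a fixed default committed to the repository, and with named.conf.j2's `controls` allowing `any` and `rndc_port` published by the mdns service, that key is the sole credential for full control of the authoritative server (`rndc addzone`/`delzone`/`stop`); every deployment that does not override it shares it. Generate the key at deploy time (the way `rndc-confgen -a` would) or at least make the default fail loudly, e.g. `rndc_key_secret: changeme` in the style of `names: changeme` above, and quote it as a string so YAML tooling never retypes it. The first hunk also flips the default `debug: false` to `debug: true`; a debug default is a regression for production deployments and looks like a leftover from development.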

+ 12
- 3
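--- a/service/files/designate.conf.j2
+++ b/service/files/designate.conf.j2
@@ -19,12 +19,12 @@ notification_topics = {{ designate.notification.topics.names }}
 
 rabbit_userid = {{ rabbitmq.user }}
 rabbit_password = {{ rabbitmq.password }}
-rabbit_hosts = {{ address("rabbitmq", rabbitmq.port) }}
+rabbit_hosts = {{ address("rpc", rabbitmq.port) }}
 
 [oslo_messaging_rabbit]
 rabbit_userid = {{ rabbitmq.user }}
 rabbit_password = {{ rabbitmq.password }}
-rabbit_hosts = {{ address("rabbitmq", rabbitmq.port) }}
+rabbit_hosts = {{ address("rpc", rabbitmq.port) }}
 
 #--------------------
 # Keystone Middleware
@@ -55,6 +55,8 @@ enable_api_v1 = True
 enabled_extensions_v1 = diagnostics, quotas, reports, sync, touch
 enable_api_v2 = True
 enabled_extensions_v2 = quotas, reports
+enable_api_admin = True
+listen = {{ address("designate-api", designate.api_port) }}
 
 #-------------
 # Sink Service
@@ -68,6 +70,7 @@ enabled_notification_handlers = nova_fixed, neutron_floatingip
 [service:mdns]
 workers = {{ designate.service.mdns.workers }}
 threads = {{ designate.service.mdns.threads }}
+all_tcp = True
 
 #--------------
 # Agent Service
@@ -75,6 +78,10 @@ threads = {{ designate.service.mdns.threads }}
 [service:agent]
 workers = {{ designate.service.agent.workers }}
 
+[service:worker]
+enabled = True
+notify = True
+
 #---------------------
 # Zone Manager Service
 #---------------------
@@ -99,6 +106,9 @@ threads = {{ designate.service.pool_manager.threads }}
 {% if designate.pool is defined %}
 pool_id = {{ designate.pool.pool_id }}
 {%- endif %}
+periodic_sync_interval = 1800
+periodic_recovery_interval = 120
+
 
 ###################################
 ## Pool Manager Cache Configuration
@@ -139,4 +149,3 @@ notification_topics = notifications
 control_exchange = 'neutron'
 format = '%(hostname)s.%(domain)s'
 
-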
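Review bot: `enable_api_admin = True` in the second hunk turns on Designate's admin API on the same listener as v1/v2, but no `enabled_extensions_admin` line accompanies it, so the endpoint is exposed without any configured purpose; either set the admin extensions you actually need or leave the admin API disabled. The admin API is guarded only by policy, so this also relies on `auth_strategy` in `[service:api]` being `keystone` — that line is outside the hunk, so confirm it before merging. The intervals added in the fifth hunk are hard-coded where the neighbouring `workers`/`threads` values are templated; `periodic_sync_interval = {{ designate.service.pool_manager.periodic_sync_interval }}` with defaults in defaults.yaml would be consistent with the rest of the file.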

+ 12
- 0
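--- a/service/files/named.conf.j2
+++ b/service/files/named.conf.j2
@@ -0,0 +1,12 @@
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/rndc.key";
+
+controls {
+    inet * port {{ designate.rndc_port.cont }}
+    allow { any; } keys { "rndc-key"; };
+    inet * port {{ designate.bind_port.cont }}
+    allow { any; } keys { "rndc-key"; };
+};
+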
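Review bot: The second control entry, `inet * port {{ designate.bind_port.cont }}`, asks named to open its rndc control channel on the DNS port (53), which collides with the `listen-on` query listener from named.conf.options and serves no purpose for rndc; remove both of its lines. The remaining entry is `inet *` with `allow { any; }`, i.e. reachable on every interface and protected only by the shared key; rndc.conf.j2 always targets the node's private address, so bind it there and narrow the ACL: `inet {{ network_topology["private"]["address"] }} port {{ designate.rndc_port.cont }} allow { 127.0.0.1; {{ network_topology["private"]["address"] }}; } keys { "rndc-key"; };`. The includes of named.conf.local and named.conf.default-zones are not rendered by this change and depend on the bind9 package's shipped copies being present in the image — they should survive the `mkdir -p /etc/bind` in the Dockerfile, but nothing here guarantees it.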

+ 39
- 0
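--- a/service/files/named.conf.options.j2
+++ b/service/files/named.conf.options.j2
@@ -0,0 +1,39 @@
+options {
+    directory "/var/cache/bind";
+
+    // If there is a firewall between you and nameservers you want
+    // to talk to, you may need to fix the firewall to allow multiple
+    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+    // If your ISP provided one or more IP addresses for stable
+    // nameservers, you probably want to use them as forwarders.
+    // Uncomment the following block, and insert the addresses replacing
+    // the all-0's placeholder.
+
+    // forwarders {
+    //  0.0.0.0;
+    // };
+
+    //========================================================================
+    // If BIND logs error messages about the root key being expired,
+    // you will need to update your keys.  See https://www.isc.org/bind-keys
+    //========================================================================
+    dnssec-validation yes;
+    dnssec-enable yes;
+    auth-nxdomain no;    # conform to RFC1035
+    allow-new-zones yes;
+    request-ixfr no;
+    recursion no;
+    query-source address * port {{ designate.bind_port.cont }};
+    listen-on { any; };
+    listen-on-v6 { ipv-6-address; };
+    allow-query {
+       any;
+       10.233.0.0/16;
+    };
+    allow-notify {
+       any;
+       10.233.0.0/16;
+    };
+};
+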
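Review bot: `listen-on-v6 { ipv-6-address; };` is a leftover placeholder rather than an address or a defined ACL, so named will reject this configuration at startup; use `listen-on-v6 { none; };` (or `any`) as intended. `allow-notify { any; 10.233.0.0/16; }` lets any host trigger zone refreshes, and the `any` entry makes the CIDR that follows it meaningless — NOTIFY only ever originates from mdns here, so `allow-notify { {{ network_topology["private"]["address"] }}; };` is the right scope (the same `any`-plus-CIDR pattern in `allow-query` is harmless for an authoritative server but should be one or the other). `query-source address * port {{ designate.bind_port.cont }}` pins every outbound query to a fixed source port, which is precisely what the CERT VU#800113 note quoted a few lines above warns against; drop the `port` clause so named randomises it. `allow-new-zones yes` is required for `rndc addzone` from the worker, so that line is correct.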

+ 8
- 0
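--- a/service/files/rndc.conf.j2
+++ b/service/files/rndc.conf.j2
@@ -0,0 +1,8 @@
+include "/etc/bind/rndc.key";
+
+options {
+    default-key "rndc-key";
+    default-server {{ network_topology["private"]["address"] }};
+    default-port {{ designate.rndc_port.cont }};
+};
+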

+ 4
- 0
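--- a/service/files/rndc.key.j2
+++ b/service/files/rndc.key.j2
@@ -0,0 +1,4 @@
+key "rndc-key" {
+        algorithm hmac-md5;
+        secret "{{ designate.rndc_key_secret }}";
+};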
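Review bot: `algorithm hmac-md5;` selects the weakest TSIG algorithm BIND supports for the control channel; any BIND 9 in a currently supported Debian/Ubuntu release accepts `hmac-sha256`, and recent `rndc-confgen` defaults to it, so use `algorithm hmac-sha256;` (the secret stays a base64 blob, so nothing else in the change needs to move). Quoting the templated secret is correct here; the remaining risk is the value itself, which defaults to a checked-in constant in defaults.yaml and should be generated per deployment.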
