Designate bind9 backend

Add bind9 backend for designate. It requires the worker
and bind9 services in order to work correctly.

Change-Id: I79472fc80c1f48daaf64300f8a71ee50baa6ebd5
Peter Razumovsky 2017-03-07 12:27:39 +00:00
parent 831a1b7f57
commit 822cb58246
13 changed files with 215 additions and 11 deletions


@ -0,0 +1,13 @@
FROM {{ image_spec("designate-base") }}
MAINTAINER {{ maintainer }}
RUN apt-get update -y \
&& apt-get install -y --no-install-recommends \
--no-install-suggests \
bind9
RUN mkdir -p /var/run/named /etc/bind \
&& chmod 775 /var/run/named \
&& chown root:bind /var/run/named
RUN apt-get clean
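Review bot: `RUN apt-get clean` on the last line runs as its own layer, so the package cache and the lists fetched by `apt-get update` in the first RUN are already baked into the earlier layer and the clean step saves nothing. Chain it onto the install command and drop the lists as well, e.g. `&& apt-get clean && rm -rf /var/lib/apt/lists/*`. The other new bind9 Dockerfile in this commit already chains `apt-get clean` into its install RUN, so this would also make the two images consistent.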


@ -12,5 +12,5 @@ RUN useradd --user-group -G microservices designate \
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/microservices/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/microservices/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf
COPY designate_sudoers /etc/sudoers.d/designate_sudoers COPY designate_sudoers /etc/sudoers.d/designate_sudoers
RUN chmod 750 /etc/sudoers.d \ RUN chmod 750 /etc/sudoers.d /etc/designate/rootwrap.d/ \
&& chmod 440 /etc/sudoers.d/designate_sudoers && chmod 440 /etc/sudoers.d/designate_sudoers


@ -2,8 +2,11 @@ FROM {{ image_spec("designate-base") }}
MAINTAINER {{ maintainer }} MAINTAINER {{ maintainer }}
#mysql-client only for provisioning need to be removed later #mysql-client only for provisioning need to be removed later
RUN apt-get install -y --no-install-recommends \ RUN apt-get update -y \
mysql-client \ && apt-get install -y --no-install-recommends mysql-client bind9 \
&& apt-get clean && apt-get clean \
&& mkdir -p /etc/bind \
&& chown -R designate:designate /etc/bind
USER designate USER designate
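Review bot: Installing `bind9` here pulls the full named daemon into an image that, judging by the rndc-conf/rndc-key files the pool-manager service mounts, only needs the rndc client; on Debian/Ubuntu `bind9utils` provides rndc without named, so `&& apt-get install -y --no-install-recommends mysql-client bind9utils \` would keep the daemon out of this container. The same applies to the other new Dockerfile in this commit that installs `bind9` without running named. `chown -R designate:designate /etc/bind` also makes the rendered rndc key and config writable by the service user; if the entrypoint does not need to write there as that user, leaving the directory root-owned and restricting the key file's mode where it is declared is the tighter option.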


@ -0,0 +1,8 @@
FROM {{ image_spec("designate-base") }}
MAINTAINER {{ maintainer }}
RUN apt-get update -y \
&& apt-get install -y --no-install-recommends bind9 \
&& apt-get clean \
&& mkdir -p /etc/bind \
&& chown -R designate:designate /etc/bind
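Review bot: This Dockerfile never switches user, while the sibling designate image changed in this commit ends with `USER designate`; unless the CCP entrypoint drops privileges itself, this container will run as root. Add `USER designate` as the last line. The remark about installing `bind9` (the named daemon) where presumably only the rndc client from `bind9utils` is needed applies here as well.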


@ -1,6 +1,11 @@
dsl_version: 0.5.0 dsl_version: 0.5.0
service: service:
name: designate-mdns name: designate-mdns
ports:
- {{ designate.bind_port }}
- {{ designate.worker_port }}
- {{ designate.mdns_port }}
- {{ designate.rndc_port }}
containers: containers:
- name: designate-mdns - name: designate-mdns
image: designate-mdns image: designate-mdns
@ -10,8 +15,64 @@ service:
files: files:
- designate-conf - designate-conf
command: designate-mdns --config-file /etc/designate/designate.conf command: designate-mdns --config-file /etc/designate/designate.conf
- name: designate-backend-bind9
image: designate-backend-bind9
daemon:
files:
- named-conf-options
- rndc-conf
- named-conf
- rndc-key
command: /usr/sbin/named -g -c /etc/bind/named.conf -u bind
- name: designate-worker
image: designate-worker
pre:
- name: designate-pool-update
# {% if designate.backend == "bind9" %}
dependencies:
- designate-backend-bind9
# {% endif %}
files:
# {% if designate.backend == "bind9" %}
- bind9-pools
# {% else %}
- fake-pools
# {% endif %}
- designate-conf
type: local
command: designate-manage pool update --file /etc/designate/pools.yaml
daemon:
dependencies:
- designate-api
files:
# {% if designate.backend == "bind9" %}
- bind9-pools
# {% else %}
- fake-pools
# {% endif %}
- designate-conf
- rndc-conf
- rndc-key
command: designate-worker --config-file /etc/designate/designate.conf
files: files:
rndc-conf:
path: /etc/bind/rndc.conf
content: rndc.conf.j2
named-conf-options:
path: /etc/bind/named.conf.options
content: named.conf.options.j2
named-conf:
path: /etc/bind/named.conf
content: named.conf.j2
rndc-key:
path: /etc/bind/rndc.key
content: rndc.key.j2
designate-conf: designate-conf:
path: /etc/designate/designate.conf path: /etc/designate/designate.conf
content: designate.conf.j2 content: designate.conf.j2
fake-pools:
path: /etc/designate/pools.yaml
content: pools.yaml.j2
bind9-pools:
path: /etc/designate/pools.yaml
content: bind9-pools.yaml.j2
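Review bot: The `rndc-key` file entry only gives `path` and `content`; the rendered file holds the shared rndc secret and is mounted into both the designate-worker and designate-backend-bind9 containers, so it should be declared with restrictive ownership and mode, e.g. `perm: "0640"` plus the owning user, if the 0.5.0 DSL's file entries accept those keys (to be confirmed against the DSL schema). The `designate-pool-update` pre-job defined here carries the same name as the pool-update job in the pool-manager service touched by this commit; if job names are global in CCP the two will collide, so either share one job or rename this one. The `{% if designate.backend == "bind9" %}` branches under `files:` are repeated for the pre-job and the daemon; a one-line comment above the first one noting that `bind9-pools` and `fake-pools` both render to `/etc/designate/pools.yaml` would help the next reader.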


@ -24,7 +24,7 @@ service:
command: designate-manage pool update --file /etc/designate/pools.yaml command: designate-manage pool update --file /etc/designate/pools.yaml
- name: designate-pool-sync - name: designate-pool-sync
dependencies: dependencies:
- designate-pool-manager-db-create - designate-pool-update
files: files:
- designate-conf - designate-conf
type: single type: single
@ -34,6 +34,8 @@ service:
- designate-api - designate-api
files: files:
- designate-conf - designate-conf
- rndc-conf
- rndc-key
command: designate-pool-manager --config-file /etc/designate/designate.conf command: designate-pool-manager --config-file /etc/designate/designate.conf
files: files:
@ -43,3 +45,12 @@ files:
pools: pools:
path: /etc/designate/pools.yaml path: /etc/designate/pools.yaml
content: pools.yaml.j2 content: pools.yaml.j2
named-conf:
path: /etc/bind/named.conf.options
content: named.conf.options.j2
rndc-conf:
path: /etc/bind/rndc.conf
content: rndc.conf.j2
rndc-key:
path: /etc/bind/rndc.key
content: rndc.key.j2
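Review bot: The new `named-conf` entry is misnamed — it points at `/etc/bind/named.conf.options` with `named.conf.options.j2`, while the mdns service in this commit calls that file `named-conf-options` and uses `named-conf` for `named.conf` — and no container in this hunk lists it under `files:`, so it is also unused. Rename it to `named-conf-options` for consistency, or drop it if the pool manager does not need it. The `rndc-key` entry carries the rndc secret and should get ownership/mode restrictions here as well, if the DSL file schema allows it. The enclosing `service:` and `files:` mappings begin outside the hunk.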


@ -0,0 +1,27 @@
---
- name: default
description: CCP BIND Pool
attributes: {}
ns_records:
- hostname: ns.ccp.org.
priority: 1
nameservers:
- host: {{ network_topology["private"]["address"] }}
port: {{ designate.bind_port.cont }}
targets:
- type: bind9
description: BIND Instance
masters:
- host: {{ network_topology["private"]["address"] }}
port: {{ designate.mdns_port.cont }}
options:
host: {{ network_topology["private"]["address"] }}
port: {{ designate.bind_port.cont }}
rndc_host: {{ network_topology["private"]["address"] }}
rndc_port: {{ designate.rndc_port.cont }}
rndc_key_file: /etc/bind/rndc.key
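Review bot: The NS record hostname `ns.ccp.org.` is the only deployment-specific value in this template that is not taken from the configs, while host and ports are all templated; make it a configs key (name to be chosen under `designate`) with `ns.ccp.org.` as the shipped default so a deployment can set a real nameserver name without editing the template. The unquoted `{{ ... }}` expressions are acceptable here because CCP renders the template before designate-manage parses the result as YAML; quoting the port values would turn them into strings, which the pools schema may not accept, so leave those as they are.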


@ -3,13 +3,21 @@ configs:
api_port: api_port:
cont: 9001 cont: 9001
ingress: dns ingress: dns
mdns_port:
debug: false cont: 5354
rndc_port:
cont: 953
bind_port:
cont: 53
worker_port:
cont: 5358
debug: true
notification: notification:
driver: noop driver: noop
topics: topics:
enabled: false enabled: false
names: changeme names: changeme
backend: bind9
# options, allows to configure services particularly # options, allows to configure services particularly
service: service:
central: central:
@ -36,6 +44,7 @@ configs:
secret_configs: secret_configs:
designate: designate:
rndc_key_secret: fapwtRlIgYwYeQeyY3U1+Q==
username: designate username: designate
password: password password: password
db: db:
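Review bot: `debug: true` flips the shipped default from `false` as a side effect of inserting the port keys, and the commit message does not mention it; debug logging should stay off by default (`debug: false`) and be enabled per deployment. `rndc_key_secret: fapwtRlIgYwYeQeyY3U1+Q==` is a fixed secret checked into the repo that every deployment will share unless overridden; it follows the existing `password: password` placeholder pattern, but since it is the only credential guarding the rndc control channel, a comment such as `# placeholder, override per deployment` above it would make that explicit.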


@ -19,12 +19,12 @@ notification_topics = {{ designate.notification.topics.names }}
rabbit_userid = {{ rabbitmq.user }} rabbit_userid = {{ rabbitmq.user }}
rabbit_password = {{ rabbitmq.password }} rabbit_password = {{ rabbitmq.password }}
rabbit_hosts = {{ address("rabbitmq", rabbitmq.port) }} rabbit_hosts = {{ address("rpc", rabbitmq.port) }}
[oslo_messaging_rabbit] [oslo_messaging_rabbit]
rabbit_userid = {{ rabbitmq.user }} rabbit_userid = {{ rabbitmq.user }}
rabbit_password = {{ rabbitmq.password }} rabbit_password = {{ rabbitmq.password }}
rabbit_hosts = {{ address("rabbitmq", rabbitmq.port) }} rabbit_hosts = {{ address("rpc", rabbitmq.port) }}
#-------------------- #--------------------
# Keystone Middleware # Keystone Middleware
@ -55,6 +55,8 @@ enable_api_v1 = True
enabled_extensions_v1 = diagnostics, quotas, reports, sync, touch enabled_extensions_v1 = diagnostics, quotas, reports, sync, touch
enable_api_v2 = True enable_api_v2 = True
enabled_extensions_v2 = quotas, reports enabled_extensions_v2 = quotas, reports
enable_api_admin = True
listen = {{ address("designate-api", designate.api_port) }}
#------------- #-------------
# Sink Service # Sink Service
@ -68,6 +70,7 @@ enabled_notification_handlers = nova_fixed, neutron_floatingip
[service:mdns] [service:mdns]
workers = {{ designate.service.mdns.workers }} workers = {{ designate.service.mdns.workers }}
threads = {{ designate.service.mdns.threads }} threads = {{ designate.service.mdns.threads }}
all_tcp = True
#-------------- #--------------
# Agent Service # Agent Service
@ -75,6 +78,10 @@ threads = {{ designate.service.mdns.threads }}
[service:agent] [service:agent]
workers = {{ designate.service.agent.workers }} workers = {{ designate.service.agent.workers }}
[service:worker]
enabled = True
notify = True
#--------------------- #---------------------
# Zone Manager Service # Zone Manager Service
#--------------------- #---------------------
@ -99,6 +106,9 @@ threads = {{ designate.service.pool_manager.threads }}
{% if designate.pool is defined %} {% if designate.pool is defined %}
pool_id = {{ designate.pool.pool_id }} pool_id = {{ designate.pool.pool_id }}
{%- endif %} {%- endif %}
periodic_sync_interval = 1800
periodic_recovery_interval = 120
################################### ###################################
## Pool Manager Cache Configuration ## Pool Manager Cache Configuration
@ -139,4 +149,3 @@ notification_topics = notifications
control_exchange = 'neutron' control_exchange = 'neutron'
format = '%(hostname)s.%(domain)s' format = '%(hostname)s.%(domain)s'
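Review bot: `[service:worker]` is switched on with `enabled = True` while the `[service:pool_manager]` section further down is still configured and the pool-manager service in this commit still receives the rndc files; in designate the worker service takes over zone handling from the pool manager, so running both against the same backend is presumably not intended — confirm which one is meant to be active when `backend` is `bind9`. `periodic_sync_interval = 1800` and `periodic_recovery_interval = 120` are hard-coded where the neighbouring `workers`/`threads` values are templated from `designate.service.pool_manager.*`; consider templating them the same way. `enable_api_admin = True` enables the admin API without an accompanying `enabled_extensions_admin`, which may be intended but deserves a comment. The enclosing config sections continue outside the hunks.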


@ -0,0 +1,12 @@
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/rndc.key";
controls {
inet * port {{ designate.rndc_port.cont }}
allow { any; } keys { "rndc-key"; };
inet * port {{ designate.bind_port.cont }}
allow { any; } keys { "rndc-key"; };
};
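Review bot: The second `inet * port {{ designate.bind_port.cont }}` statement binds an rndc control channel to the same port named serves DNS on (`listen-on { any; }` in named.conf.options.j2), which either fails at startup or is simply wrong; drop that second `inet` block. The remaining channel listens on every address with `allow { any; }`, so the HMAC key is the only thing between the network and rndc control; restrict it to the addresses the worker actually uses, e.g. `inet * port {{ designate.rndc_port.cont }} allow { {{ network_topology["private"]["address"] }}; 127.0.0.1; } keys { "rndc-key"; };`. The mdns service definition in this commit also lists `designate.rndc_port` under `ports:`, so the channel is reachable through the service, not only inside the pod.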


@ -0,0 +1,39 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation yes;
dnssec-enable yes;
auth-nxdomain no; # conform to RFC1035
allow-new-zones yes;
request-ixfr no;
recursion no;
query-source address * port {{ designate.bind_port.cont }};
listen-on { any; };
listen-on-v6 { ipv-6-address; };
allow-query {
any;
10.233.0.0/16;
};
allow-notify {
any;
10.233.0.0/16;
};
};
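Review bot: `listen-on-v6 { ipv-6-address; };` references `ipv-6-address`, which is neither an address nor a defined ACL, so named will reject this configuration at startup; use `listen-on-v6 { none; };` (or `any;`) instead. In `allow-query` and `allow-notify` the `any;` element already matches everything, so the `10.233.0.0/16;` entries are dead; if the intent was to restrict to the cluster network, remove `any;`, otherwise remove the hard-coded prefix. `query-source address * port {{ designate.bind_port.cont }};` pins outbound queries to a fixed source port and so gives up source-port randomisation; with `recursion no` the exposure is limited, but omitting the `port` clause is the safer default. The forwarders and root-key comments inherited from the stock Debian file do not apply to this authoritative-only setup and could be trimmed.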


@ -0,0 +1,8 @@
include "/etc/bind/rndc.key";
options {
default-key "rndc-key";
default-server {{ network_topology["private"]["address"] }};
default-port {{ designate.rndc_port.cont }};
};


@ -0,0 +1,4 @@
key "rndc-key" {
algorithm hmac-md5;
secret "{{ designate.rndc_key_secret }}";
};
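Review bot: `algorithm hmac-md5;` selects the weakest TSIG algorithm BIND supports for the rndc key; both ends of the channel (named in the backend container and rndc in the worker) are rendered from this same template, so switching to `algorithm hmac-sha256;` is a one-line change with no compatibility concern between them. The secret comes from `designate.rndc_key_secret`, whose shipped default is a fixed value; a comment such as `// key material: override designate.rndc_key_secret per deployment` above the key block would signal that.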