openstack dns
Designate is a multi-tenant DNS-as-a-Service that includes a REST API for domain and record management, a framework for integration with Neutron, and integrated support for Bind9.
You might want to consider a DNSaaS for the following:
- A clean REST API for managing zones and records
- Automatic generation of records (integrated with OpenStack)
- Support for multiple authoritative name servers
- Hosting multiple projects/organizations

This article explains how to manually install and configure the latest release of the Designate service on CentOS or Red Hat Enterprise Linux 7 (RHEL 7), but the same configuration can be used on other distributions.
Install Designate on OpenStack
I have Ansible roles for bind and Designate that demonstrate the setup in a GitHub repository.
This setup assumes that the bind service is external to the OpenStack controller node (even though you can install bind locally).
- Install Designate's packages and bind (on the OpenStack controller):
# yum install openstack-designate-* bind bind-utils -y
- Create the Designate database and user:
MariaDB [(none)]> CREATE DATABASE designate CHARACTER SET utf8 COLLATE utf8_general_ci;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO \
'designate'@'localhost' IDENTIFIED BY 'rhlab123';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'%' \
IDENTIFIED BY 'rhlab123';
Note: The bind package must be installed on the controller side for Remote Name Daemon Control (RNDC) to work properly.
Configure bind (the DNS server)
- Generate the RNDC files:
rndc-confgen -a -k designate -c /etc/rndc.key -r /dev/urandom
cat <<EOF> /etc/rndc.conf
include "/etc/rndc.key";
options {
default-key "designate";
default-server {{ DNS_SERVER_IP }};
default-port 953;
};
EOF
- Add the following to named.conf:
In the options section, add:
include "/etc/rndc.key";
controls {
inet {{ DNS_SERVER_IP }} allow { localhost; {{ CONTROLLER_SERVER_IP }}; } keys { "designate"; };
};
Add the correct permissions:
options {
...
allow-new-zones yes;
request-ixfr no;
listen-on port 53 { any; };
recursion no;
allow-query { 127.0.0.1; {{ CONTROLLER_SERVER_IP }}; };
};
chown named:named /etc/rndc.key
chown named:named /etc/rndc.conf
chmod 600 /etc/rndc.key
chown -v root:named /etc/named.conf
chmod g+w /var/named
# systemctl restart named
# setsebool named_write_master_zones 1
- Push rndc.key and rndc.conf to the OpenStack controller:
# scp -r /etc/rndc* {{ CONTROLLER_SERVER_IP }}:/etc/
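The bind settings above decide who may query this server and who may drive it over rndc, so they are worth checking after every edit. What follows is an added example, not code from the article or from its Ansible roles: a small Python audit that reads a named.conf, reports deviations from the layout above (recursion enabled, allow-query open to any, the controls channel not bound to the designate key or open to any host, allow-new-zones missing), and verifies that rndc.key carries the 0600 mode set above. The two named.conf strings and the 192.0.2.x addresses are constructed placeholders standing in for DNS_SERVER_IP and CONTROLLER_SERVER_IP.

```python
"""Audit a Designate-facing named.conf and the rndc.key file mode.
Added example; not part of the original article. Assumes the named.conf
layout shown above (an options block plus a keyed controls block)."""
import os
import re
import stat
import tempfile

# Constructed sample mirroring the article's fragments (192.0.2.53 = bind,
# 192.0.2.10 = controller); not a real deployment.
GOOD_NAMED_CONF = """
include "/etc/rndc.key";
controls {
    inet 192.0.2.53 allow { localhost; 192.0.2.10; } keys { "designate"; };
};
options {
    directory "/var/named";
    allow-new-zones yes;
    request-ixfr no;
    listen-on port 53 { any; };
    recursion no;
    allow-query { 127.0.0.1; 192.0.2.10; };
};
"""

# Constructed counter-example with every check failing.
BAD_NAMED_CONF = """
options {
    recursion yes;
    allow-query { any; };
};
controls {
    inet * allow { any; };
};
"""


def _block(conf, name):
    """Return the body of the first top-level `name ... { ... };` block, or ''."""
    m = re.search(r'\b' + name + r'\b[^{]*\{', conf)
    if not m:
        return ''
    depth, start = 1, m.end()
    i = start
    while i < len(conf) and depth:
        if conf[i] == '{':
            depth += 1
        elif conf[i] == '}':
            depth -= 1
        i += 1
    return conf[start:i - 1]


def _setting(body, key):
    """Value of `key value;` or `key { ... };` inside a block body, or None."""
    m = re.search(r'\b' + key + r'\s+([^;{]+|\{[^}]*\})\s*;', body)
    return m.group(1).strip() if m else None


def audit_named_conf(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    options = _block(conf, 'options')
    if _setting(options, 'recursion') != 'no':
        findings.append('recursion is not disabled; an authoritative server for Designate should not recurse')
    allow_query = _setting(options, 'allow-query')
    if allow_query is None or 'any' in allow_query:
        findings.append('allow-query is missing or open to any')
    if _setting(options, 'allow-new-zones') != 'yes':
        findings.append('allow-new-zones yes is required so Designate can add zones over rndc')
    controls = _block(conf, 'controls')
    if 'keys' not in controls or '"designate"' not in controls:
        findings.append('controls block does not require the designate rndc key')
    if re.search(r'allow\s*\{[^}]*\bany\b', controls):
        findings.append('controls channel accepts rndc from any host')
    return findings


def check_key_file_mode(path):
    """True when the file is inaccessible to group and other (0600 as set above)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def probe_key_file_mode(mode):
    """Create a throwaway file with `mode` and run check_key_file_mode on it."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return check_key_file_mode(path)
    finally:
        os.unlink(path)


if __name__ == '__main__':
    for name, text in (('good', GOOD_NAMED_CONF), ('bad', BAD_NAMED_CONF)):
        print(name, audit_named_conf(text) or ['no findings'])
    print('0600 ok:', probe_key_file_mode(0o600), '0644 ok:', probe_key_file_mode(0o644))
```

To use it on a live server, read /etc/named.conf into `audit_named_conf` and pass /etc/rndc.key to `check_key_file_mode`; the parser only understands the top-level `options` and `controls` blocks used in this article, not `view` sections.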
Create the OpenStack Designate service and endpoints
Enter:
# openstack user create --domain default --password-prompt designate
# openstack role add --project services --user designate admin
# openstack service create --name designate --description "DNS" dns
# openstack endpoint create --region RegionOne dns public http://{{ CONTROLLER_SERVER_IP }}:9001/
# openstack endpoint create --region RegionOne dns internal http://{{ CONTROLLER_SERVER_IP }}:9001/
# openstack endpoint create --region RegionOne dns admin http://{{ CONTROLLER_SERVER_IP }}:9001/
Configure the Designate service
- Edit /etc/designate/designate.conf:
- In the [service:api] section, configure auth_strategy:
[service:api]
listen = 0.0.0.0:9001
auth_strategy = keystone
api_base_uri = http://{{ CONTROLLER_SERVER_IP }}:9001/
enable_api_v2 = True
enabled_extensions_v2 = quotas, reports
- In the [keystone_authtoken] section, configure the following options:
[keystone_authtoken]
auth_type = password
username = designate
password = rhlab123
project_name = service
project_domain_name = Default
user_domain_name = Default
www_authenticate_uri = http://{{ CONTROLLER_SERVER_IP }}:5000/
auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000/
- In the [service:worker] section, enable the worker model:
enabled = True
notify = True
- In the [storage:sqlalchemy] section, configure database access:
[storage:sqlalchemy]
connection = mysql+pymysql://designate:rhlab123@{{ CONTROLLER_SERVER_IP }}/designate
- Populate the Designate database:
# su -s /bin/sh -c "designate-manage database sync" designate
- Create Designate's pools.yaml file (with the targets and bind details):
- Edit /etc/designate/pools.yaml:
- name: default
  # The name is immutable. There will be no option to change the name after
  # creation and the only way to change it will be to delete it
  # (and all zones associated with it) and recreate it.
  description: Default Pool
  attributes: {}
  # List out the NS records for zones hosted within this pool
  # This should be a record that is created outside of designate, that
  # points to the public IP of the controller node.
  ns_records:
    - hostname: {{Controller_FQDN}}. # This is mDNS
      priority: 1
  # List out the nameservers for this pool. These are the actual BIND servers.
  # We use these to verify changes have propagated to all nameservers.
  nameservers:
    - host: {{ DNS_SERVER_IP }}
      port: 53
  # List out the targets for this pool. For BIND there will be one
  # entry for each BIND server, as we have to run rndc command on each server
  targets:
    - type: bind9
      description: BIND9 Server 1
      # List out the designate-mdns servers from which BIND servers should
      # request zone transfers (AXFRs) from.
      # This should be the IP of the controller node.
      # If you have multiple controllers you can add multiple masters
      # by running designate-mdns on them, and adding them here.
      masters:
        - host: {{ CONTROLLER_SERVER_IP }}
          port: 5354
      # BIND Configuration options
      options:
        host: {{ DNS_SERVER_IP }}
        port: 53
        rndc_host: {{ DNS_SERVER_IP }}
        rndc_port: 953
        rndc_key_file: /etc/rndc.key
        rndc_config_file: /etc/rndc.conf
- Populate Designate's pools:
su -s /bin/sh -c "designate-manage pool update" designate
- Start the Designate central and API services:
systemctl enable --now designate-central designate-api
- Verify that Designate's services are up:
# openstack dns service list
+--------------+--------+-------+--------------+
| service_name | status | stats | capabilities |
+--------------+--------+-------+--------------+
| central | UP | - | - |
| api | UP | - | - |
| mdns | UP | - | - |
| worker | UP | - | - |
| producer | UP | - | - |
+--------------+--------+-------+--------------+
Configure OpenStack Neutron with external DNS
- Configure iptables for the Designate service:
# iptables -I INPUT -p tcp -m multiport --dports 9001 -m comment --comment "designate incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 5354 -m comment --comment "Designate mdns incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 53 -m comment --comment "bind incoming" -j ACCEPT
# iptables -I INPUT -p udp -m multiport --dports 53 -m comment --comment "bind/powerdns incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 953 -m comment --comment "rndc incoming - bind only" -j ACCEPT
# service iptables save; service iptables restart
# setsebool named_write_master_zones 1
- Edit the [default] section of /etc/neutron/neutron.conf:
external_dns_driver = designate
- Add a [designate] section to /etc/neutron/neutron.conf:
[designate]
url = http://{{ CONTROLLER_SERVER_IP }}:9001/v2 ## This end point of designate
auth_type = password
auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000
username = designate
password = rhlab123
project_name = services
project_domain_name = Default
user_domain_name = Default
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116
- Edit dns_domain in neutron.conf:
dns_domain = rhlab.dev.
# systemctl restart neutron-*
- Add dns to the list of Modular Layer 2 (ML2) extension drivers in /etc/neutron/plugins/ml2/ml2_conf.ini:
extension_drivers=port_security,qos,dns
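Several values have to agree across the two files edited above: the Keystone credentials in designate.conf's [keystone_authtoken] and neutron.conf's [designate], the /v2 API URL, the fully qualified dns_domain, and the PTR prefix sizes. As an added example, not code from the article or from the Designate or Neutron projects, the Python script below loads both files with the standard-library configparser and reports inconsistencies before the services are restarted. The embedded configs are constructed to mirror this page, with 192.0.2.10 standing in for CONTROLLER_SERVER_IP; the PTR prefix constraints it enforces (IPv4 one of 8, 16 or 24; IPv6 a multiple of 4 from 4 to 124) are the ranges Neutron documents for its designate driver.

```python
"""Cross-check designate.conf against neutron.conf before restarting services.
Added example; not part of the original article or of either project.
Section and option names are the ones used in this article; the sample file
contents are constructed, with 192.0.2.10 standing in for the controller."""
import configparser

# Constructed designate.conf fragment matching the article's sections.
DESIGNATE_CONF = """
[service:api]
listen = 0.0.0.0:9001
auth_strategy = keystone
api_base_uri = http://192.0.2.10:9001/
enable_api_v2 = True
enabled_extensions_v2 = quotas, reports

[keystone_authtoken]
auth_type = password
username = designate
password = rhlab123
project_name = services
project_domain_name = Default
user_domain_name = Default
www_authenticate_uri = http://192.0.2.10:5000/
auth_url = http://192.0.2.10:5000/

[service:worker]
enabled = True
notify = True

[storage:sqlalchemy]
connection = mysql+pymysql://designate:rhlab123@192.0.2.10/designate
"""

# Constructed neutron.conf fragment matching the article's sections.
NEUTRON_CONF = """
[DEFAULT]
external_dns_driver = designate
dns_domain = rhlab.dev.

[designate]
url = http://192.0.2.10:9001/v2
auth_type = password
auth_url = http://192.0.2.10:5000
username = designate
password = rhlab123
project_name = services
project_domain_name = Default
user_domain_name = Default
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116
"""

# Credential options that must be identical in both files.
SHARED_KEYS = ('username', 'password', 'project_name',
               'project_domain_name', 'user_domain_name')


def _load(text):
    """Parse an oslo.config style INI file; '%' has no special meaning here."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_configs(designate_text, neutron_text):
    """Return a list of findings; an empty list means the files are consistent."""
    d, n = _load(designate_text), _load(neutron_text)
    findings = []
    if d.get('service:api', 'auth_strategy', fallback='') != 'keystone':
        findings.append('designate.conf [service:api] auth_strategy must be keystone, otherwise the API is unauthenticated')
    if not d.getboolean('service:worker', 'enabled', fallback=False):
        findings.append('designate.conf [service:worker] enabled is not True; zones will never reach bind')
    conn = d.get('storage:sqlalchemy', 'connection', fallback='')
    if not conn.startswith('mysql+pymysql://'):
        findings.append('designate.conf [storage:sqlalchemy] connection does not use the mysql+pymysql driver')
    if n.get('DEFAULT', 'external_dns_driver', fallback='') != 'designate':
        findings.append('neutron.conf [DEFAULT] external_dns_driver is not designate')
    if not n.get('DEFAULT', 'dns_domain', fallback='').endswith('.'):
        findings.append('neutron.conf dns_domain must be fully qualified (trailing dot)')
    url = n.get('designate', 'url', fallback='')
    if not url.rstrip('/').endswith('/v2'):
        findings.append('neutron.conf [designate] url must point at the Designate v2 API (ends in /v2)')
    for key in SHARED_KEYS:
        if d.get('keystone_authtoken', key, fallback=None) != n.get('designate', key, fallback=None):
            findings.append(f'{key} differs between designate.conf [keystone_authtoken] and neutron.conf [designate]')
    v4 = n.getint('designate', 'ipv4_ptr_zone_prefix_size', fallback=0)
    if v4 not in (8, 16, 24):
        findings.append(f'ipv4_ptr_zone_prefix_size={v4}; Neutron accepts 8, 16 or 24')
    v6 = n.getint('designate', 'ipv6_ptr_zone_prefix_size', fallback=0)
    if v6 % 4 or not 4 <= v6 <= 124:
        findings.append(f'ipv6_ptr_zone_prefix_size={v6}; Neutron accepts multiples of 4 from 4 to 124')
    return findings


if __name__ == '__main__':
    for line in audit_configs(DESIGNATE_CONF, NEUTRON_CONF) or ['no findings']:
        print(line)
```

Pointed at the real files (read /etc/designate/designate.conf and /etc/neutron/neutron.conf into the two arguments), the check reports any option that differs between the two credential sections. Run against the fragments on this page as written, it flags project_name, which is spelled "service" in designate.conf but "services" in neutron.conf and in the role-add command; pick one project name and use it in both places.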
- Add a zone in Designate:
# openstack zone create --email=admin@rhlab.dev rhlab.dev.
- Add a new record in the rhlab.dev zone:
# openstack recordset create --record '192.168.1.230' --type A rhlab.dev. Test
Designate should now be installed and configured.
Translated from: https://opensource.com/article/19/4/getting-started-openstack-designate