Chapter 2. Installing DNSaaS for High Availability
This chapter describes how to install DNSaaS (designate) in a high availability configuration. In this configuration the DNSaaS service is installed on a primary node, and its configuration is replicated to secondary nodes. High availability is provided by redis (with redis-sentinel), allowing a secondary node to take over in the event of a failure on the primary node. Note that memcached is not supported as the high availability back end.
DNS-as-a-Service (DNSaaS), also known as Designate, is available in this release as a Technology Preview, and therefore is not fully supported by Red Hat. If you are interested in running DNSaaS in your production environment, please file a support ticket and mention the bug tracker BZ#1374002, so we can gauge the interest for this tool. For more information about Technology Preview features, see https://access.redhat.com/support/offerings/techpreview.
2.1. Install the DNS service
This section describes how to install the required DNS service. This can be a standalone server or co-located on an OpenStack controller:
#!/bin/bash
# Install BIND and prepare it to accept zones and updates from designate
yum install -y bind bind-utils
# Listen on port 53 on all interfaces
sed -i -e "s/listen-on port.*/listen-on port 53 { any; };/" /etc/named.conf
# Load the rndc key and open the rndc control channel (port 953) on all
# interfaces; a client must still present rndc-key to be accepted
sed -i '/^options.*/i include "/etc/rndc.key"; controls { inet * allow { any; } keys { "rndc-key"; }; };' /etc/named.conf
# Replace the default allow-query with one that answers every client, and
# allow designate to add zones dynamically
sed -i '/allow-query.*/d' /etc/named.conf
sed -i '/^options.*/a allow-new-zones yes; allow-query { any; };' /etc/named.conf
# Generate /etc/rndc.key
rndc-confgen -a
# Let named write zone files; -P keeps the SELinux boolean across reboots
chmod g+w /var/named
setsebool -P named_write_master_zones 1
systemctl enable named
systemctl start named
Two settings in this script are deliberately wide open so that the procedure works on any topology. The controls clause accepts rndc connections from any address that presents rndc-key; once the designate nodes are known, narrow allow { any; } to their addresses or restrict port 953 with the firewall. Likewise, if recursion is left enabled in named.conf, allow-query { any; } also makes this server an open resolver for every client that can reach it; for a server that only publishes designate zones, set recursion no; in the options block.
2.2. Configure DNSaaS on the primary node
This section describes how to install and configure DNSaaS. Perform these steps on the primary (master) node:
Install the DNSaaS packages:
yum install -y openstack-designate-api openstack-designate-central openstack-designate-sink openstack-designate-pool-manager openstack-designate-mdns openstack-designate-common python-designate python-designateclient openstack-designate-agent openstack-utils bind bind-utils python-redis
Disable the named service:
systemctl disable named
Source your openstackrc file, as the following steps interact with OpenStack services. To ease the deployment process, this guide relies on a number of variables; you will need to populate the values accordingly:
CONTROLLER_IP_ADDRESS=192.168.2.1
ZONE_NAME=testzone.example.com
INTERNAL_NET_NAME=net_internal
INSTANCES_PROJECT_NAME=myinstancesproject
SERVICES_PROJECT_NAME=service
DESIGNATE_PASSWORD=SecureDesignatePassword
EXTERNAL_DNS_SERVER_IP=$CONTROLLER_IP_ADDRESS
EXTERNAL_DNS_SERVER_FQDN=`hostname`
DESIGNATE_VIP_IP=$CONTROLLER_IP_ADDRESS
RABBIT_SERVER_IP=$CONTROLLER_IP_ADDRESS
REDIS_SERVER_IP=$CONTROLLER_IP_ADDRESS
MYSQL_SERVER_IP=$CONTROLLER_IP_ADDRESS
KEYSTONE_SERVER_IP=$CONTROLLER_IP_ADDRESS
DESIGNATE_SERVER_1=$CONTROLLER_IP_ADDRESS
SERVICES_TENANT_ID=`openstack project show $SERVICES_PROJECT_NAME -f value -c id`
INSTANCES_TENANT_ID=`openstack project show $INSTANCES_PROJECT_NAME -f value -c id`
DEFAULT_NAMESERVER_ID=$(uuidgen)
DEFAULT_TARGET_ID=$(uuidgen)
INTERNAL_NET_ID=`openstack network show $INTERNAL_NET_NAME -f value -c id`
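Every crudini and openstack command that follows expands these variables, and crudini writes an empty value without complaint, so a typo in a project or network name (or a failed openstack ... show, which leaves the id variable holding error text or nothing) surfaces only later as a half-configured designate.conf. The shell functions below are an added example and not part of the Red Hat guide: they check that each name from the list above is set and non-empty, and that the three ids obtained from openstack ... show have the shape of an id. The variable list is copied from the block above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): preflight check for the
# deployment variables used in the rest of this chapter.

# require_vars NAME... : prints each unset or empty name to stderr and
# returns the number of names that failed (0 means all are populated).
require_vars() {
    missing=0
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "unset or empty: $name" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# looks_like_uuid VALUE : returns 0 if VALUE has the 8-4-4-4-12 hex shape
# that "openstack ... -f value -c id" prints, 1 otherwise (an error message
# captured into the variable by mistake fails this test).
looks_like_uuid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Names from the variable block of this section (copied, not invented).
DESIGNATE_VARS="CONTROLLER_IP_ADDRESS ZONE_NAME INTERNAL_NET_NAME \
INSTANCES_PROJECT_NAME SERVICES_PROJECT_NAME DESIGNATE_PASSWORD \
EXTERNAL_DNS_SERVER_IP EXTERNAL_DNS_SERVER_FQDN DESIGNATE_VIP_IP \
RABBIT_SERVER_IP REDIS_SERVER_IP MYSQL_SERVER_IP KEYSTONE_SERVER_IP \
DESIGNATE_SERVER_1 SERVICES_TENANT_ID INSTANCES_TENANT_ID \
DEFAULT_NAMESERVER_ID DEFAULT_TARGET_ID INTERNAL_NET_ID"

# preflight : all names populated, and the ids that come from
# "openstack ... show" really look like ids. Run it right after sourcing
# openstackrc and setting the variables, before the first crudini call.
preflight() {
    # shellcheck disable=SC2086
    require_vars $DESIGNATE_VARS || return 1
    for name in SERVICES_TENANT_ID INSTANCES_TENANT_ID INTERNAL_NET_ID; do
        eval "value=\${$name:-}"
        looks_like_uuid "$value" || { echo "not an id: $name=$value" >&2; return 1; }
    done
    return 0
}
```

Source the file into the same SSH session that holds the variables (the guide's note at the end of this section applies here too) and run preflight; a non-zero exit means stop and fix the listed names before continuing.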
Configure redis-sentinel:
1. Ensure the /etc/redis.conf file contains a bind clause pointing to the external IP address.
2. Edit /etc/redis-sentinel.conf and change the localhost IP address to the primary controller public IP address. Remember to do this on each participating controller, and specify the same IP address in every redis-sentinel node:
sed -i "s/sentinel monitor mymaster 127.0.0.1 6379 2/sentinel monitor mymaster $REDIS_SERVER_IP 6379 2/g" /etc/redis-sentinel.conf
3. Enable and start the redis and redis-sentinel services:
systemctl enable redis redis-sentinel
systemctl start redis redis-sentinel
4. Copy /etc/redis-sentinel.conf to the other OpenStack controllers that run redis and repeat step 3.
Export the redis-sentinel cluster name:
REDIS_SENTINEL_NAME=`grep -v '#' /etc/redis-sentinel.conf | grep "sentinel monitor" | awk '{print $3}'`
Create the backend database:
mysql -u root << EOF
CREATE DATABASE designate;
GRANT ALL ON designate.* TO 'designate'@'%' IDENTIFIED BY '$DESIGNATE_PASSWORD';
GRANT ALL ON designate.* TO 'designate'@'localhost' IDENTIFIED BY '$DESIGNATE_PASSWORD';
CREATE DATABASE designate_pool_manager;
GRANT ALL ON designate_pool_manager.* TO 'designate'@'%' IDENTIFIED BY '$DESIGNATE_PASSWORD';
GRANT ALL ON designate_pool_manager.* TO 'designate'@'localhost' IDENTIFIED BY '$DESIGNATE_PASSWORD';
FLUSH PRIVILEGES;
quit
EOF
Create the DNSaaS service account in keystone:
openstack user create designate --password $DESIGNATE_PASSWORD --email designate@localhost
Add the DNSaaS account to the service project:
openstack role add --project $SERVICES_TENANT_ID --user designate admin
Create the DNSaaS service:
openstack service create dns --name designate --description "Designate DNS Service"
Create the DNSaaS endpoint:
openstack endpoint create --region RegionOne --publicurl http://$DESIGNATE_VIP_IP:9001 --internalurl http://$DESIGNATE_VIP_IP:9001 --adminurl http://$DESIGNATE_VIP_IP:9001 designate
Add the keystone token settings to the DNSaaS configuration:
crudini --set /etc/designate/designate.conf keystone_authtoken auth_uri http://$KEYSTONE_SERVER_IP:5000/v2.0
crudini --set /etc/designate/designate.conf keystone_authtoken identity_uri http://$KEYSTONE_SERVER_IP:35357/
crudini --set /etc/designate/designate.conf keystone_authtoken admin_tenant_name $SERVICES_PROJECT_NAME
crudini --set /etc/designate/designate.conf keystone_authtoken project_name $SERVICES_PROJECT_NAME
crudini --set /etc/designate/designate.conf keystone_authtoken admin_user designate
crudini --set /etc/designate/designate.conf keystone_authtoken admin_password $DESIGNATE_PASSWORD
Configure the API extensions for DNSaaS:
crudini --set /etc/designate/designate.conf service:api enabled_extensions_v1 "diagnostics, quotas, reports, sync, touch"
crudini --set /etc/designate/designate.conf service:api enabled_extensions_v2 "quotas, reports"
Configure DNSaaS to integrate with the Instances project:
crudini --set /etc/designate/designate.conf service:central managed_resource_tenant_id $INSTANCES_TENANT_ID
Add the connection to the backend database:
crudini --set /etc/designate/designate.conf storage:sqlalchemy connection mysql+pymysql://designate:$DESIGNATE_PASSWORD@$MYSQL_SERVER_IP/designate
crudini --set /etc/designate/designate.conf pool_manager_cache:sqlalchemy connection mysql+pymysql://designate:$DESIGNATE_PASSWORD@$MYSQL_SERVER_IP/designate_pool_manager
Add the messaging endpoint:
crudini --set /etc/designate/designate.conf oslo_messaging_rabbit rabbit_hosts $RABBIT_SERVER_IP:5672
Add the redis-sentinel connection (the URL is quoted so that the shell does not treat the ? as a glob):
crudini --set /etc/designate/designate.conf coordination backend_url "redis://$REDIS_SERVER_IP:26379?sentinel=$REDIS_SENTINEL_NAME"
Populate and prepare the Designate MySQL database:
su -s /bin/sh -c "designate-manage database sync" designate
su -s /bin/sh -c "designate-manage pool-manager-cache sync" designate
Enable and start only the central and api designate services:
systemctl enable designate-central designate-api
systemctl start designate-central designate-api
Create the following file as /etc/designate/pools.yaml. Remember that you need to change the variables EXTERNAL_DNS_SERVER_FQDN, EXTERNAL_DNS_SERVER_IP and DESIGNATE_SERVER_1: the file is read as YAML, so write the actual values rather than the shell variable names. There are provisions for additional DNS servers, if needed:
- name: default
  description: Default BIND9 Pool
  attributes:
    external: true
  ns_records:
    - hostname: $EXTERNAL_DNS_SERVER_FQDN.
      priority: 1
  nameservers:
    - host: $EXTERNAL_DNS_SERVER_IP
      port: 53
  targets:
    - type: bind9
      description: BIND9 Server 1
      masters:
        - host: $DESIGNATE_SERVER_1
          port: 5354
        - host: $DESIGNATE_SERVER_2
          port: 5354
        - host: $DESIGNATE_SERVER_3
          port: 5354
      options:
        host: $EXTERNAL_DNS_SERVER_IP
        port: 53
        rndc_host: $EXTERNAL_DNS_SERVER_IP
        rndc_port: 953
        rndc_key_file: /etc/designate/rndc.key
Copy /etc/rndc.key to /etc/designate/rndc.key. Remember to set permissions accordingly:
chown designate:designate /etc/designate/rndc.key
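Whoever can read /etc/designate/rndc.key can drive rndc against the name server through the control channel opened in section 2.1, so the copied key should be owned by designate and readable by nobody else. The function below is an added example, not part of the Red Hat guide: it checks a key file's owner, group and mode and fails on anything other than 0400 or 0600. The path and the designate:designate ownership are the ones the step above uses; the function name and the use of GNU stat are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): verify that a copied rndc key
# file is owned by the expected user and group and is not group- or
# world-readable.
#
# check_key_file PATH USER GROUP : returns 0 when the file exists, is owned
# by USER:GROUP and has mode 0400 or 0600; otherwise prints what is wrong
# to stderr and returns 1.
check_key_file() {
    key_path=$1
    want_user=$2
    want_group=$3

    if [ ! -f "$key_path" ]; then
        echo "missing: $key_path" >&2
        return 1
    fi

    # GNU stat: octal mode, owner name, group name
    set -- $(stat -c '%a %U %G' "$key_path")
    mode=$1
    owner=$2
    group=$3

    rc=0
    if [ "$owner" != "$want_user" ] || [ "$group" != "$want_group" ]; then
        echo "$key_path is owned by $owner:$group, expected $want_user:$want_group" >&2
        rc=1
    fi
    # Only the owner may read the key: group and world bits must be zero.
    case "$mode" in
        400|600) ;;
        *)
            echo "$key_path has mode $mode, expected 0400 or 0600" >&2
            rc=1
            ;;
    esac
    return $rc
}

# Usage on a designate node, after the chown step above:
#   chmod 600 /etc/designate/rndc.key
#   check_key_file /etc/designate/rndc.key designate designate
```

rndc-confgen -a creates /etc/rndc.key for the named user, so the copy in /etc/designate is a second, separately owned copy; run the check on both files if both are kept.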
Load the above YAML file into the DNSaaS runtime configuration:
su -s /bin/sh -c "designate-manage pool update" designate
Start the remaining DNSaaS services:
systemctl enable designate-pool-manager designate-mdns designate-sink
systemctl start designate-pool-manager designate-mdns designate-sink
NOTE: Do not close your SSH session, as you will need the populated variables in the following sections.
2.3. Add secondary nodes
You can add secondary nodes that will participate in the redis cluster. Perform these steps on the secondary nodes:
Install the DNSaaS packages.
yum install -y openstack-designate-api openstack-designate-central openstack-designate-sink openstack-designate-pool-manager openstack-designate-mdns openstack-designate-common python-designate python-designateclient openstack-designate-agent openstack-utils bind bind-utils python-redis
Disable the named service:
systemctl disable named
Configure redis-sentinel:
1. Ensure that in /etc/redis.conf the bind clause points to this controller's external IP address.
2. Copy the redis-sentinel configuration from your master node. Leave the IP address unchanged:
scp designate-1:/etc/redis-sentinel.conf /etc
3. Enable and start the redis and redis-sentinel services:
systemctl enable redis redis-sentinel
systemctl start redis redis-sentinel
4. Repeat steps 1 to 3 for each controller that is running redis.
Test the redis-sentinel functionality:
redis-cli -h <PRIMARY CONTROLLER IP ADDRESS> -p 26379
192.168.122.10:26379> sentinel master mymaster
 1) "name"
 2) "mymaster"
 3) "ip"
 4) "192.168.122.10"
 5) "port"
 6) "6379"
 7) "runid"
 8) "1865a0b3b237d20954a4e5fae14c6c7c932b0cf5"
 9) "flags"
10) "master"
11) "link-pending-commands"
12) "0"
13) "link-refcount"
14) "1"
15) "last-ping-sent"
16) "0"
17) "last-ok-ping-reply"
18) "459"
19) "last-ping-reply"
20) "459"
21) "down-after-milliseconds"
22) "30000"
23) "info-refresh"
24) "7024"
25) "role-reported"
26) "master"
27) "role-reported-time"
28) "509706"
29) "config-epoch"
30) "0"
31) "num-slaves"
32) "1"
33) "num-other-sentinels"
34) "0"
35) "quorum"
36) "2"
37) "failover-timeout"
38) "180000"
39) "parallel-syncs"
40) "1"
192.168.122.10:26379>
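Three fields in that listing decide whether a failover can actually happen: flags must be exactly master (s_down or o_down appended to it means the sentinel already considers the node down), num-slaves must be at least 1 (otherwise there is nothing to promote), and the number of sentinels this one knows about (num-other-sentinels plus itself) must be at least quorum. In the output above num-other-sentinels is 0 while quorum is 2, which is what you see while only the first sentinel is running; a cluster left in that state can never vote a failover through. The shell function below is an added example, not part of the Red Hat guide: it reads the key/value listing printed by redis-cli (as above, or piped in from a non-interactive run) and fails on any of those three conditions. The two sample listings are constructed for the test and shortened to the fields the check uses.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): sanity-check the output of
#   redis-cli -h <sentinel host> -p 26379 sentinel master mymaster
# read from stdin. Exit status 0 means the monitored node reports itself as
# master, has a replica, and enough sentinels are known to reach quorum.
sentinel_master_check() {
    awk '
        # Only the "N) ..." lines carry data; prompt lines are skipped.
        /^ *[0-9]+\) / {
            sub(/^ *[0-9]+\) /, "")   # drop the "N) " prefix
            gsub(/"/, "")              # drop the quotes
            n++
            if (n % 2 == 1) key = $0; else kv[key] = $0
        }
        END {
            rc = 0
            if (kv["flags"] != "master") {
                print "flags=" kv["flags"] " (expected exactly master)"; rc = 1
            }
            if (kv["num-slaves"] + 0 < 1) {
                print "no replica attached to the master"; rc = 1
            }
            known = kv["num-other-sentinels"] + 1
            if (known < kv["quorum"] + 0) {
                print "only " known " sentinel(s) known, quorum is " kv["quorum"]; rc = 1
            }
            if (rc == 0) print "master " kv["ip"] ":" kv["port"] " ok"
            exit rc
        }'
}

# Constructed sample (not captured from a real cluster): two other sentinels
# known, one replica attached, quorum 2.
sample_healthy() {
cat <<'EOF'
192.0.2.10:26379> sentinel master mymaster
 1) "name"
 2) "mymaster"
 3) "ip"
 4) "192.0.2.10"
 5) "port"
 6) "6379"
 7) "flags"
 8) "master"
 9) "num-slaves"
10) "1"
11) "num-other-sentinels"
12) "2"
13) "quorum"
14) "2"
EOF
}

# Constructed sample mirroring the state shown in the guide: one replica,
# but no other sentinel known yet, so quorum 2 cannot be reached.
sample_lone_sentinel() {
cat <<'EOF'
 1) "name"
 2) "mymaster"
 3) "ip"
 4) "192.0.2.10"
 5) "port"
 6) "6379"
 7) "flags"
 8) "master"
 9) "num-slaves"
10) "1"
11) "num-other-sentinels"
12) "0"
13) "quorum"
14) "2"
EOF
}

# Usage against a live sentinel:
#   redis-cli -h <PRIMARY CONTROLLER IP ADDRESS> -p 26379 sentinel master mymaster | sentinel_master_check
```

Run it once on every controller after the last sentinel has been started; until then the quorum check is expected to fail, exactly as the guide's own listing would.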
Copy your DNSaaS configuration from your master node:
scp designate-1:/etc/designate/* /etc/designate
Start only the services that are needed. NOTE: Do not start the pool-manager service (the pool agent) on the standby nodes.
systemctl enable designate-api designate-central designate-mdns designate-sink
systemctl start designate-api designate-central designate-mdns designate-sink
2.4. Configure neutron integration
Perform this procedure on the primary node.
Create the DNS zone:
ZONE_ID=`openstack zone create --email admin@$ZONE_NAME $ZONE_NAME. -f value -c id`
crudini --set /etc/designate/designate.conf handler:nova_fixed domain_id $ZONE_ID
crudini --set /etc/designate/designate.conf handler:neutron_floatingip domain_id $ZONE_ID
Copy the configuration to the remaining designate cluster members. For example:
scp /etc/designate/* designate-2:/etc/designate
scp /etc/designate/* designate-3:/etc/designate
For the primary node only, restart the designate services:
for i in api central mdns pool-manager sink ; do
    systemctl restart designate-$i
done
On the remaining nodes, restart the designate services:
for i in api central mdns sink ; do
    systemctl restart designate-$i
done
On the primary node, configure the neutron integration:
crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 extension_drivers port_security,dns
crudini --set /etc/neutron/neutron.conf DEFAULT dns_domain $ZONE_NAME.
crudini --set /etc/neutron/neutron.conf DEFAULT external_dns_driver designate
crudini --set /etc/neutron/neutron.conf designate url http://$DESIGNATE_VIP_IP:9001/v2
crudini --set /etc/neutron/neutron.conf designate admin_auth_url http://$DESIGNATE_VIP_IP:35357/v2.0
crudini --set /etc/neutron/neutron.conf designate admin_username designate
crudini --set /etc/neutron/neutron.conf designate admin_password $DESIGNATE_PASSWORD
crudini --set /etc/neutron/neutron.conf designate admin_tenant_name $SERVICES_PROJECT_NAME
crudini --set /etc/neutron/neutron.conf designate allow_reverse_dns_lookup True
crudini --set /etc/neutron/neutron.conf designate ipv4_ptr_zone_prefix_size 24
crudini --set /etc/neutron/neutron.conf designate ipv6_ptr_zone_prefix_size 116
crudini --set /etc/neutron/neutron.conf designate insecure true
The insecure setting tells neutron to skip TLS certificate verification when it calls the designate API. It has no effect on the plain http URL configured here, but if the endpoint is later moved to https, set it back to false so that the certificate is checked.
Copy the /etc/neutron/plugins/ml2/ml2_conf.ini and /etc/neutron/neutron.conf configuration to the other participating controllers. Once the files have finished copying, restart the neutron service:
openstack-service restart neutron
Make the neutron service aware that all instances within the internal network are now part of the DNS domain managed by designate:
neutron net-update $INTERNAL_NET_ID --dns_domain $ZONE_NAME.
