Learn how to install and configure multi-tenant DNS-as-a-Service (DNSaaS) for OpenStack.
The service includes a REST API for domain and record management, a framework for integration with Neutron, and integration support for Bind9.
DNSaaS gives you:
1. A canonical REST API for managing zones and records
2. Automatically generated records (using the OpenStack integration)
3. Support for multiple authoritative name servers
4. Hosting of multiple projects/organizations
This article explains how to manually install and configure the latest release of the Designate service on CentOS or Red Hat Enterprise Linux 7 (RHEL 7), but the same installation and configuration can be done on other distributions.
Install Designate on OpenStack
I have put together some Ansible roles for bind and designate in my GitHub repository to demonstrate the setup. This setup assumes the bind service is external to the OpenStack controller node (even though you can install bind locally).
Step 1: Install Designate and Bind on the OpenStack controller:
# yum install openstack-designate-* bind bind-utils -y
Step 2: Create the Designate database and user:
MariaDB [(none)]> CREATE DATABASE designate CHARACTER SET utf8 COLLATE utf8_general_ci;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'localhost' IDENTIFIED BY 'rhlab123';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'%' IDENTIFIED BY 'rhlab123';
Note: For Remote Name Daemon Control (RNDC) to work, the Bind packages must be installed on the controller side.
Configure bind (the DNS server)
Step 1: Create the RNDC key and configuration file:
rndc-confgen -a -k designate -c /etc/rndc.key -r /dev/urandom
cat <<EOF> /etc/rndc.conf
include "/etc/rndc.key";
options {
  default-key "designate";
  default-server {{ DNS_SERVER_IP }};
  default-port 953;
};
EOF
Step 2: Add the following to named.conf:
include "/etc/rndc.key";
controls {
  inet {{ DNS_SERVER_IP }} allow { localhost; {{ CONTROLLER_SERVER_IP }}; } keys { "designate"; };
};
In the options section, add:
options {
  ...
  allow-new-zones yes;
  request-ixfr no;
  listen-on port 53 { any; };
  recursion no;
  allow-query { 127.0.0.1; {{ CONTROLLER_SERVER_IP }}; };
};
Set the right permissions:
chown named:named /etc/rndc.key
chown named:named /etc/rndc.conf
chmod 600 /etc/rndc.key
chown -v root:named /etc/named.conf
chmod g+w /var/named
systemctl restart named
setsebool named_write_master_zones 1
Step 3: Push rndc.key and rndc.conf to the OpenStack controller:
# scp -r /etc/rndc* {{ CONTROLLER_SERVER_IP }}:/etc/
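As an added example (not from the original article and not Designate or BIND code), here is a small Python checker for the two things in this section that most often go wrong on a server that already had a named.conf: the options and controls directives (recursion off, allow-query restricted, the rndc control channel bound to the DNS server address and limited to the controller and the "designate" key, allow-new-zones so Designate can add zones through rndc) and the 600 mode on rndc.key. The two sample configurations, and the addresses 10.0.0.10 and 10.0.0.5 standing in for {{ DNS_SERVER_IP }} and {{ CONTROLLER_SERVER_IP }}, are constructed for the example.

```python
import re
import stat

# Constructed sample: the named.conf fragments from this section, with 10.0.0.10
# standing in for {{ DNS_SERVER_IP }} and 10.0.0.5 for {{ CONTROLLER_SERVER_IP }}.
HARDENED_NAMED_CONF = """
include "/etc/rndc.key";
controls {
  inet 10.0.0.10 allow { localhost; 10.0.0.5; } keys { "designate"; };
};
options {
  allow-new-zones yes;
  request-ixfr no;
  listen-on port 53 { any; };
  recursion no;
  allow-query { 127.0.0.1; 10.0.0.5; };
};
"""

# Constructed sample: a resolver-style config with an open control channel,
# written so the checker has something to flag.
WEAK_NAMED_CONF = """
options {
  listen-on port 53 { any; };
  recursion yes;   // resolves for anyone who can reach port 53
  allow-query { any; };
};
controls {
  inet * allow { any; } keys { "rndc-key"; };
};
"""

def _word(name):
    # named.conf keywords contain '-', so \b alone would split 'allow-query'
    return r'(?<![\w-])' + re.escape(name) + r'(?![\w-])'

def strip_comments(text):
    """Drop //, # and /* */ comments so they can neither hide nor fake a directive."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def extract_block(text, name):
    """Body of the first `name ... { ... }` block, found by brace counting because
    address lists nest braces inside options and controls. '' when absent."""
    m = re.search(_word(name) + r'[^{;]*\{', text)
    if not m:
        return ''
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start:i]
    return ''

def scalar(block, key):
    """Value of a `key value;` directive ('' when absent)."""
    m = re.search(_word(key) + r'\s+([^;{]+);', block)
    return m.group(1).strip() if m else ''

def address_list(block, key):
    """Entries of a `key { a; b; };` address match list."""
    return [e.strip() for e in extract_block(block, key).split(';') if e.strip()]

def lint_named_conf(text, controller_ip):
    """Findings for one named.conf; an empty list means it matches this section."""
    text = strip_comments(text)
    findings = []
    opts = extract_block(text, 'options')
    if not opts:
        return ['options block missing']
    if scalar(opts, 'recursion') != 'no':
        findings.append('recursion is not "no": an authoritative server should not resolve for clients')
    if scalar(opts, 'allow-new-zones') != 'yes':
        findings.append('allow-new-zones yes is missing: Designate adds zones through rndc')
    queries = address_list(opts, 'allow-query')
    if not queries or 'any' in queries:
        findings.append('allow-query is unrestricted; this section limits it to 127.0.0.1 and the controller')
    ctrl = extract_block(text, 'controls')
    if not ctrl:
        return findings + ['controls block missing: rndc from the controller cannot work']
    inet = re.search(r'inet\s+(\S+)', ctrl)
    if not inet or inet.group(1) == '*':
        findings.append('controls inet should bind the DNS server address, not every interface (*)')
    allowed = address_list(ctrl, 'allow')
    if 'any' in allowed:
        findings.append('controls allow { any; } exposes the rndc port to every host')
    elif controller_ip not in allowed:
        findings.append(f'controller {controller_ip} is not in the controls allow list')
    if '"designate"' not in address_list(ctrl, 'keys'):
        findings.append('controls does not reference the "designate" rndc key')
    return findings

def key_file_is_private(mode):
    """True when group and other have no permission bits, i.e. the chmod 600 above held."""
    return stat.S_IMODE(mode) & 0o077 == 0
```

Against a live server, call lint_named_conf(open('/etc/named.conf').read(), controller_ip) after editing named.conf, and key_file_is_private(os.stat('/etc/rndc.key').st_mode) on both hosts after the scp step. A recursion yes or an allow { any; } left over from a stock resolver configuration then shows up as a finding instead of as an open resolver or an rndc port reachable from every host.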
Create the OpenStack Designate service and endpoints
Enter:
# openstack user create --domain default --password-prompt designate
openstack role add --project services --user designate admin
openstack service create --name designate --description "DNS" dns
openstack endpoint create --region RegionOne dns public http://{{ CONTROLLER_SERVER_IP }}:9001/
openstack endpoint create --region RegionOne dns internal http://{{ CONTROLLER_SERVER_IP }}:9001/
openstack endpoint create --region RegionOne dns admin http://{{ CONTROLLER_SERVER_IP }}:9001/
Configure the Designate service
Step 1: Edit /etc/designate/designate.conf:
In the [service:api] section, configure auth_strategy:
[service:api]
listen = 0.0.0.0:9001
auth_strategy = keystone
api_base_uri = http://{{ CONTROLLER_SERVER_IP }}:9001/
enable_api_v2 = True
enabled_extensions_v2 = quotas, reports
In the [keystone_authtoken] section, configure the following options:
[keystone_authtoken]
auth_type = password
username = designate
password = rhlab123
project_name = service
project_domain_name = Default
user_domain_name = Default
www_authenticate_uri = http://{{ CONTROLLER_SERVER_IP }}:5000/
auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000/
In the [service:worker] section, enable the worker model:
[service:worker]
enabled = True
notify = True
In the [storage:sqlalchemy] section, configure database access:
[storage:sqlalchemy]
connection = mysql+pymysql://designate:rhlab123@{{ CONTROLLER_SERVER_IP }}/designate
Populate the Designate database:
# su -s /bin/sh -c "designate-manage database sync" designate
Step 2: Create Designate's pools.yaml file (with the target and bind details):
Edit /etc/designate/pools.yaml:
- name: default
  # The name is immutable. There will be no option to change the name after
  # creation and the only way to change it will be to delete it
  # (and all zones associated with it) and recreate it.
  description: Default Pool

  attributes: {}

  # List out the NS records for zones hosted within this pool
  # This should be a record that is created outside of designate, that
  # points to the public IP of the controller node.
  ns_records:
    - hostname: {{Controller_FQDN}}. # This is mDNS
      priority: 1

  # List out the nameservers for this pool. These are the actual BIND servers.
  # We use these to verify changes have propagated to all nameservers.
  nameservers:
    - host: {{ DNS_SERVER_IP }}
      port: 53

  # List out the targets for this pool. For BIND there will be one
  # entry for each BIND server, as we have to run rndc command on each server
  targets:
    - type: bind9
      description: BIND9 Server 1

      # List out the designate-mdns servers from which BIND servers should
      # request zone transfers (AXFRs) from.
      # This should be the IP of the controller node.
      # If you have multiple controllers you can add multiple masters
      # by running designate-mdns on them, and adding them here.
      masters:
        - host: {{ CONTROLLER_SERVER_IP }}
          port: 5354

      # BIND Configuration options
      options:
        host: {{ DNS_SERVER_IP }}
        port: 53
        rndc_host: {{ DNS_SERVER_IP }}
        rndc_port: 953
        rndc_key_file: /etc/rndc.key
        rndc_config_file: /etc/rndc.conf
Populate the Designate pool:
# su -s /bin/sh -c "designate-manage pool update" designate
Step 3: Start the Designate central and API services:
# systemctl enable --now designate-central designate-api
Step 4: Verify that the Designate services are running:
# openstack dns service list
+--------------+--------+-------+--------------+
| service_name | status | stats | capabilities |
+--------------+--------+-------+--------------+
| central | UP | - | - |
| api | UP | - | - |
| mdns | UP | - | - |
| worker | UP | - | - |
| producer | UP | - | - |
+--------------+--------+-------+--------------+
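The pools.yaml above ties three lists together: ns_records (the names published in every zone's NS set), nameservers (what Designate polls to confirm a change has propagated) and targets (the BIND servers it drives through rndc, each of which must pull zone transfers from designate-mdns on port 5354, not from another BIND). A mismatch between them, such as a nameserver no target updates or a master that points at BIND's own port 53, is a common reason a zone never leaves PENDING after designate-manage pool update. As an added example (not part of the article or of Designate), here is a consistency check over the parsed pool definition; 10.0.0.10, 10.0.0.5 and ctl.rhlab.dev are constructed stand-ins for {{ DNS_SERVER_IP }}, {{ CONTROLLER_SERVER_IP }} and {{ Controller_FQDN }}, and the dicts are what yaml.safe_load would return for the file.

```python
# Constructed: the pools.yaml above as yaml.safe_load() would return it, with
# 10.0.0.10 for {{ DNS_SERVER_IP }}, 10.0.0.5 for {{ CONTROLLER_SERVER_IP }} and
# ctl.rhlab.dev for {{ Controller_FQDN }} (placeholders, not real hosts).
POOLS = [{
    'name': 'default',
    'description': 'Default Pool',
    'attributes': {},
    'ns_records': [{'hostname': 'ctl.rhlab.dev.', 'priority': 1}],
    'nameservers': [{'host': '10.0.0.10', 'port': 53}],
    'targets': [{
        'type': 'bind9',
        'description': 'BIND9 Server 1',
        'masters': [{'host': '10.0.0.5', 'port': 5354}],
        'options': {'host': '10.0.0.10', 'port': 53,
                    'rndc_host': '10.0.0.10', 'rndc_port': 953,
                    'rndc_key_file': '/etc/rndc.key',
                    'rndc_config_file': '/etc/rndc.conf'},
    }],
}]

# Constructed: three mistakes seen in practice, so the checker has something to flag.
MISCONFIGURED_POOLS = [{
    'name': 'default',
    'ns_records': [{'hostname': 'ctl.rhlab.dev', 'priority': 1}],   # relative name
    'nameservers': [{'host': '10.0.0.10', 'port': 53},
                    {'host': '10.0.0.11', 'port': 53}],             # no target for it
    'targets': [{
        'type': 'bind9',
        'masters': [{'host': '10.0.0.10', 'port': 53}],             # BIND, not mdns
        'options': {'host': '10.0.0.10', 'port': 53,
                    'rndc_host': '10.0.0.10', 'rndc_port': 953,
                    'rndc_key_file': '/etc/rndc.key',
                    'rndc_config_file': '/etc/rndc.conf'},
    }],
}]

MDNS_PORT = 5354  # designate-mdns, the source BIND must pull zone transfers from
REQUIRED_BIND9_OPTIONS = ('host', 'port', 'rndc_host', 'rndc_port',
                          'rndc_key_file', 'rndc_config_file')

def check_pool(pool):
    """Findings for one pool entry; [] means ns_records, nameservers and targets agree."""
    findings = []
    ns_records = pool.get('ns_records') or []
    if not ns_records:
        findings.append('ns_records is empty: new zones would get no NS records')
    for rec in ns_records:
        if not str(rec.get('hostname', '')).endswith('.'):
            findings.append(f"ns_records hostname {rec.get('hostname')!r} must be absolute (trailing dot)")
    nameservers = {(ns['host'], ns.get('port', 53)) for ns in pool.get('nameservers') or []}
    if not nameservers:
        findings.append('nameservers is empty: Designate has nothing to verify propagation against')
    served = set()  # (host, port) pairs some target actually writes zones to
    for idx, target in enumerate(pool.get('targets') or []):
        label = f'targets[{idx}]'
        if target.get('type') != 'bind9':
            findings.append(f"{label}: type {target.get('type')!r} is not the bind9 backend used here")
            continue
        opts = target.get('options') or {}
        missing = [k for k in REQUIRED_BIND9_OPTIONS if k not in opts]
        if missing:
            findings.append(f'{label}: options missing {missing}')
        else:
            served.add((opts['host'], opts['port']))
        masters = target.get('masters') or []
        if not masters:
            findings.append(f'{label}: no masters, so BIND has nowhere to transfer zones from')
        for m in masters:
            if m.get('port') != MDNS_PORT:
                findings.append(f"{label}: master {m.get('host')}:{m.get('port')} should be "
                                f"designate-mdns on port {MDNS_PORT}, not BIND itself")
    for host, port in sorted(nameservers - served):
        findings.append(f'nameserver {host}:{port} is updated by no target, so zones would '
                        'wait forever for propagation to it')
    return findings

def check_pools(pools):
    """Map each pool name to its findings, for files that define several pools."""
    return {p.get('name', f'pool#{i}'): check_pool(p) for i, p in enumerate(pools)}

if __name__ == '__main__':
    print(check_pools(POOLS))
    print(check_pools(MISCONFIGURED_POOLS))
```

To check the real file, load it with yaml.safe_load(open('/etc/designate/pools.yaml')) and pass the result to check_pools before running designate-manage pool update; the function deliberately takes the parsed structure so it can also be pointed at the output of openstack-style tooling that renders the pool from another source.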
Configure OpenStack Neutron with external DNS
Step 1: Configure iptables for the Designate services:
# iptables -I INPUT -p tcp -m multiport --dports 9001 -m comment --comment "designate incoming" -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports 5354 -m comment --comment "Designate mdns incoming" -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports 53 -m comment --comment "bind incoming" -j ACCEPT
iptables -I INPUT -p udp -m multiport --dports 53 -m comment --comment "bind/powerdns incoming" -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports 953 -m comment --comment "rndc incoming - bind only" -j ACCEPT
service iptables save; service iptables restart
setsebool named_write_master_zones 1
Step 2: Edit the [DEFAULT] section of /etc/neutron/neutron.conf:
external_dns_driver = designate
Step 3: Add the [designate] section to /etc/neutron/neutron.conf:
[designate]
# the Designate API v2 endpoint
url = http://{{ CONTROLLER_SERVER_IP }}:9001/v2
auth_type = password
auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000
username = designate
password = rhlab123
project_name = services
project_domain_name = Default
user_domain_name = Default
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116
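allow_reverse_dns_lookup together with the two ptr_zone_prefix_size values decides which reverse zone Neutron looks for when it creates a PTR record for a port's fixed IP: the reverse name of the address, with one label per host octet (32 minus ipv4_ptr_zone_prefix_size bits) or per host nibble (128 minus ipv6_ptr_zone_prefix_size bits) removed from the front. Neutron only accepts octet-aligned IPv4 sizes (8, 16 or 24) and nibble-aligned IPv6 sizes (multiples of 4 from 4 to 124). As an added example, not Neutron's own code, here is a reimplementation of that rule with the values from the section above, so you can see which in-addr.arpa or ip6.arpa zone must exist in Designate for the record to land; the address 192.168.1.230 is the one used in the recordset step below, and test.rhlab.dev. is a constructed port name.

```python
import ipaddress

# Values from the [designate] section above.
IPV4_PTR_ZONE_PREFIX_SIZE = 24
IPV6_PTR_ZONE_PREFIX_SIZE = 116

def prefix_size_findings(v4=IPV4_PTR_ZONE_PREFIX_SIZE, v6=IPV6_PTR_ZONE_PREFIX_SIZE):
    """Neutron's documented constraints: the IPv4 size must be 8, 16 or 24 (octet
    aligned) and the IPv6 size a multiple of 4 between 4 and 124 (nibble aligned)."""
    findings = []
    if v4 not in (8, 16, 24):
        findings.append(f'ipv4_ptr_zone_prefix_size={v4} is not octet aligned (8, 16 or 24)')
    if v6 % 4 or not 4 <= v6 <= 124:
        findings.append(f'ipv6_ptr_zone_prefix_size={v6} is not a nibble boundary in 4..124')
    return findings

def reverse_name(ip):
    """Absolute reverse-DNS owner name of an address (the PTR record's name)."""
    return ipaddress.ip_address(ip).reverse_pointer + '.'

def ptr_zone_name(ip, v4=IPV4_PTR_ZONE_PREFIX_SIZE, v6=IPV6_PTR_ZONE_PREFIX_SIZE):
    """Reverse zone the PTR record belongs to: the reverse name with the host part
    (one label per octet for IPv4, per nibble for IPv6) stripped from the front.
    This reimplements the rule; it is not Neutron's own driver code."""
    bad = prefix_size_findings(v4, v6)
    if bad:
        raise ValueError('; '.join(bad))
    addr = ipaddress.ip_address(ip)
    skip = (32 - v4) // 8 if addr.version == 4 else (128 - v6) // 4
    return '.'.join(reverse_name(ip).split('.')[skip:])

def ptr_record(ip, fqdn):
    """(zone, record name, target) for a port with this fixed IP whose
    dns_name + dns_domain is fqdn, e.g. test.rhlab.dev. (constructed)."""
    return ptr_zone_name(ip), reverse_name(ip), fqdn

if __name__ == '__main__':
    print(ptr_record('192.168.1.230', 'test.rhlab.dev.'))
    print(ptr_record('2001:db8::1', 'test.rhlab.dev.'))
```

With the defaults above, 192.168.1.230 maps to the zone 1.168.192.in-addr.arpa. and the record 230.1.168.192.in-addr.arpa.; changing ipv4_ptr_zone_prefix_size to 16 moves the same address into 168.192.in-addr.arpa., so the prefix size has to match how you intend to split reverse delegation between tenants.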
Step 4: Set dns_domain in neutron.conf:
dns_domain = rhlab.dev.
systemctl restart neutron-*
Step 5: Add dns to the Modular Layer 2 (ML2) extension driver list in /etc/neutron/plugins/ml2/ml2_conf.ini:
extension_drivers=port_security,qos,dns
Step 6: Add a zone in Designate:
# openstack zone create --email=admin@rhlab.dev rhlab.dev.
Add a new record in the rhlab.dev zone:
# openstack recordset create --record '192.168.1.230' --type A rhlab.dev. Test
Designate is now installed and configured.