Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / designate / refs/heads/release/2019.98.1 / . / README.rst
blob: 5dd98dd057059db3f70e188963327ce5e92f5f54 [file] [log] [blame]
=================
Designate formula
=================
Designate provides DNSaaS services for OpenStack.
Sample pillars
==============
For Designate with BIND9 local backend:
.. code:: yaml
designate:
server:
enabled: true
region: RegionOne
domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc
version: ocata
backend:
bind9:
rndc_key: 4pc+X4PDqb2q+5o72dISm72LM1Ds9X2EYZjqg+nmsS7FhdTwzFFY8l/iEDmHxnyjkA33EQC8H+z0fLLBunoitw==
rndc_algorithm: hmac-sha512
api:
base_uri: 'http://127.0.0.1:9001'
quotas_verify_project_id: False
admin_api:
enabled: true
enabled_extensions_admin: quotas
bind:
api:
address: 127.0.0.1
database:
engine: mysql
host: 127.0.0.1
port: 3306
name:
main_database: designate
pool_manager: designate_pool_manager
user: designate
password: passw0rd
identity:
engine: keystone
host: 127.0.0.1
port: 35357
tenant: service
user: designate
password: passw0rd
mdns:
address: 0.0.0.0
port: 5354
message_queue:
engine: rabbitmq
members:
- host: 127.0.0.1
user: openstack
password: password
virtual_host: '/openstack'
pools:
default:
description: 'default pool'
attributes:
service_tier: GOLD
ns_records:
- hostname: 'ns1.example.org.'
priority: 10
nameservers:
- host: 127.0.0.1
port: 53
targets:
default_target:
type: bind9
description: 'default target'
masters:
- host: 127.0.0.1
port: 5354
options:
host: 127.0.0.1
port: 53
rndc_host: 127.0.0.1
rndc_port: 953
rndc_key_file: /etc/designate/rndc.key
quota:
zones: 40
worker:
enabled: true
.. note::
*domain_id* parameter is UUID of DNS zone managed by designate-sink service. This zone will
be populated by A records for fixed and floating ip addresses of spawned VMs. After designate
is deployed and zone is created, this parameter should be updated accordingly to UUID of
newly created zone. Then designate state should be reapplied.
.. note::
*server:api:base_uri* allows to set URL which is returned in designate-api responses, it is
useful in cases when, designate-api is deployed under proxy server. If not overriden in reclass,
it defaults to http://*server:bind:api:address*:9001/.
.. note::
*server:mdns:address* and *server:mdns:port* options allow to change MDNS listening address and
port. Changes to server:pools:*:targets will be also required if the MDNS's address and port are
being used there.
.. note::
*worker:enabled* sets worker role and installs designate-worker and designate-producer packages
which services will push changes to backend DNS servers.
*pool_manager:enabled* should be a default role for older releases of OpenStack, older than
Newton in which designate-worker and designate-producer were represented.
In releases starting from Newton, only Designate pool manager service still allows live syncs
with Power DNS server for now.
.. note::
*server:quota:zones* allows to set default value for zones quota for all projects and users.
In case with Designate tempest plugin (0.2.0) zones quota should be increased to 40, so all
tests can pass.
.. note::
*server:api:quotas_verify_project_id* allows to enable project id verification when setting quotas
for project, when Designate will ask Keystone if the project id is valid
Pools pillar for BIND9 master and multiple slaves setup:
.. code:: yaml
pools:
default:
description: 'default pool'
attributes:
service_tier: GOLD
ns_records:
- hostname: 'ns1.example.org.'
priority: 10
nameservers:
- host: 192.168.0.1
port: 53
- host: 192.168.0.2
port: 53
- host: 192.168.0.3
port: 53
targets:
default_target:
type: bind9
description: 'default target'
masters:
- host: 192.168.0.4
port: 5354
options:
host: 192.168.0.4
port: 53
rndc_host: 192.168.0.4
rndc_port: 953
rndc_key_file: /etc/designate/rndc.key
Enhanced logging with logging.conf
----------------------------------
By default logging.conf is disabled.
That is possible to enable per-binary logging.conf with new variables:
* openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
* openstack_fluentd_handler_enabled - set to true to enable FluentHandler for all Openstack services.
Only WatchedFileHandler and FluentHandler are available.
Also it is possible to configure this with pillar:
.. code-block:: yaml
designate:
server:
logging:
log_appender: true
log_handlers:
watchedfile:
enabled: true
fluentd:
enabled: true
Usage
=====
Create server
.. code:: bash
designate server-create --name ns.example.com.
Create domain
.. code:: bash
designate domain-create --name example.com. --email mail@example.com
Create record
.. code:: bash
designate record-create example.com. --name test.example.com. --type A --data 10.2.14.15
Test it
.. code:: bash
dig @127.0.0.1 test.example.com.
Enable x509 and ssl communication between Designate and Galera cluster.
---------------------
By default communication between Designate and Galera is unsecure.
designate:
server:
database:
x509:
enabled: True
You able to set custom certificates in pillar:
designate:
server:
database:
x509:
cacert: (certificate content)
cert: (certificate content)
key: (certificate content)
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
Enable x509 and ssl communication between Designate and Rabbitmq.
---------------------
By default communication between Designate and Rabbitmq is unsecure.
.. code-block:: yaml
designate:
server:
message_queue:
x509:
enabled: True
You able to set custom certificates in pillar:
.. code-block:: yaml
designate:
server:
message_queue:
x509:
cacert: (certificate content)
cert: (certificate content)
key: (certificate content)
You can read more about it here:
https://docs.openstack.org/security-guide/messaging/security.html
Using designate client to create zones and install client packages
-------------------------------------------------------------------
designate:
client:
enabled: true
resources:
v2:
enabled: true
cloud_name: admin_identity
zones:
test_zone:
name: test.zone.
email: admin@test.zone
Upgrades
========
Each openstack formula provide set of phases (logical bloks) that will help to
build flexible upgrade orchestration logic for particular components. The list
of phases might and theirs descriptions are listed in table below:
+-------------------------------+------------------------------------------------------+
| State | Description |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application |
| | are enabled for autostart and running |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application |
| | disabled for autostart and dead |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkgs_latest | Ensure that packages used by particular application |
| | are installed to latest available version. |
| | This will not upgrade data plane packages like qemu |
| | and openvswitch as usually minimal required version |
| | in openstack services is really old. The data plane |
| | packages should be upgraded separately by `apt-get |
| | upgrade` or `apt-get dist-upgrade` |
| | Applying this state will not autostart service. |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config | Ensure configuration is rendered actual version. +
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre | We assume this state is applied on all nodes in the |
| | cloud before running upgrade. |
| | Only non destructive actions will be applied during |
| | this phase. Perform service built in service check |
| | like (keystone-manage doctor and nova-status upgrade)|
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this |
| | phase resources will be gracefully removed from |
| | current node if it is allowed. Services for upgraded |
| | application will be set to admin disabled state to |
| | make sure node will not participate in resources |
| | scheduling. For example on gtw nodes this will set |
| | all agents to admin disable state and will move all |
| | routers to other agents. |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade | This state will basically upgrade application on |
| | particular target. Stop services, render |
| | configuration, install new packages, run offline |
| | dbsync (for ctl), start services. Data plane should |
| | not be affected, only OpenStack python services. |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post | Add services back to scheduling. |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post | This phase should be launched only when upgrade of |
| | the cloud is completed. Cleanup temporary files, |
| | perform other post upgrade tasks. |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify | Here we will do basic health checks (API CRUD |
| | operations, verify do not have dead network |
| | agents/compute services) |
+-------------------------------+------------------------------------------------------+
Upgrade pillar example:
.. code-block:: yaml
designate:
upgrade:
enabled: true
old_release: pike
new_release: queens
verify:
zone:
enabled: true
name: upgradetest.com.
.. note::
During upgrade zone creation testing is disabled by default,
because conditions for zone successfull creation, are very specific to each environment.
When enabling zone testing, allowed tlds in Designate should be considered.
More details about TLDS - https://docs.openstack.org/designate/pike/admin/tlds.html
Documentation and Bugs
======================
To learn how to install and update salt-formulas, consult the documentation
available online at:
http://salt-formulas.readthedocs.io/
In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use Github issue tracker for specific salt
formula:
https://github.com/salt-formulas/salt-formula-letsencrypt/issues
For feature requests, bug reports or blueprints affecting entire ecosystem,
use Launchpad salt-formulas project:
https://launchpad.net/salt-formulas
You can also join salt-formulas-users team and subscribe to mailing list:
https://launchpad.net/~salt-formulas-users
Developers wishing to work on the salt-formulas projects should always base
their work on master branch and submit pull request against specific formula.
https://github.com/salt-formulas/salt-formula-letsencrypt
Any questions or feedback is always welcome so feel free to join our IRC
channel:
#salt-formulas @ irc.freenode.net