Pavel Cizinsky | 8236144 | 2016-11-25 14:26:47 +0100 | [diff] [blame] | 1 | |
Aleš Komárek | 53c944b | 2017-02-06 14:08:15 +0100 | [diff] [blame] | 2 | ================= |
| 3 | Designate formula |
| 4 | ================= |
| 5 | |
| 6 | Designate provides DNSaaS services for OpenStack. |
| 7 | |
| 8 | Sample pillars |
| 9 | ============== |
Pavel Cizinsky | 8236144 | 2016-11-25 14:26:47 +0100 | [diff] [blame] | 10 | |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 11 | For Designate with BIND9 local backend: |
| 12 | |
Pavel Cizinsky | 8236144 | 2016-11-25 14:26:47 +0100 | [diff] [blame] | 13 | .. code:: yaml |
| 14 | |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 15 | designate: |
| 16 | server: |
| 17 | enabled: true |
| 18 | region: RegionOne |
| 19 | domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc |
| 20 | version: ocata |
| 21 | backend: |
| 22 | bind9: |
| 23 | rndc_key: 4pc+X4PDqb2q+5o72dISm72LM1Ds9X2EYZjqg+nmsS7FhdTwzFFY8l/iEDmHxnyjkA33EQC8H+z0fLLBunoitw== |
| 24 | rndc_algorithm: hmac-sha512 |
Mykyta Karpin | b251931 | 2017-08-08 13:24:22 +0300 | [diff] [blame] | 25 | api: |
| 26 | base_uri: 'http://127.0.0.1:9001' |
Pavlo Shchelokovskyy | f605cef | 2018-08-22 16:39:55 +0300 | [diff] [blame] | 27 | quotas_verify_project_id: False |
Mykyta Karpin | 96a3f43 | 2017-12-19 14:17:08 +0200 | [diff] [blame] | 28 | admin_api: |
| 29 | enabled: true |
| 30 | enabled_extensions_admin: quotas |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 31 | bind: |
| 32 | api: |
| 33 | address: 127.0.0.1 |
Ivan Berezovskiy | 29ef1fd | 2019-11-19 17:07:51 +0400 | [diff] [blame] | 34 | concurrency: |
| 35 | lock_path: '/var/lib/designate' |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 36 | database: |
| 37 | engine: mysql |
| 38 | host: 127.0.0.1 |
| 39 | port: 3306 |
| 40 | name: |
| 41 | main_database: designate |
| 42 | pool_manager: designate_pool_manager |
| 43 | user: designate |
| 44 | password: passw0rd |
| 45 | identity: |
| 46 | engine: keystone |
| 47 | host: 127.0.0.1 |
| 48 | port: 35357 |
| 49 | tenant: service |
| 50 | user: designate |
| 51 | password: passw0rd |
Ivan Udovichenko | a35a07d | 2017-09-29 14:50:10 +0300 | [diff] [blame] | 52 | mdns: |
| 53 | address: 0.0.0.0 |
| 54 | port: 5354 |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 55 | message_queue: |
| 56 | engine: rabbitmq |
| 57 | members: |
| 58 | - host: 127.0.0.1 |
| 59 | user: openstack |
| 60 | password: password |
| 61 | virtual_host: '/openstack' |
| 62 | pools: |
| 63 | default: |
| 64 | description: 'default pool' |
| 65 | attributes: |
| 66 | service_tier: GOLD |
| 67 | ns_records: |
| 68 | - hostname: 'ns1.example.org.' |
| 69 | priority: 10 |
Pavel Cizinsky | 8236144 | 2016-11-25 14:26:47 +0100 | [diff] [blame] | 70 | nameservers: |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 71 | - host: 127.0.0.1 |
Pavel Cizinsky | 8236144 | 2016-11-25 14:26:47 +0100 | [diff] [blame] | 72 | port: 53 |
| 73 | targets: |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 74 | default_target: |
| 75 | type: bind9 |
| 76 | description: 'default target' |
| 77 | masters: |
| 78 | - host: 127.0.0.1 |
| 79 | port: 5354 |
| 80 | options: |
| 81 | host: 127.0.0.1 |
| 82 | port: 53 |
| 83 | rndc_host: 127.0.0.1 |
| 84 | rndc_port: 953 |
| 85 | rndc_key_file: /etc/designate/rndc.key |
Mykyta Karpin | f728b07 | 2017-10-31 13:39:11 +0200 | [diff] [blame] | 86 | quota: |
| 87 | zones: 40 |
Ivan Udovichenko | 53fd311 | 2017-09-07 14:07:09 +0300 | [diff] [blame] | 88 | worker: |
| 89 | enabled: true |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 90 | .. note:: |
Ivan Udovichenko | 53fd311 | 2017-09-07 14:07:09 +0300 | [diff] [blame] | 91 | *domain_id* parameter is UUID of DNS zone managed by designate-sink service. This zone will |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 92 | be populated by A records for fixed and floating ip addresses of spawned VMs. After designate |
| 93 | is deployed and zone is created, this parameter should be updated accordingly to UUID of |
| 94 | newly created zone. Then designate state should be reapplied. |
| 95 | |
Mykyta Karpin | b251931 | 2017-08-08 13:24:22 +0300 | [diff] [blame] | 96 | .. note:: |
| 97 | *server:api:base_uri* allows to set URL which is returned in designate-api responses, it is |
| 98 | useful in cases when, designate-api is deployed under proxy server. If not overriden in reclass, |
| 99 | it defaults to http://*server:bind:api:address*:9001/. |
| 100 | |
Ivan Udovichenko | 53fd311 | 2017-09-07 14:07:09 +0300 | [diff] [blame] | 101 | .. note:: |
Ivan Udovichenko | a35a07d | 2017-09-29 14:50:10 +0300 | [diff] [blame] | 102 | *server:mdns:address* and *server:mdns:port* options allow to change MDNS listening address and |
| 103 | port. Changes to server:pools:*:targets will be also required if the MDNS's address and port are |
| 104 | being used there. |
| 105 | |
| 106 | .. note:: |
Ivan Udovichenko | 53fd311 | 2017-09-07 14:07:09 +0300 | [diff] [blame] | 107 | *worker:enabled* sets worker role and installs designate-worker and designate-producer packages |
| 108 | which services will push changes to backend DNS servers. |
| 109 | *pool_manager:enabled* should be a default role for older releases of OpenStack, older than |
| 110 | Newton in which designate-worker and designate-producer were represented. |
| 111 | In releases starting from Newton, only Designate pool manager service still allows live syncs |
| 112 | with Power DNS server for now. |
| 113 | |
Mykyta Karpin | f728b07 | 2017-10-31 13:39:11 +0200 | [diff] [blame] | 114 | .. note:: |
| 115 | *server:quota:zones* allows to set default value for zones quota for all projects and users. |
| 116 | In case with Designate tempest plugin (0.2.0) zones quota should be increased to 40, so all |
| 117 | tests can pass. |
| 118 | |
Pavlo Shchelokovskyy | f605cef | 2018-08-22 16:39:55 +0300 | [diff] [blame] | 119 | .. note:: |
| 120 | *server:api:quotas_verify_project_id* allows to enable project id verification when setting quotas |
| 121 | for project, when Designate will ask Keystone if the project id is valid |
| 122 | |
Mykyta Karpin | 8bda8df | 2017-06-08 14:48:55 +0300 | [diff] [blame] | 123 | Pools pillar for BIND9 master and multiple slaves setup: |
| 124 | |
| 125 | .. code:: yaml |
| 126 | |
| 127 | pools: |
| 128 | default: |
| 129 | description: 'default pool' |
| 130 | attributes: |
| 131 | service_tier: GOLD |
| 132 | ns_records: |
| 133 | - hostname: 'ns1.example.org.' |
| 134 | priority: 10 |
| 135 | nameservers: |
| 136 | - host: 192.168.0.1 |
| 137 | port: 53 |
| 138 | - host: 192.168.0.2 |
| 139 | port: 53 |
| 140 | - host: 192.168.0.3 |
| 141 | port: 53 |
| 142 | targets: |
| 143 | default_target: |
| 144 | type: bind9 |
| 145 | description: 'default target' |
| 146 | masters: |
| 147 | - host: 192.168.0.4 |
| 148 | port: 5354 |
| 149 | options: |
| 150 | host: 192.168.0.4 |
| 151 | port: 53 |
| 152 | rndc_host: 192.168.0.4 |
| 153 | rndc_port: 953 |
| 154 | rndc_key_file: /etc/designate/rndc.key |
Pavel Cizinsky | 8236144 | 2016-11-25 14:26:47 +0100 | [diff] [blame] | 155 | |
sgarbuz | b718889 | 2018-05-08 13:26:42 +0300 | [diff] [blame] | 156 | Enhanced logging with logging.conf |
| 157 | ---------------------------------- |
| 158 | |
| 159 | By default logging.conf is disabled. |
| 160 | |
| 161 | That is possible to enable per-binary logging.conf with new variables: |
| 162 | * openstack_log_appender - set it to true to enable log_config_append for all OpenStack services; |
| 163 | * openstack_fluentd_handler_enabled - set to true to enable FluentHandler for all Openstack services. |
| 164 | |
| 165 | Only WatchedFileHandler and FluentHandler are available. |
| 166 | |
| 167 | Also it is possible to configure this with pillar: |
| 168 | |
| 169 | .. code-block:: yaml |
| 170 | |
| 171 | designate: |
| 172 | server: |
| 173 | logging: |
| 174 | log_appender: true |
| 175 | log_handlers: |
| 176 | watchedfile: |
| 177 | enabled: true |
| 178 | fluentd: |
| 179 | enabled: true |
| 180 | |
Pavel Cizinsky | 8236144 | 2016-11-25 14:26:47 +0100 | [diff] [blame] | 181 | Usage |
Aleš Komárek | 53c944b | 2017-02-06 14:08:15 +0100 | [diff] [blame] | 182 | ===== |
Pavel Cizinsky | 8236144 | 2016-11-25 14:26:47 +0100 | [diff] [blame] | 183 | |
| 184 | Create server |
| 185 | |
| 186 | .. code:: bash |
| 187 | |
| 188 | designate server-create --name ns.example.com. |
| 189 | |
| 190 | Create domain |
| 191 | |
| 192 | .. code:: bash |
| 193 | |
| 194 | designate domain-create --name example.com. --email mail@example.com |
| 195 | |
| 196 | Create record |
| 197 | |
| 198 | .. code:: bash |
| 199 | |
| 200 | designate record-create example.com. --name test.example.com. --type A --data 10.2.14.15 |
| 201 | |
| 202 | Test it |
| 203 | |
| 204 | .. code:: bash |
| 205 | |
| 206 | dig @127.0.0.1 test.example.com. |
Filip Pytloun | bfa7211 | 2017-02-02 13:17:47 +0100 | [diff] [blame] | 207 | |
Oleksandr Shyshko | c7d4827 | 2018-08-31 12:22:41 +0300 | [diff] [blame] | 208 | Enable x509 and ssl communication between Designate and Galera cluster. |
| 209 | --------------------- |
| 210 | By default communication between Designate and Galera is unsecure. |
| 211 | |
| 212 | designate: |
| 213 | server: |
| 214 | database: |
| 215 | x509: |
| 216 | enabled: True |
| 217 | |
| 218 | You able to set custom certificates in pillar: |
| 219 | |
| 220 | designate: |
| 221 | server: |
| 222 | database: |
| 223 | x509: |
| 224 | cacert: (certificate content) |
| 225 | cert: (certificate content) |
| 226 | key: (certificate content) |
| 227 | |
| 228 | You can read more about it here: |
| 229 | https://docs.openstack.org/security-guide/databases/database-access-control.html |
| 230 | |
Oleksandr Shyshko | b988699 | 2018-09-21 12:44:35 +0300 | [diff] [blame] | 231 | Enable x509 and ssl communication between Designate and Rabbitmq. |
| 232 | --------------------- |
| 233 | By default communication between Designate and Rabbitmq is unsecure. |
| 234 | |
| 235 | .. code-block:: yaml |
| 236 | |
| 237 | designate: |
| 238 | server: |
| 239 | message_queue: |
| 240 | x509: |
| 241 | enabled: True |
| 242 | |
| 243 | You able to set custom certificates in pillar: |
| 244 | |
| 245 | .. code-block:: yaml |
| 246 | |
| 247 | designate: |
| 248 | server: |
| 249 | message_queue: |
| 250 | x509: |
| 251 | cacert: (certificate content) |
| 252 | cert: (certificate content) |
| 253 | key: (certificate content) |
| 254 | |
| 255 | You can read more about it here: |
| 256 | https://docs.openstack.org/security-guide/messaging/security.html |
Pavel Cizinsky | bac79ca | 2018-12-12 12:01:25 +0100 | [diff] [blame] | 257 | |
Mykyta Karpin | 70405bc | 2018-11-07 17:28:06 +0000 | [diff] [blame] | 258 | Using designate client to create zones and install client packages |
| 259 | ------------------------------------------------------------------- |
| 260 | |
| 261 | designate: |
| 262 | client: |
| 263 | enabled: true |
| 264 | resources: |
| 265 | v2: |
| 266 | enabled: true |
| 267 | cloud_name: admin_identity |
| 268 | zones: |
| 269 | test_zone: |
| 270 | name: test.zone. |
| 271 | email: admin@test.zone |
| 272 | |
Oleksandr Pidrepnyi | 4f886d8 | 2019-05-24 13:37:57 +0300 | [diff] [blame] | 273 | Change default options using configmap template settings |
| 274 | ======================================================== |
| 275 | |
| 276 | .. code-block:: yaml |
| 277 | |
| 278 | designate: |
| 279 | server: |
| 280 | configmap: |
| 281 | DEFAULT: |
| 282 | default_soa_refresh_min: 3500 |
| 283 | default_soa_refresh_max: 3600 |
| 284 | default_soa_minimum: 3600 |
| 285 | 'network_api:neutron': |
| 286 | admin_username: admin |
| 287 | admin_password: password |
| 288 | admin_tenant_name: tenant1 |
| 289 | |
Martin Polreich | e8fcdd1 | 2019-11-18 16:27:29 +0100 | [diff] [blame] | 290 | Change default service policy configuration |
| 291 | =========================================== |
| 292 | |
| 293 | .. code-block:: yaml |
| 294 | |
| 295 | designate: |
| 296 | server: |
| 297 | policy: |
| 298 | admin: 'role:admin' |
| 299 | primary_zone: 'target.zone_type:PRIMARY' |
| 300 | # Add key without value to remove line from policy.json |
| 301 | get_quotas: |
| 302 | |
Mykyta Karpin | c71b5f4 | 2018-12-14 12:46:36 +0200 | [diff] [blame] | 303 | Upgrades |
| 304 | ======== |
| 305 | |
| 306 | Each openstack formula provide set of phases (logical bloks) that will help to |
| 307 | build flexible upgrade orchestration logic for particular components. The list |
| 308 | of phases might and theirs descriptions are listed in table below: |
| 309 | |
| 310 | +-------------------------------+------------------------------------------------------+ |
| 311 | | State | Description | |
| 312 | +===============================+======================================================+ |
| 313 | | <app>.upgrade.service_running | Ensure that all services for particular application | |
| 314 | | | are enabled for autostart and running | |
| 315 | +-------------------------------+------------------------------------------------------+ |
| 316 | | <app>.upgrade.service_stopped | Ensure that all services for particular application | |
| 317 | | | disabled for autostart and dead | |
| 318 | +-------------------------------+------------------------------------------------------+ |
| 319 | | <app>.upgrade.pkgs_latest | Ensure that packages used by particular application | |
| 320 | | | are installed to latest available version. | |
| 321 | | | This will not upgrade data plane packages like qemu | |
| 322 | | | and openvswitch as usually minimal required version | |
| 323 | | | in openstack services is really old. The data plane | |
| 324 | | | packages should be upgraded separately by `apt-get | |
| 325 | | | upgrade` or `apt-get dist-upgrade` | |
| 326 | | | Applying this state will not autostart service. | |
| 327 | +-------------------------------+------------------------------------------------------+ |
| 328 | | <app>.upgrade.render_config | Ensure configuration is rendered actual version. + |
| 329 | +-------------------------------+------------------------------------------------------+ |
| 330 | | <app>.upgrade.pre | We assume this state is applied on all nodes in the | |
| 331 | | | cloud before running upgrade. | |
| 332 | | | Only non destructive actions will be applied during | |
| 333 | | | this phase. Perform service built in service check | |
| 334 | | | like (keystone-manage doctor and nova-status upgrade)| |
| 335 | +-------------------------------+------------------------------------------------------+ |
| 336 | | <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this | |
| 337 | | | phase resources will be gracefully removed from | |
| 338 | | | current node if it is allowed. Services for upgraded | |
| 339 | | | application will be set to admin disabled state to | |
| 340 | | | make sure node will not participate in resources | |
| 341 | | | scheduling. For example on gtw nodes this will set | |
| 342 | | | all agents to admin disable state and will move all | |
| 343 | | | routers to other agents. | |
| 344 | +-------------------------------+------------------------------------------------------+ |
| 345 | | <app>.upgrade.upgrade | This state will basically upgrade application on | |
| 346 | | | particular target. Stop services, render | |
| 347 | | | configuration, install new packages, run offline | |
| 348 | | | dbsync (for ctl), start services. Data plane should | |
| 349 | | | not be affected, only OpenStack python services. | |
| 350 | +-------------------------------+------------------------------------------------------+ |
| 351 | | <app>.upgrade.upgrade.post | Add services back to scheduling. | |
| 352 | +-------------------------------+------------------------------------------------------+ |
| 353 | | <app>.upgrade.post | This phase should be launched only when upgrade of | |
| 354 | | | the cloud is completed. Cleanup temporary files, | |
| 355 | | | perform other post upgrade tasks. | |
| 356 | +-------------------------------+------------------------------------------------------+ |
| 357 | | <app>.upgrade.verify | Here we will do basic health checks (API CRUD | |
| 358 | | | operations, verify do not have dead network | |
| 359 | | | agents/compute services) | |
| 360 | +-------------------------------+------------------------------------------------------+ |
| 361 | |
| 362 | |
| 363 | Upgrade pillar example: |
| 364 | |
| 365 | .. code-block:: yaml |
| 366 | |
| 367 | designate: |
| 368 | upgrade: |
| 369 | enabled: true |
| 370 | old_release: pike |
| 371 | new_release: queens |
| 372 | verify: |
| 373 | zone: |
| 374 | enabled: true |
| 375 | name: upgradetest.com. |
| 376 | |
| 377 | .. note:: |
| 378 | During upgrade zone creation testing is disabled by default, |
| 379 | because conditions for zone successfull creation, are very specific to each environment. |
| 380 | When enabling zone testing, allowed tlds in Designate should be considered. |
| 381 | More details about TLDS - https://docs.openstack.org/designate/pike/admin/tlds.html |