=================
Designate formula
=================

Designate provides DNSaaS services for OpenStack.

Sample pillars
==============

For Designate with BIND9 local backend:

.. code:: yaml

    designate:
      server:
        enabled: true
        region: RegionOne
        domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc
        version: ocata
        backend:
          bind9:
            rndc_key: 4pc+X4PDqb2q+5o72dISm72LM1Ds9X2EYZjqg+nmsS7FhdTwzFFY8l/iEDmHxnyjkA33EQC8H+z0fLLBunoitw==
            rndc_algorithm: hmac-sha512
        api:
          base_uri: 'http://127.0.0.1:9001'
          quotas_verify_project_id: False
        admin_api:
          enabled: true
          enabled_extensions_admin: quotas
        bind:
          api:
            address: 127.0.0.1
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name:
            main_database: designate
            pool_manager: designate_pool_manager
          user: designate
          password: passw0rd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          tenant: service
          user: designate
          password: passw0rd
        mdns:
          address: 0.0.0.0
          port: 5354
        message_queue:
          engine: rabbitmq
          members:
            - host: 127.0.0.1
          user: openstack
          password: password
          virtual_host: '/openstack'
        pools:
          default:
            description: 'default pool'
            attributes:
              service_tier: GOLD
            ns_records:
              - hostname: 'ns1.example.org.'
                priority: 10
            nameservers:
              - host: 127.0.0.1
                port: 53
            targets:
              default_target:
                type: bind9
                description: 'default target'
                masters:
                  - host: 127.0.0.1
                    port: 5354
                options:
                  host: 127.0.0.1
                  port: 53
                  rndc_host: 127.0.0.1
                  rndc_port: 953
                  rndc_key_file: /etc/designate/rndc.key
        quota:
          zones: 40
        worker:
          enabled: true

.. note::
    The *domain_id* parameter is the UUID of the DNS zone managed by the designate-sink service.
    This zone is populated with A records for the fixed and floating IP addresses of spawned VMs.
    After Designate is deployed and the zone has been created, update this parameter to the UUID
    of the newly created zone and reapply the designate state.

.. note::
    *server:api:base_uri* sets the URL returned in designate-api responses, which is useful when
    designate-api is deployed behind a proxy server. If not overridden in reclass, it defaults to
    http://*server:bind:api:address*:9001/.

.. note::
    *server:mdns:address* and *server:mdns:port* change the MDNS listening address and port.
    If the MDNS address and port are used in server:pools:*:targets (the *masters* entries in the
    sample pillar above), those entries must be changed as well.

.. note::
    *worker:enabled* sets the worker role and installs the designate-worker and designate-producer
    packages; these services push changes to the backend DNS servers.
    *pool_manager:enabled* should be the default role for OpenStack releases older than Newton,
    in which designate-worker and designate-producer were introduced.
    In releases starting from Newton, only the Designate pool manager service still supports live
    syncs with PowerDNS for now.

.. note::
    *server:quota:zones* sets the default zones quota for all projects and users.
    With the Designate tempest plugin (0.2.0) the zones quota should be increased to 40 so that
    all tests can pass.

.. note::
    *server:api:quotas_verify_project_id* enables project ID verification when setting quotas
    for a project: Designate asks Keystone whether the project ID is valid.

Pools pillar for BIND9 master and multiple slaves setup:

.. code:: yaml

    pools:
      default:
        description: 'default pool'
        attributes:
          service_tier: GOLD
        ns_records:
          - hostname: 'ns1.example.org.'
            priority: 10
        nameservers:
          - host: 192.168.0.1
            port: 53
          - host: 192.168.0.2
            port: 53
          - host: 192.168.0.3
            port: 53
        targets:
          default_target:
            type: bind9
            description: 'default target'
            masters:
              - host: 192.168.0.4
                port: 5354
            options:
              host: 192.168.0.4
              port: 53
              rndc_host: 192.168.0.4
              rndc_port: 953
              rndc_key_file: /etc/designate/rndc.key

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

It is possible to enable a per-binary logging.conf with new variables:

* openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
* openstack_fluentd_handler_enabled - set it to true to enable FluentHandler for all OpenStack services.

Only WatchedFileHandler and FluentHandler are available.

It is also possible to configure this with the pillar:

.. code-block:: yaml

    designate:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true

Usage
=====

Create server

.. code:: bash

    designate server-create --name ns.example.com.

Create domain

.. code:: bash

    designate domain-create --name example.com. --email mail@example.com

Create record

.. code:: bash

    designate record-create example.com. --name test.example.com. --type A --data 10.2.14.15

Test it

.. code:: bash

    dig @127.0.0.1 test.example.com.

Enable x509 and ssl communication between Designate and Galera cluster
----------------------------------------------------------------------

By default communication between Designate and Galera is not secured.

.. code-block:: yaml

    designate:
      server:
        database:
          x509:
            enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

    designate:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (private key content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

Enable x509 and ssl communication between Designate and Rabbitmq
----------------------------------------------------------------

By default communication between Designate and Rabbitmq is not secured.

.. code-block:: yaml

    designate:
      server:
        message_queue:
          x509:
            enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

    designate:
      server:
        message_queue:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (private key content)

You can read more about it here:
https://docs.openstack.org/security-guide/messaging/security.html
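
The consistency rules stated in the MDNS note above (pool target masters must match the MDNS listener), the rndc key in the BIND9 sample pillar, and the x509 settings of the two sections just above can be checked before the state is applied. The following Python is an added example, not part of the formula: it assumes the designate:server pillar has already been loaded into a dict (a constructed sample is embedded), and the check functions, their names and the rule that an rndc key should be no shorter than its HMAC digest are this example's own, not formula functionality.

```python
import base64
import hashlib

# Constructed sample mirroring designate:server from the README's BIND9 pillar (only the keys read here).
SAMPLE_SERVER = {
    "backend": {"bind9": {"rndc_algorithm": "hmac-sha512", "rndc_key":
        "4pc+X4PDqb2q+5o72dISm72LM1Ds9X2EYZjqg+nmsS7FhdTwzFFY8l/iEDmHxnyjkA33EQC8H+z0fLLBunoitw=="}},
    "database": {"host": "127.0.0.1", "x509": {"enabled": False}},
    "message_queue": {"members": [{"host": "127.0.0.1"}], "x509": {"enabled": False}},
    "mdns": {"address": "0.0.0.0", "port": 5354},
    "pools": {"default": {"targets": {"default_target": {
        "masters": [{"host": "127.0.0.1", "port": 5354}]}}}},
}
LOCAL_HOSTS = ("127.0.0.1", "::1", "localhost")

def check_rndc_key(server):
    """rndc_key must be valid base64 and no shorter than the digest of rndc_algorithm (assumed rule)."""
    bind9 = server.get("backend", {}).get("bind9", {})
    algo = bind9.get("rndc_algorithm", "hmac-md5")
    try:
        key = base64.b64decode(bind9.get("rndc_key", ""), validate=True)
        digest = hashlib.new(algo.replace("hmac-", "")).digest_size
    except ValueError:  # binascii.Error (bad base64) is a ValueError; so is an unknown hash name
        return ["rndc_key is not valid base64 or rndc_algorithm %r is unknown" % algo]
    if len(key) < digest:
        return ["rndc_key is %d bytes, shorter than the %s digest (%d)" % (len(key), algo, digest)]
    return []

def check_mdns_targets(server):
    """Each pool target must list the MDNS listener as a master (0.0.0.0 matches any host)."""
    mdns = server.get("mdns", {})
    addr, port = mdns.get("address", "0.0.0.0"), mdns.get("port", 5354)
    issues = []
    for pool, pool_cfg in server.get("pools", {}).items():
        for target, t_cfg in pool_cfg.get("targets", {}).items():
            if not any(m.get("port") == port and addr in ("0.0.0.0", m.get("host"))
                       for m in t_cfg.get("masters", [])):
                issues.append("pool %s target %s: no master matches mdns %s:%s" % (pool, target, addr, port))
    return issues

def check_x509(server):
    """Flag a database or message queue reached over the network with x509 left disabled."""
    issues = []
    for section in ("database", "message_queue"):
        cfg = server.get(section, {})  # database carries host directly, message_queue a members list
        remote = [h for h in (m.get("host") for m in cfg.get("members", [cfg])) if h and h not in LOCAL_HOSTS]
        if remote and not cfg.get("x509", {}).get("enabled", False):
            issues.append("%s: %s reached without x509 enabled" % (section, ", ".join(remote)))
    return issues
```

Each function returns a list of findings, so an empty list from all three means the pillar is consistent with the notes above.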

Using designate client to create zones and install client packages
-------------------------------------------------------------------

.. code-block:: yaml

    designate:
      client:
        enabled: true
        resources:
          v2:
            enabled: true
            cloud_name: admin_identity
            zones:
              test_zone:
                name: test.zone.
                email: admin@test.zone

Upgrades
========

Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The
phases and their descriptions are listed in the table below:

+-------------------------------+------------------------------------------------------+
| State                         | Description                                          |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application  |
|                               | are enabled for autostart and running                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application  |
|                               | are disabled for autostart and dead                  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkgs_latest     | Ensure that packages used by particular application  |
|                               | are installed to latest available version.           |
|                               | This will not upgrade data plane packages like qemu  |
|                               | and openvswitch as usually minimal required version  |
|                               | in openstack services is really old. The data plane  |
|                               | packages should be upgraded separately by            |
|                               | ``apt-get upgrade`` or ``apt-get dist-upgrade``.     |
|                               | Applying this state will not autostart service.      |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure configuration is rendered for the actual      |
|                               | version.                                             |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre             | We assume this state is applied on all nodes in the  |
|                               | cloud before running upgrade.                        |
|                               | Only non destructive actions will be applied during  |
|                               | this phase. Perform the service's built-in checks    |
|                               | like keystone-manage doctor and nova-status upgrade. |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre     | Mostly applicable for data plane nodes. During this  |
|                               | phase resources will be gracefully removed from      |
|                               | current node if it is allowed. Services for upgraded |
|                               | application will be set to admin disabled state to   |
|                               | make sure node will not participate in resources     |
|                               | scheduling. For example on gtw nodes this will set   |
|                               | all agents to admin disable state and will move all  |
|                               | routers to other agents.                             |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade         | This state will basically upgrade application on     |
|                               | particular target. Stop services, render             |
|                               | configuration, install new packages, run offline     |
|                               | dbsync (for ctl), start services. Data plane should  |
|                               | not be affected, only OpenStack python services.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post    | Add services back to scheduling.                     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post            | This phase should be launched only when upgrade of   |
|                               | the cloud is completed. Cleanup temporary files,     |
|                               | perform other post upgrade tasks.                    |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify          | Here we will do basic health checks (API CRUD        |
|                               | operations, verify there are no dead network         |
|                               | agents/compute services)                             |
+-------------------------------+------------------------------------------------------+

Upgrade pillar example:

.. code-block:: yaml

    designate:
      upgrade:
        enabled: true
        old_release: pike
        new_release: queens
        verify:
          zone:
            enabled: true
            name: upgradetest.com.

.. note::
    During upgrade, zone creation testing is disabled by default because the conditions for
    successful zone creation are very specific to each environment.
    When enabling zone testing, the TLDs allowed in Designate should be considered.
    More details about TLDs: https://docs.openstack.org/designate/pike/admin/tlds.html