=================
Designate formula
=================

Designate provides DNSaaS services for OpenStack.

Sample pillars
==============

For Designate with BIND9 local backend:

.. code:: yaml

    designate:
      server:
        enabled: true
        region: RegionOne
        domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc
        version: ocata
        backend:
          bind9:
            rndc_key: 4pc+X4PDqb2q+5o72dISm72LM1Ds9X2EYZjqg+nmsS7FhdTwzFFY8l/iEDmHxnyjkA33EQC8H+z0fLLBunoitw==
            rndc_algorithm: hmac-sha512
        api:
          base_uri: 'http://127.0.0.1:9001'
          quotas_verify_project_id: False
        admin_api:
          enabled: true
          enabled_extensions_admin: quotas
        bind:
          api:
            address: 127.0.0.1
        concurrency:
          lock_path: '/var/lib/designate'
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name:
            main_database: designate
            pool_manager: designate_pool_manager
          user: designate
          password: passw0rd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          tenant: service
          user: designate
          password: passw0rd
        mdns:
          address: 0.0.0.0
          port: 5354
        message_queue:
          engine: rabbitmq
          members:
            - host: 127.0.0.1
          user: openstack
          password: password
          virtual_host: '/openstack'
        pools:
          default:
            description: 'default pool'
            attributes:
              service_tier: GOLD
            ns_records:
              - hostname: 'ns1.example.org.'
                priority: 10
            nameservers:
              - host: 127.0.0.1
                port: 53
            targets:
              default_target:
                type: bind9
                description: 'default target'
                masters:
                  - host: 127.0.0.1
                    port: 5354
                options:
                  host: 127.0.0.1
                  port: 53
                  rndc_host: 127.0.0.1
                  rndc_port: 953
                  rndc_key_file: /etc/designate/rndc.key
        quota:
          zones: 40
        worker:
          enabled: true

.. note::
Mykyta Karpin8bda8df2017-06-08 14:48:55 +030090.. note::
Ivan Udovichenko53fd3112017-09-07 14:07:09 +030091 *domain_id* parameter is UUID of DNS zone managed by designate-sink service. This zone will
Mykyta Karpin8bda8df2017-06-08 14:48:55 +030092 be populated by A records for fixed and floating ip addresses of spawned VMs. After designate
93 is deployed and zone is created, this parameter should be updated accordingly to UUID of
94 newly created zone. Then designate state should be reapplied.
95
Mykyta Karpinb2519312017-08-08 13:24:22 +030096.. note::
97 *server:api:base_uri* allows to set URL which is returned in designate-api responses, it is
98 useful in cases when, designate-api is deployed under proxy server. If not overriden in reclass,
99 it defaults to http://*server:bind:api:address*:9001/.
100
Ivan Udovichenko53fd3112017-09-07 14:07:09 +0300101.. note::
Ivan Udovichenkoa35a07d2017-09-29 14:50:10 +0300102 *server:mdns:address* and *server:mdns:port* options allow to change MDNS listening address and
103 port. Changes to server:pools:*:targets will be also required if the MDNS's address and port are
104 being used there.
105
106.. note::
Ivan Udovichenko53fd3112017-09-07 14:07:09 +0300107 *worker:enabled* sets worker role and installs designate-worker and designate-producer packages
108 which services will push changes to backend DNS servers.
109 *pool_manager:enabled* should be a default role for older releases of OpenStack, older than
110 Newton in which designate-worker and designate-producer were represented.
111 In releases starting from Newton, only Designate pool manager service still allows live syncs
112 with Power DNS server for now.
113
Mykyta Karpinf728b072017-10-31 13:39:11 +0200114.. note::
115 *server:quota:zones* allows to set default value for zones quota for all projects and users.
116 In case with Designate tempest plugin (0.2.0) zones quota should be increased to 40, so all
117 tests can pass.
118
Pavlo Shchelokovskyyf605cef2018-08-22 16:39:55 +0300119.. note::
120 *server:api:quotas_verify_project_id* allows to enable project id verification when setting quotas
121 for project, when Designate will ask Keystone if the project id is valid
122
Pools pillar for BIND9 master and multiple slaves setup:

.. code:: yaml

    pools:
      default:
        description: 'default pool'
        attributes:
          service_tier: GOLD
        ns_records:
          - hostname: 'ns1.example.org.'
            priority: 10
        nameservers:
          - host: 192.168.0.1
            port: 53
          - host: 192.168.0.2
            port: 53
          - host: 192.168.0.3
            port: 53
        targets:
          default_target:
            type: bind9
            description: 'default target'
            masters:
              - host: 192.168.0.4
                port: 5354
            options:
              host: 192.168.0.4
              port: 53
              rndc_host: 192.168.0.4
              rndc_port: 953
              rndc_key_file: /etc/designate/rndc.key

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

It is possible to enable a per-binary logging.conf with the following new variables:

* openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
* openstack_fluentd_handler_enabled - set it to true to enable FluentHandler for all OpenStack services.

Only WatchedFileHandler and FluentHandler are available.

It is also possible to configure this with the pillar:

.. code-block:: yaml

    designate:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true

Usage
=====

Create server

.. code:: bash

    designate server-create --name ns.example.com.

Create domain

.. code:: bash

    designate domain-create --name example.com. --email mail@example.com

Create record

.. code:: bash

    designate record-create example.com. --name test.example.com. --type A --data 10.2.14.15

Test it

.. code:: bash

    dig @127.0.0.1 test.example.com.

Enable x509 and ssl communication between Designate and Galera cluster
------------------------------------------------------------------------

By default communication between Designate and Galera is unsecured. To enable x509 and ssl:

.. code-block:: yaml

    designate:
      server:
        database:
          x509:
            enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

    designate:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

Enable x509 and ssl communication between Designate and Rabbitmq
------------------------------------------------------------------

By default communication between Designate and Rabbitmq is unsecured. To enable x509 and ssl:

.. code-block:: yaml

    designate:
      server:
        message_queue:
          x509:
            enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

    designate:
      server:
        message_queue:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/messaging/security.html
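
The two sections above only switch the x509 options on; a practitioner will want to confirm that the rendered designate.conf actually carries TLS settings for both links. The following is an added example, not code from the formula or from Designate: it audits the ``[storage:sqlalchemy] connection`` string and the ``[oslo_messaging_rabbit] ssl`` option (both real option names), and the certificate file paths in the sample configs are assumptions.

```python
"""Check a rendered designate.conf for unencrypted Galera and RabbitMQ links.

Added example, not part of the formula or of Designate. Certificate paths in
the constructed sample configs are assumptions, not the formula's own paths.
"""
import configparser
from urllib.parse import parse_qs, urlparse

# Query parameters the pymysql driver needs for client-certificate TLS.
DB_TLS_PARAMS = ("ssl_ca", "ssl_cert", "ssl_key")

# Constructed sample: sections as rendered with x509 disabled (the default).
INSECURE_CONF = """
[storage:sqlalchemy]
connection = mysql+pymysql://designate:passw0rd@127.0.0.1:3306/designate
"""

# Constructed sample with both links secured; the file paths are assumptions.
TLS_CONF = """
[storage:sqlalchemy]
connection = mysql+pymysql://designate:passw0rd@127.0.0.1:3306/designate?ssl_ca=/etc/designate/ssl/mysql/ca-cert.pem&ssl_cert=/etc/designate/ssl/mysql/client-cert.pem&ssl_key=/etc/designate/ssl/mysql/client-key.pem

[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = /etc/designate/ssl/rabbitmq/ca-cert.pem
"""


def audit_designate_conf(text: str) -> list:
    """Return findings for unencrypted backend links; an empty list means both use TLS."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    # Database: pymysql only negotiates TLS when the ssl_* parameters are in the URL.
    conn = cfg.get("storage:sqlalchemy", "connection", fallback="")
    query = parse_qs(urlparse(conn).query)
    missing = [p for p in DB_TLS_PARAMS if p not in query]
    if missing:
        findings.append("database: connection string lacks " + ", ".join(missing))

    # Message queue: 'ssl' is the current oslo.messaging option, 'rabbit_use_ssl' the deprecated name.
    rabbit_ssl = (cfg.getboolean("oslo_messaging_rabbit", "ssl", fallback=False)
                  or cfg.getboolean("oslo_messaging_rabbit", "rabbit_use_ssl", fallback=False))
    if not rabbit_ssl:
        findings.append("message_queue: [oslo_messaging_rabbit] ssl is not enabled")
    return findings
```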

Using designate client to create zones and install client packages
-------------------------------------------------------------------

.. code-block:: yaml

    designate:
      client:
        enabled: true
        resources:
          v2:
            enabled: true
            cloud_name: admin_identity
            zones:
              test_zone:
                name: test.zone.
                email: admin@test.zone

Change default options using configmap template settings
========================================================

.. code-block:: yaml

    designate:
      server:
        configmap:
          DEFAULT:
            default_soa_refresh_min: 3500
            default_soa_refresh_max: 3600
            default_soa_minimum: 3600
          'network_api:neutron':
            admin_username: admin
            admin_password: password
            admin_tenant_name: tenant1

Change default service policy configuration
===========================================

.. code-block:: yaml

    designate:
      server:
        policy:
          admin: 'role:admin'
          primary_zone: 'target.zone_type:PRIMARY'
          # Add key without value to remove line from policy.json
          get_quotas:

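The merge semantics described by the comment above (a value replaces the rule, a key without a value removes the rule) are easy to get wrong in a pillar, so here is an added example that models them; it is not the formula's own rendering code. The base policy excerpt is constructed, and the check for empty rules relies on oslo.policy treating an empty check string as always allowed.

```python
"""Model how the server:policy pillar is merged into policy.json.

Added example, not the formula's rendering code. A key with a value replaces
the rule; a key without a value (None once YAML is loaded) removes the rule.
Rules that end up as an empty string are reported, because oslo.policy treats
"" as a check that every caller passes.
"""
import json

# Constructed excerpt of a Designate policy.json; a real file has many more rules.
BASE_POLICY = {
    "admin": "role:admin or is_admin:True",
    "primary_zone": "target.zone_type:PRIMARY",
    "get_quotas": "rule:admin or rule:owner",
    "set_quota": "rule:admin",
}

# The server:policy mapping from the page, as YAML would load it.
PILLAR_POLICY = {
    "admin": "role:admin",
    "primary_zone": "target.zone_type:PRIMARY",
    "get_quotas": None,  # key without value: drop the line from policy.json
}


def render_policy(base: dict, overrides: dict) -> dict:
    """Apply pillar overrides: None deletes a rule, anything else sets it."""
    result = dict(base)
    for key, value in overrides.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = str(value)
    return result


def empty_rules(policy: dict) -> list:
    """Rule names whose check string is empty, i.e. granted to everyone."""
    return sorted(k for k, v in policy.items() if v.strip() == "")


def render_policy_json(base: dict, overrides: dict) -> str:
    """Serialize the merged policy the way policy.json is written."""
    return json.dumps(render_policy(base, overrides), indent=2, sort_keys=True)
```

Note that `get_quotas: ''` (an empty string) is not the same as `get_quotas:` (no value): the former renders an allow-all rule, the latter removes it.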

Change files/directories permissions for designate service
==========================================================

In order to change file permissions the following should be set:

'files' - block to set permissions for files.

- full path to file
- user (default value is 'root'); this parameter is optional
- group (default value is 'designate'); this parameter is optional
- mode (default value is '0640'); this parameter is optional

'directories' - block to set permissions for directories.

- full path to directory
- user (default value is 'root'); this parameter is optional
- group (default value is 'designate'); this parameter is optional
- mode (default value is '0750'); this parameter is optional

.. code-block:: yaml

    designate:
      files:
        /etc/designate/designate.conf:
          user: 'root'
          group: 'designate'
          mode: '0750'
      directories:
        /etc/designate:
          user: 'root'
          group: 'designate'
          mode: '0750'

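As an added example (not the formula's state code), the following resolves a files/directories pillar against the defaults listed above and flags modes that grant anything to "other" or set an execute bit on a configuration file; designate.conf carries the database, Keystone and RabbitMQ credentials from the sample pillar, so its mode is worth checking. The paths come from the page; the rndc.key entry in the test is constructed.

```python
"""Resolve the designate files/directories pillar and flag loose modes.

Added example, not the formula's own state code. Defaults are the ones the
page lists: user root, group designate, mode 0640 for files, 0750 for
directories.
"""
import stat

DEFAULTS = {
    "files": {"user": "root", "group": "designate", "mode": "0640"},
    "directories": {"user": "root", "group": "designate", "mode": "0750"},
}

# The sample pillar from the page, as YAML would load it (modes kept as quoted strings).
PILLAR = {
    "designate": {
        "files": {"/etc/designate/designate.conf": {"user": "root", "group": "designate", "mode": "0750"}},
        "directories": {"/etc/designate": {"user": "root", "group": "designate", "mode": "0750"}},
    }
}


def resolve_permissions(pillar: dict) -> dict:
    """Return {path: {"user", "group", "mode", "kind"}} with the pillar defaults applied."""
    resolved = {}
    for kind in ("files", "directories"):
        for path, spec in pillar.get("designate", {}).get(kind, {}).items():
            entry = dict(DEFAULTS[kind])
            # A path with no children (None) keeps every default.
            entry.update({k: v for k, v in (spec or {}).items() if k in entry})
            entry["kind"] = kind
            resolved[path] = entry
    return resolved


def loose_modes(resolved: dict) -> list:
    """Paths readable/writable by 'other', or files carrying an execute bit."""
    findings = []
    for path, entry in sorted(resolved.items()):
        mode = int(entry["mode"], 8)
        if mode & stat.S_IRWXO:
            findings.append("%s: mode %s is accessible to other" % (path, entry["mode"]))
        if entry["kind"] == "files" and mode & (stat.S_IXUSR | stat.S_IXGRP):
            findings.append("%s: execute bit set on a configuration file" % path)
    return findings
```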
Upgrades
========

Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The list
of phases and their descriptions are given in the table below:

+-------------------------------+------------------------------------------------------+
| State                         | Description                                          |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application  |
|                               | are enabled for autostart and running                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application  |
|                               | are disabled for autostart and dead                  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkgs_latest     | Ensure that packages used by particular application  |
|                               | are installed to latest available version.           |
|                               | This will not upgrade data plane packages like qemu  |
|                               | and openvswitch as usually minimal required version  |
|                               | in openstack services is really old. The data plane  |
|                               | packages should be upgraded separately by `apt-get   |
|                               | upgrade` or `apt-get dist-upgrade`.                  |
|                               | Applying this state will not autostart service.      |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure configuration is rendered for actual version. |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre             | We assume this state is applied on all nodes in the  |
|                               | cloud before running upgrade.                        |
|                               | Only non-destructive actions will be applied during  |
|                               | this phase. Perform the service's built-in checks    |
|                               | (e.g. keystone-manage doctor, nova-status upgrade).  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre     | Mostly applicable for data plane nodes. During this  |
|                               | phase resources will be gracefully removed from      |
|                               | current node if it is allowed. Services for upgraded |
|                               | application will be set to admin disabled state to   |
|                               | make sure node will not participate in resources     |
|                               | scheduling. For example on gtw nodes this will set   |
|                               | all agents to admin disable state and will move all  |
|                               | routers to other agents.                             |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade         | This state will basically upgrade application on     |
|                               | particular target. Stop services, render             |
|                               | configuration, install new packages, run offline     |
|                               | dbsync (for ctl), start services. Data plane should  |
|                               | not be affected, only OpenStack python services.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post    | Add services back to scheduling.                     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post            | This phase should be launched only when upgrade of   |
|                               | the cloud is completed. Cleanup temporary files,     |
|                               | perform other post upgrade tasks.                    |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify          | Here we will do basic health checks (API CRUD        |
|                               | operations, verify there are no dead network         |
|                               | agents/compute services)                             |
+-------------------------------+------------------------------------------------------+

Upgrade pillar example:

.. code-block:: yaml

    designate:
      upgrade:
        enabled: true
        old_release: pike
        new_release: queens
        verify:
          zone:
            enabled: true
            name: upgradetest.com.

.. note::
    During upgrade, zone creation testing is disabled by default,
    because the conditions for successful zone creation are very specific to each environment.
    When enabling zone testing, the allowed TLDs in Designate should be considered.
    More details about TLDs: https://docs.openstack.org/designate/pike/admin/tlds.html