社区编辑申请
注册/登录
用OpenStack Designate构建一个DNS即服务(DNSaaS)
运维 系统运维 SaaS OpenStack
学习如何安装和配置 Designate,这是一个 OpenStack 的多租户 DNS 即服务(DNSaaS)。

用OpenStack Designate构建一个DNS即服务(DNSaaS)

学习如何安装和配置 Designate,这是一个 OpenStack 的多租户 DNS 即服务(DNSaaS)。

Designate 是一个多租户的 DNS 即服务,它包括一个用于域名和记录管理的 REST API 和集成了 Neutron 的框架,并支持 Bind9。

DNSaaS 可以提供:

  • 一个管理区域和记录的干净利落的 REST API
  • 自动生成记录(集成 OpenStack)
  • 支持多个授权名字服务器
  • 可以托管多个项目/组织

Designate's architecture

Designate's architecture

这篇文章解释了如何在 CentOS 和 RHEL 上手动安装和配置 Designate 的当前版本,但是同样的配置也可以用在其它发行版上。

在 OpenStack 上安装 Designate

在我的 GitHub 仓库里,我已经放了 Ansible 的 bind 和 Designate 角色的示范设置。

这个设置假定 bing 服务是安装 OpenStack 控制器节点之外(即使你可以在本地安装 bind)。

1、在 OpenStack 控制节点上安装 Designate 和 bind 软件包:

  1. # yum install openstack-designate-* bind bind-utils -y

2、创建 Designate 数据库和用户:

  1. MariaDB [(none)]> CREATE DATABASE designate CHARACTER SET utf8 COLLATE utf8_general_ci;
  2. MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO \
  3. 'designate'@'localhost' IDENTIFIED BY 'rhlab123';
  4.  
  5. MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'%' \
  6. IDENTIFIED BY 'rhlab123';

注意:bind 包必须安装在控制节点之外才能使远程名字服务控制Remote Name Daemon Control(RNDC)功能正常。

配置 bind(DNS 服务器)

1、生成 RNDC 文件:

  1. rndc-confgen -a -k designate -c /etc/rndc.key -r /dev/urandom
  2.  
  3. cat <<EOF> etcrndc.conf
  4. include "/etc/rndc.key";
  5. options {
  6. default-key "designate";
  7. default-server {{ DNS_SERVER_IP }};
  8. default-port 953;
  9. };
  10. EOF

2、将下列配置添加到 named.conf

  1. include "/etc/rndc.key";
  2. controls {
  3. inet {{ DNS_SERVER_IP }} allow { localhost;{{ CONTROLLER_SERVER_IP }}; } keys { "designate"; };
  4. };

option 节中,添加:

  1. options {
  2. ...
  3. allow-new-zones yes;
  4. request-ixfr no;
  5. listen-on port 53 { any; };
  6. recursion no;
  7. allow-query { 127.0.0.1; {{ CONTROLLER_SERVER_IP }}; };
  8. };

添加正确的权限:

  1. chown named:named /etc/rndc.key
  2. chown named:named /etc/rndc.conf
  3. chmod 600 /etc/rndc.key
  4. chown -v root:named /etc/named.conf
  5. chmod g+w /var/named
  6.  
  7. # systemctl restart named
  8. # setsebool named_write_master_zones 1

3、把 rndc.keyrndc.conf 推入 OpenStack 控制节点:

  1. # scp -r /etc/rndc* {{ CONTROLLER_SERVER_IP }}:/etc/

创建 OpenStack Designate 服务和端点

输入:

  1. # openstack user create --domain default --password-prompt designate
  2. # openstack role add --project services --user designate admin
  3. # openstack service create --name designate --description "DNS" dns
  4.  
  5. # openstack endpoint create --region RegionOne dns public http://{{ CONTROLLER_SERVER_IP }}:9001/
  6. # openstack endpoint create --region RegionOne dns internal http://{{ CONTROLLER_SERVER_IP }}:9001/
  7. # openstack endpoint create --region RegionOne dns admin http://{{ CONTROLLER_SERVER_IP }}:9001/

配置 Designate 服务

1、编辑 /etc/designate/designate.conf

[service:api] 节配置 auth_strategy

  1. [service:api]
  2. listen = 0.0.0.0:9001
  3. auth_strategy = keystone
  4. api_base_uri = http://{{ CONTROLLER_SERVER_IP }}:9001/
  5. enable_api_v2 = True
  6. enabled_extensions_v2 = quotas, reports

[keystone_authtoken] 节配置下列选项:

  1. [keystone_authtoken]
  2. auth_type = password
  3. username = designate
  4. password = rhlab123
  5. project_name = service
  6. project_domain_name = Default
  7. user_domain_name = Default
  8. www_authenticate_uri = http://{{ CONTROLLER_SERVER_IP }}:5000/
  9. auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000/

[service:worker] 节,启用 worker 模型:

  1. enabled = True
  2. notify = True

[storage:sqlalchemy] 节,配置数据库访问:

  1. [storage:sqlalchemy]
  2. connection = mysql+pymysql://designate:rhlab123@{{ CONTROLLER_SERVER_IP }}/designate

填充 Designate 数据库:

  1. # su -s /bin/sh -c "designate-manage database sync" designate

2、 创建 Designate 的 pools.yaml 文件(包含 target 和 bind 细节):

编辑 /etc/designate/pools.yaml

  1. - name: default
  2. # The name is immutable. There will be no option to change the name after
  3. # creation and the only way will to change it will be to delete it
  4. # (and all zones associated with it) and recreate it.
  5. description: Default Pool
  6.  
  7. attributes: {}
  8.  
  9. # List out the NS records for zones hosted within this pool
  10. # This should be a record that is created outside of designate, that
  11. # points to the public IP of the controller node.
  12. ns_records:
  13. - hostname: {{Controller_FQDN}}. # Thisis mDNS
  14. priority: 1
  15.  
  16. # List out the nameservers for this pool. These are the actual BIND servers.
  17. # We use these to verify changes have propagated to all nameservers.
  18. nameservers:
  19. - host: {{ DNS_SERVER_IP }}
  20. port: 53
  21.  
  22. # List out the targets for this pool. For BIND there will be one
  23. # entry for each BIND server, as we have to run rndc command on each server
  24. targets:
  25. - type: bind9
  26. description: BIND9 Server 1
  27.  
  28. # List out the designate-mdns servers from which BIND servers should
  29. # request zone transfers (AXFRs) from.
  30. # This should be the IP of the controller node.
  31. # If you have multiple controllers you can add multiple masters
  32. # by running designate-mdns on them, and adding them here.
  33. masters:
  34. - host: {{ CONTROLLER_SERVER_IP }}
  35. port: 5354
  36.  
  37. # BIND Configuration options
  38. options:
  39. host: {{ DNS_SERVER_IP }}
  40. port: 53
  41. rndc_host: {{ DNS_SERVER_IP }}
  42. rndc_port: 953
  43. rndc_key_file: /etc/rndc.key
  44. rndc_config_file: /etc/rndc.conf

填充 Designate 池:

  1. su -s /bin/sh -c "designate-manage pool update" designate

3、启动 Designate 中心和 API 服务:

  1. systemctl enable --now designate-central designate-api

4、验证 Designate 服务运行:

  1. # openstack dns service list
  2.  
  3. +--------------+--------+-------+--------------+
  4. | service_name | status | stats | capabilities |
  5. +--------------+--------+-------+--------------+
  6. | central | UP | - | - |
  7. | api | UP | - | - |
  8. | mdns | UP | - | - |
  9. | worker | UP | - | - |
  10. | producer | UP | - | - |
  11. +--------------+--------+-------+--------------+

用外部 DNS 配置 OpenStack Neutron

1、为 Designate 服务配置 iptables:

  1. # iptables -I INPUT -p tcp -m multiport --dports 9001 -m comment --comment "designate incoming" -j ACCEPT
  2. # iptables -I INPUT -p tcp -m multiport --dports 5354 -m comment --comment "Designate mdns incoming" -j ACCEPT
  3. # iptables -I INPUT -p tcp -m multiport --dports 53 -m comment --comment "bind incoming" -j ACCEPT
  4. # iptables -I INPUT -p udp -m multiport --dports 53 -m comment --comment "bind/powerdns incoming" -j ACCEPT
  5. # iptables -I INPUT -p tcp -m multiport --dports 953 -m comment --comment "rndc incoming - bind only" -j ACCEPT
  6. # service iptables save; service iptables restart
  7. # setsebool named_write_master_zones 1

2、 编辑 /etc/neutron/neutron.conf[default] 节:

  1. external_dns_driver = designate

3、 在 /etc/neutron/neutron.conf 中添加 [designate] 节:

  1. [designate]
  2. url = http://{{ CONTROLLER_SERVER_IP }}:9001/v2 ## This end point of designate
  3. auth_type = password
  4. auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000
  5. username = designate
  6. password = rhlab123
  7. project_name = services
  8. project_domain_name = Default
  9. user_domain_name = Default
  10. allow_reverse_dns_lookup = True
  11. ipv4_ptr_zone_prefix_size = 24
  12. ipv6_ptr_zone_prefix_size = 116

4、编辑 neutron.confdns_domain

  1. dns_domain = rhlab.dev.

重启:

  1. # systemctl restart neutron-*

5、在 /etc/neutron/plugins/ml2/ml2_conf.ini 中的组成层 2(ML2)中添加 dns

  1. extension_drivers=port_security,qos,dns

6、在 Designate 中添加区域:

  1. # openstack zone create email=admin@rhlab.dev rhlab.dev.

rhlab.dev 区域中添加记录:

  1. # openstack recordset create --record '192.168.1.230' --type A rhlab.dev. Test

Designate 现在就安装和配置好了。

 

责任编辑:庞桂玉 来源: Linux中国
相关推荐

2017-09-27 23:14:29

OPENSTACKDRaaS

2013-01-08 10:59:14

IBMdW

2014-11-27 15:32:31

openstacknetworkovs

2015-08-07 15:57:59

2016-02-29 16:54:10

2015-05-28 11:17:37

2012-05-16 09:59:30

2015-07-13 10:34:52

2015-09-17 13:50:47

2011-10-31 10:32:14

2015-07-17 16:49:13

OpenStack开源云平台云计算

2015-04-30 10:12:13

2018-11-05 17:06:02

2014-12-03 13:10:10

openstacknetworkneutron

2013-09-16 15:46:50

OpenStack云计算

同话题下的热门内容

Sentry日志监控系统基本介绍及部署使用

编辑推荐

六个人如何运维一万台服务器?Linux下如何使用minicom USB串口Linux中7个判断文件系统类型的方法从美团程序员的灾难,看美团外卖自动化运维体系建设如何限制SSH用户访问Linux中指定的目录
我收藏的内容
点赞
收藏

51CTO技术栈公众号