From 822cb58246042dbb9054468d593dc7f34076985e Mon Sep 17 00:00:00 2001
From: Peter Razumovsky
Date: Tue, 7 Mar 2017 12:27:39 +0000
Subject: [PATCH] Designate bind9 backend

Add bind9 backend for designate. It required worker and bind9 services for correct work.

Change-Id: I79472fc80c1f48daaf64300f8a71ee50baa6ebd5
---
 docker/designate-backend-bind9/Dockerfile.j2 | 13 ++++
 docker/designate-base/Dockerfile.j2 | 2 +-
 docker/designate-pool-manager/Dockerfile.j2 | 9 ++-
 docker/designate-worker/Dockerfile.j2 | 8 +++
 service/designate-mdns.yaml | 63 +++++++++++++++++++-
 service/designate-pool-manager.yaml | 13 +++-
 service/files/bind9-pools.yaml.j2 | 27 +++++++++
 service/files/defaults.yaml | 13 +++-
 service/files/designate.conf.j2 | 15 ++++-
 service/files/named.conf.j2 | 12 ++++
 service/files/named.conf.options.j2 | 39 ++++++++++++
 service/files/rndc.conf.j2 | 8 +++
 service/files/rndc.key.j2 | 4 ++
 13 files changed, 215 insertions(+), 11 deletions(-)
 create mode 100644 docker/designate-backend-bind9/Dockerfile.j2
 create mode 100644 docker/designate-worker/Dockerfile.j2
 create mode 100644 service/files/bind9-pools.yaml.j2
 create mode 100644 service/files/named.conf.j2
 create mode 100644 service/files/named.conf.options.j2
 create mode 100644 service/files/rndc.conf.j2
 create mode 100644 service/files/rndc.key.j2

diff --git a/docker/designate-backend-bind9/Dockerfile.j2 b/docker/designate-backend-bind9/Dockerfile.j2
new file mode 100644
index 0000000..c743614
--- /dev/null
+++ b/docker/designate-backend-bind9/Dockerfile.j2
@@ -0,0 +1,13 @@
+FROM {{ image_spec("designate-base") }}
+MAINTAINER {{ maintainer }}
+
+RUN apt-get update -y \
+ && apt-get install -y --no-install-recommends \
+ --no-install-suggests \
+ bind9
+
+RUN mkdir -p /var/run/named /etc/bind \
+ && chmod 775 /var/run/named \
+ && chown root:bind /var/run/named
+
+RUN apt-get clean
diff --git a/docker/designate-base/Dockerfile.j2 b/docker/designate-base/Dockerfile.j2
index f6b8025..7e593dd 100644
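Review bot: `RUN apt-get clean` as a separate final layer in the new designate-backend-bind9 Dockerfile does not reduce the image, because the package lists and cache fetched by the earlier `apt-get update` / `apt-get install` layer are already committed there. Folding it into the install step, `&& apt-get clean \` followed by `&& rm -rf /var/lib/apt/lists/*`, matches the single-RUN form the pool-manager and worker Dockerfiles in this patch use. The `chmod 775` plus `chown root:bind` on `/var/run/named` gives the `bind` group write access for the pid file, which is what the `-u bind` invocation in designate-mdns.yaml needs, so that part looks right.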
--- a/docker/designate-base/Dockerfile.j2
+++ b/docker/designate-base/Dockerfile.j2
@@ -12,5 +12,5 @@ RUN useradd --user-group -G microservices designate \
 && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/microservices/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf
 COPY designate_sudoers /etc/sudoers.d/designate_sudoers
-RUN chmod 750 /etc/sudoers.d \
+RUN chmod 750 /etc/sudoers.d /etc/designate/rootwrap.d/ \
 && chmod 440 /etc/sudoers.d/designate_sudoers
diff --git a/docker/designate-pool-manager/Dockerfile.j2 b/docker/designate-pool-manager/Dockerfile.j2
index 150f9f9..09b4fa4 100644
--- a/docker/designate-pool-manager/Dockerfile.j2
+++ b/docker/designate-pool-manager/Dockerfile.j2
@@ -2,8 +2,11 @@ FROM {{ image_spec("designate-base") }}
 MAINTAINER {{ maintainer }}
 #mysql-client only for provisioning need to be removed later
-RUN apt-get install -y --no-install-recommends \
- mysql-client \
- && apt-get clean
+RUN apt-get update -y \
+ && apt-get install -y --no-install-recommends mysql-client bind9 \
+ && apt-get clean \
+ && mkdir -p /etc/bind \
+ && chown -R designate:designate /etc/bind
 USER designate
+
diff --git a/docker/designate-worker/Dockerfile.j2 b/docker/designate-worker/Dockerfile.j2
new file mode 100644
index 0000000..1493962
--- /dev/null
+++ b/docker/designate-worker/Dockerfile.j2
@@ -0,0 +1,8 @@
+FROM {{ image_spec("designate-base") }}
+MAINTAINER {{ maintainer }}
+
+RUN apt-get update -y \
+ && apt-get install -y --no-install-recommends bind9 \
+ && apt-get clean \
+ && mkdir -p /etc/bind \
+ && chown -R designate:designate /etc/bind
diff --git a/service/designate-mdns.yaml b/service/designate-mdns.yaml
index 063739a..0b275e2 100644
--- a/service/designate-mdns.yaml
+++ b/service/designate-mdns.yaml
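Review bot: The pool-manager Dockerfile installs the full `bind9` server package although this container only needs the `rndc` client to talk to the backend; on Debian/Ubuntu `rndc` ships in `bind9utils`, so `&& apt-get install -y --no-install-recommends mysql-client bind9utils \` gives the same functionality without an unused named binary in the image. The new designate-worker Dockerfile in this patch has the same issue. `chown -R designate:designate /etc/bind` also makes the directory that will hold rndc.key writable by the service user; if the orchestrator only needs the mounted files to be readable, group ownership with read permission would be the tighter choice, but how the files are placed is not visible from here.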
@@ -1,6 +1,11 @@ dsl_version: 0.5.0 service: name: designate-mdns + ports: + - {{ designate.bind_port }} + - {{ designate.worker_port }} + - {{ designate.mdns_port }} + - {{ designate.rndc_port }} containers: - name: designate-mdns image: designate-mdns @@ -10,8 +15,64 @@ service: files: - designate-conf command: designate-mdns --config-file /etc/designate/designate.conf - + - name: designate-backend-bind9 + image: designate-backend-bind9 + daemon: + files: + - named-conf-options + - rndc-conf + - named-conf + - rndc-key + command: /usr/sbin/named -g -c /etc/bind/named.conf -u bind + - name: designate-worker + image: designate-worker + pre: + - name: designate-pool-update + # {% if designate.backend == "bind9" %} + dependencies: + - designate-backend-bind9 + # {% endif %} + files: + # {% if designate.backend == "bind9" %} + - bind9-pools + # {% else %} + - fake-pools + # {% endif %} + - designate-conf + type: local + command: designate-manage pool update --file /etc/designate/pools.yaml + daemon: + dependencies: + - designate-api + files: + # {% if designate.backend == "bind9" %} + - bind9-pools + # {% else %} + - fake-pools + # {% endif %} + - designate-conf + - rndc-conf + - rndc-key + command: designate-worker --config-file /etc/designate/designate.conf files: + rndc-conf: + path: /etc/bind/rndc.conf + content: rndc.conf.j2 + named-conf-options: + path: /etc/bind/named.conf.options + content: named.conf.options.j2 + named-conf: + path: /etc/bind/named.conf + content: named.conf.j2 + rndc-key: + path: /etc/bind/rndc.key + content: rndc.key.j2 designate-conf: path: /etc/designate/designate.conf content: designate.conf.j2 + fake-pools: + path: /etc/designate/pools.yaml + content: pools.yaml.j2 + bind9-pools: + path: /etc/designate/pools.yaml + content: bind9-pools.yaml.j2 diff --git a/service/designate-pool-manager.yaml b/service/designate-pool-manager.yaml index bffd34a..52e657d 100644 --- a/service/designate-pool-manager.yaml 
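Review bot: The mdns service now publishes `designate.rndc_port` and `designate.bind_port` alongside the mdns port; rndc is named's control channel, and named.conf.j2 in this patch accepts control connections from `any` address that holds the key, so the rndc port should only be reachable from the worker/pool-manager hosts rather than on a general ingress. `designate.worker_port` is listed as well, but as far as this patch shows nothing configures the worker to listen on it — if it is reserved for later a comment on the line would help, otherwise it can be dropped.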
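Review bot: The `designate-backend-bind9` container is added unconditionally, while the pool-update step's dependency on it and the choice between `bind9-pools` and `fake-pools` are wrapped in `# {% if designate.backend == "bind9" %}`, so a deployment with another backend still starts a named instance that nothing uses. Wrapping the container entry in the same conditional keeps the three places consistent. A short comment on the `fake-pools` / `bind9-pools` entries noting that both render to `/etc/designate/pools.yaml` and only one is selected by the backend conditional would also save the next reader a double-take.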
+++ b/service/designate-pool-manager.yaml @@ -24,7 +24,7 @@ service: command: designate-manage pool update --file /etc/designate/pools.yaml - name: designate-pool-sync dependencies: - - designate-pool-manager-db-create + - designate-pool-update files: - designate-conf type: single @@ -34,6 +34,8 @@ service: - designate-api files: - designate-conf + - rndc-conf + - rndc-key command: designate-pool-manager --config-file /etc/designate/designate.conf files: @@ -43,3 +45,12 @@ files: pools: path: /etc/designate/pools.yaml content: pools.yaml.j2 + named-conf: + path: /etc/bind/named.conf.options + content: named.conf.options.j2 + rndc-conf: + path: /etc/bind/rndc.conf + content: rndc.conf.j2 + rndc-key: + path: /etc/bind/rndc.key + content: rndc.key.j2 diff --git a/service/files/bind9-pools.yaml.j2 b/service/files/bind9-pools.yaml.j2 new file mode 100644 index 0000000..4f54280 --- /dev/null +++ b/service/files/bind9-pools.yaml.j2 @@ -0,0 +1,27 @@ +--- +- name: default + description: CCP BIND Pool + attributes: {} + + ns_records: + - hostname: ns.ccp.org. + priority: 1 + + nameservers: + - host: {{ network_topology["private"]["address"] }} + port: {{ designate.bind_port.cont }} + + targets: + - type: bind9 + description: BIND Instance + + masters: + - host: {{ network_topology["private"]["address"] }} + port: {{ designate.mdns_port.cont }} + + options: + host: {{ network_topology["private"]["address"] }} + port: {{ designate.bind_port.cont }} + rndc_host: {{ network_topology["private"]["address"] }} + rndc_port: {{ designate.rndc_port.cont }} + rndc_key_file: /etc/bind/rndc.key diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml index 3f13db9..faa8f9f 100644 --- a/service/files/defaults.yaml +++ b/service/files/defaults.yaml 
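Review bot: The new file entry in service/designate-pool-manager.yaml is keyed `named-conf` but points at `/etc/bind/named.conf.options` with content `named.conf.options.j2`; designate-mdns.yaml in this patch names the same template `named-conf-options`, so renaming the key here (`named-conf-options:`) avoids two names for one file. The files hunk above only adds `rndc-conf` and `rndc-key` to the daemon, so as far as these hunks show nothing in this service mounts `named-conf`; if that holds for the rest of the file the entry can be dropped.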
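Review bot: The pool's NS record is hard-coded as `hostname: ns.ccp.org.` in bind9-pools.yaml.j2 while every address and port around it is templated; this name is published in the NS/SOA records of every zone Designate creates, so it should come from a configurable default (for example a `designate.ns_hostname` key in defaults.yaml — name constructed) rather than a fixed placeholder. A comment noting that `rndc_key_file: /etc/bind/rndc.key` must match the `rndc-key` path in designate-mdns.yaml and designate-pool-manager.yaml would help keep the three in sync.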
@@ -3,13 +3,21 @@ configs: api_port: cont: 9001 ingress: dns - - debug: false + mdns_port: + cont: 5354 + rndc_port: + cont: 953 + bind_port: + cont: 53 + worker_port: + cont: 5358 + debug: true notification: driver: noop topics: enabled: false names: changeme + backend: bind9 # options, allows to configure services particularly service: central: @@ -36,6 +44,7 @@ configs: secret_configs: designate: + rndc_key_secret: fapwtRlIgYwYeQeyY3U1+Q== username: designate password: password db: diff --git a/service/files/designate.conf.j2 b/service/files/designate.conf.j2 index 0454033..c9e364c 100644 --- a/service/files/designate.conf.j2 +++ b/service/files/designate.conf.j2 @@ -19,12 +19,12 @@ notification_topics = {{ designate.notification.topics.names }} rabbit_userid = {{ rabbitmq.user }} rabbit_password = {{ rabbitmq.password }} -rabbit_hosts = {{ address("rabbitmq", rabbitmq.port) }} +rabbit_hosts = {{ address("rpc", rabbitmq.port) }} [oslo_messaging_rabbit] rabbit_userid = {{ rabbitmq.user }} rabbit_password = {{ rabbitmq.password }} -rabbit_hosts = {{ address("rabbitmq", rabbitmq.port) }} +rabbit_hosts = {{ address("rpc", rabbitmq.port) }} #-------------------- # Keystone Middleware @@ -55,6 +55,8 @@ enable_api_v1 = True enabled_extensions_v1 = diagnostics, quotas, reports, sync, touch enable_api_v2 = True enabled_extensions_v2 = quotas, reports +enable_api_admin = True +listen = {{ address("designate-api", designate.api_port) }} #------------- # Sink Service @@ -68,6 +70,7 @@ enabled_notification_handlers = nova_fixed, neutron_floatingip [service:mdns] workers = {{ designate.service.mdns.workers }} threads = {{ designate.service.mdns.threads }} +all_tcp = True #-------------- # Agent Service @@ -75,6 +78,10 @@ threads = {{ designate.service.mdns.threads }} [service:agent] workers = {{ designate.service.agent.workers }} +[service:worker] +enabled = True +notify = True + #--------------------- # Zone Manager Service #--------------------- 
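Review bot: `debug: false` is flipped to `debug: true` in defaults.yaml, which turns on debug logging for every deployment that does not override it; if this was for testing the new backend it should go back to `debug: false` before merge, and if it is intentional the commit message should say why. `backend: bind9` as the default is consistent with the conditionals in designate-mdns.yaml; a comment listing the accepted values (`bind9` and whatever selects `fake-pools`) next to it would document the switch.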
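Review bot: `rndc_key_secret` ships with a fixed default value in defaults.yaml, so every deployment that does not override it shares the same rndc control key, and the committed value is now public in the repository history. Combined with the `allow { any; }` controls stanza in named.conf.j2 and the rndc port being published by the mdns service, whoever can reach that port with this key has full control of named. The default should be something that cannot silently work — for example `rndc_key_secret: null` so rendering fails until an operator sets it, or a per-deployment generated value — and the committed key should be regarded as burned.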
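Review bot: `[service:worker]` with `enabled = True` is set unconditionally in designate.conf.j2 while the pool-manager service is still deployed and extended by this patch; in Designate, enabling the worker service presumably routes central's zone operations to the worker instead of the pool manager, so running both may leave one of them idle — worth confirming against the Designate release in use and documenting which path is intended. `all_tcp = True` in `[service:mdns]` and the new `listen = ...` / `enable_api_admin = True` lines in the API section each deserve a one-line comment explaining why the bind9 backend needs them.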
@@ -99,6 +106,9 @@ threads = {{ designate.service.pool_manager.threads }}
 {% if designate.pool is defined %}
 pool_id = {{ designate.pool.pool_id }}
 {%- endif %}
+periodic_sync_interval = 1800
+periodic_recovery_interval = 120
+
 ###################################
 ## Pool Manager Cache Configuration
@@ -139,4 +149,3 @@ notification_topics = notifications
 control_exchange = 'neutron'
 format = '%(hostname)s.%(domain)s'
-
diff --git a/service/files/named.conf.j2 b/service/files/named.conf.j2
new file mode 100644
index 0000000..e86169a
--- /dev/null
+++ b/service/files/named.conf.j2
@@ -0,0 +1,12 @@
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/rndc.key";
+
+controls {
+ inet * port {{ designate.rndc_port.cont }}
+ allow { any; } keys { "rndc-key"; };
+ inet * port {{ designate.bind_port.cont }}
+ allow { any; } keys { "rndc-key"; };
+};
+
diff --git a/service/files/named.conf.options.j2 b/service/files/named.conf.options.j2
new file mode 100644
index 0000000..21c8995
--- /dev/null
+++ b/service/files/named.conf.options.j2
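Review bot: The second control channel, `inet * port {{ designate.bind_port.cont }}` in named.conf.j2, tells named to open an rndc control socket on the DNS port, which contends with the `listen-on { any; }` and `query-source ... port` settings for port 53 in named.conf.options.j2; nothing in this patch uses a control channel on that port (rndc.conf.j2 only sets `default-port {{ designate.rndc_port.cont }}`), so that `inet`/`allow` pair should be removed. The remaining channel is bound to `*` with `allow { any; }`, leaving the key as the only barrier; restricting it to the address rndc.conf.j2 actually connects to, `allow { {{ network_topology["private"]["address"] }}; } keys { "rndc-key"; };`, is cheap defence in depth. A header comment stating that `named.conf.local` and `named.conf.default-zones` are expected from the bind9 package would explain why this file only works in the backend image.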
@@ -0,0 +1,39 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation yes;
+ dnssec-enable yes;
+ auth-nxdomain no; # conform to RFC1035
+ allow-new-zones yes;
+ request-ixfr no;
+ recursion no;
+ query-source address * port {{ designate.bind_port.cont }};
+ listen-on { any; };
+ listen-on-v6 { ipv-6-address; };
+ allow-query {
+ any;
+ 10.233.0.0/16;
+ };
+ allow-notify {
+ any;
+ 10.233.0.0/16;
+ };
+};
+
diff --git a/service/files/rndc.conf.j2 b/service/files/rndc.conf.j2
new file mode 100644
index 0000000..da3fd01
--- /dev/null
+++ b/service/files/rndc.conf.j2
@@ -0,0 +1,8 @@
+include "/etc/bind/rndc.key";
+
+options {
+ default-key "rndc-key";
+ default-server {{ network_topology["private"]["address"] }};
+ default-port {{ designate.rndc_port.cont }};
+};
+
diff --git a/service/files/rndc.key.j2 b/service/files/rndc.key.j2
new file mode 100644
index 0000000..a598ae1
--- /dev/null
+++ b/service/files/rndc.key.j2
@@ -0,0 +1,4 @@
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "{{ designate.rndc_key_secret }}";
+};
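Review bot: `listen-on-v6 { ipv-6-address; };` in named.conf.options.j2 is not a valid address-match-list element — `ipv-6-address` is neither an address literal nor a defined acl — so named will refuse to load this configuration; `listen-on-v6 { none; };` (or `any;` if IPv6 service is wanted) is what was presumably intended. `query-source address * port {{ designate.bind_port.cont }};` pins the source port of named's own outbound queries (the SOA refresh queries it sends to mdns as a secondary), which is exactly the source-port-randomisation weakness the comment above it cites (VU#800113); dropping the port clause, `query-source address *;`, restores randomised source ports. In both `allow-query` and `allow-notify` the `any;` element makes the following `10.233.0.0/16;` dead, so either the CIDR was meant to be the only entry or `any` is intended and the CIDR should go — `allow-notify { any; }` in particular lets any host trigger zone refreshes, so the narrower reading is the one to confirm.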
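Review bot: `algorithm hmac-md5;` in rndc.key.j2 selects the weakest TSIG HMAC BIND offers; `algorithm hmac-sha256;` is a drop-in replacement accepted by both named and rndc with the same base64 secret format, and bind9-pools.yaml.j2 only references the key file so nothing else needs to change. The secret is rendered verbatim into a quoted string, which is fine for base64 values but would break on one containing a double quote; a one-line comment stating that `designate.rndc_key_secret` must be a base64 string (as `rndc-confgen` produces) would help operators overriding the default.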