Get to know OpenStack DNS (Designate) as a SaaS


DNS (Designate) is one of the well known open source services in OpenStack. The project offers DNS as a Service (DNSaaS) together with a common, open API for programming DNS.

Like every other OpenStack API, Designate is integrated with Keystone authentication and authorization. Third party DNS providers such as PowerDNS and Infoblox back the API, and Designate also ships with its own mDNS service, batteries included.

Advantages of OpenStack Designate:

There are many benefits to incorporating Designate into your cloud:

  1. Integrating Designate with your cloud environment lets you standardize how DNS services are consumed inside OpenStack.
  2. Because Designate is open source and community supported, it avoids vendor lock-in and dependence on a specific DNS product.
  3. Designate offers a REST API for managing DNS records and zones.
  4. Designate is a multi-project service: it hosts more than one project and keeps each project's resources isolated from the others.
  5. Designate lets users share the same DNS backend from within their own projects without running into each other.
  6. Making DNS self-service inside a cloud also ensures that users from different OpenStack projects cannot publish conflicting sub-domain or super-domain names.
  7. Designate lets individual application teams manage the DNS records for their own SaaS applications without involving IT.
  8. Because IT involvement in record management is minimal, the overhead of reaching production is reduced.

You can install Designate in your deployment alongside the other OpenStack services, and you can configure it to use your own DNS backend. Designate lets users create their own DNS records while making sure that those records do not collide with each other.

Designate integrates well with Neutron, the OpenStack networking service. With Designate, a user can assign DNS names to the dynamic (floating) IPs created in Neutron, and those IPs can then be attached to any instance. DNS names or domain names can likewise be assigned to Neutron networks, so that everything on a given network can use subdomains for addressing. In other words, every virtual machine attached to that network receives a distinct DNS name derived from the domain name previously assigned to the network.

Designate as SaaS using Platform9:

Platform9 Managed OpenStack includes several services, and Designate is one of them. Platform9 users only need to set up their DNS backend and link it to the Platform9 DNS API. Administrators perform a one-time setup to connect their DNS to Platform9 OpenStack and can then encourage their development teams to use it immediately. Platform9 handles upgrades and monitoring of the OpenStack services. As a result, provisioning a DNS name or domain becomes as easy as provisioning a shared work network with Neutron on Platform9 OpenStack.

Install and Configure a DNS-as-a-service with OpenStack Designate

As discussed earlier, Designate is a multi-project DNS-as-a-Service that provides a REST API for domain and record management and a framework for integrating with Neutron.

Users consider a DNSaaS for the following reasons:

  • It provides a REST API for managing DNS zones and DNS records.
  • Because it is integrated with OpenStack, records can be generated automatically.
  • It supports more than one authoritative name server.
  • It supports hosting more than one project.

In this section we explain how to install and configure the current version of the Designate service on CentOS or Red Hat Enterprise Linux 7. The same configuration process can also be used on other distributions.

Installation of Designate on OpenStack:

Note:

We have Ansible roles for bind and Designate that show this setup in our GitHub repository. The setup assumes that bind is an external service, separate from the OpenStack controller node; if you prefer, you can still install bind locally.

  • Install bind and the Designate packages on the OpenStack controller with yum:

# yum install openstack-designate-* bind bind-utils -y

  • Create the Designate database and user with the following commands:

MariaDB [(none)]> CREATE DATABASE designate CHARACTER SET utf8 COLLATE utf8_general_ci;

MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'localhost' IDENTIFIED BY 'rhlab123';

MariaDB [(none)]> GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'%' IDENTIFIED BY 'rhlab123';

Important Note:

For RNDC (Remote Name Daemon Control) to work properly, the bind packages must also be installed on the controller side.

  • Configure bind as the DNS server. Generate the RNDC files with the following commands:

rndc-confgen -a -k designate -c /etc/rndc.key -r /dev/urandom

cat <<EOF > /etc/rndc.conf
include "/etc/rndc.key";
options {
   default-key "designate";
   default-server {{ DNS_SERVER_IP }};
   default-port 953;
};
EOF

  • Add the following to named.conf:

include "/etc/rndc.key";
controls {
  inet {{ DNS_SERVER_IP }} allow { localhost; {{ CONTROLLER_SERVER_IP }}; } keys { "designate"; };
};

In the options section, add:

options {
 allow-new-zones yes;
 request-ixfr no;
 listen-on port 53 { any; };
 recursion no;
 allow-query { 127.0.0.1; {{ CONTROLLER_SERVER_IP }}; };
};

  • Next, set the right permissions as follows:

 chown named:named /etc/rndc.key
 chown named:named /etc/rndc.conf
 chmod 600 /etc/rndc.key
 chown -v root:named /etc/named.conf
 chmod g+w /var/named


# systemctl restart named
# setsebool named_write_master_zones 1
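As an added check that is not part of the original post, the following script audits a named.conf against the settings the steps above put in place: recursion off, allow-query limited to localhost and the controller, and the rndc control channel limited to those hosts and bound to the designate key. The sample configuration and the 10.0.0.x addresses are constructed for illustration.

```python
import re

# Constructed named.conf fragment mirroring the settings this page adds, with the
# {{ DNS_SERVER_IP }} / {{ CONTROLLER_SERVER_IP }} placeholders filled in with
# sample addresses (10.0.0.5 = BIND host, 10.0.0.10 = OpenStack controller).
SAMPLE_NAMED_CONF = """
include "/etc/rndc.key";
controls {
  inet 10.0.0.5 allow { localhost; 10.0.0.10; } keys { "designate"; };
};
options {
  allow-new-zones yes;
  request-ixfr no;
  listen-on port 53 { any; };
  recursion no;
  allow-query { 127.0.0.1; 10.0.0.10; };
};
"""

def _block(text, name):
    """Body of the top-level 'name ... { ... }' statement, honouring nested braces."""
    m = re.search(rf"(?m)^\s*{name}\b[^{{]*\{{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def _acl(body, directive):
    """Entries of 'directive { a; b; }' inside body, or None when it is absent."""
    m = re.search(rf"\b{directive}\s*\{{([^}}]*)\}}", body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit_named_conf(text, controller_ip):
    """Return the hardening problems found; an empty list means the file matches the page's intent."""
    findings = []
    opts, ctrl = _block(text, "options"), _block(text, "controls")
    if not re.search(r"\brecursion\s+no\s*;", opts):
        findings.append("recursion is not disabled: the authoritative server would also act as an open resolver")
    queries = _acl(opts, "allow-query")
    if queries is None or "any" in queries:
        findings.append("allow-query is not restricted to localhost and the controller")
    allowed = _acl(ctrl, "allow") or []
    if "any" in allowed or controller_ip not in allowed:
        findings.append("rndc control channel is not limited to localhost and the controller")
    if '"designate"' not in (_acl(ctrl, "keys") or []):
        findings.append("rndc control channel is not bound to the designate key")
    return findings
```

Run it against the real /etc/named.conf on the DNS server with the controller's address to confirm nothing was loosened before the zones go live.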

  • Copy rndc.key and rndc.conf to the OpenStack controller with the following command:

# scp -r /etc/rndc* {{ CONTROLLER_SERVER_IP }}:/etc/

  • Then create the OpenStack Designate user, service and endpoints as shown below:

# openstack user create --domain default --password-prompt designate
# openstack role add --project services --user designate admin
# openstack service create --name designate --description "DNS" dns

# openstack endpoint create --region RegionOne dns public http://{{ CONTROLLER_SERVER_IP }}:9001/
# openstack endpoint create --region RegionOne dns internal http://{{ CONTROLLER_SERVER_IP }}:9001/
# openstack endpoint create --region RegionOne dns admin http://{{ CONTROLLER_SERVER_IP }}:9001/


Configure Designate service:

Edit /etc/designate/designate.conf as follows:

  • In the [service:api] section, configure auth_strategy:

[service:api]
listen = 0.0.0.0:9001
auth_strategy = keystone
api_base_uri = http://{{ CONTROLLER_SERVER_IP }}:9001/
enable_api_v2 = True
enabled_extensions_v2 = quotas, reports

  • Inside the [keystone_authtoken] section, configure the following options:

[keystone_authtoken]
auth_type = password
username = designate
password = rhlab123
project_name = service
project_domain_name = Default
user_domain_name = Default
www_authenticate_uri = http://{{ CONTROLLER_SERVER_IP }}:5000/
auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000/

  • Inside the [service:worker] section, enable the worker model as follows:

[service:worker]
enabled = True
notify = True

  • Inside the [storage:sqlalchemy] section, configure database access as shown below:

[storage:sqlalchemy]
connection = mysql+pymysql://designate:rhlab123@{{ CONTROLLER_SERVER_IP }}/designate

  • Once database access is configured, populate the Designate database with the following command:

# su -s /bin/sh -c "designate-manage database sync" designate

  • Then create Designate's pools.yaml file, which holds the target and bind details:

Edit /etc/designate/pools.yaml:

- name: default
  # The name is immutable. There is no option to change the name after
  # creation; the only way to change it is to delete the pool
  # (and all zones associated with it) and recreate it.
  description: Default Pool

  attributes: {}

  # List out the NS records for zones hosted within this pool.
  # This should be a record that is created outside of Designate and
  # points to the public IP of the controller node.
  ns_records:
    - hostname: {{Controller_FQDN}}. # This is mDNS
      priority: 1

  # List out the nameservers for this pool. These are the actual BIND servers.
  # We use these to verify changes have propagated to all nameservers.
  nameservers:
    - host: {{ DNS_SERVER_IP }}
      port: 53

  # List out the targets for this pool. For BIND there will be one
  # entry for each BIND server, as we have to run an rndc command on each server.
  targets:
    - type: bind9
      description: BIND9 Server 1

      # List out the designate-mdns servers from which BIND servers should
      # request zone transfers (AXFRs).
      # This should be the IP of the controller node.
      # If you have multiple controllers you can add multiple masters
      # by running designate-mdns on them and adding them here.
      masters:
        - host: {{ CONTROLLER_SERVER_IP }}
          port: 5354

      # BIND configuration options
      options:
        host: {{ DNS_SERVER_IP }}
        port: 53
        rndc_host: {{ DNS_SERVER_IP }}
        rndc_port: 953
        rndc_key_file: /etc/rndc.key
        rndc_config_file: /etc/rndc.conf

  • Then populate the Designate pools as follows:

su -s /bin/sh -c "designate-manage pool update" designate

  • Then enable and start the Designate central and API services with systemctl:

systemctl enable --now designate-central designate-api

  • Verify whether the Designate services are up:

# openstack dns service list

+--------------+--------+-------+--------------+
| service_name | status | stats | capabilities |
+--------------+--------+-------+--------------+
| central      | UP     | -     | -            |
| api          | UP     | -     | -            |
| mdns         | UP     | -     | -            |
| worker       | UP     | -     | -            |
| producer     | UP     | -     | -            |
+--------------+--------+-------+--------------+

Configure OpenStack Neutron with external DNS

  • Configure iptables for the Designate services as follows:

# iptables -I INPUT -p tcp -m multiport --dports 9001 -m comment --comment "designate incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 5354 -m comment --comment "Designate mdns incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 53 -m comment --comment "bind incoming" -j ACCEPT
# iptables -I INPUT -p udp -m multiport --dports 53 -m comment --comment "bind/powerdns incoming" -j ACCEPT
# iptables -I INPUT -p tcp -m multiport --dports 953 -m comment --comment "rndc incoming - bind only" -j ACCEPT

# service iptables save; service iptables restart
# setsebool named_write_master_zones 1

  • Edit the [DEFAULT] section of /etc/neutron/neutron.conf as shown below:

[DEFAULT]
external_dns_driver = designate

  • Then add the [designate] section to /etc/neutron/neutron.conf as follows:

[designate]
url = http://{{ CONTROLLER_SERVER_IP }}:9001/v2  # the Designate v2 API endpoint
auth_type = password
auth_url = http://{{ CONTROLLER_SERVER_IP }}:5000
username = designate
password = rhlab123
project_name = services
project_domain_name = Default
user_domain_name = Default
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116

  • Then set dns_domain in neutron.conf and restart the Neutron services:

dns_domain = rhlab.dev.

# systemctl restart neutron-*

  • Add dns to the list of Modular Layer 2 (ML2) drivers in /etc/neutron/plugins/ml2/ml2_conf.ini as shown below:

extension_drivers=port_security,qos,dns

  • Then create a zone in Designate as follows:

# openstack zone create --email=admin@rhlab.dev rhlab.dev.

  • Create a new record in the zone rhlab.dev as shown below:

# openstack recordset create --record '192.168.1.230' --type A rhlab.dev. Test

Designate should now be installed and configured.
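The ipv4_ptr_zone_prefix_size and ipv6_ptr_zone_prefix_size settings above decide which reverse zones Neutron asks Designate to hold for each subnet. As an added example that is not part of the original post, the script below computes, for an address or a subnet, the reverse zone name and the PTR record name those prefix sizes imply; the address-family alignment rule (octets for IPv4, nibbles for IPv6) and the helper names are this example's own, and the addresses used are constructed.

```python
import ipaddress

# Reverse-zone prefix sizes as configured in the page's [designate] section of
# neutron.conf: ipv4_ptr_zone_prefix_size = 24, ipv6_ptr_zone_prefix_size = 116.
IPV4_PTR_PREFIX = 24
IPV6_PTR_PREFIX = 116

def ptr_zone_and_record(ip_str, v4_prefix=IPV4_PTR_PREFIX, v6_prefix=IPV6_PTR_PREFIX):
    """Return (zone, record) for the PTR entry of ip_str as absolute DNS names.

    zone   - the reverse zone Designate must hold for the configured prefix size
    record - the full PTR owner name of the address inside that zone
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 4:
        prefix, bits_per_label, suffix = v4_prefix, 8, ["in-addr", "arpa"]
    else:
        prefix, bits_per_label, suffix = v6_prefix, 4, ["ip6", "arpa"]
    # IPv4 reverse zones cut on octet boundaries, IPv6 ones on nibble boundaries
    if prefix % bits_per_label:
        raise ValueError(f"prefix {prefix} must be a multiple of {bits_per_label}")
    # reverse_pointer yields e.g. '230.1.168.192.in-addr.arpa' (no trailing dot)
    labels = ip.reverse_pointer.split(".")
    addr_labels = labels[: len(labels) - len(suffix)]
    # only the labels covered by the prefix form the zone name
    zone_labels = addr_labels[len(addr_labels) - prefix // bits_per_label:]
    zone = ".".join(zone_labels + suffix) + "."
    record = ".".join(addr_labels + suffix) + "."
    return zone, record

def ptr_zones_for_subnet(cidr, v4_prefix=IPV4_PTR_PREFIX, v6_prefix=IPV6_PTR_PREFIX):
    """List the reverse zones needed for a subnet, in address order.

    A subnet larger than one PTR zone (e.g. a /22 with /24 zones) spans several
    zones; a subnet no larger than a zone is covered by a single one.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    prefix = v4_prefix if net.version == 4 else v6_prefix
    if prefix <= net.prefixlen:
        return [ptr_zone_and_record(str(net.network_address), v4_prefix, v6_prefix)[0]]
    return [ptr_zone_and_record(str(s.network_address), v4_prefix, v6_prefix)[0]
            for s in net.subnets(new_prefix=prefix)]
```

With the page's values, the record created above for 192.168.1.230 gets its PTR in 1.168.192.in-addr.arpa., which is the zone that must exist (or be creatable) in Designate for reverse lookup to work.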

Summary:

Today we looked at a newer OpenStack component, DNS (Designate): how Designate works as SaaS with Platform9, and how to install and configure DNS-as-a-service with OpenStack Designate. I hope you found this information helpful. Thank you for reading, and if you have any questions about today's topic, please ask in the comment section below. Suggestions are always welcome; just leave a comment. See you soon with another interesting blog!


Vishwajit Kale

Vishwajit Kale blazed onto the digital marketing scene back in 2015 and is the digital marketing strategist of Hostripples, a company that aims to provide affordable web hosting solutions. Vishwajit is experienced in digital and content marketing along with SEO. He's fond of writing technology blogs, traveling and reading.