Get your instance by name: integration of Nova, Neutron and Designate
@CarlNBaldwin, Kiall Mac Innes, Lavalle

Agenda
● Background and motivation to integrate Neutron, Nova and Designate
  ○ DNS in Neutron in Kilo version
● Designate overview
● How was the integration accomplished
● Demo
● Experience in cross project collaboration

Background and Motivation
● The error that started it all (I still see this everywhere)

    ubuntu@docker20140518: ~ $ sudo id
    sudo: unable to resolve host docker20140518
    uid=0(root) gid=0(root) groups=0(root)

● Floated the idea around in Atlanta and found that there was a lot of interest
  ○ “I'm mostly so in love with where this is going that I want to marry it.”
    ■ … a prominent spec reviewer
● So, why did it get stalled for so long?

Other DNS anomalies in VMs
● In the following VM:

    $ hostname
    my-vm

● Other commands don’t work:

    $ hostname -f
    hostname: my-vm: Unknown host

    $ nslookup my-vm
    Server: 10.0.0.2
    Address 1: 10.0.0.2 host-10-0-0-2.openstacklocal

    nslookup: can't resolve 'my-vm'

Neutron’s internal DNS

    $ neutron port-create ...

Flow (diagram): ReST API → Neutron Server → RPC → DHCP Agent → SIGHUP → dnsmasq

    {"port": {
        "fixed_ips": [{"subnet_id": ..., "ip_address": "10.0.0.4"}],
        "mac_address": "fa:16:3e:c9:cb:f0"}}

dnsmasq entry:

    fa:16:3e:c9:cb:f0  10.0.0.4  host-10-0-0-4  host-10-0-0-4.openstacklocal.

Agenda
● Background and motivation to integrate Neutron, Nova and Designate
● Designate overview
  ○ A 10,000ft view
  ○ Architecture
  ○ The Basics
  ○ So, what can you use Designate for?
  ○ What’s this “Sink” thing?
● How was the integration accomplished
● Demo
● Experience in cross project collaboration

Designate, a 10,000ft view
● OpenStack REST API for managing DNS
● Architecturally similar to Nova/Trove/etc - We’re not a DNS server, we just manage them
● Support for two deployment models:
  ○ On premise - You manage and maintain the DNS servers (PowerDNS or BIND)
  ○ 3rd party - Support for pushing zone contents to Akamai or DynECT

Designate Architecture
(Diagram. Components shown: API, Central, Sink, DB, Pool Manager, Mini DNS, Zone Manager, Backend, Customer Facing DNS Servers, Nova / Neutron. Labels: (Old), (New).)

Designate Components
Since this isn't a Designate talk, we're going to gloss over most components
● Central - The workhorse, all DB interactions (okay, most) and business logic
● API - End user facing API, a shim to Central that understands REST
● Mini DNS - A pure Python DNS server, used exclusively to interact with other DNS servers - i.e. to push content to the end user facing DNS servers
● Sink - An old Nova/Neutron event listener, with plugins to act upon notifications like "compute.instance.create" - more on this later
● Customer Facing DNS Servers - BIND, PowerDNS, Akamai, DynECT etc

So, what can you use Designate for?
● At its most basic, a REST API to manage DNS zones on a per tenant/project basis
● Acts as a gateway to the DNS server or 3rd parties, making “single tenant” DNS servers multi-tenant
● Slave zones from customer nameservers - i.e. “federate” zones from a customer’s corp NS to the provider’s pool of NSs
● Most importantly, it lets you integrate DNS into your cloud provisioning workflow, using the same style of API as Compute, Networking, and so on

What’s this “Sink” thing?
● Designate Sink provided some really basic Nova/Neutron integration
● Listens in on the notification events, usually used for ceilometer
● Dispatches the events to registered plugins, which have access to Designate’s internal RPC APIs
● It was fundamentally flawed as RabbitMQ / oslo.messaging notifications come with no real delivery guarantees, though the trade off was acceptable to some deployments

Neutron’s internal DNS: Liberty

    $ neutron port-create … --dns_name my-name

Flow (diagram): ReST API → Neutron Server → RPC → DHCP Agent → SIGHUP → dnsmasq

neutron.conf:

    dns_domain = my-domain.org.

    {"port": {
        "fixed_ips": [{"subnet_id": ..., "ip_address": "10.0.0.4"}],
        "mac_address": "fa:16:3e:c9:cb:f0",
        "dns_name": "my-name",
        "dns_assignment": {
            "hostname": "my-name",
            "ip_address": "10.0.0.4",
            "fqdn": "my-name.my-domain.org."}}}

dnsmasq entry:

    fa:16:3e:c9:cb:f0  10.0.0.4  my-name  my-name.my-domain.org.

Neutron’s internal DNS with Nova: Mitaka

Nova compute manager, creating instance my_vm:

    $ neutron port-create … --dns_name instance.hostname

Flow (diagram): ReST API → Neutron Server → RPC → DHCP Agent → SIGHUP → dnsmasq

neutron.conf:

    dns_domain = my-domain.org.

    {"port": {
        "fixed_ips": [{"subnet_id": ..., "ip_address": "10.0.0.4"}],
        "mac_address": "fa:16:3e:c9:cb:f0",
        "dns_name": "my-vm",
        "dns_assignment": {
            "hostname": "my-vm",
            "ip_address": "10.0.0.4",
            "fqdn": "my-vm.my-domain.org."}}}

dnsmasq entry:

    fa:16:3e:c9:cb:f0  10.0.0.4  my-vm  my-vm.my-domain.org.

DNS anomalies in VMs solved
● In the following VM:

    $ hostname
    my-vm

● Commands work correctly:

    $ sudo id
    uid=0(root) gid=0(root) groups=0(root),10(wheel)

    $ hostname -f
    my-vm

    $ nslookup my-vm
    Server: 10.0.0.2
    Address 1: 10.0.0.2 host-10-0-0-2.my-domain.org

    Name: my-vm
    Address 1: fdfa:152b:bc96:0:f816:3eff:fedc:1780 my-vm.my-domain.org
    Address 2: 10.0.0.4 my-vm.my-domain.org

Neutron and Designate integration
Use case 1: name and domain belong to instance / port

Flow (diagram): ReST API → Neutron → ReST API → Designate

    $ neutron net-create my-net --dns_domain my-domain.org.

    {"network": {
        ...
        "name": "my-net",
        "dns_domain": "my-domain.org.",
        "id": "b06b4967-ba73-4567-b060-cf6a9d7ecac6",
        ...}}

Nova compute manager, creating instance my_vm:

    $ neutron port-create … --dns_name instance.hostname

    {"port": {
        "fixed_ips": [{"subnet_id": ..., "ip_address": "10.0.0.4"}],
        "id": "b9a82377-a89f-4b02-93ec-3573333f70c6",
        "dns_name": "my-vm",
        "dns_assignment": {
            "hostname": "my-vm",
            "ip_address": "10.0.0.4",
            "fqdn": "my-vm.my-domain.org."}}}

    $ neutron floatingip-create … --port_id b9a82377-a89f-4b02-93ec-3573333f70c6

    {"floatingip": {
        "dns_domain": "",
        "dns_name": "",
        "fixed_ip_address": "10.0.0.4",
        "floating_ip_address": "172.24.4.3",
        ...}}

In zone my-domain.org.:
    record type: A
    name: my-vm.my-domain.org.
    data: 172.24.4.3

In zone 4.24.172.in-addr.arpa.:
    record type: PTR
    name: 3.4.24.172.in-addr.arpa.
    data: my-vm.my-domain.org.

Neutron and Designate integration
Use case 2: name and domain belong to floating ip

Flow (diagram): ReST API → Neutron → ReST API → Designate

    $ neutron floatingip-create … --port_id b9a82377-a89f-4b02-93ec-3573333f70c6 --dns_name my-fip --dns_domain my-other-domain.org.

    {"floatingip": {
        "dns_domain": "my-other-domain.org",
        "dns_name": "my-fip",
        "fixed_ip_address": "10.0.0.4",
        "floating_ip_address": "172.24.4.4",
        ...}}

In zone my-other-domain.org.:
    record type: A
    name: my-fip.my-domain.org.
    data: 172.24.4.4

In zone 4.24.172.in-addr.arpa.:
    record type: PTR
    name: 4.4.24.172.in-addr.arpa.
    data: my-fip.my-domain.org.

Neutron and Designate integration
Implementation

Diagram: Neutron server → ExternalDNSService (get_instance, create_record_set, delete_record_set) → Designate (create_record_set, delete_record_set)

● Design allows the implementation of different external DNS service drivers. The reference implementation is with Designate
● get_instance loads the driver configured in neutron.conf
● Designate driver uses the Designate python client v2.0 to send requests and receive responses
● create_record_set and delete_record_set in Designate driver instantiate two Designate clients (V2.0):
  ○ One with the token present in the user request. This client is used to create A and AAAA records
  ○ The second with admin privileges to handle PTR records

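
Added example (not from the slides and not Neutron's own code): a sketch of which record sets follow from a floating IP association under the two use cases, and which of the two clients would send each one. The function names, the "client" labels and the /24 reverse-zone cut are assumptions taken from the slide values.

```python
import ipaddress

# Assumption: reverse zones are cut at /24, as in the slide's 4.24.172.in-addr.arpa.
PTR_PREFIX_V4 = 24


def effective_name(port, network, fip):
    """Use case 2: the floating IP's own dns_name/dns_domain win.
    Use case 1: otherwise the port's dns_name and the network's dns_domain."""
    if fip.get("dns_name") and fip.get("dns_domain"):
        return fip["dns_name"], fip["dns_domain"]
    return port.get("dns_name", ""), network.get("dns_domain", "")


def record_sets(port, network, fip):
    """Record sets to publish, tagged with the client that would send them."""
    name, domain = effective_name(port, network, fip)
    if not name or not domain:
        return []  # no name or no zone: nothing is published
    if not domain.endswith("."):
        domain += "."  # zone names are fully qualified
    fqdn = f"{name}.{domain}"
    addr = ipaddress.IPv4Address(fip["floating_ip_address"])
    labels = addr.reverse_pointer.split(".")  # e.g. 3.4.24.172.in-addr.arpa
    ptr_zone = ".".join(labels[(32 - PTR_PREFIX_V4) // 8:]) + "."
    return [
        # A record: created with the token from the user's request
        {"client": "user-token", "zone": domain, "type": "A",
         "name": fqdn, "data": str(addr)},
        # PTR record: created by the admin-privileged client
        {"client": "admin", "zone": ptr_zone, "type": "PTR",
         "name": addr.reverse_pointer + ".", "data": fqdn},
    ]


# Constructed sample objects carrying the slide values.
NETWORK = {"name": "my-net", "dns_domain": "my-domain.org."}
PORT = {"dns_name": "my-vm", "fixed_ip": "10.0.0.4"}
FIP_PLAIN = {"dns_name": "", "dns_domain": "", "floating_ip_address": "172.24.4.3"}
FIP_NAMED = {"dns_name": "my-fip", "dns_domain": "my-other-domain.org.",
             "floating_ip_address": "172.24.4.4"}

if __name__ == "__main__":
    for fip in (FIP_PLAIN, FIP_NAMED):
        for rs in record_sets(PORT, NETWORK, fip):
            print(rs)
```

For the second floating IP this yields my-fip.my-other-domain.org., since a record in zone my-other-domain.org. carries that zone's suffix; the slide prints my-fip.my-domain.org. there. The PTR rows are the ones that depend on the admin credentials, so they are the ones to review when deciding whether tenants may publish reverse names.
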
Neutron and Designate integration
Configuration

● All the configuration is done in neutron.conf
● The external DNS service driver is configured in the [default] section
  ○ Parameter external_dns_driver
  ○ The Designate driver is: neutron.services.externaldns.drivers.designate.driver.Designate
● The [designate] section contains the following parameters
  ○ url: the Designate end point, for example http://23.253.217.34:9001/v2
  ○ For the admin user / tenant used for the client that handles PTR records:
    ■ admin_auth_url: the Keystone end point for admin users authentication, for example http://23.253.217.34:35357/v2.0
    ■ admin_username
    ■ admin_password
    ■ admin_tenant_id
    ■ admin_tenant_name
  ○ allow_reverse_dns_lookup to enable (True) or disable (False) the creation of PTR records

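
Added example (not from the slides): a small audit of the neutron.conf parameters listed above, run here over a constructed fragment that reuses the slide's sample URLs. The checks themselves (https endpoints, complete admin credentials when PTR creation is on, fully qualified dns_domain) and the account values are assumptions of this example, as is treating allow_reverse_dns_lookup as enabled when it is absent.

```python
import configparser
from urllib.parse import urlsplit

# Constructed neutron.conf fragment: slide parameter names, made-up account values.
SAMPLE = """
[DEFAULT]
dns_domain = my-domain.org.
external_dns_driver = neutron.services.externaldns.drivers.designate.driver.Designate

[designate]
url = http://23.253.217.34:9001/v2
admin_auth_url = http://23.253.217.34:35357/v2.0
admin_username = neutron
admin_password = example-password
admin_tenant_name = service
allow_reverse_dns_lookup = True
"""


def audit(conf_text):
    """Return a list of findings for the external DNS settings."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read_string(conf_text)
    findings = []
    if not cfg["DEFAULT"].get("external_dns_driver"):
        findings.append("external_dns_driver unset: no records reach Designate")
    if not cfg["DEFAULT"].get("dns_domain", "").endswith("."):
        findings.append("dns_domain must be a fully qualified name ending in '.'")
    if not cfg.has_section("designate"):
        return findings + ["[designate] section missing"]
    dsg = cfg["designate"]
    for key in ("url", "admin_auth_url"):
        if urlsplit(dsg.get(key, "")).scheme != "https":
            findings.append(f"{key} is not https: credentials sent to it are unencrypted")
    if dsg.getboolean("allow_reverse_dns_lookup", fallback=True):
        missing = [k for k in ("admin_username", "admin_password") if not dsg.get(k)]
        if not (dsg.get("admin_tenant_id") or dsg.get("admin_tenant_name")):
            missing.append("admin_tenant_id|admin_tenant_name")
        if missing:
            findings.append("PTR enabled but admin client incomplete: " + ", ".join(missing))
    return findings
```

Because admin_password sits in neutron.conf in clear text, the file's ownership and mode deserve the same review as the settings checked here.
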
Two stages
● Divided the work into two stages to avoid coupling three projects together
● Stage One
  ○ Getting Nova and Neutron to agree on the instance’s name
  ○ The IP address hangs off the port. It made sense to us to use the port as the integration point.
● Stage Two
  ○ Getting Neutron and Designate to talk
    ■ Could be any DNS service. It can work along with pluggable IPAM.
  ○ Neutron Network is associated with the Designate domain

Working with Nova
● Nova is a very large project, as is Neutron
● Uncertainty around Nova-net and Neutron
● Nova may have had bigger fish to fry
  ○ DNS integration spec, being relatively small, “fell through the cracks” during Liberty

Working with Designate
● “Why haven’t we just done this yet?” - Paraphrased from Kiall in Vancouver
● Smaller team looking to grow traction
● DNS is what they do. They were naturally interested.
● From the Neutron developer who wrote the integration with Designate:
  ○ Designate always available and ready to answer questions and provide guidance
  ○ The Designate team created a fixed topic in their weekly IRC meeting to track progress, which was very helpful to maintain coordination

Working with Neutron
● Who in their right mind… ;)
● Miguel and Carl have been excellent!
● Miguel consistently dropped by the weekly Designate IRC meeting to update the Designate team on progress