Operators Deep Dive Graham Hayes / HP Ron Rickard / eBay Inc. - - PowerPoint PPT Presentation

Operators Deep Dive

Graham Hayes / HP Ron Rickard / eBay Inc.

Graham Hayes - HP Cloud

Ron Rickard

• Sr. Cloud Engineer, eBay Inc.

rrickard@ebaysf.com irc.freenode.net: rjrjr

Agenda

Designate Overview Designate REST API Designate and Neutron Designate Central Designate Sink

Designate Overview

Designate Overview

• Designate is the DNS as-a-service component in OpenStack.
• Designate consists of: REST API, Central, and Sink.
• Internal and external Designate communication use the message queue.
• A designate client will allow you to manage servers, domains, and records.

○ More functionality is available in the REST API.

• Designate is the source of record for DNS records for the domains it manages.
• Domains are owned by tenants.
• Additional information:

○ http://designate.readthedocs.org

Designate Architecture

Database DNS Server Backend Central API AMQP Keystone User

Designate REST API

Designate REST API

• Version 1 allows management of:

○ Servers ○ Domains ○ Records

• Experimental Version 2 adds:

○ Zone import/export ○ Top-Level Domains (TLDs) ○ Zone blacklists ○ Managed Floating IP PTR Records

• Additional information:

○ http://designate.readthedocs.org/en/latest/rest.html

Designate Client

• Provides a command-line interface (CLI) like Keystone and Nova CLIs.
• Functionality is a subset of entire Designate API:

○ Servers ○ Domains ○ Records

Zone Import/Export

GET/POST - /v2/zones/<id> - Content-Type text/dns

• Use the API to:

○ import zones in zonefile format ○ export zones in zonefile format

• A zoneextractor.py tool assists with generating the zonefile format for

imports

Top-Level Domains (TLDs)

GET/POST/PATCH - /v2/tlds/<id>

• Use the API to managed TLDs
• By default no TLDs exist and any domain name can be created
• Presence of TLDs causes domain creation checks:

○ last label in domain name must be a TLD ○ the entire domain name cannot be a TLD

Zone Blacklists

GET/POST/PATCH - /v2/blacklists/<id>

• Use the API to manage blacklists
• Blacklist are regular expressions used to block domains from being created

○ Example to prevent example.com. domain from being created: ■ ^example\\.com\\.$ ○ Example to prevent example.com. and subdomains of example.com. from being created: ■ ^([A-Za-z0-9_\-]+\\.)*example\\.com\\.$

Designate and Neutron

Floating IP Reverse DNS

Floating IP Pointers

GET/PATCH - /v2/reverse/floatingips/<id>

• Manage reverse DNS (PTR records) for Neutron Floating IPs
• Allow Operators to delegate the *.in-addr.arpa zone to Designate

○ Users can manage their own DNS, without support ○ Users can only set PTRs for IPs currently associated with their tenant

Designate Central

Designate Central

• Contains the core code for Designate.
• Uses pluggable storage driver for persisting data:

○ SQLAlchemy

• Uses pluggable backend driver for DNS operations:

○ PowerDNS ○ NSD4 ○ FreeIPA ○ DynECT ○ BIND (needs work)

Backend Drivers

• Currently, backend drivers need to implement functions for:

○ Create, update, delete TSIG keys ○ Create, update, delete domains ○ Create, update, delete record set ○ Create, update, delete records

• Coming is a mini-DNS in Designate. Mini-DNS will:

○ Pushes data using zone transfers (AXFR/IXFR) ○ Simplify backend drivers

• Additional Information:

○ http://designate.readthedocs.org/en/latest/backends.html

Backends - MiniDNS

Database Central MiniDNS Customer Facing DNS Server Backend / Manager API

Designate Sink

Automatic Record Creation

Designate Sink

• Designate Sink consumes events from Nova, Neutron, and other services and

turns those events into DNS operations.

• What events and what DNS operations are performed are determined by

custom notification handlers.

• Designate ships with sample notification handlers:

○ Nova handler ○ Neutron handler

Events

compute.instance.create.start/.error/. end compute.instance.delete.start/.end compute.instance.update compute.instance.rebuild.start/.end

• rchestration.stack.create.start/.error/.end
• rchestration.stack.update.start/.error/.end
• rchestration.stack.delete.start/.error/.end

network.create network.delete network.port.create network.port.delete floatingip.update.end floatingip.delete.start trove.instance.create trove.instance.delete

Payload

{"state_description": "", "availability_zone": null, "terminated_at": "", "ephemeral_gb": 0, "instance_type_id": 2, "message": "Success", "deleted_at": "", "reservation_id": "r-0fhyl6wq", "instance_id": "192c1697-bc90-483f-bffc-6f461dd793cc", "user_id": "7101d930ff084aab9136db2b359719e2", "fixed_ips": [{"floating_ips": [], "label": "private", "version": 4, "meta": {}, "address": "10.0.0.2", "type": "fixed"}], "hostname": "rontest", "state": "active", "launched_at": "2014-02-24T23:16:43.058572", "metadata": [], "node": "frodo", "ramdisk_id": "", "access_ip_v6": null, "disk_gb": 1, "access_ip_v4": null, "kernel_id": "", "image_name": "cirros-0.3.0-x86_64-disk", "host": "frodo", "display_name": "rontest", "image_ref_url": "http://192.168.56.35:9292/images/afd10e78-d2e2-41cf-b1f7-573d7c89ac18", "root_gb": 1, "tenant_id": "c8344a592b574589b531fe8956ef7ec1", "created_at": "2014-02-24T23:16:37.000000", "memory_mb": 512, "instance_type": "m1.tiny", "vcpus": 1, "image_meta": {"min_disk": "1", "container_format": "bare", "min_ram": "0", "disk_format": "qcow2", "base_image_ref": "afd10e78-d2e2-41cf-b1f7-573d7c89ac18"}, "architecture": null, "os_type": null, "instance_flavor_id": "1"}

Notification Handler Code

class NotificationHandler(ExtensionPlugin): … @abc.abstractmethod def get_exchange_topics(self): """ Returns a tuple of (exchange, list(topics)) this handler wishes to receive notifications from. """

Notification Handler Code (continued)

@abc.abstractmethod def get_event_types(self): """ Returns a list of event types this handler is capable of processing """ @abc.abstractmethod def process_notification(self, context, event_type, payload): """ Processes a given notification """ ...

Designate Sink at eBay Inc.

Evolving custom notification handler: ○ Initial design: ■ Granular with a single forward and reverse zone per tenant ■ Context (user, tenant, token) taken from notification message ○ Final design: ■ VPC - Virtual Private Cloud (dev, prod, ext) ■ VPCs are implemented as special tenant (not seen by user):

• admin_extcos
• admin_devcos
• admin_prodcos

■ tenants grouped into VPCs ■ many forward and reverse zones associated with VPC tenants

Designate Sink at eBay Inc. (continued)

○ Final design (continued): ■ Nova instance metadata:

• zone - forward zone for A record
• hostname - hostname portion of FQDN for A record
• VPC name

■ VPC name is mapped to VPC tenant in designate.conf:

• network_host_tenants = ext:admin_extcos,dev:admin_devcos,prod:

admin_prodcos ■ service account is member of VPC tenants and used to add A and PTR records to Designate

def process_notification(self, context, event_type, payload): domain_id = self.central_api.find_option(context, “default_domain”) recordset = self.central_api.create_recordset(context, domain_id, {'name': name, 'type': type, 'ttl': ttl,}) address = {'version': 4, 'address': payload['floatingip']['floating_ip_address']} record_values = {'data': address['address']} self.central_api.create_record(context, domain_id, recordset['id'], record_values)

Workshop B314 @ 13:30

Make sure you have installed: VirtualBox (4.x) Vagrant (Latest)