Get your instance by name integration of nova, neutron and designate

Get your instance by name: integration of Nova, Neutron and Designate@CarlNBaldwin [email protected]

Kiall Mac Innes [email protected] Lavalle [email protected]

mailto:[email protected]



Agenda● Background and motivation to integrate Neutron, Nova and Designate

○ DNS in Neutron in Kilo version● Designate overview● How was the integration accomplished● Demo● Experience in cross project collaboration

Background and Motivation● The error that started it all (I still see this everywhere)

● Floated the idea around in Atlanta and found that there was a lot of interest○ “I'm mostly so in love with where this is going that I want to marry it.”

■ … a prominent spec reviewer

● So, why did it get stalled for so long?

ubuntu@docker20140518: ~ $ sudo idsudo: unable to resolve host docker20140518uid=0(root) gid=0(root) groups=0(root)

Other DNS anomalies in VM’s● In following VM:

$ hostnamemy-vm

● Other commands don’t work:$ hostname -f hostname: my-vm: Unknown host

$ nslookup my-vmServer: 10.0.0.2Address 1: 10.0.0.2 host-10-0-0-2.openstacklocal

nslookup: can't resolve 'my-vm'

Neutron’s internal DNS

Neutron’s internal DNS

$ neutron port-create ...

ReST API RPCNeutron Server

DHCPAgent

dnsmasq

{“port”: “fixed_ips”: [ {“subnet_id”: ... “ip_address”: “10.0.0.4” } ], “mac_address”: “fa:16:3e:c9:cb:f0”}

SIGHUP

fa:16:3e:c9:cb:f010.0.0.4host-10-0-0-4host-10-0-0-4.openstacklocal.

Agenda● Background and motivation to integrate Neutron, Nova and Designate● Designate overview

○ A 10,000ft view○ Architecture○ The Basics○ So, what can you use Designate for?○ What’s this “Sink” thing?

● How was the integration accomplished● Demo● Experience in cross project collaboration

Designate, a 10,000ft view● OpenStack REST API for managing DNS● Architecturally similar to Nova/Trove/etc - We’re not a DNS server, we just

manage them● Support for two deployment models:

○ On premise - You manage and maintain the DNS servers (PowerDNS or BIND)○ 3rd party - Support for pushing zone contents to Akamai or DynECT

Designate Architecture

CentralSink DB

Pool Manager

Mini DNS

Customer Facing DNS

Servers

Backend

Nova /Neutron

Zone Manager

API

(Old)(New)

Designate ComponentsSince this isn't a Designate talk, we're going to gloss over most components

● Central - The workhorse, all DB interactions (okay, most) and business logic● API - End user facing API, a shim to Central that understands REST● Mini DNS - A pure python DNS server, used exclusively interact with other

DNS servers - i.e. to push content to the end user facing DNS servers● Sink - An old Nova/Neutron event listener, with plugins to act upon

notifications like "compute.instance.create" - more on this later● Customer Facing DNS Servers - BIND, PowerDNS, Akamai, DynECT etc

So, what can you use Designate for?● At its most basic, a REST API to manage DNS zones on a per tenant/project

basis● Acts as a gateway to the DNS server or 3rd parties, making “single tenant”

DNS servers multi-tenant● Slave zones from customer nameservers - i.e. “federate” zones from a

customer’s corp NS to the providers pool of NS’s● Most importantly, it lets you integrate DNS into your cloud provisioning

workflow, using the same style of API as Compute, Networking, and so on

What’s this “Sink” thing?● Designate Sink provided some really basic Nova/Neutron integration● Listens in on the notification events, usually used for ceilometer● Dispatches the events to registered plugins, which have access to Designate’

s internal RPC APIs● It was fundamentally flawed as RabbitMQ / oslo.messaging notifications

come with no real delivery guarantees, though the trade off was acceptable to some deployments


○ DNS in Neutron in Kilo version

● Designate overview● How was the integration accomplished● Demo● Experience in cross project collaboration

Neutron’s internal DNS: Liberty

$ neutron port-create … --dns_name my-name


DHCPAgent

dnsmasq

{“port”: “fixed_ips”: [ {“subnet_id”: ... “ip_address”: “10.0.0.4” } ], “mac_address”: “fa:16:3e:c9:cb:f0”, “dns_name”: “my-name”, “dns_assignment”: { “hostname”: “my-name”, “ip_address”: “10.0.0.4”, “fqdn”: “my-name.my-domain.org.” }}

SIGHUP

fa:16:3e:c9:cb:f010.0.0.4my-namemy-name.my-domain.org.

dns_domain = my-domain.org.

neutron.conf

Neutron’s internal DNS with Nova: Mitaka

$ neutron port-create … --dns_name instance.hostname


DHCPAgent

dnsmasq

{“port”: “fixed_ips”: [ {“subnet_id”: ... “ip_address”: “10.0.0.4” } ], “mac_address”: “fa:16:3e:c9:cb:f0”, “dns_name”: “my-vm”, “dns_assignment”: { “hostname”: “my-vm”, “ip_address”: “10.0.0.4”, “fqdn”: “my-vm.my-domain.org.” }}

SIGHUP

fa:16:3e:c9:cb:f010.0.0.4my-vmmy-vm.my-domain.org.

dns_domain = my-domain.org.

neutron.conf

Nova compute managercreating instance my_vm

DNS anomalies in VM’s solved● In following VM:

$ hostnamemy-vm

● Commands work correctly:$ sudo iduid=0(root) gid=0(root) groups=0(root),10(wheel)

$ hostname -f my-vm

$ nslookup my-vmnslookup my-vmServer: 10.0.0.2Address 1: 10.0.0.2 host-10-0-0-2.my-domain.org

Name: my-vmAddress 1: fdfa:152b:bc96:0:f816:3eff:fedc:1780 my-vm.my-domain.orgAddress 2: 10.0.0.4 my-vm.my-domain.org

Neutron and Designate integration Use case 1: name and domain belong to instance / port

$ neutron net-create my-net --dns_domain my-domain.org.

ReST API Neutron Designate

{“network”: ... “name”: “my-net”, “dns_domain”: “my-domain.org.”, “id”: “b06b4967-ba73-4567-b060-cf6a9d7ecac6: ... }

ReST API

ReST API Neutron DesignateReST API

$ neutron port-create … --dns_name instance.hostname

Nova compute managercreating instance my_vm

{“port”: “fixed_ips”: [ {“subnet_id”: ... “ip_address”: “10.0.0.4” } ], “id”: “b9a82377-a89f-4b02-93ec-3573333f70c6”, “dns_name”: “my-vm”, “dns_assignment”: { “hostname”: “my-vm”, “ip_address”: “10.0.0.4”, “fqdn”: “my-vm.my-domain.org.” }}



$ neutron floatingip-create … --port_id b9a82377-a89f-4b02-93ec-3573333f70c6 {“floatingip”:

“dns_domain”: “”, “dns_name”: “”, “fixed_ip_address”: “10.0.0.4”, “floating_ip_address”: “172.24.4.3”, ...}

In zone my-domain.org.: record type: A name: my-vm.my-domain.org. data: 172.24.4.3

In zone 4.24.172.in-addr.arpa. record type: PTR name: 3.4.24.172.in-addr.arpa. data: my-vm.my-domain.org.



$ neutron floatingip-create … --port_id b9a82377-a89f-4b02-93ec-3573333f70c6 --dns_name my-fip --dns_domain my-other-domain.org.

{“floatingip”: “dns_domain”: “my-other-domain.org”, “dns_name”: “my-fip”, “fixed_ip_address”: “10.0.0.4”, “floating_ip_address”: “172.24.4.4”, ...}

In zone my-other-domain.org.: record type: A name: my-fip.my-domain.org. data: 172.24.4.4

In zone 4.24.172.in-addr.arpa. record type: PTR name: 4.4.24.172.in-addr.arpa. data: my-fip.my-domain.org.

Neutron and Designate integration Use case 2: name and domain belong to floating ip

Neutron and Designate integration Implementation

Neutron server

ExternalDNSService

get_instancecreate_record_setdelete_record_set

Designate

create_record_setdelete_record_set

● Design allows the implementation of different external DNS services drivers. The reference implementation is with Designate

● get_instance loads the driver configured in neutron.conf

● Designate driver uses the Designate python client v2.0 to send requests and receive responses

● create_record_set and delete_record_set in Designate driver instantiate two Designate clients (V2.0):

○ One with the token present in the

user request. This client is used to create A and AAAA records

○ The second with admin privileges to handle PTR records

Neutron and Designate integration Configuration

● All the configuration is done in neutron.conf● The external DNS service driver is configured in the [default] section

○ Parameter external_dns_driver○ The Designate driver is: neutron.services.externaldns.drivers.designate.driver.Designate

● The [designate] section contains the following parameters○ url: the Designate end point, for example http://23.253.217.34:9001/v2○ For the admin user / tenant used for the client that handles PTR records:

■ admin_auth_url: the Keystone end point for admin users authentication, for example http://23.253.217.34:35357/v2.0

■ admin_username■ admin_password■ admin_tenant_id■ admin_tenant_name

○ allow_reverse_dns_lookup to enable (True) or disable (False) the creation of PTR records

http://23.253.217.34:9001/v2

http://23.253.217.34:35357/v2.0

http://23.253.217.34:35357/v2.0







Two stages● Divided the work into two stages to avoid coupling three projects together● Stage One

○ Getting Nova and Neutron to agree on the instance’s name○ The IP address hangs off the port. It made sense to us the port as the integration point.

● Stage Two○ Getting Neutron and Designate to talk

■ Could be any DNS service. It can work along with pluggable IPAM.○ Neutron Network is associated with the Designate domain

Working with Nova● Nova is a very large project, as is Neutron● Uncertainty around Nova-net and Neutron● Nova may have bad bigger fish to fry

○ DNS integration spec, being relatively small, “fell through the cracks” during Liberty

Working with Designate● “Why haven’t we just done this yet?” - Paraphrased from Kiall in Vancouver● Smaller team looking to grow traction● DNS is what they do. They were naturally interested.● From the Neutron developer who wrote the integration with Designate:

○ Designate always available and ready to answer questions and provide guidance

○ The Designate team created a fixed topic in their weekly IRC meeting to track progress, which was very helpful to maintain coordination

Working with Neutron● Who in their right mind… ;)● Miguel and Carl have been excellent!● Miguel consistently dropped by the weekly Designate IRC meeting to update

the Designate team on progress

Get your instance by name integration of nova, neutron and designate

Software