From f8106699eb9157797f27157b62aef83cacb02791 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Mon, 4 Dec 2017 10:38:44 +0100 Subject: Fix and clean up not required dns bits * Do not manage hostnames for openstack cloud provider, let cloud-init do its job. * Make python-dns / dnspython dependency check conditional. * Drop the unused dns node flavor and image. * Do not manage dns nodes and sec groups in heat stacks. * Keep supporting dynamic updates for private DNS records, yet only limited to an external DNS managed elsewhere (not deployed by the openshift_openstack provider). So users may still benefit from this feature, sending nsupdates to private and public servers as they want. * Fix openstack default for external nsupdate keys. It should be undefined by default as the dns-populate logic is based on that. * Fix dns record generation for openstack provider's populate-dns * Update docs --- playbooks/openstack/advanced-configuration.md | 67 ++----------- .../openstack/openshift-cluster/provision.yml | 3 - roles/openshift_openstack/defaults/main.yml | 6 -- .../tasks/check-prerequisites.yml | 4 +- roles/openshift_openstack/tasks/hostname.yml | 26 ----- .../tasks/node-configuration.yml | 2 - roles/openshift_openstack/tasks/populate-dns.yml | 10 +- .../templates/heat_stack.yaml.j2 | 105 --------------------- 8 files changed, 14 insertions(+), 209 deletions(-) delete mode 100644 roles/openshift_openstack/tasks/hostname.yml diff --git a/playbooks/openstack/advanced-configuration.md b/playbooks/openstack/advanced-configuration.md index cb8af4a9e..cdb1229a4 100644 --- a/playbooks/openstack/advanced-configuration.md +++ b/playbooks/openstack/advanced-configuration.md 
@@ -23,35 +23,14 @@ There are no additional dependencies for the cluster nodes. Required configuration steps are done by Heat given a specific user data config that normally should not be changed. -## Required galaxy modules - -In order to pull in external dependencies for DNS configuration steps, -the following commads need to be executed: - - ansible-galaxy install \ - -r openshift-ansible-contrib/playbooks/provisioning/openstack/galaxy-requirements.yaml \ - -p openshift-ansible-contrib/roles - -Alternatively you can install directly from github: - - ansible-galaxy install git+https://github.com/redhat-cop/infra-ansible,master \ - -p openshift-ansible-contrib/roles - -Notes: -* This assumes we're in the directory that contains the clonned -openshift-ansible-contrib repo in its root path. -* When trying to install a different version, the previous one must be removed first -(`infra-ansible` directory from [roles](https://github.com/openshift/openshift-ansible-contrib/tree/master/roles)). -Otherwise, even if there are differences between the two versions, installation of the newer version is skipped. - - ## Accessing the OpenShift Cluster ### Configure DNS -OpenShift requires two DNS records to function fully. The first one points to +OpenShift requires a two public DNS records to function fully. The first one points to the master/load balancer and provides the UI/API access. The other one is a -wildcard domain that resolves app route requests to the infra node. +wildcard domain that resolves app route requests to the infra node. A private DNS +server and records are not required and not managed here. If you followed the default installation from the README section, there is no DNS configured. You should add two entries to the `/etc/hosts` file on the 
@@ -187,8 +166,8 @@ That sudomain can be set as well by the `openshift_openstack_app_subdomain` vari the inventory. The `openstack__hostname` is a set of variables used for customising -hostnames of servers with a given role. When such a variable stays commented, -default hostname (usually the role name) is used. +public names of Nova servers provisioned with a given role. When such a variable stays commented, +default value (usually the role name) is used. The `openshift_openstack_dns_nameservers` is a list of DNS servers accessible from all the created Nova servers. These will provide the internal name resolution for @@ -203,7 +182,7 @@ When Network Manager is enabled for provisioned cluster nodes, which is normally the case, you should not change the defaults and always deploy dnsmasq. `openshift_openstack_external_nsupdate_keys` describes an external authoritative DNS server(s) -processing dynamic records updates in the public and private cluster views: +processing dynamic records updates in the public only cluster view: openshift_openstack_external_nsupdate_keys: public: @@ -211,10 +190,6 @@ processing dynamic records updates in the public and private cluster views: key_algorithm: 'hmac-md5' key_name: 'update-key' server: - private: - key_secret: - key_algorithm: 'hmac-sha256' - server: Here, for the public view section, we specified another key algorithm and optional `key_name`, which normally defaults to the cluster's DNS domain. 
@@ -222,24 +197,6 @@ This just illustrates a compatibility mode with a DNS service deployed by OpenShift on OSP10 reference architecture, and used in a mixed mode with another external DNS server. -Another example defines an external DNS server for the public view -additionally to the in-stack DNS server used for the private view only: - - openshift_openstack_external_nsupdate_keys: - public: - key_secret: - key_algorithm: 'hmac-sha256' - server: - -Here, updates matching the public view will be hitting the given public -server IP. While updates matching the private view will be sent to the -auto evaluated in-stack DNS server's **public** IP. - -Note, for the in-stack DNS server, private view updates may be sent only -via the public IP of the server. You can not send updates via the private -IP yet. This forces the in-stack private server to have a floating IP. -See also the [security notes](#security-notes) - ## Flannel networking In order to configure the @@ -376,18 +333,6 @@ be the case for development environments. When turned off, the servers will be provisioned omitting the ``yum update`` command. This brings security implications though, and is not recommended for production deployments. -### DNS servers security options - -Aside from `openshift_openstack_node_ingress_cidr` restricting public access to in-stack DNS -servers, there are following (bind/named specific) DNS security -options available: - - named_public_recursion: 'no' - named_private_recursion: 'yes' - -External DNS servers, which is not included in the 'dns' hosts group, -are not managed. It is up to you to configure such ones. - ## Configure the OpenShift parameters Finally, you need to update the DNS entry in diff --git a/playbooks/openstack/openshift-cluster/provision.yml b/playbooks/openstack/openshift-cluster/provision.yml index 36d8c8215..9d75e515a 100644 --- a/playbooks/openstack/openshift-cluster/provision.yml +++ b/playbooks/openstack/openshift-cluster/provision.yml 
@@ -27,9 +27,6 @@ setup: -# NOTE(shadower): the (internal) DNS must be functional at this point!! -# That will have happened in provision.yml if nsupdate was configured. - # TODO(shadower): consider splitting this up so people can stop here # and configure their DNS if they have to. - name: Populate the DNS entries diff --git a/roles/openshift_openstack/defaults/main.yml b/roles/openshift_openstack/defaults/main.yml index e72e7a9df..929b76f54 100644 --- a/roles/openshift_openstack/defaults/main.yml +++ b/roles/openshift_openstack/defaults/main.yml @@ -7,7 +7,6 @@ openshift_openstack_lb_ingress_cidr: 0.0.0.0/0 openshift_openstack_num_etcd: 0 openshift_openstack_num_masters: 1 openshift_openstack_num_nodes: 1 -openshift_openstack_num_dns: 0 openshift_openstack_num_infra: 1 openshift_openstack_dns_nameservers: [] openshift_openstack_nodes_to_remove: [] @@ -44,7 +43,6 @@ openshift_openstack_container_storage_setup: # populate-dns openshift_openstack_dns_records_add: [] -openshift_openstack_external_nsupdate_keys: {} openshift_openstack_full_dns_domain: "{{ (openshift_openstack_clusterid|trim == '') | ternary(openshift_openstack_public_dns_domain, openshift_openstack_clusterid + '.' + openshift_openstack_public_dns_domain) }}" openshift_openstack_app_subdomain: "apps" 
@@ -59,20 +57,17 @@ openshift_openstack_infra_hostname: infra-node openshift_openstack_node_hostname: app-node openshift_openstack_lb_hostname: lb openshift_openstack_etcd_hostname: etcd -openshift_openstack_dns_hostname: dns openshift_openstack_keypair_name: openshift openshift_openstack_lb_flavor: "{{ openshift_openstack_default_flavor }}" openshift_openstack_etcd_flavor: "{{ openshift_openstack_default_flavor }}" openshift_openstack_master_flavor: "{{ openshift_openstack_default_flavor }}" openshift_openstack_node_flavor: "{{ openshift_openstack_default_flavor }}" openshift_openstack_infra_flavor: "{{ openshift_openstack_default_flavor }}" -openshift_openstack_dns_flavor: "{{ openshift_openstack_default_flavor }}" openshift_openstack_master_image: "{{ openshift_openstack_default_image_name }}" openshift_openstack_infra_image: "{{ openshift_openstack_default_image_name }}" openshift_openstack_node_image: "{{ openshift_openstack_default_image_name }}" openshift_openstack_lb_image: "{{ openshift_openstack_default_image_name }}" openshift_openstack_etcd_image: "{{ openshift_openstack_default_image_name }}" -openshift_openstack_dns_image: "{{ openshift_openstack_default_image_name }}" openshift_openstack_provider_network_name: null openshift_openstack_external_network_name: null openshift_openstack_private_network: >- @@ -88,6 +83,5 @@ openshift_openstack_master_volume_size: "{{ openshift_openstack_docker_volume_si openshift_openstack_infra_volume_size: "{{ openshift_openstack_docker_volume_size }}" openshift_openstack_node_volume_size: "{{ openshift_openstack_docker_volume_size }}" openshift_openstack_etcd_volume_size: 2 -openshift_openstack_dns_volume_size: 1 openshift_openstack_lb_volume_size: 5 openshift_openstack_ephemeral_volumes: false diff --git a/roles/openshift_openstack/tasks/check-prerequisites.yml b/roles/openshift_openstack/tasks/check-prerequisites.yml index 57c7238d1..0ef60459f 100644 --- a/roles/openshift_openstack/tasks/check-prerequisites.yml 
+++ b/roles/openshift_openstack/tasks/check-prerequisites.yml @@ -32,10 +32,12 @@ command: python -c "import dns" ignore_errors: yes register: pythondns_result + when: openshift_openstack_external_nsupdate_keys is defined - name: Check if python-dns is installed assert: that: 'pythondns_result.rc == 0' msg: "Python module python-dns is not installed" + when: openshift_openstack_external_nsupdate_keys is defined # Check jinja2 - name: Try to import jinja2 module @@ -92,7 +94,6 @@ - "{{ openshift_openstack_node_image }}" - "{{ openshift_openstack_lb_image }}" - "{{ openshift_openstack_etcd_image }}" - - "{{ openshift_openstack_dns_image }}" # Check that custom flavors are available - include: custom_flavor_check.yaml @@ -102,4 +103,3 @@ - "{{ openshift_openstack_node_flavor }}" - "{{ openshift_openstack_lb_flavor }}" - "{{ openshift_openstack_etcd_flavor }}" - - "{{ openshift_openstack_dns_flavor }}" diff --git a/roles/openshift_openstack/tasks/hostname.yml b/roles/openshift_openstack/tasks/hostname.yml deleted file mode 100644 index e1a18425f..000000000 --- a/roles/openshift_openstack/tasks/hostname.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- name: Setting Hostname Fact - set_fact: - new_hostname: "{{ custom_hostname | default(inventory_hostname_short) }}" - -- name: Setting FQDN Fact - set_fact: - new_fqdn: "{{ new_hostname }}.{{ openshift_openstack_full_dns_domain }}" - -- name: Setting hostname and DNS domain - hostname: name="{{ new_fqdn }}" - -- name: Check for cloud.cfg - stat: path=/etc/cloud/cloud.cfg - register: cloud_cfg - -- name: Prevent cloud-init updates of hostname/fqdn (if applicable) - lineinfile: - dest: /etc/cloud/cloud.cfg - state: present - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^ - set_hostname', line: '# - set_hostname' } - - { regexp: '^ - update_hostname', line: '# - update_hostname' } - when: cloud_cfg.stat.exists == True 
diff --git a/roles/openshift_openstack/tasks/node-configuration.yml b/roles/openshift_openstack/tasks/node-configuration.yml index 89e58d830..53e3bb28c 100644 --- a/roles/openshift_openstack/tasks/node-configuration.yml +++ b/roles/openshift_openstack/tasks/node-configuration.yml @@ -4,8 +4,6 @@ msg: "SELinux is required for OpenShift and has been detected as '{{ ansible_selinux.config_mode }}'" when: ansible_selinux.config_mode != "enforcing" -- include: hostname.yml - - include: container-storage-setup.yml - include: node-network.yml diff --git a/roles/openshift_openstack/tasks/populate-dns.yml b/roles/openshift_openstack/tasks/populate-dns.yml index b5c4da532..eae4967f7 100644 --- a/roles/openshift_openstack/tasks/populate-dns.yml +++ b/roles/openshift_openstack/tasks/populate-dns.yml @@ -30,7 +30,6 @@ nsupdate_key_algorithm_private: "{{ openshift_openstack_external_nsupdate_keys['private']['key_algorithm'] }}" nsupdate_private_key_name: "{{ openshift_openstack_external_nsupdate_keys['private']['key_name']|default('private-' + openshift_openstack_full_dns_domain) }}" when: - - openshift_openstack_external_nsupdate_keys is defined - openshift_openstack_external_nsupdate_keys['private'] is defined @@ -44,6 +43,8 @@ key_secret: "{{ nsupdate_key_secret_private }}" key_algorithm: "{{ nsupdate_key_algorithm_private | lower }}" entries: "{{ private_records }}" + when: + - openshift_openstack_external_nsupdate_keys['private'] is defined - name: "Generate list of public A records" set_fact: @@ -78,7 +79,6 @@ nsupdate_key_algorithm_public: "{{ openshift_openstack_external_nsupdate_keys['public']['key_algorithm'] }}" nsupdate_public_key_name: "{{ openshift_openstack_external_nsupdate_keys['public']['key_name']|default('public-' + openshift_openstack_full_dns_domain) }}" when: - - openshift_openstack_external_nsupdate_keys is defined - openshift_openstack_external_nsupdate_keys['public'] is defined - name: "Generate the public Add section for DNS" 
@@ -91,11 +91,13 @@ key_secret: "{{ nsupdate_key_secret_public }}" key_algorithm: "{{ nsupdate_key_algorithm_public | lower }}" entries: "{{ public_records }}" + when: + - openshift_openstack_external_nsupdate_keys['public'] is defined - name: "Generate the final openshift_openstack_dns_records_add" set_fact: - openshift_openstack_dns_records_add: "{{ private_named_records + public_named_records }}" + openshift_openstack_dns_records_add: "{{ private_named_records|default([]) + public_named_records|default([]) }}" - name: "Add DNS A records" @@ -111,7 +113,7 @@ # TODO(shadower): add a cleanup playbook that removes these records, too! state: present with_subelements: - - "{{ openshift_openstack_dns_records_add | default({}) }}" + - "{{ openshift_openstack_dns_records_add | default([]) }}" - entries register: nsupdate_add_result until: nsupdate_add_result|succeeded diff --git a/roles/openshift_openstack/templates/heat_stack.yaml.j2 b/roles/openshift_openstack/templates/heat_stack.yaml.j2 index ec488941e..8d13eb81e 100644 --- a/roles/openshift_openstack/templates/heat_stack.yaml.j2 +++ b/roles/openshift_openstack/templates/heat_stack.yaml.j2 @@ -54,23 +54,6 @@ outputs: description: Floating IPs of the nodes value: { get_attr: [ infra_nodes, floating_ip ] } -{% if openshift_openstack_num_dns|int > 0 %} - dns_name: - description: Name of the DNS - value: - get_attr: - - dns - - name - - dns_floating_ips: - description: Floating IPs of the DNS - value: { get_attr: [ dns, floating_ip ] } - - dns_private_ips: - description: Private IPs of the DNS - value: { get_attr: [ dns, private_ip ] } -{% endif %} - conditions: no_floating: {% if openshift_openstack_provider_network_name %}true{% else %}false{% endif %} 
@@ -436,43 +419,6 @@ resources: port_range_min: 443 port_range_max: 443 -{% if openshift_openstack_num_dns|int > 0 %} - dns-secgrp: - type: OS::Neutron::SecurityGroup - properties: - name: - str_replace: - template: openshift-ansible-cluster_id-dns-secgrp - params: - cluster_id: {{ openshift_openstack_stack_name }} - description: - str_replace: - template: Security group for cluster_id cluster DNS - params: - cluster_id: {{ openshift_openstack_stack_name }} - rules: - - direction: ingress - protocol: udp - port_range_min: 53 - port_range_max: 53 - remote_ip_prefix: {{ openshift_openstack_node_ingress_cidr }} - - direction: ingress - protocol: udp - port_range_min: 53 - port_range_max: 53 - remote_ip_prefix: "{{ openshift_openstack_subnet_prefix }}.0/24" - - direction: ingress - protocol: tcp - port_range_min: 53 - port_range_max: 53 - remote_ip_prefix: {{ openshift_openstack_node_ingress_cidr }} - - direction: ingress - protocol: tcp - port_range_min: 53 - port_range_max: 53 - remote_ip_prefix: "{{ openshift_openstack_subnet_prefix }}.0/24" -{% endif %} - {% if openshift_openstack_num_masters|int > 1 %} lb-secgrp: type: OS::Neutron::SecurityGroup 
@@ -818,54 +764,3 @@ resources: depends_on: - interface {% endif %} - -{% if openshift_openstack_num_dns|int > 0 %} - dns: - type: OS::Heat::ResourceGroup - properties: - count: {{ openshift_openstack_num_dns }} - resource_def: - type: server.yaml - properties: - name: - str_replace: - template: k8s_type-%index%.cluster_id - params: - cluster_id: {{ openshift_openstack_stack_name }} - k8s_type: {{ openshift_openstack_dns_hostname }} - cluster_env: {{ openshift_openstack_public_dns_domain }} - cluster_id: {{ openshift_openstack_stack_name }} - group: - str_replace: - template: k8s_type.cluster_id - params: - k8s_type: dns - cluster_id: {{ openshift_openstack_stack_name }} - type: dns - image: {{ openshift_openstack_dns_image }} - flavor: {{ openshift_openstack_dns_flavor }} - key_name: {{ openshift_openstack_keypair_name }} -{% if openshift_openstack_provider_network_name %} - net: {{ openshift_openstack_provider_network_name }} - net_name: {{ openshift_openstack_provider_network_name }} -{% else %} - net: { get_resource: net } - subnet: { get_resource: subnet } - net_name: - str_replace: - template: openshift-ansible-cluster_id-net - params: - cluster_id: {{ openshift_openstack_stack_name }} -{% endif %} - secgrp: - - { get_resource: dns-secgrp } - - { get_resource: common-secgrp } -{% if not openshift_openstack_provider_network_name %} - floating_network: {{ openshift_openstack_external_network_name }} -{% endif %} - volume_size: {{ openshift_openstack_dns_volume_size }} -{% if not openshift_openstack_provider_network_name %} - depends_on: - - interface -{% endif %} -{% endif %} -- cgit v1.2.3
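Review bot: the added line in the advanced-configuration.md hunk at @@ -23,35 +23,14 @@ has a stray article, `OpenShift requires a two public DNS records to function fully`; it should read `OpenShift requires two public DNS records to function fully`. In the same hunk the new sentence `A private DNS server and records are not required and not managed here.` is now the only statement about private DNS in that section, so it is worth pointing the reader at the `openshift_openstack_external_nsupdate_keys` section, which is where private records can still be pushed to an externally managed server.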
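Review bot: the doc hunks at @@ -203,7 +182,7 @@ and @@ -211,10 +190,6 @@ rewrite `openshift_openstack_external_nsupdate_keys` as `processing dynamic records updates in the public only cluster view` and delete the `private:` example, yet roles/openshift_openstack/tasks/populate-dns.yml in this same patch still evaluates `openshift_openstack_external_nsupdate_keys['private']` and the commit message says private updates remain supported against an external DNS. Keep a `private:` block (`key_secret`, `key_algorithm`, `server`) in the example and state that `server` must be a DNS managed outside this provider; otherwise the surviving code path has no documented way to be used. While that example is being touched, the `key_algorithm: 'hmac-md5'` shown for the public view should be marked as a compatibility-only choice, since the surrounding text already describes it as a legacy mode.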
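Review bot: the hunk at @@ -376,18 +333,6 @@ removes the `DNS servers security options` subsection, which was the only mention of `named_public_recursion` and `named_private_recursion`, and the hunk at @@ -222,24 +197,6 @@ drops the `[security notes](#security-notes)` link; no other hunk in this patch removes those `named_*` variables or the `#security-notes` anchor, so check the role and the rest of this document for leftover references and either remove them here or say where recursion settings now live. The deleted paragraph also described `openshift_openstack_node_ingress_cidr` only in terms of in-stack DNS; the heat_stack.yaml.j2 hunks remove just the `dns-secgrp` use of that variable, so a description of it for the remaining security groups should survive somewhere in the document.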
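Review bot: the populate-dns.yml hunks at @@ -30,7 +30,6 @@ and @@ -78,7 +79,6 @@ drop `openshift_openstack_external_nsupdate_keys is defined` from the `when:` lists, and the new `when:` blocks at @@ -44,6 +43,8 @@ and @@ -91,11 +91,13 @@ have the same shape, while roles/openshift_openstack/defaults/main.yml (hunk @@ -44,7 +43,6 @@) removes the `{}` default so the variable is now undefined unless the user sets it. A condition such as `openshift_openstack_external_nsupdate_keys['private'] is defined` evaluated against an undefined parent does not return false; Jinja raises `'openshift_openstack_external_nsupdate_keys' is undefined` while resolving the subscript, so these tasks error on the new default unless populate-dns.yml is never included in that case. Either keep the parent check as the first list item so the conditional short-circuits, or write the subscript as `(openshift_openstack_external_nsupdate_keys | default({}))['private'] is defined`. The `default({})` to `default([])` correction on `with_subelements` in @@ -111,7 +113,7 @@ is right, since `with_subelements` expects a list.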
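Review bot: in roles/openshift_openstack/tasks/check-prerequisites.yml hunk @@ -32,10 +32,12 @@ the `python -c "import dns"` probe and the `Check if python-dns is installed` assert carry the same `when: openshift_openstack_external_nsupdate_keys is defined` line; wrapping both tasks in one `block:` with a single `when:` keeps the two conditions from drifting apart, and the assert should not be able to run against a skipped `pythondns_result` that has no `rc`.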
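Review bot: deleting roles/openshift_openstack/tasks/hostname.yml and its `- include: hostname.yml` in node-configuration.yml removes the only place that set the node FQDN to `{{ new_hostname }}.{{ openshift_openstack_full_dns_domain }}` and commented out `set_hostname` / `update_hostname` in /etc/cloud/cloud.cfg. After this change the node's FQDN is whatever cloud-init derives from the Nova server name (`k8s_type-%index%.cluster_id` in heat_stack.yaml.j2), which is not guaranteed to equal the name that populate-dns registers under `openshift_openstack_full_dns_domain`. The doc should state how the node name is expected to line up with the generated A records, or check-prerequisites.yml should assert that the facts-reported FQDN ends with `openshift_openstack_full_dns_domain`.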
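Review bot: the heat_stack.yaml.j2 hunks at @@ -54,23 +54,6 @@, @@ -436,43 +419,6 @@ and @@ -818,54 +764,3 @@ remove everything gated on `openshift_openstack_num_dns|int > 0`, and defaults/main.yml drops `openshift_openstack_num_dns: 0` together with `openshift_openstack_dns_hostname`, `openshift_openstack_dns_flavor`, `openshift_openstack_dns_image` and `openshift_openstack_dns_volume_size`, but nothing in the patch rejects an inventory that still sets those variables; such an inventory now silently provisions no DNS nodes and no `dns-secgrp`. Add an assert in check-prerequisites.yml that fails when the removed variables are defined, or at least mention the removal in advanced-configuration.md. Because the `dns` ResourceGroup and `dns-secgrp` disappear from the template, a stack update with this version will also delete those resources from an existing deployment, which the commit message should call out.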