[Openstack] [designate] Associate dynamically project name as domain
Hayes, Graham
graham.hayes at hp.com
Mon Jul 27 17:35:39 UTC 2015
Hi Jaime,

What you want to do should be possible, but will require some custom
code to investigate.
See inline for a few suggestions.

On 27/07/15 16:32, Jaime Fernández wrote:
> I would like to register DNS records with the following format:
> <name>.<interface>.<projectName>.<baseDomain>
> to avoid collision between IP addresses for the same host but on
> different interfaces, and to reserve a domain per project. However, it's
> not an easy task.
In keystone you can set up notifications (like nova), so when a project
(or tenant) is created / deleted you can get a similar event.
(http://docs.openstack.org/developer/keystone/event_notifications.html)

It does not look like it gives back out the project name though - you
might need to call the keystone API to get it.

You could use this to trigger a Designate domain create / delete, using
the "X-Auth-Sudo-Project-ID" Header to impersonate the project (which
would make the new project the owner of the domain).

There may be issues with users creating a domain that is a subdomain of
another designate managed domain (e.g. <baseDomain>).

If you do not need to have Designate manage this domain you could set
<baseDomain> to be a tld (blocking all users from creating this domain
in designate).

With the v2 client bindings there is also "zone transfer requests"
which allows domains to be moved between tenants / projects.

If you need the <baseDomain> to be managed as part of Designate you
could do the following:

    Create Domain (in Admin Project)
                |
                V
    Create a Zone Transfer Request (in Admin Project)
                |
                V
    Accept the Zone Transfer Request (in newly created project,
    using the X-Auth-Sudo-Project-ID header)

It is a bit long-winded, but should work.
> The notifications received by designate-sink report the tenant-id (but
> not project name) apart from other valuable information to register a
> virtual machine.
>
> After reading nova (see
> https://github.com/openstack/designate/blob/master/designate/notification_handler/nova.py)
> and neutron handlers, these handlers register the IP addresses as
> "managed" records, associating the resource_id (i.e. host instance_id).
> It simplifies the process of removing the records when the host is removed.
>
> I would like to register (via designate-api) a domain per project (or
> tenant) using the project name, and to assign the tenant_id when
> registering the domain. When a host is created, designate-sink receives
> a notification with its tenant_id, and we could search the domain by
> tenant_id in order to register the host record. However, I'm afraid that
> these "managed" attributes are not available via REST API (only by
> Python API).
You can edit managed records with the "edit_managed_records" URL
parameter, or the "X-Designate-Edit-Managed-Records" HTTP Header
(http://docs.openstack.org/developer/designate/rest.html#http-headers).
The newer versions of the client support this as a flag as well.

Unfortunately this will not allow you to set the managed_* fields, just
edit the record data.
> It would be nice to have the possibility to register or access these
> managed attributes via REST API. Otherwise, I don't know how to proceed
> with registered hosts. I don't think it's feasible to request for
> reinstalling these virtual hosts. I would prefer to register manually,
> via designate-api, those hosts that were already registered but with the
> "managed" attribute "resource_id" so that when designate-sink receives
> the notification about VM destruction, it is capable to unregister the
> host entry searching by its resource_id.
As a one-off starter, you could write a script that uses the internal
RPCAPI to create these, but that could prove problematic to maintain,
and could end up being a significant amount of work.
> Do you have any suggestion about how to proceed to configure a subdomain
> for each project?
I hope this helps!
- Graham
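
The three-step hand-over described in the reply above (create the zone as admin, create a transfer request, accept it with the X-Auth-Sudo-Project-ID header), as an added example that is not part of the original mail or Designate's own code. The `/v2/zones` paths and JSON fields follow the Designate v2 REST API; the `send` transport, the function names and the DNS-label check on the project name are assumptions introduced for illustration.

```python
import re

# One RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; max 63.
# Rejecting dots stops a project name from claiming a deeper or sibling subdomain.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def project_zone_name(project_name, base_domain):
    """Return '<projectName>.<baseDomain>.' or raise if the name is not one DNS label."""
    label = project_name.strip().lower()
    if not LABEL.match(label):
        raise ValueError("project name is not a valid DNS label: %r" % project_name)
    return "%s.%s." % (label, base_domain.strip(".").lower())


def hand_zone_to_project(send, admin_token, project_id, project_name,
                         base_domain, email):
    """Run the three steps from the mail and return the new zone id.

    `send(method, path, headers, body)` is a hypothetical transport that
    performs the HTTP call and returns the decoded JSON response.
    """
    admin = {"X-Auth-Token": admin_token}
    # Step 1: create the zone in the admin project.
    zone = send("POST", "/v2/zones", admin,
                {"name": project_zone_name(project_name, base_domain),
                 "email": email})
    # Step 2: scope the transfer request to one project, so the key is
    # useless to any other project that learns it.
    req = send("POST", "/v2/zones/%s/tasks/transfer_requests" % zone["id"],
               admin, {"target_project_id": project_id})
    # Step 3: accept on behalf of the new project. Only this call carries the
    # sudo header, keeping impersonation to the single request that needs it.
    sudo = dict(admin, **{"X-Auth-Sudo-Project-ID": project_id})
    send("POST", "/v2/zones/tasks/transfer_accepts", sudo,
         {"key": req["key"], "zone_transfer_request_id": req["id"]})
    return zone["id"]
```

The project name would come from the keystone API lookup mentioned in the reply, since the notification carries only the project id.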