Hi, so welcome to "Designate: Why and How". We intend to tell you a bit about Designate, why it was created, and how you can use it. My name is Graham Hayes. I'm the PTL for Designate; I've been PTL for two cycles and I'm staying on for the Ocata cycle as well. On my left we have Tim Simmons, who is a Designate core, and we have Kiall Mac Innes, who is also a Designate core and my predecessor as PTL.

So, DNS. It's not that hard, right? It's only the two hardest problems in computer science. And as we've seen last week, when it fails it tends to fail really badly and things go really, really wrong. So part of what we want Designate to do is to help manage DNS and help you run your own DNS, potentially, or integrate with multiple third-party providers.

We always have to have an architecture slide. This is the gist of what we have for Designate. We have an API service, obviously. We have a central, which is equivalent to a conductor, so it's what talks to the database and does all the access. Then we have workers, which just scale out horizontally depending on your workload, and for periodic tasks we have a producer, which just kicks off periodic tasks and sends them to the workers. All of it is with a pluggable backend, so we support multiple DNS servers: BIND 9, PowerDNS, NSD, Akamai, Dynect and Microsoft DNS are the ones off the top of my head. This is the backend section here; that's just pluggable, and it plugs into the workers for controlling the DNS information on the servers. We run a mini-DNS service, and all it does is send zone transfer information to the customer-facing DNS servers. It's not supposed to be hit by your customers. It's a small Python DNS service, designed for one thing and one thing only.

So for the public cloud use case, Tim Simmons from Rackspace is going to talk about it.

Hello. So, assuming you've already stood up your public cloud, which is totally fine.
Everybody's already done that. I'm going to tell you why you might need DNS as a service for it, and why you should probably use Designate.

So first of all, your customers. They're going to want DNS names for all of their cloud resources: floating IPs, Nova instances, Trove, Swift buckets, all that stuff. They're going to want to have an actual DNS name. They're not going to want to be addressing it by an IP address or something like that. This is hopefully obvious.

Customers want to use clicky-clicky in the UI. They want to have a REST API, CLIs, orchestration, all that stuff. These are all things that Designate has, so they want to be able to actually touch and feel it in very many ways. They're going to want to spin up and spin down rapidly. This is the kind of thing that you're going to need these APIs, CLIs, etc. for.

And for customers, obviously, DNS is really important for their business, right? As we've all seen, you don't want to mess up where your DNS points and have it go down or anything like that. And being able to have labs.company.com or whatever for all of your testing, and being able to separate that clearly from the actual business, is really important. And some customers will also integrate DNS tightly into their business, giving every one of their customers a subdomain or something like that.

If you're the operator of this OpenStack cloud, you want it for all the same reasons, right? Good luck, have fun if you're trying to stand up an OpenStack cloud without being able to rapidly change DNS records and address things by name.

Designate is a pretty simple, stable, performing control plane for managing DNS, which is super important. There are pretty good administrative tools for managing what's allowed to be created by whom. You can get pretty granular with what you're going to allow people to do, and the limits on what people can actually do, how many things they're allowed to create, etc.

If you're running a public cloud, you're going to have to extend something somewhere. You're going to have something that's special, that not everybody needs. So Designate is, oversimplification, but it's plugins all the way down, right? If you need to add new API endpoints, new administrative API functionality, new business logic, different DNS server drivers, custom drivers, all that stuff, you can do it. So it's really good if you've got your own cloud and you have something weird off on the side that you've got to do.

Configuration is very flexible. We'll talk about this a little bit more as I get into what a public cloud might look like, but if you can dream it, you can do it, right? You might have some really weird DNS configuration. Everybody's weird, right? Nobody's DNS configuration, how they deploy DNS servers, is the same.

And obviously you don't want to manage DNS with a ticket, right? I think everybody's sent a support ticket to somebody before asking if you can change the IP for this thing to this, and then they fat-finger it, and it's a hassle. It's terrible.

So let me tell you about one of the biggest features of Designate, which is server pools. Pools are logically separate corpuses of DNS data that are completely separate sets of servers. So you might have a pool A and a pool B that serve different purposes. An example might be, if you've ever used Dyn or AWS Route 53, when you create a zone you'll get back some number of DNS name server records, like ns123... or ns685.co.uk, whatever. These are all different pools of servers that your zone might be created in, and you should have many of them, so that you can distribute your load of zones across them, and hopefully when one of them has a problem, not all your customers have a problem. Designate makes this really easy to configure, so you can have as many pools as you want or as few pools as you want.

Scheduling zones across pools is relatively simple. There's an operator-configurable scheduler that lets you write your own filters, so whatever logic you want to apply when you're trying to decide where to distribute zones among DNS servers, you can do that. A pool is usually made up of some number of DNS servers, maybe two, four, six, eight, a hundred, whatever, and they'll generally have their own NS records, so when you create a zone in a pool you'll get the NS records back for just that pool. This is good if you're trying to have disparate feature sets across different DNS pools or something like that; you might have some pools with certain features here, or running different software here.

So this is an example of how you might have a public cloud set up. You've got three regions, a Designate control plane running active in one region and running in disaster recovery, or passive, in another region, and then in this example we're going to have four pools: A, B, C and D. A and B are just your simple, everyday pools. They're running in one region. This would be super cheap, whatever. Pool C is running in three regions, so a little bit more redundancy, maybe a few more features. And then pool D is going to be a DNS vendor.

So if you think of service levels here, pools A and B are your standard, maybe free, pools. They have all the basic DNS features that you would expect: I make a query, I resolve, everybody's happy. You might combine BIND 9 and PowerDNS, our most popular drivers, so that when BIND has a CVE, not all of your fleet is affected. Your customer zones would probably be evenly distributed across these two pools at your standard rate. Maybe you offer this as a free option for the mom-and-pop running their WordPress site.

So for the next level you might have maybe a gold-type pool. So, I don't know, maybe you're running NSD or Knot or something cool. Although maybe you don't want your DNS to be super cool, I don't know. You'll run it in more regions, have different NS records, maybe offer some advanced features like secondary DNS, which is a thing Designate does, more regions, and charge them a dime or whatever. This is the standard; this is how anyone who actually runs a DNS service themselves is going to run it, in all of their regions that they possibly can.

And then maybe you have pool D. Pool D is super platinum intensive enterprise, whatever you want to call it. This is all operated by one Designate control plane, but you're going to be reselling a vendor, so maybe Dyn or Akamai. Designate has drivers to push out zones to those worldwide infrastructures, tons of PoPs and stuff like that. You have super cool features: Akamai has everything in the world, Dyn has pretty cool stuff, traffic management. Generally, they do a pretty good job of mitigating DDoS attacks, a lot better than you're going to do it, I promise you. So that would be the highest service level, and what you would sell to your biggest, scariest customers. So if everybody wants to take out their phone and take a picture of this, then we can... okay.

So I know I've made this sound super easy, but managing anything as a public cloud is going to be hard, and especially DNS. We've seen that in the past week. So with Designate we're trying to make DNS great again, so that it's not a disaster, believe me.

These are a few things that you might actually want to consider when you're trying to run DNS in your own cloud. You're going to have to mitigate some sort of DDoS at some point. It'll probably just be a customer with a runaway script or whatever, but something is going to come up that's a lot, and you're going to have to handle it. You might want to rate limit API requests so that customers don't go nuts.
You're going to monitor all the things. At some point you're going to have to write something custom; every cloud that has ever clouded has had something somewhere that is weird or out of band. Luckily, Designate is going to let you do that. And customers are just awful; they're going to do bad things and they're going to annoy you, whatever. So it's just something to consider when you're trying to run a public cloud. I think Kiall is going to talk about private cloud.

Thank you, Tim. Hey, so, private clouds. We're going to talk through one particular use case for private clouds, where you might have a medium-to-large enterprise. They either have their cloud deployed or not, and they're trying to move all of their dev, test, QE, maybe even their production workloads into this cloud. They're sick of managing servers like pets and want to manage them like cattle.

So we've got some demands that are unique to a private cloud or an enterprise cloud. We have existing corporate infrastructure. It is old, it has been there a long time, and you are never going to get it to change. Typically these are things like Microsoft Active Directory DNS, BIND, or IPAM solutions like Infoblox. So, as I said, there's no such thing as greenfield. All of the DNS and IPAM systems are in place; we can't change them, and we cannot expect customers to replace them. They're almost always considered vital, so people don't want to touch that existing system. They're really afraid to allow something like Designate, or the cloud, to start messing with their corporate DNS infrastructure. So we need to start slow and build up confidence as we go.

Oh, one more slide there: different QoS and change control. Some services internally you don't really care about: your dev, test, QA labs. Nobody cares if they go down; that's okay. Pre-production, we kind of care. Production, we should care; that one needs to stay up. We also have change controls, so production stuff, nobody should be allowed to get in there besides a small set of people. Dev, test, QE: do whatever you want.

One of the other unique factors is the small number of top-level zones. Most corporates will have company.com, company.net, maybe one or two internal domains they use, like the hpecorp.net that we use. Typically within these it's highly unstructured. Sometimes they'll delegate: a BU will have a subzone, sometimes a site will have a subzone, sometimes they just won't create subzones and it will just be a mess of records. It's very difficult to try and get some structure on this, and there's not a huge amount you can do; a little bit of refactoring there, but hopefully we can make this a little bit easier.

So how do we do it? We start by replacing everything. We'll replace... kidding. There's absolutely no way we're going to do that in a private cloud or enterprise environment. Excuse me, I'll get some water.

Okay. So in a private cloud environment, we're going to start with a couple of phases. You're going to start with your phase zero: that's deploy OpenStack and get the Designate control plane running. We're then going to move on to phase one, two, three, and maybe some future stuff. I'll talk these through.

So phase one. You've already got your cloud. You've got the Designate control plane up, and you don't want to touch your existing infrastructure. You're going to stand up BIND or PowerDNS or something small and easy over at the side. You're then going to take some subzones, like labs.mycompany.com, and delegate them over. From there your customers, or your cloud users, can start creating myproject.labs.mycompany.com. This allows you to build trust, so you're able to slowly start seeing non-critical workloads actually using it. You haven't had to touch your existing infrastructure, and your users are starting to get used to it.

As you do this you're going to want to do things like customize the Designate policy. You would want to ensure that all zones are actually under labs.mycompany.com. You don't want people creating something else; it's not going to work. So you want to make sure it's a good user experience. So we've got these first three pieces here done.

Once you've built up some confidence, you can move forward with the integration. As Tim was talking about, we have this idea of pools. So you'll create a second pool. The second pool will be tied into your Active Directory or your Infoblox or whatever it is you're running. You'll put tight ACLs on that so that only a few people can use it to start, and then you'll start building up a little bit of trust by moving some customers into that. So maybe you'll move some pre-production workloads while leaving the labs on BIND or PowerDNS.

The process to actually move stuff that might have been in your existing DNS infrastructure: we need a little bit of a better story for this, but right now it's export from the old, import into the new. That works when you're going from, let's say, AD over to BIND or PowerDNS. But if you want to move from an old management system that pushed into AD to a new management system, Designate, that pushes into AD, you can have a little bit of an issue there, where you're exporting from one side and importing in, and it's going to overwrite what's on the far side. So it's not going to be zero downtime. But we're going to do this with pre-production workloads, so it should be reasonably okay to do.

So we've now got two pools: BIND or PowerDNS, and Microsoft AD or Infoblox or whatever else you're running. At this point you might want to start shutting down BIND and PowerDNS. Maybe you're sick of running two different DNS systems. So we're going to go ahead and deprecate the Designate-owned BIND and PowerDNS. To do that, the very first step we'll do is just customize policy again, and we'll say nobody's allowed to create a zone on this pool. So existing stuff is there, you can still work with it, but nothing new can go in. You're going to start asking users to migrate over to the Microsoft AD pool, or whatever else you've got on the side.

As you're doing this, you're probably going to want to start moving some of the more important zones, production zones. As I said, we don't have a great story for that right now, but yes, you can do it if you're willing to go into the database and work out some SQL to actually dump everything in there, go over to your existing side, and update the name servers. It sucks. It's something we have to work towards fixing.

So you've now got only one pool left: Microsoft AD and Infoblox. At this point you can get rid of the support-ticket-based DNS. It's gone. Everyone should be able to log into your Horizon, or whatever your UI is, and start making changes. Whatever the policy is, they'll be allowed to do it: if they're allowed to create subzones, they'll be allowed to do that; if they're allowed to create records in a big shared zone, they'll be allowed to do that.

You can then go on further. Let's say you've got some really important production things, like www.mycompany.com, public-facing stuff. You might want to start bringing that in as well. This is where you might turn around and have Akamai or Dynect as a pool, and those would handle your public, non-private stuff, but you want to try and keep them all managed together. So you can do that here. You can also, if there's a public cloud out there that's offering this, and I don't think one is yet, tie in a Designate driver: the same way we can push to Akamai, we can push to another Designate instance. And at that point you've got Microsoft AD, Infoblox and potentially an Akamai or Dynect pool sitting at the side for the highest-value domains.

Kind of short, sorry about that, but private cloud use cases are different. They typically involve tying in with existing systems, they typically involve a whole level of tiers of service, and it can be quite difficult to do it all in one go. So the takeaway there is just start small. You're not going to move your entire company into Nova at the flick of a switch; why would you do the same for Designate? So at this point I'll hand over to Graham.
He's going to talk a little bit about a university-style use case.

Hi. So in a previous job, I dealt a lot with higher education, and so with a lot of how the internal university and college IT systems worked. The gist of it is that a lot of them have really weird setups. They've grown organically, with random vendors brought in every couple of years to update things, and there's always that weird student's final-year project that's running some critical system we don't know about, and nobody knows what it affects. But as cloud has started getting bigger, more and more universities are moving towards it. Students are demanding it; they need to have workloads for classes and to learn the new way of developing, and learning about treating servers like cattle. As part of that, DNS is a major, major thing for allowing them to have a myname.student.institute.edu for access to their servers and to show it off.

So it can be very fragmented. There are multiple different groups of users. You have the standard IT/IS systems. You have administrative systems, things like the student record systems, timetables, all these sorts of things, the content management system that runs pretty much everything inside universities these days. You have academic staff, because they always want their own webpage; they don't believe in uploading their stuff to a central place, it has to be on their own webpage. And more and more we have students who have a need for DNS.

So what Designate provides is different ways for these different users to push records into a single place. We have automatic records: if you use that, we have an integration with Neutron, so when you create floating IPs we can automatically assign DNS records for that floating IP address, and the reverse DNS for it. You have users, obviously; we have Horizon plugins, and our API is actually rather simple, so if people want to create their own custom control panel, it can be done. And then we also have automation through our API and the various libraries. We also support the computer science department: every university I have ever been to always has a weird setup in there. They know what they're doing in there, they demand that they want to run it their way, and we actually support bringing in that information as well.

So how do we do it? As I said, for the automatic records we have the Nova/Neutron integration. We also have a designate-sink component, which listens to the event stream out of all the different projects across OpenStack. It's again plugin-based, like everything else in Designate, so you can write your own plugin to listen to the event stream and create and delete records as you see fit. Before we had the Nova/Neutron integration, this is how we did automatic creation of records for VMs: we listen to the Nova/Neutron event queue and say, okay, a server has been created, what's its IP address, and create the name. But it also allows you to listen to the Trove queue, or Sahara, or any of the other myriad projects out there; you can listen to their events and do a task based on that information.

We have Horizon panels. We have a CLI with the Designate client that's currently tied in with the OpenStack client as a plugin, so you can do `openstack zone create`. Shade, which is a client library for a lot of OpenStack, makes the interaction a lot simpler. We have all the Designate support in there, and as part of that there's Ansible support as well for creating records, if you have Ansible as part of your workflow.

We also have a feature for the weird DNS setup: we support secondary zones. If you have your own DNS server at the side, we can just zone-transfer the information off that DNS server, pull it into the Designate database and push it out to the Designate servers. This allows, if people have their own custom provisioning systems that are pushing to a PowerDNS or BIND or whatever, we can pull the DNS record information straight off them and put them in our database. You can't edit them in Designate, obviously; the CLI will stop you from doing any updates. But as soon as new information is pushed to the server, we'll again do a zone transfer and push the new records.

So for students, as we said, our policy engine is pretty concise, so we can say that students don't get to create zones. They are given a pre-created zone of their ID, their student number or their UNIX ID, and they can create as many records as they want in there. Administrative systems can tie into the API, or if you're using Ansible for administrative systems, that's fine. For the IT/IS systems, you've obviously migrated all of your stuff to the cloud first and you're dogfooding your own product, so you can just use the Nova/Neutron integration, in theory. And academic staff, we can give them permission to create whatever zones they want under staff.university.edu.

All of this gives us a decent use case for all the different cohorts we have at a university level. And again, it's a single managed control space, so it's very easy for the IT administrators to look at all of the DNS records. And because we have integration with Searchlight, if you have Searchlight in your cloud, searching for an IP
address will give you the floating IP address, the Nova server and the DNS records associated with it. So it gives a great single pane of glass for managing your infrastructure. So with that, do we have any questions?

The question was, do we know if anyone is integrating with LBaaS? Not yet. There is an open ticket against Neutron LBaaS: literally, when Neutron LBaaS creates the VIP port, all they have to do is set an attribute on the port and it'll work with the Neutron integration. I plan on chasing down a few of them this week, actually. What you could do for the time being: the LBaaS v2 API allows you to pass in a port to it, so if you pre-create the port and set the DNS name attribute on it, that'll do the integration.

Is there any particular record you're interested in? Yes, we support all those. Adding a record type is a very simple operation to do for us; if anyone has suggestions, we just create a new record object and it'll add the records to Designate.

Features such as failover in the Horizon dashboard? Yeah, that was a little close to my heart. Kosmos was supposed to fix that, and unfortunately it never really launched. There have been requests for it. The problem is, are we doing the monitoring, at which point we're now a monitoring system, or is something like Ceilometer or any of those doing the monitoring and calling a switch-over API? We're open to suggestions for it. There is a blueprint open, I think, and has been for a while, but we haven't come across a solution that we agree on yet.

So the question was, are there any plans to support private DNS, like the VPC DNS in AWS? It's on the road map, definitely. I'm going to a design summit session after this about how we create service VMs in OpenStack, but it's on the long road map. It's a big feature. There is also the existing Neutron work which was done to integrate with Designate. Neutron has two sides to their DNS integration. The first one is internal DNS, where any machine you boot will be given whatever name you've given it, your subnet will have a suffix on it, the two will be combined, and your fixed IP will then be resolvable across all of your machines. So if you're just talking about the instance names themselves and not arbitrary extra records, then Neutron has built that in as part of the Designate integration. But that doesn't actually get pushed to Designate; they handle that through the dnsmasq instance that's run for each network. Any other questions?

So the question is, do we support different IP addresses for different records, or different views in the DNS, like split horizon? With pools, yes, you can. You can have multiple data for the same record in different pools, but you've got to create the zone in each pool and manually do the replication across all the pools right now. Again, that was something on the road map for the future, but it's a harder problem than just automating that. The biggest problem we've found when we're trying to get things like GeoIP, automatic failover and these more advanced things is that we support BIND, PowerDNS, Infoblox, Akamai, Dyn, Microsoft DNS, NSD and a few others, and it's incredibly difficult to find, even for, let's say, GeoIP, none of them actually support it the same way. There's virtually no standard DNS server out there that supports it; if you try and use views with BIND, ISC will tell you don't do that. It's difficult to get these kinds of things right across all of them. So if you have any ideas about how we can do it, please come tell us, because we're open for ideas.

When you build a new instance with these... did you say with these, or just...? Yes, so with the Designate/Nova/Neutron integration, you can create a VM. If you attach it to a network with a domain name associated with it, the name will be combined with the name for the subnet, given to Neutron on the port, and that port, because it's attached to the appropriate network, will figure out the full name and send it over to us in Designate. So as you've heard, whatever the network is called and whatever your instance is called, we combine to give you a name before it's even booted up.

Automatically, right now, no. With Heat you can do it; there are Heat resources for Designate where you could feed the information in to generate the multiple records you need, or just any of the API clients and so on. If you're standing up a new service on an instance, nothing in OpenStack really knows that you're doing that, so you have to push that information out. That might be to Heat or just directly to Designate.

Can we automatically create a zone with the project name as a project is created? Right now, it depends what you're using. If you could do a designate-sink, you'd have to write your own handler; you'd have to write a plugin for it right now, because the event doesn't have the project name in the metadata coming out of it. It only has the ID, so you'd have to go get the name from Keystone and insert it, but that API through the plugin points is rather simple. We don't have any standards now or policy for it.
Unfortunately. You've had your hand up a while. On Kilo: we've run it in production, and we've run Kilo in production. Obviously, we don't run the public cloud anymore, but we ran Designate in production there for three or four years, from its earliest versions. Yes, it needed some TLC back in those days; it has got a lot more stable. One of the things about Designate is there's really no requirement for you to run a Kilo Designate with a Kilo rest of OpenStack. We don't have a huge amount of hard-coded integrations with the other services. Our API has been mostly stable; all of the interactions happen over the API. So at the end of the day, if you want to run Newton with your Kilo cloud, there really shouldn't be any problem doing that, as long as you're putting them on different machines, because of Python version dependencies. Yeah, Kilo should be okay. The problem is you're not going to get any more bug fixes; that branch is gone. Liberty? No, you won't be yet. No, that'll be end-of-life soon though. Yes, sorry, distributions will potentially maintain different branches a lot longer. I can't remember what the LTS for Havana was... the LTS Havana, Kilo and Mitaka for Ubuntu, I think. Yeah, so they'll get patches from the Ubuntu internal repositories for a longer period of time.

Do distros consider Designate production-ready? Well, for example... yeah. On the HP side, for the last three... on the Helion side, it's since 1.0, yeah. I know there are so many different projects, and I think a lot of the enterprise distros have been taking what is traditionally the integrated release: Nova, Neutron, Glance, Cinder. They're adding absolutely critical things like monitoring, so Ceilometer has kind of come in because it was deemed very critical. A lot of the ancillary services that have been around for quite some time have been stable but haven't been brought into those; they are being brought into those and being tagged preview, mostly because those companies aren't familiar with it, they don't know how to operate this at scale, they don't know how to support running it, and that experience is vital in your distro before you're able to turn around and say, look, this is production-ready, go migrate everything to it. If you want to get your enterprise vendor to provide developers to Designate, feel free. That's the best way to get it.

So we support you providing us things like SPF and DKIM records; we will host those. We don't currently do DNSSEC. There's nothing preventing you using things like Akamai's signing; their DNS does automatic signing, and a bunch of other name servers do that kind of thing, and we'll handle it at the front end. We haven't tied that directly into Designate. That's on the very long tail, because I am kind of allergic to writing my own crypto code, and it's significantly difficult to do. And it wasn't a critical feature for a lot of people, so nobody was willing to pull up the devs to do it. Right, as in you can provide the content of those records to us and we'll happily serve them out. We won't generate things like your DKIM signing keys.

Not that I know of at this point. There are very few companies that do that for OpenStack projects. The only one I can think of is Tesora for Trove. I haven't seen any other companies that do that; I definitely haven't seen anything for Designate.

Okay, any last question before we get kicked out of the room? I think that's it. Okay, thank you guys for coming.