Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
ansible Changes needed to deploy this osp-dns in our environment. Feb 23, 2018


DNS Service for OpenStack with Heat

This repository contains deprecated scripts and ansible playbooks. Refer to the official documentation Deploying and Managing OpenShift 3.9 on Red Hat OpenStack Platform 10

This repository defines a simple distributed DNS service within an OpenStack Heat stack. The goal is to de-mystify DNS services and deployments for low level delegated sub-domains. It is NOT to provide enterprise scale and quality DNS services.

The service consists of BIND in a master/slave configuration set up with dynamic updates defined in RFC 2136.


  • Ansible

  • python-openstackclient

  • bind-utils

Deployment Procedure

The stack is deployed using an Ansible playbook. Internally, Heat creates the VMs, networks, etc. and Ansible then installs and configures the packages.

Get the GIT repository

Clone the Heat and Ansible repositories
git clone https://github.com/openshift/openshift-ansible-contrib.git
cd openshift-ansible-contrib/reference-architecture/osp-dns

Input Values

Ansible Input File

To deploy the DNS service, you need to provide some values first. Create a vars.yaml file. This file will be passed to Ansible later on.

See vars.sample.yaml for an example configuration.

Required Values


The DNS zone to be served
Type: string
Example: ocp3.example.com


The upstream DNS servers. Any domain outside of the domain_name above will be forwarded to one of these servers.
Type: list
Example: [,]

If you're not sure what to put here, the values from your own
`/etc/resolv.conf` might be a good start:
$ grep '^\s*nameserver.*$' /etc/resolv.conf | awk '{print $2}'

A symmetric key value for dynamic DNS updates
Type: string
This is a BASE64 encoded MD5 hash, randomly generated by ddns-confgen(8) (bundled with bind-utils) or rndc-confgen(8) (bundled with bind).

To generate the key, you can do this:
$ ddns-confgen -r /dev/urandom | grep secret
The key should look something like this:
NOTE: anyone with this key will be able to update the entries in your
DNS server. Treat it as secret.

The name of an existing Neutron network in the OSP environment which allows inbound and outbound traffic.
Type: string
Example: ext-net


The name of a Glance image that will be used to for the DNS virtual machines.
Type: string
Example: centos7


The username you can SSH as into the deployed VMs. This depends on the image you’re using. For RHEL, it’s cloud-user, for CentOS it’s centos, for Fedora it’s fedora.
Type: string
Example: centos


The name of an existing Nova keypair
Type: string
Example: ocp_key

Optional Values


The name of the Heat stack
Type: string
Default: dns-service


The number of the BIND slave servers
Type: number
Default: 3


List of OpenStack Nova policies applied on the slave servers. The default value places every VM in a different Nova Compute node. For small/all-in-one environments, you can change this to affinity
Type: array
Default: ['anti-affinity']


The OpenStack Nova flavor the VMs will use
Type: string
Default: m1.small


The email address that will serve in the DNS' contact for the given zone/domain.
Type: string
Default: admin@ocp3.example.com

Optional Values for Red Hat Enterprise Linux Images

The following values are all optional and only useful if your guest images use Red Hat Enterprise Linux. They are used to register your VMs with RHN.


Type: string
Default: None


Type: string
Default: None


Type: string
Default: None


Type: string
Default: None


Type: string
Default: None


Type: string
Default: None

Deploying the DNS service

The deployment uses the vars.yaml configuration file created in the previous section.

The authentication variables for talking to the OpenStack services (e.g. OS_USERNAME and OS_AUTH_URL) must be loaded (so running openstack stack list succeeds).

Ansible must also be aware of the private SSH key for connecting to the deployed VMs. The key should either be in a default location such as ~/.ssh/id_rsa, passed to the Ansible invocation via --private-key=path/to/key or added to the SSH agent vith ssh-add path/to/key.

If you plan to delete and re-create the VMs multiple times (e.g. for testing or development) you may want to export ANSIBLE_HOST_KEY_CHECKING=False or prune your ~/.ssh/known_hosts regularly. Otherwise SSH will fail if two VMs from different runs happen to receive the same IP address.
$ ansible-playbook deploy-dns.yaml -e @vars.yaml

The playbook takes three distinct actions:

  1. Create a heat stack with network connectivity and instances created and named to specification

  2. Query the instances for hostname and IP address and create an inventory for Ansible

  3. Install the packages and configure the DNS service