Commit 6ea8e9ae authored by Dimitris Aragiorgis

docs: Rewrite snf-network-dnshook

Mention correctly when it runs and be more informative wrt
nsupdate authentication methods supported (TSIG for bind9
and GSS-TSIG for AD).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
parent 84a92e7b
...@@ -216,25 +216,35 @@ neighbor proxy entry related to an instance's IPv6 on the source node. ...@@ -216,25 +216,35 @@ neighbor proxy entry related to an instance's IPv6 on the source node.
Otherwise the traffic would continue to go via the source node since Otherwise the traffic would continue to go via the source node since
there would be two nodes proxy-ing this IP. there would be two nodes proxy-ing this IP.
.. _snf-network-dnshook:
snf-network-dnshook snf-network-dnshook
""""""""""""""""""" """""""""""""""""""
Installed under `instance-stop-post.d`, `instance-rename-post.d` and Installed under `instance-add-post.d`, `instance-rename-post.d`,
`instance-remove-post.d` hook dirs. `instance-remove-post.d` and `instance-modify-post.d` hook dirs.
This hook updates an external `DDNS <https://wiki.debian.org/DDNS>`_ Currently it supports dynamic updates against a BIND server or
setup via ``nsupdate``. To do so, the path to a valid keyfile, along secure Microsoft DNS (Active Directory) by using the `nsupdate`
with the nameserver must be added in settings command (found in `dnsutils` debian package).
(/etc/default/snf-network).
To authenticate against an AD controller using Kerberos, snf-network uses On both cases, to enable it, the admin must set the SERVER (the IP of
the -g option of nsupdate (GSS-TSIG mode). Prior to that it uses "k5start the DNS server) and FZONE (the domain of the instances) variables found
-H" to ensure there is a happy ticket (stored under /var/lib/snf-network; in `/etc/default/snf-network`. Please note that currenlty only one
see KERBEROS_TICKET default option), otherwise use a keytab containing domain is supported for the instances.
the password to obtain a ticket automatically (password-less). The
keytab with the corresponding service principal must already exist and In case of BIND (e.g `DDNS <https://wiki.debian.org/DDNS>`_),
both should be mentioned in the settings. the KEYFILE variable in `/etc/default/snf-network` must point to
the .private file created by dnssec-keygen.
To authenticate against an AD controller using Kerberos, snf-network
uses the -g option of nsupdate (GSS-TSIG mode). Prior to that, it uses
"k5start -H" to ensure there is a happy ticket (stored under
/var/lib/snf-network; see KERBEROS_TICKET default option). In case the
ticket is invalid, it will use a keytab containing the password and it
will try to obtain a ticket automatically (password-less). The keytab
with the corresponding service principal must already exist and both
should be mentioned in the settings.
To add a valid keytab one can use: To add a valid keytab one can use:
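Review bot: two typos in the added text will ship in the rendered docs: "On both cases" should read "In both cases", and "currenlty" should be "currently" (the same misspelling is deleted from the dns section further down, so this hunk reintroduces it); "e.g `DDNS" also wants a period after "e.g.". On the substance, the KEYFILE .private file (TSIG key from dnssec-keygen) and the keytab for the SYNNEFO.NSUPDATE principal both grant dynamic-update rights over FZONE, so the paragraph that introduces them should state that they must be readable only by the account the hook runs as, and for BIND that the key should be scoped to that one zone via update-policy or allow-update rather than accepted globally; otherwise a leaked file from /etc/default/snf-network or /var/lib/snf-network lets anyone rewrite the instance zone.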
...@@ -242,15 +252,17 @@ To add a valid keytab one can use: ...@@ -242,15 +252,17 @@ To add a valid keytab one can use:
ktutil -v add -V 1 -e aes256-cts -p SYNNEFO.NSUPDATE ktutil -v add -V 1 -e aes256-cts -p SYNNEFO.NSUPDATE
``dnsutils`` debian packages includes ``nsupdate`` client while
``kstart`` and ``heimdal-clients`` packages are required in case ``kstart`` and ``heimdal-clients`` packages are required in case
kerberos authentication is desired. kerberos authentication is desired.
Since we add/remove entries during ifup/ifdown In general this hook relies on the exported enviroment and according to
scripts, we use this only during instance remove/shutdown/rename. It the opcode it updates the external DNS server.
does not rely on exported environment but it queries first the DNS
server to obtain current entries and then it invokes the necessary Upon instance modification it first queries the DNS server to obtain
commands to remove them (and the relevant reverse ones too). current entries, then removes them (along with their reverse ones) and
then re-adds any entries needed. This is done, because currently the
environment exported by Ganeti includes the whole instance's state and
does not explicitly mention the changes made.
.. _setups: .. _setups:
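Review bot: "enviroment" should be "environment", and "This is done, because" needs no comma. More importantly, the modify path as described (query the server, remove the current forward and reverse records, then re-add what is needed) leaves the instance with no DNS records if the hook is interrupted or the second update is refused; nsupdate sends every command issued before a single `send` as one UPDATE message, so the delete and the add can be made atomic. The doc should say whether the hook batches them that way, and if it does not, that is worth fixing in the hook before documenting the two-step behaviour.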
...@@ -327,12 +339,8 @@ dns ...@@ -327,12 +339,8 @@ dns
snf-network can update an external `DDNS snf-network can update an external `DDNS
<https://wiki.debian.org/DDNS>`_ server. If the `dns` network tag is <https://wiki.debian.org/DDNS>`_ server. If the `dns` network tag is
found, `snf-network-dnshook` will use `nsupdate` and add/remove entries found, `snf-network-dnshook` will use `nsupdate` and add/remove entries
related to the interface that is being managed. To enable it the admin related to the interface that is being managed. For more details see
must set the SERVER (the IP of the DNS server), FZONE (the domain of the `snf-network-dnshook`_.
instances), KEYFILE (the .private file created by dnssec-keygen)
variables found in `/etc/default/snf-network`. Please note that
currenlty only one domain is supported for the instances.
nfdhcpd nfdhcpd
^^^^^^^ ^^^^^^^
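Review bot: "related to the interface that is being managed" is now stale given the first hunk: the hook is installed in the instance-add/rename/remove/modify-post.d dirs and works from the exported instance state, not per interface from ifup/ifdown (the previous hunk drops that wording). Suggest "add/remove entries for the instance's NICs" and keep the pointer to `snf-network-dnshook`_.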