Naming Scheme - Rev 1

Teams Infrastructure
1

Just looking to get a rough draft of the Naming Scheme as brought up in the

External

Purpose DNS
git git.rockylinux.org
wiki wiki.rockylinux.org
bugs bugs.rockylinux.org
mirror mirror.rockylinux.org
Build build.rockylinux.org
Build Logs buildlogs.rockylinux.org
Mail List lists.rockylinux.org
Documents docs.rockylinux.org
Vault vault.rockkylinux.org
RSS Feed planet.rockylinux.org

Internal

Purpose DNS
Cont Int. **id**.ci.rockylinux.org
File Storage **id**.fil.rockylinux.org
Identity Provider **id**.idp.rockylinux.org

**id** - Represents a unique identifier for clusters and systems that scale out

ID

xxx - unique id
env - (dev, test, stage, prod)
dcc - datacenter code

Examples

dev01.us1.ci.rockylinux.org
dev01.de1.ci.rockylinux.org
prod01.us1.idp.rockylinux.org
prod02.de1.idp.rockylinux.org

2 Likes
2

Bringing over thoughts from @neil on this topic to tack on to the Internal bit:

I’m personally a fan of location-environment-subenvironment-name/function-arity.subenvironment.environment.location.rockylinux.org… e.g.

use1-dev-ci-builder001.ci.dev.use1.rockylinux.org (or similar) though pieces can be removed/added/changed as required.

1 Like
3

to be clear that naming isn’t a hill i will die on - i just want to make sure we build in knowing where we have things situated if our gear ends up dispersed across multiple data centers or locations.

1 Like
4

The consideration of putting physical location of resources in the hostname and fqdn is good, the hostname might a bit overly verbose for my personal tastes given the fqdn, but too much verbosity is better than not enough for this. I think it’s a reasonable set of things to include.

1 Like
5

Absolutely but getting the schema correct now is a good idea, I am thinking for the id a format like this

xxx-env-cc

xxx – unique ID that is registered in a system (IE track location physical admin etc)
env - (dev, test, stage, prod)
cc - Country code https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

6

We really dont need it in both that was a carry over from something else i was working on.

7

For internal DNS, FreeIPA will either need to control the rockylinux.org domain as name servers or another DNS server will need to be managed with all the special DNS records (I don’t like the latter, it is very painful to manage - having IPA manage it would be ideal here).

If we want seamless identity management/idp, freeipa needs to be at the top to manage kerberos and other functionality of the system, including DNS records, KRA, CA, among other things. Having an “idp” subdomain is perfectly fine for having ipsilon and the like for that specific functionality, but we should be aware where the core of the identities need to sit, top level. As long as FreeIPA has control over the internal domains and reverse zones, it will work very well for our needs.

1 Like
8

@nazunalika to be clear, freeipa wants to own NS and SOA for rockylinux.org?

9

@neil Internally, yes. FreeIPA doesn’t care about external domains because it doesn’t do views. For example, my domain angelsofclockwork.net. I have external records hosted somewhere else but my IPA domain is still angelsofclockwork.net internally, held by my IPA servers. Changes I do there do not reflect external changes. My external changes are done elsewhere. This system is doable.

Edit, here’s what I mean.

# dig mgt.angelsofclockwork.net @10.100.0.231 A

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> mgt.angelsofclockwork.net @10.100.0.231 A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8a05702cb5025ce046ce117d5fd1343321297e13edf40253 (good)
;; QUESTION SECTION:
;mgt.angelsofclockwork.net.     IN      A

;; ANSWER SECTION:
mgt.angelsofclockwork.net. 1200 IN      A       10.100.0.10

;; AUTHORITY SECTION:
angelsofclockwork.net.  60      IN      NS      ipa02.angelsofclockwork.net.
angelsofclockwork.net.  60      IN      NS      ipa01.angelsofclockwork.net.
angelsofclockwork.net.  60      IN      NS      router.angelsofclockwork.net.

;; ADDITIONAL SECTION:
router.angelsofclockwork.net. 1200 IN   A       10.100.0.1
ipa01.angelsofclockwork.net. 1200 IN    A       10.100.0.231
ipa02.angelsofclockwork.net. 1200 IN    A       10.100.0.232
router.angelsofclockwork.net. 1200 IN   AAAA    2001:470:1f19:138::1
ipa01.angelsofclockwork.net. 1200 IN    AAAA    2001:470:1f19:138::231
ipa02.angelsofclockwork.net. 1200 IN    AAAA    2001:470:1f19:138::232

;; Query time: 0 msec
;; SERVER: 10.100.0.231#53(10.100.0.231)
;; WHEN: Wed Dec 09 13:31:47 MST 2020
;; MSG SIZE  rcvd: 291

# dig mgt.angelsofclockwork.net @8.8.8.8 A

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> mgt.angelsofclockwork.net @8.8.8.8 A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37100
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mgt.angelsofclockwork.net.     IN      A

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 09 13:32:27 MST 2020
;; MSG SIZE  rcvd: 54
10

I’m in agreement in principle except for the hostname. I don’t see a need to duplicate everything twice. Why not just

function-arity.subenv.env.location.rockylinux.org?

11

Datacenter and (if applicable) availability zone would be more valuable than the country code, IMO. Easier to tell where the impact is that way.

1 Like
12

ahh I see. Never done freeipa before, but I get you now.

2 Likes
13

Fair, We were initially talking about distributed so i wasn’t thinking DC but in that case i updated ref specifying the. dc us1 de1 is just an example. could be alphanumeric as well. more important is the registry IE: Netbox of those sytems

14

The naming scheme looks very good. :beers:

15

hi everyone,

are we sure that we should should use FreeIPA for managing DNS on rockylinux.org.

what i have typically seen is that FreeIPA had control over a subdomain, like “infra.rockylinux.org”

and all systems managed by FreeIPA are hosted within this subdomain (with whatever level of deeper nested subdomains)

this has also the advantage, that the subdomain could be completely internal.

which would count as a security measure.

1 Like
16

If I’m understanding it right you set it up at the root but you make use of split-brain DNS so external requests are unaffected but internal auth is routed correctly.

Somebody please correct me if I don’t have that right.

17

hmm, split DNS always has its problems in my experience.

it can be tricky to get right, and hard to debug. it is always strange i things resolve differently, depending on what view you are seeing.

18

Split DNS is only problematic if you set it up poorly. I have done this at multiple clients and have it running personally at home with no issues. Regardless if you subdomain or not, you’re going to have to do split DNS for the infrastructure.

1 Like
19

We’ve never had problems with Split DNS configured under Bind9 :wink:

The general scheme from first post looks ok, but I would put ID as last thing to follow “from biggest to smallest” scheme, so for eg:
dev-us1-001.ci.rockylinux.org
dev-de1-001.ci.rockylinux.org
prod-de1-001.idp.rockylinux.org
dev-us1-001.idp.rockylinux.org

us1/de1 are under dev and host 001 from dev-us1 is… well… under dev-us1 :wink:

(and question do we even need 3digits here? maybe 2 digita is enough? do you really plan to have more than 99 servers in single DC?)

20

@morsik I agree, largest to smallest completely makes sense. updated to reflect the translation and decrease to two digits I have just generally used 3 for ids in the past due to large numbers of servers but 2 makes sense.