
[debops.lxc] Change DNS configuration for lxc-net

The 'lxc-net' service sets up a 'dnsmasq' instance on the 'lxcbr0'
network interface to provide DNS and DHCP services for LXC containers.
The 'debops.dnsmasq' and 'debops.unbound' roles can use that 'dnsmasq'
instance to allow name resolution for LXC containers from the LXC host.

Unfortunately, 'dnsmasq' does not provide a "view" functionality, and
both the LXC host and LXC containers see the same information. This
caused a problem with the previous implementation where the 'lxcbr0'
interface would use the name of the LXC host to generate the FQDN. This
could cause the LXC host name resolution to "switch over" from its
previous domain to 'lxc.<domain>' and break the host configuration.

To avoid this, the 'lxcbr0' interface will now use the LXC domain itself,
without the LXC host's own hostname, as the interface name. This should
avoid issues with name resolution switching over.
drybjed committed Aug 10, 2019
1 parent 0285068 commit b7b919ee46aeaa1b24af9d14499a62573ca53bcf
@@ -314,6 +314,11 @@ User management
override to Debian Stretch and Ubuntu Xenial only. The containers correctly
shut down using ``SIGRTMIN+3`` signal on Debian Buster and beyond.

- The :envvar:`lxc__net_fqdn` variable will now define both the DNS domain for
the LXC containers as well as the DNS name of the ``lxcbr0`` interface. This
should ensure that both the LXC host and the containers see the same DNS
name for the same resource.

:ref:`debops.mariadb_server` role
'''''''''''''''''''''''''''''''''

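Review bot: the new changelog entry ("The :envvar:`lxc__net_fqdn` variable will now define both the DNS domain ...") does not mention that ``lxc__net_interface_fqdn`` was renamed or that :envvar:`lxc__net_domain` changed meaning, so a reader of the changelog alone will not know the inventory needs updating; add a short cross-reference, e.g. "See the upgrade notes for the renamed ``lxc__net_interface_fqdn`` variable."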
@@ -147,28 +147,30 @@ lxc__net_dhcp_end: '-2'
# ]]]
# .. envvar:: lxc__net_domain [[[
#
# The DNS domain used for the internal LXC network. By default it is based on
# the LXC host domain.
# The DNS domain used as a base for the internal LXC network. By default it is
# based on the LXC host domain.
lxc__net_domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else ansible_domain }}'

# ]]]
# .. envvar:: lxc__net_fqdn [[[
#
# The FQDN of the internal LXC bridge / internal LXC gateway registered in the
# :command:`dnsmasq` service, as well as the DNS domain advertised to the LXC
# containers via DHCP. It can be seen for example in traceroutes.
#
# The :command:`resolvconf` service will be used to add or remove the LXC
# domain in the :file:`/etc/resolv.conf`; with local DNS resolver, for example
# :command:`dnsmasq`, configured on the LXC host the containers can then be
# accessed by their hostnames instead of the IP addresses.
lxc__net_domain: '{{ ansible_local.lxc.net_domain
if (ansible_local|d() and ansible_local.lxc|d() and
ansible_local.lxc.net_domain|d())
else ("lxc." + (ansible_local.core.domain
if (ansible_local|d() and
ansible_local.core|d() and
ansible_local.core.domain|d())
else ansible_domain)) }}'

# ]]]
# .. envvar:: lxc__net_interface_fqdn [[[
#
# The DNS name of the internal LXC bridge / internal LXC gateway registered in
# the :command:`dnsmasq` service; it can be seen for example in traceroutes.
lxc__net_interface_fqdn: '{{ ansible_hostname }}.{{ lxc__net_domain }}'
lxc__net_fqdn: '{{ ansible_local.lxc.net_domain
if (ansible_local|d() and ansible_local.lxc|d() and
ansible_local.lxc.net_domain|d())
else ("lxc" + (("." + lxc__net_domain)
if lxc__net_domain|d()
else "")) }}'

# ]]]
# .. envvar:: lxc__net_dnsmasq_conf [[[
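Review bot: ``lxc__net_fqdn`` is seeded from the saved local fact ``ansible_local.lxc.net_domain``, while ``lxc__net_domain`` no longer reads any local fact, and the diff does not show the facts template; confirm that the fact file now stores the value of ``lxc__net_fqdn`` under ``net_domain`` (or a new ``net_fqdn`` key). If the template still saves ``lxc__net_domain``, the second run would store the base domain (e.g. ``example.org``) and ``lxc__net_fqdn`` would resolve to it instead of ``lxc.example.org``, reintroducing the domain flip this commit fixes. Also, the ``else`` branch yields the single label ``lxc`` when ``lxc__net_domain`` is empty (``ansible_domain`` is empty on hosts without a configured domain); a comment stating this is intended would help, since a one-label domain skips the parent-domain search option in the dnsmasq template.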
@@ -13,5 +13,5 @@ LXC_NETWORK="{{ lxc__net_address | ipaddr('subnet') }}"
LXC_DHCP_RANGE="{{ lxc__net_address | ipaddr(lxc__net_dhcp_start|int) | ipaddr('address') + ',' + lxc__net_address | ipaddr(lxc__net_dhcp_end|int) | ipaddr('address') }}"
LXC_DHCP_MAX="{{ (lxc__net_address | ipaddr('size'))|int - ((lxc__net_dhcp_start|int|abs) + (lxc__net_dhcp_end|int|abs)) }}"
LXC_DHCP_CONFILE="{{ lxc__net_dnsmasq_conf }}"
LXC_DOMAIN="{{ lxc__net_domain }}"
LXC_DOMAIN="{{ lxc__net_fqdn }}"
{% endif %}
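Review bot: ``LXC_DOMAIN="{{ lxc__net_fqdn }}"`` sets the same value that the ``domain =`` line in the dnsmasq configuration template derives from the same variable, and both feed one ``dnsmasq`` instance; add a comment that the two must stay in sync, or drop one of them if ``lxc-net`` already passes ``LXC_DOMAIN`` through to ``dnsmasq``, so a later edit to one file cannot advertise a different domain to containers than the one marked local.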
@@ -7,15 +7,15 @@
dns-loop-detect

# Mark the LXC domain as local and generate PTR resource records automatically
domain = {{ lxc__net_domain + ',' + (lxc__net_address | ipaddr('subnet')) + (',local' if (lxc__net_address | ipaddr('prefix') in [ 8, 16, 24 ]) else '') }}
domain = {{ lxc__net_fqdn + ',' + (lxc__net_address | ipaddr('subnet')) + (',local' if (lxc__net_address | ipaddr('prefix') in [ 8, 16, 24 ]) else '') }}

# Set the FQDN name of the bridge interface in the DNS
interface-name = {{ lxc__net_interface_fqdn }},{{ lxc__net_bridge }}
{% if (lxc__net_domain.split('.') | length >= 3 and lxc__net_domain.split('.')[1:] | length >= 2) %}
interface-name = {{ lxc__net_fqdn }},{{ lxc__net_bridge }}
{% if (lxc__net_fqdn.split('.') | length >= 3 and lxc__net_fqdn.split('.')[1:] | length >= 2) %}

# Include the parent domain as searchable via resolvconf
dhcp-option = tag:{{ lxc__net_bridge }},option:domain-search,{{ lxc__net_domain }},{{ lxc__net_domain.split('.')[1:] | join('.') }}
dhcp-option = tag:{{ lxc__net_bridge }},option6:domain-search,{{ lxc__net_domain }},{{ lxc__net_domain.split('.')[1:] | join('.') }}
dhcp-option = tag:{{ lxc__net_bridge }},option:domain-search,{{ lxc__net_fqdn }},{{ lxc__net_fqdn.split('.')[1:] | join('.') }}
dhcp-option = tag:{{ lxc__net_bridge }},option6:domain-search,{{ lxc__net_fqdn }},{{ lxc__net_fqdn.split('.')[1:] | join('.') }}
{% endif %}
{% if not lxc__net_router|bool %}

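Review bot: the condition ``{% if (lxc__net_fqdn.split('.') | length >= 3 and lxc__net_fqdn.split('.')[1:] | length >= 2) %}`` is redundant: when the split has at least three labels, the ``[1:]`` slice always has at least two, so the second clause can be dropped. The ``interface-name`` change also alters what is published: the bridge address is now answered for the zone apex ``lxc__net_fqdn`` itself rather than ``<hostname>.lxc.<domain>``, which is what the commit message intends, but the comment above it ("Set the FQDN name of the bridge interface in the DNS") should say so, because anyone relying on the old per-host record will see it disappear.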
@@ -100,6 +100,14 @@ Inventory variable changes
You can check the :envvar:`lxc__default_configuration` variable to see which
``name`` parameters can change.

- The ``lxc__net_interface_fqdn`` variable has been renamed to
:envvar:`lxc__net_fqdn` to conform to the variable naming scheme for domain
and FQDN names used in different DebOps roles. The new variable defines the
final DNS domain for the LXC containers, as well as the DNS name of the
``lxcbr0`` interface; the :envvar:`lxc__net_domain` variable which has done
that previously is now used to define the base DNS domain for the ``lxc.``
subdomain.

- The :ref:`debops.ipxe` role default variables have been renamed to move them
to their own ``ipxe__*`` namespace; you will have to update the Ansible
inventory.

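Review bot: the upgrade note should warn users who set ``lxc__net_domain`` in the inventory under the old scheme. The old default was ``lxc.`` + the host domain, so an inventory value like ``lxc.example.org`` was common; with this change the same value becomes the base domain and ``lxc__net_fqdn`` expands to ``lxc.lxc.example.org``. Suggest adding a sentence such as: "If you set ``lxc__net_domain`` to a ``lxc.``-prefixed value, move it to ``lxc__net_fqdn`` or remove the prefix."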
0 comments on commit b7b919e