authorAlex Auvolat <alex@adnab.me>2020-01-18 17:34:55 +0100
committerAlex Auvolat <alex@adnab.me>2020-06-30 17:31:35 +0200
commit351e6f13d5bee3275f46fda4a1780c71d9f338d6 (patch)
tree675a202635ed79730f9b3965782e0b28130de992
parent8fdebd74b37ae1766e03b39b8a3d6d84ef549a74 (diff)
Network configuration:
- Remove nomad interface (unused)
- Deactivate systemd-resolved
- Add dns_server to production nodes variables
- Add recursors option to Consul so that it can resolve outside DNS queries
- Use consul as a global DNS server for machines and containers, with the outside DNS as a fallback (see roles/consul/templates/resolv.conf.j2)
-rw-r--r--ansible/production6
-rw-r--r--ansible/roles/consul/tasks/main.yml3
-rw-r--r--ansible/roles/consul/templates/consul.json.j23
-rw-r--r--ansible/roles/consul/templates/resolv.conf.j22
-rw-r--r--ansible/roles/network/files/nsswitch.conf3
-rw-r--r--ansible/roles/network/files/systemd-resolve-no-listen.conf2
-rw-r--r--ansible/roles/network/handlers/main.yml6
-rw-r--r--ansible/roles/network/tasks/main.yml33
-rw-r--r--ansible/roles/network/templates/nomad-interface.j28
9 files changed, 23 insertions, 43 deletions
diff --git a/ansible/production b/ansible/production
index 6266502..e1f0332 100644
--- a/ansible/production
+++ b/ansible/production
@@ -1,4 +1,4 @@
[cluster_nodes]
-veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1
-silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1
-wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1
+veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1 dns_server=208.67.222.222
+silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1 dns_server=208.67.222.222
+wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1 dns_server=208.67.222.222
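Review bot: The new `dns_server=208.67.222.222` host var is repeated verbatim on all three lines of `[cluster_nodes]`, so a later change of upstream resolver has to be made in three places. Every node in the group gets the same value, so a group-level `[cluster_nodes:vars]` section with a single `dns_server=208.67.222.222` line keeps one source of truth, and a per-host value can still override it where needed. This address is also the only Consul recursor and the only resolv.conf fallback in this commit, so a comment in the inventory naming the provider it belongs to (it looks like a public resolver) and stating that all outside resolution for the cluster depends on it would help whoever has to change it.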
diff --git a/ansible/roles/consul/tasks/main.yml b/ansible/roles/consul/tasks/main.yml
index bb1d9ef..5cb68ab 100644
--- a/ansible/roles/consul/tasks/main.yml
+++ b/ansible/roles/consul/tasks/main.yml
@@ -47,3 +47,6 @@
- name: "Enable consul systemd service at boot"
service: name=consul state=started enabled=yes daemon_reload=yes
+
+- name: "Deploy resolv.conf to use Consul"
+ template: src=resolv.conf.j2 dest=/etc/resolv.conf
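Review bot: The new "Deploy resolv.conf to use Consul" task sets no `mode`, so the permissions of /etc/resolv.conf depend on the remote umask; every unprivileged process on the host has to read this file, so pin it with `mode: "0644"`. Like the task above it, the new one uses the `key=value` shorthand; block YAML with `src:`, `dest:` and `mode:` keys is the Ansible convention and diffs more cleanly. On a host where /etc/resolv.conf is still the symlink into /run/systemd/resolve that the old network role created, what happens to that link is governed by the template module's `follow` option (the default is not to follow, which should replace the link with a regular file); writing `follow: false` explicitly documents that the link is meant to be replaced rather than written through.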
diff --git a/ansible/roles/consul/templates/consul.json.j2 b/ansible/roles/consul/templates/consul.json.j2
index d1bd2d8..b6c86aa 100644
--- a/ansible/roles/consul/templates/consul.json.j2
+++ b/ansible/roles/consul/templates/consul.json.j2
@@ -17,6 +17,9 @@
"ports": {
"dns": 53
},
+ "recursors": [
+ "{{ dns_server }}"
+ ],
"encrypt": "{{ consul_gossip_encrypt }}",
"domain": "2.cluster.deuxfleurs.fr",
"performance": {
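Review bot: With `recursors` set, Consul answers every query outside its own domain by forwarding it to `{{ dns_server }}`, so the listener on port 53 (configured two keys above) becomes a general-purpose recursive resolver for whatever can reach it; the bind address (`client_addr`) and the iptables rules that decide that reach are outside this hunk, so it is worth confirming that port 53 is only reachable from the nodes and containers meant to use it, and noting that constraint in a comment next to the key. `recursors` takes a list and only one entry is given; a second upstream would let Consul fail over on its own instead of every host falling through to the resolv.conf fallback. If `dns_server` is undefined for a host the template fails to render, which is the right outcome, but a line in the role's defaults or README saying the variable is required would save the next person a template error.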
diff --git a/ansible/roles/consul/templates/resolv.conf.j2 b/ansible/roles/consul/templates/resolv.conf.j2
new file mode 100644
index 0000000..2404034
--- /dev/null
+++ b/ansible/roles/consul/templates/resolv.conf.j2
@@ -0,0 +1,2 @@
+nameserver {{ private_ip }}
+nameserver {{ dns_server }}
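Review bot: The second `nameserver` line is only consulted after the first one fails to answer, so with the resolver's default settings a Consul outage turns every lookup on the host into a multi-second stall before `{{ dns_server }}` is tried, rather than a fast failover. An `options timeout:1 attempts:1` line (tuned to taste) bounds that stall. When the fallback is in use, names under the Consul domain cannot be resolved at all, which is inherent to this design and deserves a one-line comment at the top of the template, e.g. `# primary: Consul DNS on this node; fallback: upstream only, cannot resolve cluster names`.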
diff --git a/ansible/roles/network/files/nsswitch.conf b/ansible/roles/network/files/nsswitch.conf
index f4c3149..a84e024 100644
--- a/ansible/roles/network/files/nsswitch.conf
+++ b/ansible/roles/network/files/nsswitch.conf
@@ -9,8 +9,7 @@ group: files systemd
shadow: files
gshadow: files
-#hosts: files dns
-hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts: files dns
networks: files
protocols: db files
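Review bot: The new `hosts: files dns` line drops `myhostname` along with `resolve` and `mymachines`, so the node's own hostname is now resolved only through /etc/hosts or through Consul; if the hostname is not in /etc/hosts, anything that resolves the local hostname at startup goes to DNS and fails or stalls whenever Consul is down. Keeping `hosts: files dns myhostname` costs nothing and preserves loopback resolution of the local name independent of the cluster resolver. The file continues past the hunk, so it is worth checking that no other line still references `resolve` or `mymachines`.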
diff --git a/ansible/roles/network/files/systemd-resolve-no-listen.conf b/ansible/roles/network/files/systemd-resolve-no-listen.conf
deleted file mode 100644
index 6e95967..0000000
--- a/ansible/roles/network/files/systemd-resolve-no-listen.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Resolve]
-DNSStubListener=no
diff --git a/ansible/roles/network/handlers/main.yml b/ansible/roles/network/handlers/main.yml
index 3454894..85873ee 100644
--- a/ansible/roles/network/handlers/main.yml
+++ b/ansible/roles/network/handlers/main.yml
@@ -4,9 +4,3 @@
- name: reload ip6tables
shell: ip6tables-restore < /etc/iptables/rules.v6
-
-- name: reload nomad interface
- shell: ifdown nomad1 || true ; ifup nomad1
-
-- name: reload systemd-resolved
- service: name=systemd-resolved state=restarted
diff --git a/ansible/roles/network/tasks/main.yml b/ansible/roles/network/tasks/main.yml
index 7f95b0f..ee2f21e 100644
--- a/ansible/roles/network/tasks/main.yml
+++ b/ansible/roles/network/tasks/main.yml
@@ -1,9 +1,3 @@
-- name: "Add dummy interface to handle Nomad NAT restriction nomad#2770"
- template: src=nomad-interface.j2 dest=/etc/network/interfaces.d/nomad.cfg
- when: public_ip != private_ip
- notify:
- - reload nomad interface
-
- name: "Deploy iptablesv4 configuration"
template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
notify:
@@ -20,23 +14,18 @@
value: 1
sysctl_set: yes
-- name: "Create systemd-resolved override directory"
- file: path=/etc/systemd/resolved.conf.d/ state=directory
-
-- name: "Prevent systemd-resolved from listening on port 53 (DNS)"
- copy: src=systemd-resolve-no-listen.conf dest=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf
- notify: reload systemd-resolved
+- name: "Flush handlers"
+ meta: flush_handlers
-- name: "Use systemd-resolved as a source for /etc/resolv.conf"
- file:
- src: "/run/systemd/resolve/resolv.conf"
- dest: "/etc/resolv.conf"
- state: link
- force: yes
- notify: reload systemd-resolved
-- name: "Update nsswitch.conf to use systemd-resolved"
+# These two lines are used to undo previous config, remove them once it is done
+- name: "Update nsswitch.conf to not use systemd-resolved"
copy: src=nsswitch.conf dest=/etc/nsswitch.conf
-- name: "Flush handlers"
- meta: flush_handlers
+- name: "Disable systemd-resolved"
+ systemd:
+ name: systemd-resolved
+ state: stopped
+ enabled: false
+
+
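Review bot: The comment `# These two lines are used to undo previous config, remove them once it is done` sits above two tasks rather than two lines, and it is only half right: "Disable systemd-resolved" is clean-up of the old setup, but "Update nsswitch.conf to not use systemd-resolved" deploys the nsswitch.conf a fresh node also needs, so removing it later would break new hosts; suggest `# Clean-up of the old systemd-resolved setup: the nsswitch task is permanent, the disable task can go once all nodes are migrated`. Stopping and disabling the unit does not prevent another unit from pulling it back in; the `systemd` module's `masked: true` would make the change stick, though whether anything else on these hosts depends on resolved is not visible here. Between this task stopping resolved and the consul role writing its own /etc/resolv.conf, a node whose /etc/resolv.conf is still the old symlink into /run/systemd/resolve has no working resolver, and the role order that decides how long that window lasts is outside this diff. The two trailing blank lines added at the end of the file should be dropped (yamllint empty-lines).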
diff --git a/ansible/roles/network/templates/nomad-interface.j2 b/ansible/roles/network/templates/nomad-interface.j2
deleted file mode 100644
index 74e9cd4..0000000
--- a/ansible/roles/network/templates/nomad-interface.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-auto nomad1
-iface nomad1 inet manual
- pre-up /sbin/ip link add nomad1 type dummy
- up /sbin/ip addr add {{ public_ip }} dev nomad1
- up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
- down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
- post-down /sbin/ip link del nomad1
-