From 351e6f13d5bee3275f46fda4a1780c71d9f338d6 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Sat, 18 Jan 2020 17:34:55 +0100
Subject: Network configuration:
- Remove nomad interface (unused)
- Deactivate systemd-resolved
- Add dns_server to production nodes variables
- Add recursors option to Consul so that it can resolve outside DNS queries
- Use consul as a global DNS server for machines and containers, with the outside DNS as a fallback (see roles/consul/templates/resolv.conf.j2)
---
 ansible/roles/consul/tasks/main.yml | 3 ++
 ansible/roles/consul/templates/consul.json.j2 | 3 ++
 ansible/roles/consul/templates/resolv.conf.j2 | 2 ++
 ansible/roles/network/files/nsswitch.conf | 3 +-
 .../network/files/systemd-resolve-no-listen.conf | 2 --
 ansible/roles/network/handlers/main.yml | 6 ----
 ansible/roles/network/tasks/main.yml | 33 ++++++++--------------
 ansible/roles/network/templates/nomad-interface.j2 | 8 ------
 8 files changed, 20 insertions(+), 40 deletions(-)
 create mode 100644 ansible/roles/consul/templates/resolv.conf.j2
 delete mode 100644 ansible/roles/network/files/systemd-resolve-no-listen.conf
 delete mode 100644 ansible/roles/network/templates/nomad-interface.j2
(limited to 'ansible/roles')
diff --git a/ansible/roles/consul/tasks/main.yml b/ansible/roles/consul/tasks/main.yml
index bb1d9ef..5cb68ab 100644
--- a/ansible/roles/consul/tasks/main.yml
+++ b/ansible/roles/consul/tasks/main.yml
@@ -47,3 +47,6 @@
 - name: "Enable consul systemd service at boot"
   service: name=consul state=started enabled=yes daemon_reload=yes
+
+- name: "Deploy resolv.conf to use Consul"
+  template: src=resolv.conf.j2 dest=/etc/resolv.conf
diff --git a/ansible/roles/consul/templates/consul.json.j2 b/ansible/roles/consul/templates/consul.json.j2
index d1bd2d8..b6c86aa 100644
--- a/ansible/roles/consul/templates/consul.json.j2
+++ b/ansible/roles/consul/templates/consul.json.j2
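Review bot: The new "Deploy resolv.conf to use Consul" task sets no `owner`/`mode` on /etc/resolv.conf, so the permissions of a freshly created file come from the umask in effect on the target; every process on the host reads this file, so pin them explicitly, e.g. `template: src=resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=0644`. Hosts provisioned by the previous version of the network role still have /etc/resolv.conf as a symlink into /run/systemd/resolve/; the template module does not follow destination links by default, so it should replace the link with a real file, but that is worth confirming on an already-provisioned node, because writing through the link would put the file on tmpfs and lose it at reboot. The role order also matters here: a node whose systemd-resolved has just been stopped by the network role may have no usable resolver until this task runs, so the consul role should follow the network role directly.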
@@ -17,6 +17,9 @@
   "ports": {
     "dns": 53
   },
+  "recursors": [
+    "{{ dns_server }}"
+  ],
   "encrypt": "{{ consul_gossip_encrypt }}",
   "domain": "2.cluster.deuxfleurs.fr",
   "performance": {
diff --git a/ansible/roles/consul/templates/resolv.conf.j2 b/ansible/roles/consul/templates/resolv.conf.j2
new file mode 100644
index 0000000..2404034
--- /dev/null
+++ b/ansible/roles/consul/templates/resolv.conf.j2
@@ -0,0 +1,2 @@
+nameserver {{ private_ip }}
+nameserver {{ dns_server }}
diff --git a/ansible/roles/network/files/nsswitch.conf b/ansible/roles/network/files/nsswitch.conf
index f4c3149..a84e024 100644
--- a/ansible/roles/network/files/nsswitch.conf
+++ b/ansible/roles/network/files/nsswitch.conf
@@ -9,8 +9,7 @@
 group: files systemd
 shadow: files
 gshadow: files
-#hosts: files dns
-hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts: files dns
 networks: files
 protocols: db files
diff --git a/ansible/roles/network/files/systemd-resolve-no-listen.conf b/ansible/roles/network/files/systemd-resolve-no-listen.conf
deleted file mode 100644
index 6e95967..0000000
--- a/ansible/roles/network/files/systemd-resolve-no-listen.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Resolve]
-DNSStubListener=no
diff --git a/ansible/roles/network/handlers/main.yml b/ansible/roles/network/handlers/main.yml
index 3454894..85873ee 100644
--- a/ansible/roles/network/handlers/main.yml
+++ b/ansible/roles/network/handlers/main.yml
@@ -4,9 +4,3 @@
 - name: reload ip6tables
   shell: ip6tables-restore < /etc/iptables/rules.v6
-
-- name: reload nomad interface
-  shell: ifdown nomad1 || true ; ifup nomad1
-
-- name: reload systemd-resolved
-  service: name=systemd-resolved state=restarted
diff --git a/ansible/roles/network/tasks/main.yml b/ansible/roles/network/tasks/main.yml
index 7f95b0f..ee2f21e 100644
--- a/ansible/roles/network/tasks/main.yml
+++ b/ansible/roles/network/tasks/main.yml
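Review bot: With `recursors` set, the Consul DNS endpoint on port 53 forwards every query outside its own domain to `{{ dns_server }}`, so any client that can reach port 53 on `private_ip` now gets a full recursive resolver, not just service discovery. Whether that port is reachable from outside the cluster's private network depends on Consul's `client_addr` and on the rules.v4 template, neither of which is in this diff; please confirm the listener is bound to the private address only and that 53/udp and 53/tcp are dropped from anywhere else, otherwise the node becomes an open resolver that can be abused for amplification. Since JSON cannot carry a comment, record that dependency as a Jinja comment above the key, which is stripped at render time, e.g. `{# non-cluster names are forwarded to dns_server; who may query :53 is bounded by the network role's iptables rules #}`.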
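Review bot: The second `nameserver` line is a fallback only for an unreachable first server, not for failed lookups: the glibc resolver tries `{{ dns_server }}` only after `{{ private_ip }}` times out (5 s by default) and never on NXDOMAIN, SERVFAIL or REFUSED, so while Consul is down every lookup stalls for about 5 s before being answered. If faster failover is wanted, add a third line such as `options timeout:2 attempts:1`; do not use `rotate`, since that would send cluster-internal names straight to the outside DNS. A query for a name under the Consul domain that times out at Consul is then sent to `dns_server` as well, which is harmless only if that upstream answers NXDOMAIN for it.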
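Review bot: `hosts: files dns` also drops `myhostname`, which is the standalone nss-myhostname module and does not depend on systemd-resolved; without it, resolving the machine's own hostname now relies on an /etc/hosts entry or on Consul answering for it, and tools such as sudo print "unable to resolve host" when neither does. Unless the network role is known to populate /etc/hosts, keep the module: `hosts: files dns myhostname`. Dropping `resolve [!UNAVAIL=return]` is the right counterpart to stopping systemd-resolved in the tasks file.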
@@ -1,9 +1,3 @@
-- name: "Add dummy interface to handle Nomad NAT restriction nomad#2770"
-  template: src=nomad-interface.j2 dest=/etc/network/interfaces.d/nomad.cfg
-  when: public_ip != private_ip
-  notify:
-    - reload nomad interface
-
 - name: "Deploy iptablesv4 configuration"
   template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
   notify:
@@ -20,23 +14,18 @@
     value: 1
     sysctl_set: yes
-- name: "Create systemd-resolved override directory"
-  file: path=/etc/systemd/resolved.conf.d/ state=directory
-
-- name: "Prevent systemd-resolved from listening on port 53 (DNS)"
-  copy: src=systemd-resolve-no-listen.conf dest=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf
-  notify: reload systemd-resolved
+- name: "Flush handlers"
+  meta: flush_handlers
-- name: "Use systemd-resolved as a source for /etc/resolv.conf"
-  file:
-    src: "/run/systemd/resolve/resolv.conf"
-    dest: "/etc/resolv.conf"
-    state: link
-    force: yes
-  notify: reload systemd-resolved
-- name: "Update nsswitch.conf to use systemd-resolved"
+# These two lines are used to undo previous config, remove them once it is done
+- name: "Update nsswitch.conf to not use systemd-resolved"
   copy: src=nsswitch.conf dest=/etc/nsswitch.conf
-- name: "Flush handlers"
-  meta: flush_handlers
+- name: "Disable systemd-resolved"
+  systemd:
+    name: systemd-resolved
+    state: stopped
+    enabled: false
+
+
diff --git a/ansible/roles/network/templates/nomad-interface.j2 b/ansible/roles/network/templates/nomad-interface.j2
deleted file mode 100644
index 74e9cd4..0000000
--- a/ansible/roles/network/templates/nomad-interface.j2
+++ /dev/null
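Review bot: The comment `# These two lines are used to undo previous config, remove them once it is done` in the second hunk overstates what can be removed: it covers two tasks, not two lines, and only the nsswitch copy is pure clean-up, whereas "Disable systemd-resolved" is needed permanently on any image where the unit is enabled by default, or a reinstall would bring a second DNS listener back. Suggest narrowing it to `# Undo the previous systemd-resolved setup; the nsswitch copy can go once every host has been re-run` and keeping the disable task unconditional, optionally with `masked: true` so that nothing re-enables the unit behind Ansible's back. The two blank lines added at end of file are also flagged by yamllint (`empty-lines`). The first hunk of this file is a pure deletion and needs no change.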
@@ -1,8 +0,0 @@
-auto nomad1
-iface nomad1 inet manual
-    pre-up /sbin/ip link add nomad1 type dummy
-    up /sbin/ip addr add {{ public_ip }} dev nomad1
-    up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
-    down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
-    post-down /sbin/ip link del nomad1
-
--
cgit v1.2.3