Network configuration:
- Remove nomad interface (unused) - Deactivate systemd-resolved - Add dns_server to production nodes variables - Add recursors option to Consul so that it can resolve outside DNS queries - Use consul as a global DNS server for machines and containers, with the outside DNS as a fallback (see roles/consul/templates/resolv.conf.j2)
This commit is contained in:
parent
8fdebd74b3
commit
351e6f13d5
9 changed files with 25 additions and 45 deletions
@ -1,4 +1,4 @@
[cluster_nodes]
|
[cluster_nodes]
|
||||||
veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1
|
veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1 dns_server=208.67.222.222
|
||||||
silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1
|
silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1 dns_server=208.67.222.222
|
||||||
wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1
|
wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1 dns_server=208.67.222.222
|
||||||
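Review bot: `dns_server=208.67.222.222` is pasted verbatim onto each of the three host lines and names a single external recursor, so one resolver outage leaves both Consul's recursion and the resolv.conf fallback with nothing to reach. Since the value is identical for every node it belongs in group vars, e.g. a `[cluster_nodes:vars]` stanza with `dns_server=208.67.222.222`, and ideally a list (`dns_servers`) so that more than one recursor can be configured later without touching every host line. That address appears to be a public resolver outside the operator's control; every non-cluster lookup from all machines and containers will now be relayed to it in clear text, which is worth stating in a comment next to the variable (`# outside recursor used by Consul and as resolv.conf fallback; queries leave the cluster unencrypted`) so the choice is visibly deliberate.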
@ -47,3 +47,6 @@
- name: "Enable consul systemd service at boot"
|
- name: "Enable consul systemd service at boot"
|
||||||
service: name=consul state=started enabled=yes daemon_reload=yes
|
service: name=consul state=started enabled=yes daemon_reload=yes
|
||||||
|
|
||||||
|
- name: "Deploy resolv.conf to use Consul"
|
||||||
|
template: src=resolv.conf.j2 dest=/etc/resolv.conf
|
||||||
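Review bot: The new "Deploy resolv.conf to use Consul" task overwrites /etc/resolv.conf with no explicit mode or owner and immediately after the service task that merely starts Consul, without waiting for its DNS listener, so any lookup made later in the same play can hit an unanswering `private_ip:53` first. I would set `mode=0644` on the template and insert a `- name: "Wait for Consul DNS"` / `wait_for: host={{ private_ip }} port=53` step between the two tasks so the file only points at Consul once Consul answers. On nodes provisioned with the previous network role, /etc/resolv.conf is still a symlink into /run/systemd/resolve/; the template module's `follow` option defaults to no, which should replace the link with a regular file rather than write through it, but this is worth confirming on one host before a full run.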
@ -17,6 +17,9 @@
|
||||||
"ports": {
|
"ports": {
|
||||||
"dns": 53
|
"dns": 53
|
||||||
},
|
},
|
||||||
|
"recursors": [
|
||||||
|
"{{ dns_server }}"
|
||||||
|
],
|
||||||
"encrypt": "{{ consul_gossip_encrypt }}",
|
"encrypt": "{{ consul_gossip_encrypt }}",
|
||||||
"domain": "2.cluster.deuxfleurs.fr",
|
"domain": "2.cluster.deuxfleurs.fr",
|
||||||
"performance": {
|
"performance": {
|
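Review bot: With `recursors` set, Consul will answer recursive queries for any name outside `2.cluster.deuxfleurs.fr` on its port 53; unless its DNS address is bound to `private_ip` only and the iptables rules drop port 53 from outside (neither is visible in this hunk), each node becomes an open resolver relaying arbitrary queries to `dns_server`. The added list also holds exactly one entry, so a single recursor failure makes every outside lookup through Consul fail instead of falling through. Rendering it from a list variable, `"recursors": {{ dns_servers | to_json }},` in place of the three added lines, keeps the template valid JSON and lets the inventory carry a second address. Because this file is JSON and cannot hold a comment, the open-resolver caveat and the reminder that Consul forwards only names it is not authoritative for belong in the role's README or the task that deploys this template.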
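--- /dev/null
+++ b/ansible/roles/consul/templates/resolv.conf.j2
@@ -0,0 +1,2 @@
+nameserver {{ private_ip }}
+nameserver {{ dns_server }}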
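Review bot: `nameserver {{ private_ip }}` comes first with no `options` line, so under glibc defaults every lookup waits for the 5-second timeout twice against Consul before the fallback is tried whenever Consul is down or not yet listening, and a negative answer from Consul ends the query, so the second nameserver only covers unreachability, not a wrong or refused answer. Adding `options timeout:1 attempts:2` as a third line limits the outage penalty to a couple of seconds. A header comment would also help whoever reads this on a node: `# Managed by Ansible (roles/consul): Consul DNS on the private IP first, outside recursor as fallback` — resolv.conf accepts `#` comments and Jinja passes them through. Since `dns_server` is also Consul's recursor, both paths end at the same upstream, which is fine but worth stating in that comment so nobody assumes the fallback is an independent resolver.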
@ -9,8 +9,7 @@ group: files systemd
|
||||||
shadow: files
|
shadow: files
|
||||||
gshadow: files
|
gshadow: files
|
||||||
|
|
||||||
#hosts: files dns
|
hosts: files dns
|
||||||
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
|
|
||||||
networks: files
|
networks: files
|
||||||
|
|
||||||
protocols: db files
|
protocols: db files
|
||||||
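Review bot: The new `hosts: files dns` line drops `myhostname` together with `resolve`, so the node's own hostname (and the `localhost` variants nss-myhostname answered) now resolves only if /etc/hosts carries it, which is not visible here; otherwise the lookup goes out to Consul and the recursor, and tools that resolve the local hostname, such as sudo, may stall whenever DNS is down. The module does not depend on systemd-resolved and costs nothing to keep: `hosts: files dns myhostname`. A trailing comment, `# systemd-resolved removed: Consul on private_ip answers via /etc/resolv.conf (roles/consul)`, would record why the line changed, since the old commented-out copy is gone.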
@ -1,2 +0,0 @@
[Resolve]
DNSStubListener=no
@ -4,9 +4,3 @@
- name: reload ip6tables
|
- name: reload ip6tables
|
||||||
shell: ip6tables-restore < /etc/iptables/rules.v6
|
shell: ip6tables-restore < /etc/iptables/rules.v6
|
||||||
|
|
||||||
- name: reload nomad interface
|
|
||||||
shell: ifdown nomad1 || true ; ifup nomad1
|
|
||||||
|
|
||||||
- name: reload systemd-resolved
|
|
||||||
service: name=systemd-resolved state=restarted
|
|
||||||
@ -1,9 +1,3 @@
- name: "Add dummy interface to handle Nomad NAT restriction nomad#2770"
|
|
||||||
template: src=nomad-interface.j2 dest=/etc/network/interfaces.d/nomad.cfg
|
|
||||||
when: public_ip != private_ip
|
|
||||||
notify:
|
|
||||||
- reload nomad interface
|
|
||||||
- name: "Deploy iptablesv4 configuration"
|
- name: "Deploy iptablesv4 configuration"
|
||||||
template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
|
template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
|
||||||
notify:
|
notify:
|
||||||
@ -20,23 +14,18 @@
value: 1
|
value: 1
|
||||||
sysctl_set: yes
|
sysctl_set: yes
|
||||||
|
|
||||||
- name: "Create systemd-resolved override directory"
|
|
||||||
file: path=/etc/systemd/resolved.conf.d/ state=directory
|
|
||||||
|
|
||||||
- name: "Prevent systemd-resolved from listening on port 53 (DNS)"
|
|
||||||
copy: src=systemd-resolve-no-listen.conf dest=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf
|
|
||||||
notify: reload systemd-resolved
|
|
||||||
- name: "Use systemd-resolved as a source for /etc/resolv.conf"
|
|
||||||
file:
|
|
||||||
src: "/run/systemd/resolve/resolv.conf"
|
|
||||||
dest: "/etc/resolv.conf"
|
|
||||||
state: link
|
|
||||||
force: yes
|
|
||||||
notify: reload systemd-resolved
|
|
||||||
- name: "Update nsswitch.conf to use systemd-resolved"
|
|
||||||
copy: src=nsswitch.conf dest=/etc/nsswitch.conf
|
|
||||||
- name: "Flush handlers"
|
- name: "Flush handlers"
|
||||||
meta: flush_handlers
|
meta: flush_handlers
|
||||||
# These two lines are used to undo previous config, remove them once it is done
|
||||||
|
- name: "Update nsswitch.conf to not use systemd-resolved"
|
||||||
|
copy: src=nsswitch.conf dest=/etc/nsswitch.conf
|
||||||
|
|
||||||
|
- name: "Disable systemd-resolved"
|
||||||
|
systemd:
|
||||||
|
name: systemd-resolved
|
||||||
|
state: stopped
|
||||||
|
enabled: false
|
||||||
|
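Review bot: The two "undo" tasks stop systemd-resolved and reinstall nsswitch.conf but leave two other pieces of the replaced configuration on already-provisioned hosts: the drop-in `/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf` that the removed copy task installed, and the `/etc/resolv.conf` symlink into `/run/systemd/resolve/` that the removed "Use systemd-resolved as a source" task created. Once resolved is stopped that link points at a stale or absent file, so a host on which the consul role has not yet written resolv.conf is left with no working resolver. I would add a third cleanup task, `file: path=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf state=absent`, and either replace the symlink here or state in the comment that roles/consul must run after this role; the comment should also say "tasks" rather than "lines" and when they can be dropped (after every node has run the play once). The `nomad1` dummy interface and its NETMAP rule have the same gap: nothing in this hunk takes them down, so they persist on existing nodes until reboot.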
@ -1,8 +0,0 @@
auto nomad1
|
|
||||||
iface nomad1 inet manual
|
|
||||||
pre-up /sbin/ip link add nomad1 type dummy
|
|
||||||
up /sbin/ip addr add {{ public_ip }} dev nomad1
|
|
||||||
up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
|
|
||||||
down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
|
|
||||||
post-down /sbin/ip link del nomad1
|
|
||||||