Network configuration:

- Remove nomad interface (unused) - Deactivate systemd-resolved - Add dns_server to production nodes variables - Add recursors option to Consul so that it can resolve outside DNS queries - Use consul as a global DNS server for machines and containers, with the outside DNS as a fallback (see roles/consul/templates/resolv.conf.j2)
2020-01-18 17:34:55 +01:00 · 2020-01-18 17:34:55 +01:00 · 351e6f13d5
parent 8fdebd74b3
commit 351e6f13d5
9 changed files with 25 additions and 45 deletions
--- a/ansible/production
+++ b/ansible/production
@ -1,4 +1,4 @@
 [cluster_nodes]
-veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1
-silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1
-wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1
+veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1 dns_server=208.67.222.222
+silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1 dns_server=208.67.222.222
+wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1 dns_server=208.67.222.222
--- a/ansible/roles/consul/tasks/main.yml
+++ b/ansible/roles/consul/tasks/main.yml
@ -47,3 +47,6 @@

 - name: "Enable consul systemd service at boot"
  service: name=consul state=started enabled=yes daemon_reload=yes
+
+- name: "Deploy resolv.conf to use Consul"
+  template: src=resolv.conf.j2 dest=/etc/resolv.conf
--- a/ansible/roles/consul/templates/consul.json.j2
+++ b/ansible/roles/consul/templates/consul.json.j2
@ -17,6 +17,9 @@
  "ports": {
     "dns": 53
  },
+  "recursors": [
+    "{{ dns_server }}"
+  ],
  "encrypt": "{{ consul_gossip_encrypt }}",
  "domain": "2.cluster.deuxfleurs.fr",
  "performance": {
--- a/ansible/roles/consul/templates/resolv.conf.j2
+++ b/ansible/roles/consul/templates/resolv.conf.j2
@ -0,0 +1,2 @@
+nameserver {{ private_ip }}
+nameserver {{ dns_server }}
--- a/ansible/roles/network/files/nsswitch.conf
+++ b/ansible/roles/network/files/nsswitch.conf
@ -9,8 +9,7 @@ group:          files systemd
 shadow:         files
 gshadow:        files

-#hosts:          files dns
-hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts:          files dns
 networks:       files

 protocols:      db files
--- a/ansible/roles/network/files/systemd-resolve-no-listen.conf
+++ b/ansible/roles/network/files/systemd-resolve-no-listen.conf
@ -1,2 +0,0 @@
-[Resolve]
-DNSStubListener=no
--- a/ansible/roles/network/handlers/main.yml
+++ b/ansible/roles/network/handlers/main.yml
@ -4,9 +4,3 @@

 - name: reload ip6tables
  shell: ip6tables-restore < /etc/iptables/rules.v6
-
- name: reload nomad interface
-  shell: ifdown nomad1 || true ; ifup nomad1
-
- name: reload systemd-resolved
-  service: name=systemd-resolved state=restarted 
--- a/ansible/roles/network/tasks/main.yml
+++ b/ansible/roles/network/tasks/main.yml
@ -1,9 +1,3 @@
- name: "Add dummy interface to handle Nomad NAT restriction nomad#2770"
-  template: src=nomad-interface.j2 dest=/etc/network/interfaces.d/nomad.cfg
-  when: public_ip != private_ip
-  notify:
-    - reload nomad interface
-
 - name: "Deploy iptablesv4 configuration"
  template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
  notify:
@ -20,23 +14,18 @@
    value: 1
    sysctl_set: yes

- name: "Create systemd-resolved override directory"
-  file: path=/etc/systemd/resolved.conf.d/ state=directory
-
- name: "Prevent systemd-resolved from listening on port 53 (DNS)"
-  copy: src=systemd-resolve-no-listen.conf dest=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf
-  notify: reload systemd-resolved
-
- name: "Use systemd-resolved as a source for /etc/resolv.conf"
-  file:
-    src: "/run/systemd/resolve/resolv.conf"
-    dest: "/etc/resolv.conf"
-    state: link
-    force: yes
-  notify: reload systemd-resolved
-
- name: "Update nsswitch.conf to use systemd-resolved"
-  copy: src=nsswitch.conf dest=/etc/nsswitch.conf
-
 - name: "Flush handlers"
  meta: flush_handlers
+
+
+# These two lines are used to undo previous config, remove them once it is done
+- name: "Update nsswitch.conf to not use systemd-resolved"
+  copy: src=nsswitch.conf dest=/etc/nsswitch.conf
+
+- name: "Disable systemd-resolved"
+  systemd:
+    name: systemd-resolved
+    state: stopped
+    enabled: false
+
+
--- a/ansible/roles/network/templates/nomad-interface.j2
+++ b/ansible/roles/network/templates/nomad-interface.j2
@ -1,8 +0,0 @@
-auto nomad1
-iface nomad1 inet manual
-    pre-up /sbin/ip link add nomad1 type dummy
-    up /sbin/ip addr add {{ public_ip }} dev nomad1
-    up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
-    down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
-    post-down /sbin/ip link del nomad1
-