Network configuration:
- Remove the nomad interface (unused)
- Deactivate systemd-resolved
- Add dns_server to the production node variables
- Add the recursors option to Consul so that it can resolve outside DNS queries
- Use Consul as a global DNS server for machines and containers, with the outside DNS as a fallback (see roles/consul/templates/resolv.conf.j2)
parent
8fdebd74b3
commit
351e6f13d5
9 changed files with 25 additions and 45 deletions
|
@ -1,4 +1,4 @@
|
|||
[cluster_nodes]
|
||||
veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1
|
||||
silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1
|
||||
wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1
|
||||
veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1 dns_server=208.67.222.222
|
||||
silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1 dns_server=208.67.222.222
|
||||
wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1 dns_server=208.67.222.222
|
||||
|
|
|
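Review bot: The same `dns_server=208.67.222.222` literal is repeated on each of the three host lines, so a change of upstream resolver has to be edited in three places and the hosts can silently drift apart. All three hosts are in `[cluster_nodes]`, so the value belongs in a group stanza, `[cluster_nodes:vars]` followed by `dns_server=208.67.222.222`, with a per-host value only where a node genuinely differs. This single upstream also feeds both the Consul `recursors` list and the resolv.conf fallback elsewhere in this commit, so when it is unreachable every non-cluster lookup on every node fails at once; carrying a second upstream would remove that single point of failure.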
@ -47,3 +47,6 @@
|
|||
|
||||
- name: "Enable consul systemd service at boot"
|
||||
service: name=consul state=started enabled=yes daemon_reload=yes
|
||||
|
||||
- name: "Deploy resolv.conf to use Consul"
|
||||
template: src=resolv.conf.j2 dest=/etc/resolv.conf
|
||||
|
|
|
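Review bot: `Deploy resolv.conf to use Consul` makes Consul the host's primary nameserver right after `state=started`, but `service` returns when the unit is started, not when Consul is answering on port 53, so on a fresh node there is a window in which every host lookup waits out the resolver timeout (5 s by default) before falling back; a `wait_for` on the DNS port before the template task, e.g. `- name: "Wait for Consul DNS"` / `wait_for: host={{ private_ip }} port=53 timeout=30`, closes it. The task also overwrites `/etc/resolv.conf` unconditionally; on nodes where the file is still the symlink to `/run/systemd/resolve/resolv.conf` created by the old network role, `template` with its default `follow: no` appears to replace the link with a regular file rather than writing through it — which is what you want here, but confirm it and say so in a comment, e.g. `# replaces the systemd-resolved symlink, do not set follow: yes`. Stylistically the new task would read better in block form with an explicit `mode: "0644"` rather than the `key=value` string. The enclosing task list starts before this hunk.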
@ -17,6 +17,9 @@
|
|||
"ports": {
|
||||
"dns": 53
|
||||
},
|
||||
"recursors": [
|
||||
"{{ dns_server }}"
|
||||
],
|
||||
"encrypt": "{{ consul_gossip_encrypt }}",
|
||||
"domain": "2.cluster.deuxfleurs.fr",
|
||||
"performance": {
|
||||
|
|
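Review bot: With `recursors` set, Consul answers every name outside `2.cluster.deuxfleurs.fr` by forwarding it to `{{ dns_server }}`, so anyone who can reach the DNS port becomes a user of a full recursive resolver; the inventory in this commit gives these nodes `public_ip` equal to `private_ip`, so unless the role's iptables rules restrict 53/udp and 53/tcp to the cluster and container networks this is an open resolver reachable from the Internet and a DNS amplification vector. Please confirm the `rules.v4.j2` template (not in this hunk) limits port 53 to internal sources, and state the assumption next to the option, e.g. `"recursors": [ /* upstream for non-cluster names; port 53 must stay firewalled to internal networks */ ]` in whatever comment form the template allows. The surrounding Consul configuration object starts and ends outside the hunk.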
2
ansible/roles/consul/templates/resolv.conf.j2
Normal file
|
@ -0,0 +1,2 @@
|
|||
nameserver {{ private_ip }}
|
||||
nameserver {{ dns_server }}
|
|
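Review bot: `nameserver {{ private_ip }}` assumes Consul's DNS listener is bound on the private address, but the Consul config hunk in this commit only sets `ports.dns`; Consul's default `client_addr` is loopback, so unless `client_addr` or `addresses.dns` covers `private_ip` every host lookup will go through the timeout path to the second server — please confirm and document it, e.g. `{# Consul DNS must listen on private_ip (client_addr) for the first line to work #}`. Note also that the second line is a fallback for timeouts only: glibc moves to `{{ dns_server }}` when Consul does not respond (default `timeout:5`, `attempts:2`), whereas an NXDOMAIN from Consul is final, so a Consul that is up but whose recursor is failing never triggers the fallback. If the multi-second stall during a Consul outage matters, `options timeout:1 attempts:2` keeps the fallback while shortening it. Containers that copy the host's resolv.conf inherit both assumptions.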
@ -9,8 +9,7 @@ group: files systemd
|
|||
shadow: files
|
||||
gshadow: files
|
||||
|
||||
#hosts: files dns
|
||||
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
|
||||
hosts: files dns
|
||||
networks: files
|
||||
|
||||
protocols: db files
|
||||
|
|
|
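Review bot: The new `hosts: files dns` drops `myhostname` along with `resolve`, so resolving the machine's own hostname now depends on an explicit `/etc/hosts` entry or on Consul/upstream answering it; when the entry is missing, tools that resolve the local hostname (sudo's "unable to resolve host" warning is the classic symptom) either fail or wait on the DNS path. Keeping the module, `hosts: files dns myhostname`, preserves local-name resolution without systemd-resolved and costs nothing. Dropping the stale `#hosts: files dns` comment is fine.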
@ -1,2 +0,0 @@
|
|||
[Resolve]
|
||||
DNSStubListener=no
|
|
@ -4,9 +4,3 @@
|
|||
|
||||
- name: reload ip6tables
|
||||
shell: ip6tables-restore < /etc/iptables/rules.v6
|
||||
|
||||
- name: reload nomad interface
|
||||
shell: ifdown nomad1 || true ; ifup nomad1
|
||||
|
||||
- name: reload systemd-resolved
|
||||
service: name=systemd-resolved state=restarted
|
||||
|
|
|
@ -1,9 +1,3 @@
|
|||
- name: "Add dummy interface to handle Nomad NAT restriction nomad#2770"
|
||||
template: src=nomad-interface.j2 dest=/etc/network/interfaces.d/nomad.cfg
|
||||
when: public_ip != private_ip
|
||||
notify:
|
||||
- reload nomad interface
|
||||
|
||||
- name: "Deploy iptablesv4 configuration"
|
||||
template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
|
||||
notify:
|
||||
|
@ -20,23 +14,18 @@
|
|||
value: 1
|
||||
sysctl_set: yes
|
||||
|
||||
- name: "Create systemd-resolved override directory"
|
||||
file: path=/etc/systemd/resolved.conf.d/ state=directory
|
||||
|
||||
- name: "Prevent systemd-resolved from listening on port 53 (DNS)"
|
||||
copy: src=systemd-resolve-no-listen.conf dest=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf
|
||||
notify: reload systemd-resolved
|
||||
|
||||
- name: "Use systemd-resolved as a source for /etc/resolv.conf"
|
||||
file:
|
||||
src: "/run/systemd/resolve/resolv.conf"
|
||||
dest: "/etc/resolv.conf"
|
||||
state: link
|
||||
force: yes
|
||||
notify: reload systemd-resolved
|
||||
|
||||
- name: "Update nsswitch.conf to use systemd-resolved"
|
||||
copy: src=nsswitch.conf dest=/etc/nsswitch.conf
|
||||
|
||||
- name: "Flush handlers"
|
||||
meta: flush_handlers
|
||||
|
||||
|
||||
# These two lines are used to undo previous config, remove them once it is done
|
||||
- name: "Update nsswitch.conf to not use systemd-resolved"
|
||||
copy: src=nsswitch.conf dest=/etc/nsswitch.conf
|
||||
|
||||
- name: "Disable systemd-resolved"
|
||||
systemd:
|
||||
name: systemd-resolved
|
||||
state: stopped
|
||||
enabled: false
|
||||
|
||||
|
||||
|
|
|
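Review bot: `Disable systemd-resolved` stops the unit but leaves in place the `/etc/resolv.conf` symlink to `/run/systemd/resolve/resolv.conf` that the removed `Use systemd-resolved as a source` task created on nodes that already ran the old play, so from this task until the consul role deploys its template the host is resolving through a stale or dangling link. Remove the link in the same undo block, `- name: "Remove systemd-resolved resolv.conf link"` / `file: path=/etc/resolv.conf state=absent`, guarded by a `stat` on `islnk` so a regular file is left alone, and add `masked: true` to the `systemd` task so a package upgrade or dependent unit cannot start resolved again on port 53. The comment `# These two lines are used to undo previous config` describes two tasks rather than two lines; `# Undo the previous systemd-resolved setup; remove these two tasks once every node has been migrated` says what is meant. The same undo task `Update nsswitch.conf to not use systemd-resolved` is a plain `copy` with no `backup`, which is acceptable for a file under version control but worth a comment. The hunk starting at line 1 of this file is a pure deletion and needs no separate note.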
@ -1,8 +0,0 @@
|
|||
auto nomad1
|
||||
iface nomad1 inet manual
|
||||
pre-up /sbin/ip link add nomad1 type dummy
|
||||
up /sbin/ip addr add {{ public_ip }} dev nomad1
|
||||
up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
|
||||
down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
|
||||
post-down /sbin/ip link del nomad1
|
||||
|