Monday, August 1, 2016

CoreOS + Dnsmasq


Overview

Expanding upon my previous post, I will add DHCP/TFTP services to my CoreOS NAT gateway using the dnsmasq image provided by quay.io.

Configure the Dnsmasq Container

All steps are performed from the console of the CoreOS machine.

Fetch the pre-made container from quay.io.

rkt fetch coreos.com/dnsmasq:v0.3.0

Set environment variables according to your setup. They are expanded into the unit file and the dnsmasq config below, so run the remaining steps in the same shell.

DNS_PRIMARY=8.8.8.8
DNS_DOMAIN=localdomain
PUB_IF=pub0
MGMT_IF=mgmt0
DATA_IF=data0
DMZ_IF=dmz0
MGMT_DHCP=10.127.0.128,10.127.0.254
DATA_DHCP=10.127.1.128,10.127.1.254
DMZ_DHCP=10.127.2.128,10.127.2.254

Create the systemd unit file for dnsmasq.service.

cat > /etc/systemd/system/dnsmasq.service << EOF
[Unit]
Description=dnsmasq

[Service]
TimeoutStartSec=0
# ExecStartPre belongs in [Service]; -p keeps restarts from failing once the directories exist
ExecStartPre=/usr/bin/mkdir -p /etc/dnsmasq
ExecStartPre=/usr/bin/mkdir -p /tftpboot
ExecStart=/usr/bin/rkt run --hostname=natcore --net=host \
--volume etc-dnsmasq,kind=host,source=/etc/dnsmasq \
--volume tftpboot,kind=host,source=/tftpboot \
coreos.com/dnsmasq:v0.3.0 \
--mount volume=etc-dnsmasq,target=/etc/dnsmasq \
--mount volume=tftpboot,target=/tftpboot \
-- -d -C /etc/dnsmasq/dnsmasq.conf -R -S ${DNS_PRIMARY}
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

Create the required directories for dnsmasq and hard-link /etc/hosts into /etc/dnsmasq. A hard link (rather than a symlink) is used so the file is still reachable inside the container, which only sees the /etc/dnsmasq volume.

mkdir /tftpboot
mkdir /etc/dnsmasq
ln /etc/hosts /etc/dnsmasq/hosts

Create dnsmasq.conf.

cat > /etc/dnsmasq/dnsmasq.conf << EOF
### GENERAL SETTINGS ###
local=/${DNS_DOMAIN}/
domain=${DNS_DOMAIN}
expand-hosts
addn-hosts=/etc/dnsmasq/hosts

### TFTP SETTINGS ###
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=/tftpboot

### DHCP SETTINGS ###
# NTP server (option 42); 0.0.0.0 is replaced by dnsmasq's own address on each subnet
dhcp-option=42,0.0.0.0
# default gw set to mgmt network
dhcp-option=${MGMT_IF},3,10.127.0.1
# no DHCP/TFTP on the public interface (DNS is still answered there unless except-interface=${PUB_IF} is added)
no-dhcp-interface=${PUB_IF}

# ${MGMT_IF} dhcp
dhcp-range=${MGMT_IF},${MGMT_DHCP},12h

# ${DATA_IF} dhcp
dhcp-range=${DATA_IF},${DATA_DHCP},12h

# ${DMZ_IF} dhcp
dhcp-range=${DMZ_IF},${DMZ_DHCP},12h
EOF

Add some entries to /etc/hosts for natcore (optional).

cat >> /etc/hosts << EOF
10.127.0.1 mgmt0.natcore
10.127.1.1 data0.natcore
10.127.2.1 dmz0.natcore
EOF

Start the Container

Enable and start services.

systemctl enable /etc/systemd/system/dnsmasq.service
systemctl start dnsmasq.service

Verify the service.

systemctl status dnsmasq.service

Verify that dnsmasq is listening on UDP 53 (DNS) and UDP 69 (TFTP).

netstat -lnup
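As an added check that is not part of the original post, the script below audits the generated dnsmasq.conf before the service goes live: no-dhcp-interface only stops DHCP and TFTP, so with --net=host dnsmasq still answers DNS on the public interface unless except-interface is also set, and every dhcp-range should name a non-public interface and a sane pool. The interface names and sample configs are constructed from the values on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a dnsmasq.conf written by
# the steps above. Interface and pool values are taken from this page.

# Returns 0 if the config passes, 1 otherwise; prints one line per finding.
audit_dnsmasq_conf() {
    conf="$1"; pub_if="$2"; rc=0
    # no-dhcp-interface disables DHCP and TFTP on pub_if, nothing else
    grep -q "^no-dhcp-interface=${pub_if}\$" "$conf" \
        || { echo "FAIL: DHCP/TFTP still enabled on $pub_if (no-dhcp-interface missing)"; rc=1; }
    # DNS is still answered on pub_if; with --net=host that is an open resolver
    grep -q "^except-interface=${pub_if}\$" "$conf" \
        || { echo "FAIL: DNS still served on $pub_if (add except-interface=$pub_if)"; rc=1; }
    # each pool: not on pub_if, start/end inside one /24 and in order
    grep '^dhcp-range=' "$conf" | while IFS=, read -r iface start end lease; do
        iface=${iface#dhcp-range=}; iface=${iface#tag:}
        [ "$iface" = "$pub_if" ] && echo "FAIL: DHCP pool on public interface $iface"
        [ "${start%.*}" = "${end%.*}" ] || echo "FAIL: $iface pool $start-$end spans more than one /24"
        [ "${start##*.}" -le "${end##*.}" ] || echo "FAIL: $iface pool start $start is after end $end"
    done | grep . && rc=1   # the loop runs in a subshell, so findings are detected by their output
    return $rc
}

# Constructed sample: the config as this post writes it (no except-interface line).
WEAK_CONF=$(mktemp); cat > "$WEAK_CONF" << 'EOF'
local=/localdomain/
no-dhcp-interface=pub0
dhcp-range=mgmt0,10.127.0.128,10.127.0.254,12h
dhcp-range=data0,10.127.1.128,10.127.1.254,12h
dhcp-range=dmz0,10.127.2.128,10.127.2.254,12h
EOF
# The same config with DNS also kept off the public interface.
FIXED_CONF=$(mktemp); { echo 'except-interface=pub0'; cat "$WEAK_CONF"; } > "$FIXED_CONF"

audit_dnsmasq_conf "$WEAK_CONF" pub0 || echo "weak config rejected"
audit_dnsmasq_conf "$FIXED_CONF" pub0 && echo "fixed config accepted"
```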

If dnsmasq fails to start, use machinectl to find the machine ID of the container

machinectl list

and then view its logs with journalctl, substituting the ID returned by machinectl.

journalctl -M {id}

Be sure to allow TFTP through iptables by adding the following rule, which admits TFTP only from the management network, to the *filter section of /var/lib/iptables/rules-save.

# allow tftp from mgmt network
-A INPUT -s 10.127.0.0/24 -p udp --dport 69 -j ACCEPT

Then apply the rules.

iptables-restore /var/lib/iptables/rules-save

As part of a later post I’ll walk through configuring PXE services using Dnsmasq.
