LXC OVS BIND DNS

This page is under construction.  This is about using LXC containers on OpenvSwitch (OVS) networking and using bind9 ("named") to provide the DNSAlso, this solution uses isc-dhcp-server to provide DHCP IP addresses to the LXC containers.  Below are the configuration files currently in use which are working for the needs of this project.

[root@lxcora3 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
HOSTNAME=lxcora3
DOMAIN=vmem.org
DHCP_HOSTNAME=lxcora3
NM_CONTROLLED=no
HWADDR=FE:F6:3A:0B:81:7E
IPADDR=10.207.39.78
BROADCAST=10.207.39.255
NETMASK=255.255.255.0
GATEWAY=10.207.39.1
DNS1=10.207.39.1

[root@lxcora3 ~]#

To understand these settings, for example the "DNS1" setting above, note that 10.207.39.1 points to a listen address monitored by bind9 "named" on port 53 as shown below.

gstanden@vmem1:~$ sudo netstat -ulnp | grep :53
[sudo] password for gstanden:

udp        0      0 0.0.0.0:5353            0.0.0.0:*                           772/avahi-daemon: r
udp        0      0 10.207.39.1:53          0.0.0.0:*                           2093/named     
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2093/named     
udp        0      0 127.0.1.1:53            0.0.0.0:*                           3285/dnsmasq   
udp        0      0 192.168.122.1:53        0.0.0.0:*                           3244/dnsmasq   
udp        0      0 10.0.3.1:53             0.0.0.0:*                           2150/dnsmasq   
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2093/named     
udp6       0      0 :::53079                :::*                                3196/dhclient  
udp6       0      0 :::5353                 :::*                                772/avahi-daemon: r
udp6       0      0 fe80::5087:d9ff:fea2:53 :::*                                2150/dnsmasq   
udp6       0      0 :::53                   :::*                                2093/named    
 
And why does named listen on this address?  Because it was configured so on the Ubuntu 14.04.1 Desktop Edition host as shown below.  The bolded line shows the listen on for this IP range.

gstanden@vmem1:~$ cat /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders. 
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
         127.0.1.1;
      };


    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    recursion yes;
    allow-transfer { none; };
    allow-notify { 10.207.39.74; };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    listen-on { ! 10.0.3.1; };
    listen-on { 192.168.122.1; };
    listen-on { 127.0.0.1; };
    listen-on { 10.207.39.1; };
};


gstanden@vmem1:~$

So named is providing DNS services for the LXC containers on my laptop, as well as the KVM guests, via OVS network switch "sw1" on the ip network 10.207.39.0 which is the management network for these KVM guests and LXC containers.  Internet www WAN resolution is provided by the forwarder line in the file above which points to the dnsmasq-base lightweight DNS server that supports NetworkManager on Ubuntu Desktop 14.04 as shown in bold above.

The line that has a "do-not-listen-on", i.e. "listen-on { ! 10.0.3.1; };" is there due to an issue when running bind9 "named" on Ubuntu 14.04 which causes the "lxcbr0" default networking to fail to start.  This do-not-listen-on is needed to block named from listening on that network so that LXC default networking works as designed by default.  This is discussed in more detail here.  The configuration in use here, however, uses OVS for the networking for all LXC containers and KVM guests so the default LXC functionality is maintained for backward compatibility with default configured containers not using OVS for networking.

The above settings result in a /etc/resolv.conf on the LXC containers as shown below (these settings are driven by the "DNS1" and "DOMAIN" settings in the ifcfg-eth0 shown above).

[root@lxcora3 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search vmem.org
nameserver 10.207.39.1
[root@lxcora3 ~]#

Some additional yum installs were done for various purposes as shown below.

yum install nslookup
yum install bind-utils
yum install xdpyinfo
yum install xauth








Comments