@williamcaban
Last active March 21, 2020 20:58

Setting up a dual-stack (ipv4 & ipv6) dnsmasq instance for OCP clusters

  • Allow the following ports and services on the bastion node
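#!/usr/bin/env bash
# Open the ports and services the bastion needs in the firewalld "public" zone,
# apply them with one --reload, then print the resulting rule set.
#
# Ports (TCP): 6443 and 22623 are the OpenShift API server and machine config
# server ports (per the OpenShift install docs); 8080 is the HTTP boot server
# referenced by the iPXE dhcp-boot URL in the dnsmasq config.
# Services: ssh cockpit http https dns dhcp dhcpv6 tftp
#
# NOTE(review): everything lands in the "public" zone, i.e. on every interface
# assigned to it. If the bastion also has an externally reachable NIC, consider
# a separate zone bound to the cluster interface for dns/dhcp/tftp/22623.
set -euo pipefail

readonly ZONE=public
readonly PORTS=(6443/tcp 22623/tcp 8080/tcp)
readonly SERVICES=(ssh cockpit http https dns dhcp dhcpv6 tftp)

#######################################
# Add all rules permanently, reload, and list the active configuration.
# Globals:   ZONE, PORTS, SERVICES (read)
# Arguments: none
# Outputs:   firewall-cmd output on stdout
# Returns:   non-zero (and exits, via set -e) on the first failing firewall-cmd
#######################################
main() {
  local item
  for item in "${PORTS[@]}"; do
    firewall-cmd --zone="$ZONE" --permanent --add-port="$item"
  done
  for item in "${SERVICES[@]}"; do
    firewall-cmd --zone="$ZONE" --permanent --add-service="$item"
  done

  # --permanent rules only take effect after a reload.
  firewall-cmd --reload

  firewall-cmd --zone="$ZONE" --list-services
  # The documented option is --list-ports; the original relied on prefix matching.
  firewall-cmd --zone="$ZONE" --list-ports
  firewall-cmd --get-active-zones
}

main "$@"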
###############################################################################
# DNS Server
###############################################################################
# No interface= line is set, so dnsmasq binds every interface; the container
# runs with --net host (see the systemd unit), so the firewalld rules decide
# who can actually reach it.
#interface=ens3,ens4,lo
#interface=*
# log-facility=- (log to stderr) is passed on the command line by the
# container ENTRYPOINT instead of being set here.
#log-facility=-
# Log all queries (use for troubleshooting only; every client lookup is logged)
#log-queries
# Set local src address or interface to talk to a server
#server=10.1.2.3@192.168.1.1#55
#server=10.1.2.3@ens4
# Upstream resolvers for everything not answered locally.
# NOTE(review): these are public resolvers reached over plain port-53 DNS, so
# every non-local lookup leaves the lab unencrypted; choose them deliberately.
server=8.8.8.8
server=8.8.4.4
# Queries for home.shift.zone (and names under it) go to this server only.
server=/home.shift.zone/192.168.1.1
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward reverse lookups for the private (non-routed) address spaces;
# answer "no such domain" unless the address is known locally.
bogus-priv
# do not use /etc/resolv.conf or any other file for upstream servers
no-resolv
# Disable negative caching: "no such domain" answers are not remembered
no-negcache
# point to other server for local or priv domains
#server=/localnet/192.168.0.1
# domains to force to a local IP
#address=/double-click.net/127.0.0.1
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts
# don't read /etc/hosts
no-hosts
# read OCP hosts from file (name -> IPv4/IPv6 pairs; mounted read-only by the
# systemd unit, so edits require a reload of the container)
addn-hosts=/opt/dnsmasq/ocp.hosts
# Set the default domain for dnsmasq
domain=lab.shift.zone
# Set a different domain for a particular subnet
domain=ocp4poc.lab.shift.zone,198.18.100.0/24
# include external LB IP
domain=ocp4poc.lab.shift.zone,96.234.167.84
# include IPv6 range
domain=ocp4poc.lab.shift.zone,2001:470:8:d83::/64
# Same idea, but range rather than subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Authoritative DNS (disabled; kept as a template)
# auth-zone=lab.shift.zone
# auth-zone=ocp4poc.lab.shift.zone
# # Set SOA record
# auth-soa=12345678,admin.example.com
# # Set A record
# address=/www.example.com/10.2.3.4
# # Set MX record
# mx-host=example.com,www.example.com,10
# # Set TXT record
# txt-record=_acme-challenge.www.example.com,f0o...bar
###############################################################################
# DHCP Server
###############################################################################
# Serve DNS but no DHCP/TFTP on ens3.
# NOTE(review): an IPv6 range is still built from ens3 below (constructor:ens3);
# confirm that RA/DHCPv6 on ens3 is really intended alongside this exclusion.
no-dhcp-interface=ens3
# Claim to be the only DHCP server on the network (unknown leases are NAKed);
# keep this only while that is true.
dhcp-authoritative
# Insert only fully-qualified names into DNS (requires domain= above)
dhcp-fqdn
# Log every DHCP transaction, including the options sent
log-dhcp
dhcp-lease-max=100
#dhcp-duid=<enterprise-id>,<uid>
# read dhcp-host formatted entries (MAC,hostname), one per line
dhcp-hostsfile=/opt/dnsmasq/ocp-dhcp.hostfiles
#Changed or new files within the directory are read automatically
#hostdir=</path/to/dir>
#dhcp-hostsdir=</path/to/dir>
#####################
# IPv4 Configuration
#####################
dhcp-range=198.18.100.10,198.18.100.200,1h
dhcp-option=option:router,198.18.100.1
# 0.0.0.0 is replaced by the address of the host running dnsmasq. The public
# resolvers are handed out as fallbacks, so a client whose first resolver fails
# bypasses the local zone entirely.
dhcp-option=option:dns-server,0.0.0.0,8.8.8.8,8.8.4.4
dhcp-option=option:domain-search,ocp4poc.lab.shift.zone
dhcp-option=option:ntp-server,204.11.201.10
# Injecting static subnetwork with DHCP
#dhcp-option=option:classless-static-route,5.5.5.0/24,198.18.100.
#####################
# IPv6 Configuration
#####################
# Enable router advertisement (SLAAC)
enable-ra
# 'ra-names,slaac' means dnsmasq tries to guess the auto-configured IPv6
# address and sends a new address + DNS configuration
dhcp-range=::10,::100,constructor:ens3,ra-names,slaac,12h
#dhcp-range=::200,::400,constructor:ens4,ra-names,slaac,12h
# no SLAAC - DHCPv6 only (but RA for route)
#dhcp-range=::,::fff,constructor:ens4,64,1h
# RA only on ens4: prefix/route are advertised, no DHCPv6 addresses are leased
dhcp-range=::,::fff,constructor:ens4,ra-only,1h
# ra-stateless - tells dnsmasq to advertise that subnet via router-advertisements,
# and set the bits which tell the clients to use DHCPv6 for configuration, but not address allocation.
# ra-names - SLAAC & DHCPv6
# ra-only - router advertisement only on this subnet, no DHCPv6 address allocation
# Mode/flag matrix from the dnsmasq documentation. The column alignment of the
# 'x' marks was lost in this copy, so check the rows against dnsmasq(8) rather
# than trusting the positions below.
# M-bit O-bit A-bit stateLess-DHCP DHCP-address
# range x x x x
# range+ra_only x x x x x
# range+ra_stateless x x x x
# ra-only x
# ra-names x
# ra-stateless x x
# Send DHCPv6 option for DNS as the dnsmasq and dns.google
#dhcp-option=option6:dns-server,[::],2001:4860:4860::8844,2001:4860:4860::8888
#dhcp-option=option6:ntp-server,[::]
# Ask clients to poll for option changes every hour (the value is 1h, not six hours)
dhcp-option=option6:information-refresh-time,1h
###############################################################################
# OCP lab
###############################################################################
# wildcard domain *.apps.<clusterName>.<baseDomain> (External VIP)
# define external fqdn to work around dnsmasq cname limitations
# NOTE: dnsmasq CNAMES must point to dnsmasq records
# address=/<domain>/<ip> answers for the domain and every name under it,
# which is what provides the wildcard *.apps.ocp4poc.lab.shift.zone
address=/apps.ocp4poc.lab.shift.zone/96.234.167.84
address=/apps.ocp4poc.lab.shift.zone/2001:470:8:d83::2
#cname=*.apps.ocp4poc.lab.shift.zone,lb-ext.ocp4poc.lab.shift.zone
# etcd SRV records. The commented short forms lack the cluster domain in the
# service name and are kept for reference; the active entries below are the
# fully-qualified ones.
# srv-host=_etcd-server-ssl._tcp,etcd-0.ocp4poc.lab.shift.zone,2380
# srv-host=_etcd-server-ssl._tcp,etcd-1.ocp4poc.lab.shift.zone,2380
# srv-host=_etcd-server-ssl._tcp,etcd-2.ocp4poc.lab.shift.zone,2380
srv-host=_etcd-server-ssl._tcp.ocp4poc.lab.shift.zone,etcd-0.ocp4poc.lab.shift.zone,2380
srv-host=_etcd-server-ssl._tcp.ocp4poc.lab.shift.zone,etcd-1.ocp4poc.lab.shift.zone,2380
srv-host=_etcd-server-ssl._tcp.ocp4poc.lab.shift.zone,etcd-2.ocp4poc.lab.shift.zone,2380
###############################################################################
## PXE (both variants disabled; the firewall still opens tftp and 8080/tcp)
###############################################################################
#####################
# Legacy PXE
#####################
# enable-tftp
# tftp-root=/var/lib/tftpboot,ens4
# dhcp-boot=pxelinux.0
#####################
# iPXE
#####################
# iPXE - chainload to bastion8.matchbox.ocp4poc.example.com ipxe boot script
# dhcp-userclass=set:ipxe,iPXE
# dhcp-boot=http://bastion8.ocp4poc.lab.shift.zone:8080/boot.ipxe
###############################################################################
# END OF FILE
###############################################################################
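# podman build -t quay.io/wcaban/poc-dnsmasq:latest -f Dockerfile
#
# Minimal dnsmasq image on UBI 8. The systemd unit runs it with --net host,
# so the EXPOSE lines below are documentation only.
FROM registry.access.redhat.com/ubi8/ubi
# Install dnsmasq only and drop the package cache so it is not baked into the layer.
RUN dnf install --nodocs -y dnsmasq && \
    dnf clean all && \
    rm -rf /var/cache/dnf
LABEL io.k8s.display-name="dnsmasq" \
      io.k8s.description="Containerized dnsmasq - DNS caching server"
# DNS (53), DHCP (67,68), TFTP (69), DHCPv6 (547)
EXPOSE 53 67 68 69 547
#EXPOSE 24580
#EXPOSE 30581
# Shell form is kept so environment variables can be expanded on the command
# line; 'exec' makes dnsmasq replace the shell as PID 1 so 'podman stop'
# delivers SIGTERM to dnsmasq itself.
#   -k                keep in foreground (the documented way to run unforked
#                     in production)
#   --log-facility=-  log to stderr
# The previous '-d' (debug mode) was dropped: per dnsmasq(8) it also disables
# the change of user id, so dnsmasq kept running as root. If the mounted hosts
# or lease files are unreadable after the privilege drop, fix their ownership
# or mode rather than reinstating -d.
ENTRYPOINT exec /usr/sbin/dnsmasq -k --log-facility=-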
# DHCP reservations in dnsmasq dhcp-host format (<MAC>,<hostname>), presumably
# the file named by dhcp-hostsfile=/opt/dnsmasq/ocp-dhcp.hostfiles in the
# dnsmasq config. No address is given per entry; dnsmasq presumably takes the
# address from the hosts-file entry with the same name — confirm against the
# leases. The *-enp7s0 entries appear to name a second NIC per node and have
# no hosts-file entry, so they would receive dynamic pool addresses.
# Reservations key on the client MAC, which the client controls; treat them
# as a convenience, not as an identity check.
52:54:00:7c:98:cb,bootstrap
52:54:00:ff:40:98,master-0
52:54:00:59:8a:5a,master-0-enp7s0
52:54:00:e3:a8:6b,master-1
52:54:00:20:39:df,master-1-enp7s0
52:54:00:bf:e0:ce,master-2
52:54:00:1f:ae:5f,master-2-enp7s0
52:54:00:e4:e7:96,worker-0
52:54:00:99:d8:b0,worker-0-enp7s0
52:54:00:44:32:7e,worker-1
52:54:00:a0:a8:ac,worker-1-enp7s0
52:54:00:e3:76:09,worker-2
52:54:00:35:ba:16,worker-2-enp7s0
c8:1f:66:d7:55:c1,worker-3
52:54:00:49:d2:ee,registry
52:54:00:e1:22:dd,registry-enp7s0
# OCP lab hosts file (name -> IPv4 and IPv6), presumably the file named by
# addn-hosts=/opt/dnsmasq/ocp.hosts in the dnsmasq config. With expand-hosts
# set, short names are presumably qualified with the domain= that matches
# each address; each name is listed once per address family.
# Bootstrap
198.18.100.10 bootstrap
2001:470:8:d83::10 bootstrap
# Masters (the etcd-N aliases are the targets of the _etcd-server-ssl SRV
# records in the dnsmasq config)
198.18.100.11 master-0 etcd-0
2001:470:8:d83::11 master-0 etcd-0
198.18.100.12 master-1 etcd-1
2001:470:8:d83::12 master-1 etcd-1
198.18.100.13 master-2 etcd-2
2001:470:8:d83::13 master-2 etcd-2
# Workers
198.18.100.15 worker-0
2001:470:8:d83::15 worker-0
198.18.100.16 worker-1
2001:470:8:d83::16 worker-1
198.18.100.17 worker-2
2001:470:8:d83::17 worker-2
198.18.100.18 worker-3
2001:470:8:d83::18 worker-3
# Local bastion node (old)
198.18.100.1 bastion
2001:470:8:d83::1 bastion
192.168.1.19 bastion-ex
2001:470:e455:1::1 bastion-ex
# lb
198.18.100.24 bastion8 lb lb-int api-int
# In IPv6 a single address carries both the internal (lb-int/api-int) and the
# external (lb-ext/api) names, unlike IPv4 which splits them below; the
# *.apps wildcard in the dnsmasq config points at this same IPv6 address.
2001:470:8:d83::2 bastion8 lb lb-int api-int lb-ext api
# required for cname
96.234.167.84 lb-ext api
# NOTE(review): 'regisry' differs from the DHCP hostname 'registry' in the
# dhcp-hostsfile, which appears to be the same machine — confirm which
# spelling is intended, since the DNS name depends on it.
198.18.100.25 regisry
2001:470:8:d83::25 regisry
Copy (chmod 664) to /etc/systemd/system/poc-dnsmasq.service
#
# systemctl daemon-reload
# systemctl start poc-dnsmasq
# systemctl status poc-dnsmasq
# systemctl enable poc-dnsmasq
#
# podman pull quay.io/wcaban/poc-dnsmasq
# mkdir -pv /opt/dnsmasq/{leases,dnsmasq.d}
# --privileged --cap-add=NET_ADMIN --net host
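[Unit]
# The original description said "Bind"; this unit runs the dnsmasq container.
Description=dnsmasq DNS/DHCP server (poc-dnsmasq container)
# dnsmasq binds host interfaces (--net host), so wait for the network to be
# configured rather than merely for network.target.
After=network-online.target syslog.target
Wants=network-online.target

[Service]
Type=simple
TimeoutStartSec=5m
# Host directory for the lease file; absolute path, '-' means a failure here
# does not abort the start.
ExecStartPre=-/usr/bin/mkdir -p /opt/dnsmasq/leases
# Remove a leftover container from a previous run so the --name is free.
ExecStartPre=-/usr/bin/podman rm "poc-dnsmasq"
# NOTE(review): --privileged grants every capability and turns off SELinux
# label separation for the container. dnsmasq typically needs only
# NET_ADMIN/NET_RAW/NET_BIND_SERVICE (plus SETUID/SETGID for its privilege
# drop); confirm the set on this host and replace --privileged with --cap-add.
# Config and hosts files are mounted read-only; only the lease dir is writable.
ExecStart=/usr/bin/podman run --name poc-dnsmasq \
    --net host --privileged \
    -v /opt/dnsmasq/dnsmasq.d/lab.conf:/etc/dnsmasq.d/lab.conf:ro \
    -v /opt/dnsmasq/leases:/var/lib/dnsmasq:Z \
    -v /opt/dnsmasq/:/opt/dnsmasq/:ro \
    quay.io/wcaban/poc-dnsmasq
# Reload = stop and remove the container and discard the lease file; the main
# process exits and Restart=always brings up a fresh container after RestartSec.
ExecReload=-/usr/bin/podman stop "poc-dnsmasq"
ExecReload=-/usr/bin/podman rm "poc-dnsmasq"
ExecReload=-/usr/bin/rm -f /opt/dnsmasq/leases/dnsmasq.leases
ExecStop=-/usr/bin/podman stop "poc-dnsmasq"
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target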