LXC OVS BIND DNS

This page is under construction. It is about running LXC containers on Open vSwitch (OVS) networking and using bind9 ("named") to provide DNS; isc-dhcp-server is used to hand out DHCP IP addresses to the LXC containers. Below are the configuration files currently in use, which are working for the needs of this project.

[root@lxcora3 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
HOSTNAME=lxcora3
DOMAIN=vmem.org
DHCP_HOSTNAME=lxcora3
NM_CONTROLLED=no
HWADDR=FE:F6:3A:0B:81:7E
IPADDR=10.207.39.78
BROADCAST=10.207.39.255
NETMASK=255.255.255.0
GATEWAY=10.207.39.1
DNS1=10.207.39.1
[root@lxcora3 ~]#

To understand these settings, take the "DNS1" setting above as an example: 10.207.39.1 is one of the addresses on which bind9 "named" listens on port 53, as the netstat output below shows.

gstanden@vmem1:~$ sudo netstat -ulnp | grep :53
[sudo] password for gstanden:
udp 0 0 0.0.0.0:5353 0.0.0.0:* 772/avahi-daemon: r
udp 0 0 10.207.39.1:53 0.0.0.0:* 2093/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 2093/named
udp 0 0 127.0.1.1:53 0.0.0.0:* 3285/dnsmasq
udp 0 0 192.168.122.1:53 0.0.0.0:* 3244/dnsmasq
udp 0 0 10.0.3.1:53 0.0.0.0:* 2150/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 2093/named
udp6 0 0 :::53079 :::* 3196/dhclient
udp6 0 0 :::5353 :::* 772/avahi-daemon: r
udp6 0 0 fe80::5087:d9ff:fea2:53 :::* 2150/dnsmasq
udp6 0 0 :::53 :::* 2093/named

Why does named listen on this address? Because it is configured to do so in /etc/bind/named.conf.options on the Ubuntu 14.04.1 Desktop Edition host, as shown below. The "listen-on { 10.207.39.1; };" line is the one that makes named listen on this address.

gstanden@vmem1:~$ cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                127.0.1.1;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================

        dnssec-validation auto;
        recursion yes;
        allow-transfer { none; };
        allow-notify { 10.207.39.74; };
        auth-nxdomain no; # conform to RFC1035
        listen-on-v6 { any; };
        listen-on { ! 10.0.3.1; };
        listen-on { 192.168.122.1; };
        listen-on { 127.0.0.1; };
        listen-on { 10.207.39.1; };
};
gstanden@vmem1:~$

So named provides DNS for the LXC containers on my laptop, as well as for the KVM guests, via the OVS switch "sw1" on the IP network 10.207.39.0, which is the management network for these KVM guests and LXC containers. Resolution of Internet (WAN) names is handled by the "forwarders" block in the file above, which points to 127.0.1.1, the dnsmasq-base lightweight DNS server that supports NetworkManager on Ubuntu Desktop 14.04 (the "127.0.1.1:53 ... dnsmasq" line in the netstat output above).

The "do-not-listen-on" line, "listen-on { ! 10.0.3.1; };", is there because of an issue with running bind9 "named" on Ubuntu 14.04 that causes the default "lxcbr0" networking to fail to start. This exclusion keeps named from listening on that network so that the default LXC networking works as designed. This is discussed in more detail here. The configuration described on this page uses OVS for the networking of all LXC containers and KVM guests, but the default LXC functionality is kept working for backward compatibility with containers configured the default way, without OVS.
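As an added example (not part of the original page or of the author's setup), the following Python script cross-checks the two outputs above: it parses the "netstat -ulnp" lines for port-53 listeners and the listen-on statements from named.conf.options, then reports addresses where named is bound without being configured, configured without being bound, bound despite a "!" exclusion such as 10.0.3.1, or shared with another DNS daemon. The sample inputs are copied from the outputs above and embedded as constructed strings so it runs offline; the function names are my own.

```python
import re

# Constructed sample: "netstat -ulnp" lines copied from the host output above.
NETSTAT_SAMPLE = """\
udp 0 0 0.0.0.0:5353 0.0.0.0:* 772/avahi-daemon: r
udp 0 0 10.207.39.1:53 0.0.0.0:* 2093/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 2093/named
udp 0 0 127.0.1.1:53 0.0.0.0:* 3285/dnsmasq
udp 0 0 192.168.122.1:53 0.0.0.0:* 3244/dnsmasq
udp 0 0 10.0.3.1:53 0.0.0.0:* 2150/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 2093/named
udp6 0 0 :::53 :::* 2093/named
"""
# Constructed sample: the listen-on statements from named.conf.options above.
NAMED_OPTIONS_SAMPLE = """\
listen-on { ! 10.0.3.1; };
listen-on { 192.168.122.1; };
listen-on { 127.0.0.1; };
listen-on { 10.207.39.1; };
"""

def port53_listeners(netstat_text):
    # {address: {process names}} for IPv4 UDP sockets bound to port 53
    listeners = {}
    for fields in (line.split() for line in netstat_text.splitlines()):
        if len(fields) >= 6 and fields[0] == "udp" and fields[3].endswith(":53"):
            addr, proc = fields[3].rsplit(":", 1)[0], fields[5].split("/", 1)[1]
            listeners.setdefault(addr, set()).add(proc)
    return listeners

def configured_listen_on(options_text):
    # (allowed, denied) address sets; "! addr" entries are the negated ones
    allowed, denied = set(), set()
    for body in re.findall(r"listen-on\s*\{([^}]*)\}", options_text):
        for item in filter(None, (i.strip() for i in body.split(";"))):
            (denied if item.startswith("!") else allowed).add(item.lstrip("! "))
    return allowed, denied

def audit(netstat_text, options_text):
    # Compare the addresses named is actually bound to with its listen-on config
    listeners = port53_listeners(netstat_text)
    actual = {a for a, procs in listeners.items() if "named" in procs}
    allowed, denied = configured_listen_on(options_text)
    return {
        "unexpected": sorted(actual - allowed),       # bound but not configured
        "missing": sorted(allowed - actual),          # configured but not bound
        "denied_but_bound": sorted(actual & denied),  # e.g. lxcbr0's 10.0.3.1
        "shared": sorted(a for a, p in listeners.items() if len(p) > 1),
    }
```

On the sample data the only finding is that 192.168.122.1:53 is bound by both named and dnsmasq, which is worth knowing because it is ambiguous which daemon answers queries on that address.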

The settings above result in the following /etc/resolv.conf on the LXC containers (its contents are driven by the "DNS1" and "DOMAIN" settings in the ifcfg-eth0 shown above).

[root@lxcora3 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search vmem.org
nameserver 10.207.39.1
[root@lxcora3 ~]#

Some additional packages were installed with yum for various purposes, as shown below.

yum install nslookup
yum install bind-utils
yum install xdpyinfo
yum install xauth