

OCP 4.10.23 설치(openshift) - 2. DNS


DNS

•DNS를 구성하여 Cluster 정보(노드, api/api-int, *.apps 와일드카드, etcd) 등록
•노드들의 ntp server가 bastion을 바라보도록 함 (pool.ntp.org zone을 내부 DNS에서 직접 응답)
•OCP cluster zone(maru.ocp4.com)과 ntp zone(pool.ntp.org), 두 개를 등록

 

[registry]

 

bind install

# Install the BIND server (bind) and the query tools (bind-utils: dig, nslookup,
# named-checkzone/named-checkconf used later on this page).
yum -y install bind bind-utils

zone 등록

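# Register the two authoritative zones with named.
#   maru.ocp4.com : the OCP cluster zone (nodes, api, *.apps, etcd).
#   pool.ntp.org  : a LOCAL override of the public NTP pool domain so the
#                   nodes' NTP pool names resolve to bastion. Note that every
#                   client using this resolver sees the override, not only
#                   the cluster nodes.
# The grep guard keeps the append idempotent: running this twice would leave
# duplicate "zone" statements and named would refuse to start.
# Both "file" paths are absolute so they do not depend on options.directory.
# allow-update { none; } keeps the zones static (no dynamic DNS updates).
if ! grep -q 'zone "maru.ocp4.com"' /etc/named.rfc1912.zones; then
cat <<'EOF' >> /etc/named.rfc1912.zones

zone "maru.ocp4.com" IN {
        type master;
        file "/var/named/maru.ocp4.com.zone";
        allow-update { none; };
};

zone "pool.ntp.org" IN {
        type master;
        file "/var/named/pool.ntp.org.zone";
        allow-update { none; };
};
EOF
fi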

 

ocp zone 생성

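# Create the authoritative zone file for the cluster domain.
# The heredoc delimiter is QUOTED ('EOF'): with the original unquoted form the
# shell expanded "$TTL" to an empty string, so the file began with " 1D"
# instead of "$TTL 1D" and the zone would not load.
# ">" (not ">>") so re-running never leaves a second SOA in the file.
cat <<'EOF' > /var/named/maru.ocp4.com.zone
$TTL 1D
; SOA: MNAME is the primary nameserver, RNAME the admin mailbox with "@"
; written as "." (the original "ns.maru.ocp4.com.zone." was not a mailbox).
@       IN SOA  ns.maru.ocp4.com. hostmaster.maru.ocp4.com. (
                    20200520    ; serial - increment on every edit
                    1D          ; refresh
                    1H          ; retry
                    1W          ; expire
                    3H )        ; minimum (negative-cache TTL)

        IN NS   ns.maru.ocp4.com.
        IN A    172.16.2.192

; Bastion / jumphost, and the registry host (which also runs this DNS)
bastion     IN A    172.16.2.191
registry    IN A    172.16.2.192
ns          IN A    172.16.2.192

; Load balancer in front of api / api-int / *.apps (same host as bastion)
lb          IN A    172.16.2.191

; OCP cluster nodes
bootstrap   IN A    172.16.2.190
master01    IN A    172.16.2.193
master02    IN A    172.16.2.194
master03    IN A    172.16.2.195

worker01    IN A    172.16.2.196
worker02    IN A    172.16.2.197

infra01     IN A    172.16.2.198
infra02     IN A    172.16.2.199

; etcd aliases for the control-plane nodes
etcd-0      IN A    172.16.2.193
etcd-1      IN A    172.16.2.194
etcd-2      IN A    172.16.2.195

; API endpoints and the ingress wildcard all point at the load balancer
api-int     IN A    172.16.2.191
api         IN A    172.16.2.191
*.apps      IN A    172.16.2.191
apps        IN A    172.16.2.191

; etcd SRV records: required by early OCP 4 releases; presumably no longer
; needed by 4.10 (verify against the 4.10 install docs) - harmless to keep.
_etcd-server-ssl._tcp.maru.ocp4.com. IN SRV 0 10 2380 etcd-0.maru.ocp4.com.
_etcd-server-ssl._tcp.maru.ocp4.com. IN SRV 0 10 2380 etcd-1.maru.ocp4.com.
_etcd-server-ssl._tcp.maru.ocp4.com. IN SRV 0 10 2380 etcd-2.maru.ocp4.com.
EOF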

 

ntp zone 생성

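# Create the local override zone for pool.ntp.org.
# This server answers AUTHORITATIVELY for pool.ntp.org, so every client that
# uses it as resolver (not only the cluster nodes) is redirected to bastion
# for NTP; the real public pool is unreachable through this DNS. That is the
# intent here - keep it in mind before pointing anything else at this server.
# Quoted delimiter ('EOF') keeps "$TTL" literal (the unquoted original
# expanded it to nothing); ">" avoids a duplicate SOA on re-run.
cat <<'EOF' > /var/named/pool.ntp.org.zone
$TTL 1D
@       IN SOA  ns.pool.ntp.org. hostmaster.pool.ntp.org. (
            4019954001  ; serial - increment on every edit
            3H          ; refresh
            1H          ; retry
            1W          ; expire
            1H )        ; minimum (negative-cache TTL)

@           IN NS       ns.pool.ntp.org.
@           IN A        172.16.2.191

ns          IN A        172.16.2.191

; ntp: the wildcard catches names such as "2.rhel.pool.ntp.org" (the pool
; names a default RHEL chrony config uses - confirm against the nodes'
; chrony.conf), so the nodes sync time from bastion (172.16.2.191).
*.rhel      IN A        172.16.2.191
EOF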

 

권한 및 zone check

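# Ownership/permissions: named runs as the "named" user and only needs read
# access. root:named (":" is the supported separator; "." is legacy) plus 0640
# keeps other local users from reading the zone data.
chown root:named /var/named/maru.ocp4.com.zone /var/named/pool.ntp.org.zone
chmod 0640       /var/named/maru.ocp4.com.zone /var/named/pool.ntp.org.zone

# Validate each zone file against its OWN origin. The original checked the
# NTP zone with origin "maru.ocp4.com", which anchors the relative records
# ("ns", "*.rhel") under the wrong name and so does not validate what named
# will actually serve.
named-checkzone maru.ocp4.com /var/named/maru.ocp4.com.zone
named-checkzone pool.ntp.org  /var/named/pool.ntp.org.zone

# Also check the main config (it includes the zone statements appended to
# /etc/named.rfc1912.zones) before restarting named.
named-checkconf /etc/named.conf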

 

config 설정 파일

[root@registry ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

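// Hosts allowed to query and recurse through this server: the host itself and
// the cluster subnet. With "recursion yes", an unrestricted allow-query would
// make this an open resolver (a DNS-amplification target) on every interface
// it listens on. The /24 is assumed from the 172.16.2.x addresses in the zone
// files -- adjust it to the real node subnet.
acl "ocp-cluster" {
        127.0.0.1;
        172.16.2.0/24;
};

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";

        // Authoritative answers (maru.ocp4.com, pool.ntp.org) and recursive
        // lookups are both limited to the ACL above.
        allow-query     { localhost; ocp-cluster; };

        // Recursion stays on because the nodes resolve external names
        // (e.g. the "google.com" lookup shown below) through this server,
        // but only the cluster may use it.
        recursion yes;
        allow-recursion { localhost; ocp-cluster; };

        // Single-server setup: nobody needs zone transfers.
        allow-transfer  { none; };

        // "dnssec-enable" is accepted by BIND 9.11 (RHEL 8) but was removed
        // in 9.16+; drop that line if named rejects it.
        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints for recursion.
zone "." IN {
        type hint;
        file "named.ca";
};

// The cluster and NTP zones are appended to this file.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";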

 

데몬 재시작

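# Enable named so the cluster's DNS comes back after a reboot of this host
# (the original only restarted it), then restart to load the new zones.
systemctl enable named
systemctl restart named
# If firewalld is active on this host, the DNS port must be opened as well:
#   firewall-cmd --permanent --add-service=dns && firewall-cmd --reload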

 

[bastion]

 

조회

[root@bastion ~]# nslookup registry.maru.ocp4.com
Server:         172.16.2.192
Address:        172.16.2.192#53

Name:   registry.maru.ocp4.com
Address: 172.16.2.192

[root@bastion ~]# nslookup google.com
Server:         172.16.2.192
Address:        172.16.2.192#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.196.142
Name:   google.com
Address: 2404:6800:4004:822::200e

 

 

 

 

 
