Create 2022-12-05-ipaclient_dns_resolver.md #8
Open: wants to merge 1 commit into base: main
122 changes: 122 additions & 0 deletions src/blog/_posts/2022-12-05-ipaclient_dns_resolver.md
@@ -0,0 +1,122 @@
---
layout: post
title: "DNS resolver configuration for clients and replicas"
section: Blog
date: 2022-12-05T07:00:00
author: Thomas Woerner
tags: dns client
---

## Introduction

Since ansible-freeipa version 1.9.0 it is possible to configure the DNS resolver for the clients and replicas.

## Description

The configuration of the DNS resolver with the ipaclient role simplifies the deployment of clients and especially clusters a lot as there is no extra step needed to configure the DNS resolvers before using the ipaclient role to deploy clients.

So far, if DNS was configured as part of the domain, it was needed to configure the DNS resolvers for client and replica deployments manually before starting the deployment. The configuration required knowledge about the used DNS resolver and also about the way how to configure it properly so that the change also survived a reload or restart of the DNS resolver service or a reboot of the machine. In the past it was common to modify simply `/etc/resolv.conf`, but if `NetworkManager` and also `systemd-resolved` are used this is a temporary change and will be overwritten by these services at some point.

By enabling the DNS resolver configuration for client and replica deployments the configuration of the DNS resolver is taken care by the ipaclient role. As the ipareplica role is at first deploying a client which is then promoted to become a replica (server), the DNS resolver configuraiton can also be used for replica deployments using the ipareplica role. The names of the variables to achieve this are the same as for the client role.

The DNS nameservers and the search domain are configured for NetworkManager, systemd-resolved (if installed and enabled) and /etc/resolv.conf if neither NetworkManager nor systemd-resolved is used.

The installation of packages is happening before the DNS resolver is configured, therefore package installation needs to be possible without the configuration of the DNS resolver.

The ipaserver deployment is already configuring the DNS resolvers if the internal DNS is enabled for the server. The client part installation on the server with the ipaclient role is not configuring the DNS resolver and is also not overwriting the configuration done before in the server deployment.

## Variables


**ipaclient_configure_dns_resolver**<br>
The bool value defines if the DNS resolver is configured. before deploying the client. This is useful if the IPA server has internal DNS support. **ipaclient_dns_servers** need to be set also.

**ipaclient_dns_servers**<br>
The list of DNS server IP addresses. This is only useful with **ipaclient_configure_dns_resolver**.

**ipaclient_cleanup_dns_resolver**<br>
The bool value defines if DNS resolvers that have been configured before with **ipaclient_configure_dns_resolver** will be cleaned up again.


## Configuration

To enable the configuration for the client use an inventory like this one:

```ini
[ipaservers]
ipaserver.example.com

[ipaclients]
ipaclient1.example.com
ipaclient2.example.com

[ipaclients:vars]
ipaadmin_principal=admin
ipaadmin_password=MySecretPassword123
ipaclient_domain=example.com
ipaclient_configure_dns_resolver=true
ipaclient_dns_servers=192.168.100.1
```

It is important to enable `ipaclient_configure_dns_resolver` and to use the IP address(es) of the DNS server(s) for `ipaclient_dns_servers`.

The configuration for NetworkManager and also systemd-resolved will be done if the components exist and are enabled otherwise `/etc/resolvconf` will be changed.
Member

There's a missing dot "." in /etc/resolvconf.


## How does it work

For **NetworkManager** the file `/etc/NetworkManager/conf.d/zzz-ipa.conf` will be generated:

```ini
# auto-generated by IPA client installer
[main]
dns={dnsprocessing}
[global-dns]
searches={searchdomains}
[global-dns-domain-*]
servers={servers}
```

`{dnsprocessing}` is either `"systemd-resolved"` if `/etc/resolv.conf` is managed by systemd-resolved or `"default"`.
`{searchdomains}` are the search domains and `{servers}` are the DNS server IP addresses.

The configuration of `NetworkManager` without using `systemd-reolved` can be directly seen in `/etc/resolv.conf`.

For **systemd-resolved** the configuration file `/etc/systemd/resolved.conf.d/zzz-ipa.conf` will be created:

```ini
# auto-generated by IPA client installer
[Resolve]
# use DNS servers
DNS={servers}
# make default DNS server, add search suffixes
Domains=~. {searchdomains}
```

The configuration of `systemd-resolved` can be checked using the command `systemd-resolve --status`.



## Result

**NetworkManager** `/etc/NetworkManager/conf.d/zzz-ipa.conf`

```ini
# auto-generated by IPA client installer
[main]
dns="systemd-resolved"
[global-dns]
searches=example.com
[global-dns-domain-*]
servers=192.168.100.1
```

**systemd-resolved** `/etc/systemd/resolved.conf.d/zzz-ipa.conf`

```ini
# auto-generated by IPA client installer
[Resolve]
# use DNS servers
DNS=192.168.100.1
# make default DNS server, add search suffixes
Domains=~. example.com
```
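Review bot: the inventory example under "## Configuration" puts `ipaadmin_password=MySecretPassword123` in clear text in `[ipaclients:vars]`; since readers copy such snippets, consider a sentence pointing out that the admin password should come from Ansible Vault or a variable supplied at run time rather than the committed inventory file, and that `ipaclient_dns_servers` must list only trusted resolver addresses, because the role redirects all name resolution of every client (and, via ipareplica, every new replica) to them. Several typos in the prose: "configuraiton" in the ipareplica paragraph, "taken care by" should be "taken care of by", a stray full stop in "is configured. before deploying the client" under **ipaclient_configure_dns_resolver**, "systemd-reolved" in the paragraph after the NetworkManager snippet, and "/etc/resolvconf" in the Configuration section (already raised above) should read "/etc/resolv.conf".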