<div dir="ltr"><div>I am running the lxc-net service on Oracle Linux 7. Here is the configuration information for the dnsmasq setup:<br><br></div>### START dnsmasq (lxc-net) configuration information ###<br><div><br>[ubuntu@guardian ~]$ cat /etc/NetworkManager/NetworkManager.conf<br># Configuration file for NetworkManager.<br>#<br># See "man 5 NetworkManager.conf" for details.<br>#<br># The directory /etc/NetworkManager/conf.d/ can contain additional configuration<br># snippets. Those snippets override the settings from this main file.<br>#<br># The files within conf.d/ directory are read in asciibetical order.<br>#<br># If two files define the same key, the one that is read afterwards will overwrite<br># the previous one.<br><br>[main]<br>plugins=ifcfg-rh<br>dns=none<br><br>[logging]<br>#level=DEBUG<br>#domains=ALL<br>[ubuntu@guardian ~]$<br><br>[ubuntu@guardian ~]$ dnsmasq --version<br>Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley<br>Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify<br><br>This software comes with ABSOLUTELY NO WARRANTY.<br>Dnsmasq is free software, and you are welcome to redistribute it<br>under the terms of the GNU General Public License, version 2 or 3.<br>[ubuntu@guardian ~]$ cat /etc/dnsmasq.conf | grep -v '#' | sort -u<br><br>bind-interfaces<br>cache-size=150<br>conf-dir=/etc/dnsmasq.d<br>dhcp-authoritative<br>dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases<br>dhcp-lease-max=253<br>dhcp-no-override<br>DHCP-RANGE-OLXC<br>interface=lxcbr0<br>listen-address=127.0.0.1<br>pid-file=/var/run/lxc/dnsmasq.pid<br>resolv-file=/etc/resolv.dnsmasq<br>server=/29.207.10.in-addr.arpa/10.207.29.2<br>server=/39.207.10.in-addr.arpa/10.207.39.2<br>server=/consultingcommandos.us/10.207.29.2<br>server=/gns1.orabuntu-lxc.com/10.207.39.3<br>server=/localnet/192.168.0.1<br>server=/orabuntu-lxc.com/10.207.39.2<br>strict-order<br>[ubuntu@guardian ~]$ uname -a<br>Linux guardian 4.1.12-112.14.1.el7uek.x86_64 #2 SMP Fri Dec 8 18:37:23 PST 2017 x86_64 x86_64 x86_64 GNU/Linux<br>[ubuntu@guardian ~]$ cat /etc/oracle-release <br>Oracle Linux Server release 7.4<br>[ubuntu@guardian ~]$ cat /etc/redhat-release <br>Red Hat Enterprise Linux Server release 7.4 (Maipo)<br>[ubuntu@guardian ~]$ <br></div><div><br></div><div>[ubuntu@guardian ~]$ cat /etc/sysconfig/lxc-net<br># Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your<br># containers. Set to "false" if you'll use virbr0 or another existing<br># bridge, or mavlan to your host's NIC.<br>USE_LXC_BRIDGE="true"<br><br># If you change the LXC_BRIDGE to something other than lxcbr0, then<br># you will also need to update your /etc/lxc/default.conf as well as the<br># configuration (/var/lib/lxc/&lt;container&gt;/config) for any containers<br># already created using the default config to reflect the new bridge<br># name.<br># If you have the dnsmasq daemon installed, you'll also have to update<br># /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.<br>LXC_BRIDGE="lxcbr0"<br>LXC_ADDR="10.133.192.1"<br>LXC_NETMASK="255.255.255.0"<br>LXC_NETWORK="10.133.192.0/24"<br>LXC_DHCP_RANGE="10.133.192.2,10.133.192.254"<br>LXC_DHCP_MAX="253"<br># Uncomment the next line if you'd like to use a conf-file for the lxcbr0<br># dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have<br># container 'mail1' always get ip address 10.0.3.100.<br>LXC_DHCP_CONFILE=/etc/dnsmasq.conf<br><br># Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc<br># domain. 
You can then add "server=/lxc/10.0.3.1' (or your actual )<br># to /etc/dnsmasq.conf, after which 'container1.lxc' will resolve on your<br># host.<br>#LXC_DOMAIN="lxc"<br>[ubuntu@guardian ~]$</div><div><br></div><div>### END dnsmasq (lxc-net) configuration ###</div><div><br></div><div>At 10.207.39.2 (on a different physical host - "santorini") via a GRE tunnel there is an LXC container "olive" that has a bind9/isc-dhcp-server setup that hands out dhcp addresses and automatically adds them to bind9 DNS, all inside the container.</div><div><br></div><div>Everything works just great for DNS resolution on guardian EXCEPT that when new containers are created and come up on santorini, DNS lookups fail on guardian for the newly-added-to-olive container DNS records. The only way I can get lxc-net to successfully look up newly added DNS entries on olive is to restart lxc-net on guardian (sudo service lxc-net restart), and then the lookups are all there, including any that were added on olive in the last few seconds.</div><div><br></div><div>Now I have found that if I activate the "no-resolv" parameter in /etc/dnsmasq.conf then new DNS records on olive are immediately available on guardian without any need to restart lxc-net on guardian. However, this breaks WAN resolution to internet destinations such as <a href="http://google.com">google.com</a>, <a href="http://yahoo.com">yahoo.com</a> etc. Also, "no-resolv" only resolves short names apparently - for example, it will resolve "newcontainer" but it won't resolve "<a href="http://newcontainer.urdomain1.com">newcontainer.urdomain1.com</a>". I also did some experiments with the parameter "all-servers" but it didn't seem to have any effect.</div><div><br></div><div>This seems to be a general configuration problem because I have the same issue when systemd-resolved is used remotely in the same way I am using dnsmasq on guardian to call to the DNS/DHCP container "olive" on the GRE-connected remote host. 
So I think this is a general DNS lookup scenario that is not dnsmasq-specific but nevertheless I'm trying to configure dnsmasq so that it will not be necessary to keep restarting lxc-net dnsmasq to pick up new DNS updates from olive on guardian, but at the same time be able to resolve WAN addresses on guardian.</div><div><br></div><div>Thanks, Gil<br clear="all"></div><div><div><br>-- <br><div class="gmail_signature"><div dir="ltr">Gilbert Standen<div>Creator Orabuntu-LXC</div><div>914-261-4594</div><div><a href="mailto:gilbert@orabuntu-lxc.com" target="_blank">gilbert@orabuntu-lxc.com</a></div><div><br></div></div></div>
</div></div></div>