IP Address Management
In any network it is important to keep track of the IP addresses used there. In the NSCHOOL environment, the base source of IP information is the Ansible inventory file /local/nschool/inventory/00-all.yml. This file contains every host in the environment, including gateways, printers, managed network switches, cable modems and guests. The same file also contains the hardware Ethernet addresses of the hosts, either copied from the network interface of a new machine or configured into a virtual machine. This information is used to generate the following:
- The /etc/hosts file of the main server.
- The DNS server configuration:
  - /etc/named.conf
  - /var/named/prime_domain/db.xxx
- The DHCP configuration /etc/dhcp/dhcpd.conf
All of these will be automatically generated by playbooks and scripts, so that all one needs to do to add a machine is create an entry in the inventory.
Input files
These are the input files used when generating a DNS/DHCP server:
/local/nschool/inventory/00-all
This inventory file is a custom NSCHOOL design that includes the information needed for a Main server with boot/install facilities. It follows the Ansible inventory file standards and defines a few variables for every host. By definition, if a host is included in this file, it is part of the NSCHOOL environment; if not, then it isn't. This is a sample of the contents:
[all]
algernon.nerdhole.me.uk main_ip=10.12.0.60 local_pxefile=0A0C003C macaddress=74:56:3c:3c:bd:bd
ariciel.nerdhole.me.uk main_ip=10.12.0.63 local_pxefile=0A0C003F macaddress=52:54:ba:be:01:02
bannog.nerdhole.me.uk main_ip=10.12.0.62 local_pxefile=0A0C003E macaddress=52:54:ba:be:01:01
emerald.nerdhole.me.uk main_ip=10.12.0.58 local_pxefile=0A0C003A macaddress=44:8a:5b:98:92:99
gateway.nerdhole.me.uk main_ip=10.12.0.1 local_pxefile=default macaddress=b0:4e:26:45:aa:62
sypha.nerdhole.me.uk main_ip=10.12.0.2 local_pxefile=0A0C0002 macaddress=d8:9e:f3:91:8a:d8
The information included is:
- The Fully Qualified Domain Name of the machine. No short names are allowed.
- The main IP address of the host. If we have a machine with multiple network interfaces, their additional addresses will be defined elsewhere.
- The local PXE file suffix. This is used by PXE to specify what this machine is to do when it boots off the BIS. Usually, reinstall itself. It is the IP address in hexadecimal, or "default" if the machine will never use PXE.
- The machine's MAC address on its main interface. This is used to configure DHCP as well as the hardware address of virtual machines.
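As an added example (not part of the NSCHOOL tooling), the following Python checks an inventory against the rules above before anything is generated: names must be fully qualified, local_pxefile must equal the IP address in hexadecimal unless it is default, MAC addresses must be well formed, and no IP or MAC may appear twice. The sample inventory is constructed, and its last line is deliberately broken.

```python
import ipaddress
import re

# Constructed sample in the page's inventory format; the last line is deliberately broken
# (short name, PXE suffix of another IP, reused IP and MAC) so the checks report something.
SAMPLE_INVENTORY = """\
[all]
algernon.nerdhole.me.uk main_ip=10.12.0.60 local_pxefile=0A0C003C macaddress=74:56:3c:3c:bd:bd
gateway.nerdhole.me.uk main_ip=10.12.0.1 local_pxefile=default macaddress=b0:4e:26:45:aa:62
sypha.nerdhole.me.uk main_ip=10.12.0.2 local_pxefile=0A0C0002 macaddress=d8:9e:f3:91:8a:d8
badhost main_ip=10.12.0.60 local_pxefile=0A0C0003 macaddress=d8:9e:f3:91:8a:d8
"""
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def pxe_suffix(ip):
    """PXE config file name for an IP: each octet as two upper-case hex digits."""
    return "".join(f"{int(o):02X}" for o in ip.split("."))

def parse_inventory(text):
    """Return [(fqdn, {var: value})] for every host line in the inventory."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "[#":   # skip blanks, group headers and comments
            continue
        name, *pairs = line.split()
        hosts.append((name, dict(p.split("=", 1) for p in pairs)))
    return hosts

def validate(hosts):
    """Return a list of problems; an empty list means the inventory is consistent."""
    problems, seen_ip, seen_mac = [], {}, {}
    for name, v in hosts:
        if "." not in name:
            problems.append(f"{name}: not a fully qualified domain name")
        ip, pxe, mac = v.get("main_ip", ""), v.get("local_pxefile", ""), v.get("macaddress", "").lower()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"{name}: bad main_ip {ip!r}")
            continue  # the remaining checks all depend on a usable address
        if pxe not in ("default", pxe_suffix(ip)):
            problems.append(f"{name}: local_pxefile {pxe} should be {pxe_suffix(ip)}")
        if not MAC_RE.match(mac):
            problems.append(f"{name}: bad macaddress {mac!r}")
        for key, val, seen in (("main_ip", ip, seen_ip), ("macaddress", mac, seen_mac)):
            if val in seen:
                problems.append(f"{name}: {key} {val} already used by {seen[val]}")
            seen.setdefault(val, name)
    return problems
```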
/etc/hosts
We mainly use /etc/hosts to specify aliases for machines where an application does not define them itself. The main server's /etc/hosts file is generated by a Jinja2 template, but we can specify additional host files if needed. It follows the normal /etc/hosts file format. The only restriction is that the first hostname on any line must be the host's primary FQDN.
Generated files
These are samples of the files generated in the NSCHOOL environment:
The host file /etc/hosts
This file is only generated on the main server and not propagated anywhere else. It serves as a way to resolve hostnames in the absence of DNS servers, and also as a source for host aliases to be configured into the DNS server as CNAMEs. This is a sample of the contents:
# NERDHOLE SCHOOL ENHANCED HOST FILE
# ==================================
# Ansible managed
# Environment name: Nerdhole Enterprises
# Main domain : nerdhole.me.uk
# Main server : sypha.nerdhole.me.uk
# Main server IP : 10.12.0.2
# Timestamp : 1719382406
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.12.0.60 algernon.nerdhole.me.uk backup
10.12.0.63 ariciel.nerdhole.me.uk
10.12.0.62 bannog.nerdhole.me.uk
10.12.0.58 emerald.nerdhole.me.uk
10.12.0.1 gateway.nerdhole.me.uk
10.12.0.7 griggin.nerdhole.me.uk
10.12.0.100 labo100.nerdhole.me.uk
10.12.0.101 labo101.nerdhole.me.uk
10.12.0.2 sypha.nerdhole.me.uk main ns kerberos ldap bis fs git www
... All the other hosts ...
The aliases are specified in the nschool role's aliases variable. In the future, we may add host aliases to application related roles.
The named configuration files
The BIND process that translates between hostnames and IP addresses is called named, and it is configured using a file called /etc/named.conf. We do not want to put NSCHOOL information in this file, keeping it purely a system resource. We do need to configure named to listen on all network interfaces and allow queries from anyone. This is achieved by removing the listen-on and allow-query lines from /etc/named.conf. All the environment-specific information goes into a file named /etc/named.conf.local, which we generate from the inventory. This line in /etc/named.conf will have named use that file:
include "/etc/named.conf.local";
The /etc/named.conf.local file specifies which DNS domains are stored in which zone file. This is a sample, cut for brevity:
// Local zone definitions for DNSserver: nerdhole.me.uk
//----------------------------------------------------------------------
zone "nerdhole.me.uk" {
type master;
notify no;
file "/var/named/nerdhole.me.uk/db.nerdhole.me.uk";
};
zone "0.12.10.in-addr.arpa" {
type master;
notify no;
file "/var/named/nerdhole.me.uk/db.10.12.0.0";
};
The zone nerdhole.me.uk is specified in the zone file db.nerdhole.me.uk, which is stored in a subdirectory /var/named/nerdhole.me.uk/ to keep it separate from any other DNS files. This way, we can simply erase the entire directory and regenerate it when necessary.
Zone files
A zone file comes in two flavours: forward and reverse. Both are essential for a well-configured name server. This is a sample of the forward zone file:
; Zone file: /var/named/nerdhole.me.uk/db.nerdhole.me.uk
;----------------------------------------------------------------------
; For nerdhole.me.uk
$TTL 3D
@ IN SOA sypha.nerdhole.me.uk. admin.nerdhole.me.uk. (
1719382445 ; Serial
8H ; Refresh time
2H ; Retry
4W ; Expire
1D ); Minimum
;
NS sypha.nerdhole.me.uk. ; Name server
;
algernon A 10.12.0.60
ariciel A 10.12.0.63
bannog A 10.12.0.62
[... Snipped for brevity ...]
sypha A 10.12.0.2
trixie A 10.12.0.10
yang A 10.12.0.64
; Aliases
backup CNAME algernon ; backup server
second CNAME paya ; second server
bis CNAME sypha ; bis server
fs CNAME sypha ; fs server
git CNAME sypha ; git server
kerberos CNAME sypha ; kerberos server
ldap CNAME sypha ; ldap server
main CNAME sypha ; main server
ns CNAME sypha ; ns server
www CNAME sypha ; www server
The IN SOA record provides authoritative information on the domain itself. The A records translate a name to an IP address. The CNAME records specify aliases for a host, so that a query for backup.nerdhole.me.uk will yield algernon's IP address: 10.12.0.60.
This file is generated from the Ansible inventory files and the /etc/hosts file by a Perl script called /local/named/mkdnsserver which is part of the NSCHOOL environment.
A reverse zone file translates an IP address back into a hostname. This is used by certain applications to determine where connections are coming from in a first step towards authentication. This is a sample of a reverse zone file:
; Zone file: /var/named/nerdhole.me.uk/db.10.12.0.0
;----------------------------------------------------------------------
; For 0.12.10.in-addr.arpa
$TTL 3D
@ IN SOA sypha.nerdhole.me.uk. admin.nerdhole.me.uk. (
1719382445 ; Serial
8H ; Refresh time
2H ; Retry
4W ; Expire
1D ); Minimum
;
NS sypha.nerdhole.me.uk. ; Name server
;
1 PTR gateway.nerdhole.me.uk.
2 PTR sypha.nerdhole.me.uk.
5 PTR nero.nerdhole.me.uk.
[... Snipped for brevity...]
109 PTR labo109.nerdhole.me.uk.
110 PTR labo110.nerdhole.me.uk.
The IN SOA record is the same. The zone 0.12.10.in-addr.arpa is part of the DNS specification: it is the network part of the IP address in reverse order, followed by in-addr.arpa, which flags the domain as a reverse zone. A query on 10.12.0.2 will be translated to 2.0.12.10.in-addr.arpa. From its configuration, named knows which zone file holds this zone, and finds the PTR record for host number 2, which is sypha.nerdhole.me.uk. This arrangement allows system administrators to divide up their labour and have each of them administer their own IP addresses.
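Added example, not the page's mkdnsserver script: Python that derives the forward A and CNAME records and the reverse zone name and PTR records from constructed inventory and /etc/hosts data. It generalises the /24 case above to any octet-aligned prefix (/8, /16, /24); prefixes that do not fall on an octet boundary would need classless reverse delegation, which it does not handle.

```python
import ipaddress

# Constructed sample: (fqdn, ip) pairs as the inventory supplies them, and /etc/hosts
# lines in the page's format (first name is the FQDN, the rest are aliases).
HOSTS = [("algernon.nerdhole.me.uk", "10.12.0.60"),
         ("gateway.nerdhole.me.uk", "10.12.0.1"),
         ("sypha.nerdhole.me.uk", "10.12.0.2")]
ETC_HOSTS = """\
# Ansible managed
127.0.0.1 localhost localhost.localdomain localhost4
10.12.0.60 algernon.nerdhole.me.uk backup
10.12.0.2 sypha.nerdhole.me.uk main ns
"""
DOMAIN = "nerdhole.me.uk"

def reverse_zone_name(network):
    """'10.12.0.0/24' -> '0.12.10.in-addr.arpa': network octets reversed, host octets dropped."""
    net = ipaddress.IPv4Network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def reverse_name(ip):
    """Name that a resolver actually queries for a PTR lookup of ip."""
    return ipaddress.IPv4Address(ip).reverse_pointer

def forward_records(hosts, etc_hosts, domain):
    """A records for every host, then a CNAME for every alias /etc/hosts gives a known host."""
    known = {fqdn for fqdn, _ in hosts}
    lines = [f"{fqdn.removesuffix('.' + domain)} A {ip}" for fqdn, ip in hosts]
    for entry in etc_hosts.splitlines():
        fields = entry.split()
        if len(fields) > 2 and fields[1] in known:   # skips comments, localhost, alias-less lines
            target = fields[1].removesuffix("." + domain)
            lines += [f"{alias} CNAME {target}" for alias in fields[2:]]
    return lines

def reverse_records(hosts, network):
    """PTR records relative to the reverse zone, for the hosts that fall inside network."""
    net = ipaddress.IPv4Network(network)
    keep = net.prefixlen // 8          # octets already named by the zone itself
    lines = []
    for fqdn, ip in sorted(hosts, key=lambda h: ipaddress.IPv4Address(h[1])):
        addr = ipaddress.IPv4Address(ip)
        if addr in net:
            relative = ".".join(reversed(str(addr).split(".")[keep:]))
            lines.append(f"{relative} PTR {fqdn}.")   # trailing dot: absolute name
    return lines
```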
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is designed to assign every client an IP address from a central table, based on its Ethernet hardware address. When a client wakes up on the network, it sends a broadcast packet from its hardware address. The DHCP server picks this up and supplies the IP address from its internal table. The client configures that address on its own network interface and uses it from then on. The DHCP protocol also allows us to give more network information to the client, such as a default gateway, a name server, a domain name, and which server to use as a boot/install server.
The DHCP server is called dhcpd and is configured using a file named /etc/dhcp/dhcpd.conf. This is a sample of the contents:
# DHCP configuration for nerdhole.me.uk
#----------------------------------------------------------------------
# This file is generated. Do not edit by hand.
option domain-name "nerdhole.me.uk.";
option domain-name-servers 10.12.0.2;
use-host-decl-names on;
default-lease-time 600;
max-lease-time 7200;
authoritative;
# Define what several numbered DHCP options mean.
option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;
option architecture-type code 93 = unsigned integer 16;
# Send PCs or VMs to PXE boot
class "PCs" {
match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
next-server 10.12.0.2;
if option architecture-type = 00:07 {
filename = "efi/shimx64.efi";
}
else {
filename = "pxelinux/pxelinux.0";
}
}
# Define the subnet(s) served by this DHCP server
subnet 10.12.0.0 netmask 255.255.255.0 {
option routers 10.12.0.1;
range 10.12.0.200 10.12.0.215; # Guest machines
}
host algernon { hardware ethernet 74:56:3c:3c:bd:bd; fixed-address 10.12.0.60; }
host ariciel { hardware ethernet 52:54:ba:be:01:02; fixed-address 10.12.0.63; }
host bannog { hardware ethernet 52:54:ba:be:01:01; fixed-address 10.12.0.62; }
host sypha { hardware ethernet d8:9e:f3:91:8a:d8; fixed-address 10.12.0.2; }
At this time, we only generate the information for the main server's primary network, in this case 10.12.0.0/24. The IP addresses from 200 to 215 are meant for guest machines that we have not configured into our inventory, such as work laptops, phones, tablets and so on.
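Added example (not the project's code): Python that emits the host stanzas shown above from constructed (name, ip, mac) data, after checking that each fixed address lies inside the served subnet and outside the 10.12.0.200-215 guest pool, since a reservation inside the dynamic range could also be handed out to a guest.

```python
import ipaddress

# Constructed sample: (short name, ip, mac) triples as an inventory such as the one on this
# page would supply them, plus the subnet and guest range that dhcpd.conf declares.
HOSTS = [("algernon", "10.12.0.60", "74:56:3c:3c:bd:bd"),
         ("sypha", "10.12.0.2", "d8:9e:f3:91:8a:d8"),
         ("stray", "10.12.0.205", "52:54:ba:be:01:09"),    # inside the guest range
         ("elsewhere", "10.13.0.5", "52:54:ba:be:01:0a")]  # outside the served subnet
SUBNET = "10.12.0.0/24"
GUEST_RANGE = ("10.12.0.200", "10.12.0.215")

def in_guest_range(ip, guest_range):
    """True when ip lies inside the dynamic pool reserved for unlisted guests."""
    lo, hi = (ipaddress.IPv4Address(a) for a in guest_range)
    return lo <= ipaddress.IPv4Address(ip) <= hi

def check_reservations(hosts, subnet, guest_range):
    """Problems a static reservation would cause for the served subnet or the guest pool."""
    net = ipaddress.IPv4Network(subnet)
    problems = []
    for name, ip, _mac in hosts:
        if ipaddress.IPv4Address(ip) not in net:
            problems.append(f"{name}: {ip} is not in served subnet {subnet}")
        elif in_guest_range(ip, guest_range):
            problems.append(f"{name}: {ip} collides with guest range {guest_range[0]}-{guest_range[1]}")
    return problems

def host_stanzas(hosts, subnet, guest_range):
    """dhcpd.conf host blocks, in the page's one-line form, for reservations that pass the checks."""
    rejected = {p.split(":", 1)[0] for p in check_reservations(hosts, subnet, guest_range)}
    return [f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}"
            for name, ip, mac in hosts if name not in rejected]
```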
Automation
These are the ways in which we automate our IP address management:
The mkdnsserver script
Most of the work in configuring our IP address management facilities is done by a Perl script called /local/nschool/bin/mkdnsserver. It is called as follows:
/bin/mkdnsserver \
  --primeserver <full name of the main server> \
  --primeip <ip address of the main server> \
  --homedir /var/named/<directory for the zone files> \
  --localnamedconf /etc/named.conf.local \
  --dhcpfile /etc/dhcpd/dhcpd.conf \
  --inventorysrc /local/nschool/inventory/00-all \
  --etchostsrc /etc/hosts
This takes the name and IP address of the main server, an existing directory where it will store the zone files, the file names of the named.conf.local and dhcpd.conf files to write, one or more inventory files, and one or more host files. All parameters are required.
The environment_bootstrap.yml playbook
The environment_bootstrap playbook will set up one server as a Main server using the nschool role, and configure it as a boot/install server using the bis role. The nschool role will:
- Open up the required ports (DNS and DHCP) on the firewall
- Generate the /etc/hosts file
- Generate the DNS and DHCP configuration using mkdnsserver
- Make named listen on all interfaces rather than only on the loopback interface
- Allow DNS queries from any host
- Include /etc/named.conf.local in the /etc/named.conf
Conclusion
By automating the generation of all the IP address related files, we can easily add and remove hosts on the main server.