updated doc from todo

2025-05-28 07:38:39 +00:00 · 2025-05-28 07:38:39 +00:00 · 7e1eb4f96e
commit 7e1eb4f96e
parent e12ee33245
3 changed files with 112 additions and 53 deletions
--- a/doc/main.md
+++ b/doc/main.md
@ -14,13 +14,13 @@ integration.

 Before proceeding, ensure the following:

-   Incus is installed on the host system (`sudo apt install incus`).
+\- Incus is installed on the host system (`sudo apt install incus`).

-   A Debian-based container is created in Incus.
+\- A Debian-based container is created in Incus.

-   Basic knowledge of Linux networking and container management.
+\- Basic knowledge of Linux networking and container management.

-   Root or sudo access to the host and container.
+\- Root or sudo access to the host and container.

 # Step-by-Step Configuration

@ -104,12 +104,12 @@ interfaces named `vA` and `vB`.

 This command:

-   Creates a `veth` pair with one end (`vA`) in the default namespace
-    and the other end (`vB`) in the `deb1`'s network namespace.
+\- Creates a `veth` pair with one end (`vA`) in the default namespace
+and the other end (`vB`) in the `deb1`'s network namespace.

-   Ensures the interfaces are set up and operational, allowing network
-    traffic to flow between the container and the `ns1` namespace (or
-    default namespace if `ns1` is not explicitly created).
+\- Ensures the interfaces are set up and operational, allowing network
+traffic to flow between the container and the `ns1` namespace (or
+default namespace if `ns1` is not explicitly created).

 The script uses the `pyroute2` library to manage network interfaces and
 namespaces, and supports container types such as Incus, LXC, LXD, and
@ -184,22 +184,48 @@ Add or modify the following settings to enable DNS and DHCP:

 **Explanation:**

-   `domain-needed`: Prevents incomplete domain names from being sent to
-    upstream DNS.
+\- `domain-needed`: Prevents incomplete domain names from being sent to
+upstream DNS.

-   `bogus-priv`: Blocks reverse DNS lookups for private IP ranges.
+\- `bogus-priv`: Blocks reverse DNS lookups for private IP ranges.

-   `no-resolv`: Disables reading `/etc/resolv.conf`.
+\- `no-resolv`: Disables reading `/etc/resolv.conf`.

-   `server`: Specifies upstream DNS servers (Google DNS in this case).
+\- `server`: Specifies upstream DNS servers (Google DNS in this case).

-   `local` and `domain`: Configures a local domain.
+\- `local` and `domain`: Configures a local domain.

-   `dhcp-range`: Defines the IP range for DHCP clients (from
-    192.168.1.100 to 192.168.1.200, lease time 12 hours).
+\- `dhcp-range`: Defines the IP range for DHCP clients (from
+192.168.1.100 to 192.168.1.200, lease time 12 hours).

-   `dhcp-option`: Sets the default gateway (option 3) and DNS servers
-    (option 6).
+\- `dhcp-option`: Sets the default gateway (option 3) and DNS servers
+(option 6).
+
+## System-Level Adjustments for Network Stability
+
+In some cases, especially in nested or privileged containers, additional
+system-level adjustments are necessary to ensure proper network
+functionality and avoid conflicts.
+
+To remount the `/sys` filesystem as read-write (required if certain
+networking tools fail due to mount restrictions):
+
+``` {.bash language="bash"}
+sudo mount -o remount,rw /sys
+sudo systemctl restart systemd-udevd
+```
+
+Additionally, to prevent DNS conflicts with `systemd-resolved`, which
+may interfere with `dnsmasq`, stop and disable the service:
+
+``` {.bash language="bash"}
+sudo systemctl stop systemd-resolved
+sudo systemctl disable systemd-resolved
+```
+
+This ensures that `dnsmasq` can bind to port 53 without conflicts. If
+you require `systemd-resolved`, consider configuring it to listen on a
+different interface or using socket activation.

 ## Starting and Enabling dnsmasq

@ -232,12 +258,12 @@ that it receives an IP address in the range

 If `dnsmasq` fails to start:

-   Check the logs: `incus exec deb1 – journalctl -u dnsmasq`.
+\- Check the logs: `incus exec deb1 – journalctl -u dnsmasq`.

-   Ensure no other service is using port 53 (DNS) or 67 (DHCP).
+\- Ensure no other service is using port 53 (DNS) or 67 (DHCP).

-   Verify the network configuration with `incus exec deb1 – ip a` and
-    `incus exec deb1 – ping 8.8.8.8`.
+\- Verify the network configuration with `incus exec deb1 – ip a` and
+`incus exec deb1 – ping 8.8.8.8`.

 # Conclusion

--- a/doc/main.pdf
+++ b/doc/main.pdf
--- a/doc/main.tex
+++ b/doc/main.tex
@ -44,12 +44,16 @@ This guide provides step-by-step instructions for setting up \texttt{dnsmasq} as

 \section{Prerequisites}
 Before proceeding, ensure the following:
-\begin{itemize}
-  \item Incus is installed on the host system (\texttt{sudo apt install incus}).
-  \item A Debian-based container is created in Incus.
-  \item Basic knowledge of Linux networking and container management.
-  \item Root or sudo access to the host and container.
-\end{itemize}
+
+  
+- Incus is installed on the host system (\texttt{sudo apt install incus}).
+  
+- A Debian-based container is created in Incus.
+  
+- Basic knowledge of Linux networking and container management.
+  
+- Root or sudo access to the host and container.
+

 \section{Step-by-Step Configuration}

@ -64,8 +68,6 @@ incus start deb1
 \end{lstlisting}
 The \texttt{security.syscalls.intercept.mount}, \texttt{security.nesting}, and \texttt{security.privileged} settings are required for \texttt{dnsmasq} and Docker to function correctly in the container.

-
-% New subsection for firewall settings
 \subsection{Firewall Configuration}
 To allow traffic forwarding between the \texttt{incusbr0} bridge and the \texttt{wlo1} wireless interface, the following iptables rules are applied:

@ -107,7 +109,6 @@ Access the container's shell:
 incus exec deb1 -- su - user 
 \end{lstlisting}

-% New section for veth pair setup
 \section{Setting Up a Veth Pair Between Container and Network Namespace}
 To enable direct communication between a container and a network namespace, a virtual Ethernet (\texttt{veth}) pair is created. The following Python script (\texttt{link.py}) is used to create a \texttt{veth} pair between the \texttt{deb1} (an Incus container) and the \texttt{ns1} network namespace, with interfaces named \texttt{vA} and \texttt{vB}.

@ -116,10 +117,12 @@ sudo python3 link.py -n1 vA -t2 incus -ns2 deb1 -n2 vB
 \end{lstlisting}

 This command:
-\begin{itemize}
-  \item Creates a \texttt{veth} pair with one end (\texttt{vA}) in the default namespace and the other end (\texttt{vB}) in the \texttt{deb1}'s network namespace.
-  \item Ensures the interfaces are set up and operational, allowing network traffic to flow between the container and the \texttt{ns1} namespace (or default namespace if \texttt{ns1} is not explicitly created).
-\end{itemize}
+
+  
+- Creates a \texttt{veth} pair with one end (\texttt{vA}) in the default namespace and the other end (\texttt{vB}) in the \texttt{deb1}'s network namespace.
+  
+- Ensures the interfaces are set up and operational, allowing network traffic to flow between the container and the \texttt{ns1} namespace (or default namespace if \texttt{ns1} is not explicitly created).
+

 The script uses the \texttt{pyroute2} library to manage network interfaces and namespaces, and supports container types such as Incus, LXC, LXD, and Docker. Ensure the \texttt{deb1} is running in Incus before executing the command.

@ -148,7 +151,6 @@ Apply the configuration:
 incus exec deb1 -- netplan apply
 \end{lstlisting}

-
 \subsection{Installing dnsmasq}
 Update the package list and install \texttt{dnsmasq}:
 \begin{lstlisting}[language=bash]
@ -156,7 +158,6 @@ incus exec deb1 -- apt update
 incus exec deb1 -- apt install dnsmasq -y
 \end{lstlisting}

-
 \subsection{Configuring dnsmasq}
 Edit the \texttt{dnsmasq} configuration file at \texttt{/etc/dnsmasq.conf}:
 \begin{lstlisting}[language=bash]
@ -180,15 +181,45 @@ dhcp-option=6,8.8.8.8,8.8.4.4
 \end{lstlisting}

 \textbf{Explanation:}
-\begin{itemize}
-  \item \texttt{domain-needed}: Prevents incomplete domain names from being sent to upstream DNS.
-  \item \texttt{bogus-priv}: Blocks reverse DNS lookups for private IP ranges.
-  \item \texttt{no-resolv}: Disables reading \texttt{/etc/resolv.conf}.
-  \item \texttt{server}: Specifies upstream DNS servers (Google DNS in this case).
-  \item \texttt{local} and \texttt{domain}: Configures a local domain.
-  \item \texttt{dhcp-range}: Defines the IP range for DHCP clients (from 192.168.1.100 to 192.168.1.200, lease time 12 hours).
-  \item \texttt{dhcp-option}: Sets the default gateway (option 3) and DNS servers (option 6).
-\end{itemize}
+
+  
+- \texttt{domain-needed}: Prevents incomplete domain names from being sent to upstream DNS.
+  
+- \texttt{bogus-priv}: Blocks reverse DNS lookups for private IP ranges.
+  
+- \texttt{no-resolv}: Disables reading \texttt{/etc/resolv.conf}.
+  
+- \texttt{server}: Specifies upstream DNS servers (Google DNS in this case).
+  
+- \texttt{local} and \texttt{domain}: Configures a local domain.
+  
+- \texttt{dhcp-range}: Defines the IP range for DHCP clients (from 192.168.1.100 to 192.168.1.200, lease time 12 hours).
+  
+- \texttt{dhcp-option}: Sets the default gateway (option 3) and DNS servers (option 6).
+
+
+% ————————————————————————————————
+% 🔧 NOWA SEKCJA: System-Level Adjustments
+% ————————————————————————————————
+
+\subsection{System-Level Adjustments for Network Stability}
+In some cases, especially in nested or privileged containers, additional system-level adjustments are necessary to ensure proper network functionality and avoid conflicts.
+
+To remount the \texttt{/sys} filesystem as read-write (required if certain networking tools fail due to mount restrictions):
+\begin{lstlisting}[language=bash]
+sudo mount -o remount,rw /sys
+sudo systemctl restart systemd-udevd
+\end{lstlisting}
+
+Additionally, to prevent DNS conflicts with \texttt{systemd-resolved}, which may interfere with \texttt{dnsmasq}, stop and disable the service:
+\begin{lstlisting}[language=bash]
+sudo systemctl stop systemd-resolved
+sudo systemctl disable systemd-resolved
+\end{lstlisting}
+
+This ensures that \texttt{dnsmasq} can bind to port 53 without conflicts. If you require \texttt{systemd-resolved}, consider configuring it to listen on a different interface or using socket activation.
+
+% ————————————————————————————————

 \subsection{Starting and Enabling dnsmasq}
 Restart and enable the \texttt{dnsmasq} service:
@ -210,14 +241,16 @@ To test DHCP, connect a client device to the same network and verify that it rec

 \section{Troubleshooting}
 If \texttt{dnsmasq} fails to start:
-\begin{itemize}
-  \item Check the logs: \texttt{incus exec deb1 -- journalctl -u dnsmasq}.
-  \item Ensure no other service is using port 53 (DNS) or 67 (DHCP).
-  \item Verify the network configuration with \texttt{incus exec deb1 -- ip a} and \texttt{incus exec deb1 -- ping 8.8.8.8}.
-\end{itemize}
+
+  
+- Check the logs: \texttt{incus exec deb1 -- journalctl -u dnsmasq}.
+  
+- Ensure no other service is using port 53 (DNS) or 67 (DHCP).
+  
+- Verify the network configuration with \texttt{incus exec deb1 -- ip a} and \texttt{incus exec deb1 -- ping 8.8.8.8}.
+

 \section{Conclusion}
 This guide configures \texttt{dnsmasq} as a DNS and DHCP server in an Incus container on Debian. The Netplan configuration ensures proper network setup. For advanced configurations, refer to the \texttt{dnsmasq} documentation (\texttt{man dnsmasq}).

 \end{document}
-