diff --git a/doc/main.md b/doc/main.md index 30c79f3..765a4d1 100644 --- a/doc/main.md +++ b/doc/main.md @@ -14,13 +14,13 @@ integration. Before proceeding, ensure the following: -- Incus is installed on the host system (`sudo apt install incus`). +\- Incus is installed on the host system (`sudo apt install incus`). -- A Debian-based container is created in Incus. +\- A Debian-based container is created in Incus. -- Basic knowledge of Linux networking and container management. +\- Basic knowledge of Linux networking and container management. -- Root or sudo access to the host and container. +\- Root or sudo access to the host and container. # Step-by-Step Configuration @@ -104,12 +104,12 @@ interfaces named `vA` and `vB`. This command: -- Creates a `veth` pair with one end (`vA`) in the default namespace - and the other end (`vB`) in the `deb1`'s network namespace. +\- Creates a `veth` pair with one end (`vA`) in the default namespace +and the other end (`vB`) in the `deb1`'s network namespace. -- Ensures the interfaces are set up and operational, allowing network - traffic to flow between the container and the `ns1` namespace (or - default namespace if `ns1` is not explicitly created). +\- Ensures the interfaces are set up and operational, allowing network +traffic to flow between the container and the `ns1` namespace (or +default namespace if `ns1` is not explicitly created). The script uses the `pyroute2` library to manage network interfaces and namespaces, and supports container types such as Incus, LXC, LXD, and @@ -184,22 +184,48 @@ Add or modify the following settings to enable DNS and DHCP: **Explanation:** -- `domain-needed`: Prevents incomplete domain names from being sent to - upstream DNS. +\- `domain-needed`: Prevents incomplete domain names from being sent to +upstream DNS. -- `bogus-priv`: Blocks reverse DNS lookups for private IP ranges. +\- `bogus-priv`: Blocks reverse DNS lookups for private IP ranges. -- `no-resolv`: Disables reading `/etc/resolv.conf`. +\- `no-resolv`: Disables reading `/etc/resolv.conf`. -- `server`: Specifies upstream DNS servers (Google DNS in this case). +\- `server`: Specifies upstream DNS servers (Google DNS in this case). -- `local` and `domain`: Configures a local domain. +\- `local` and `domain`: Configures a local domain. -- `dhcp-range`: Defines the IP range for DHCP clients (from - 192.168.1.100 to 192.168.1.200, lease time 12 hours). +\- `dhcp-range`: Defines the IP range for DHCP clients (from +192.168.1.100 to 192.168.1.200, lease time 12 hours). -- `dhcp-option`: Sets the default gateway (option 3) and DNS servers - (option 6). +\- `dhcp-option`: Sets the default gateway (option 3) and DNS servers +(option 6). + +## System-Level Adjustments for Network Stability + +In some cases, especially in nested or privileged containers, additional +system-level adjustments are necessary to ensure proper network +functionality and avoid conflicts. + +To remount the `/sys` filesystem as read-write (required if certain +networking tools fail due to mount restrictions): + +``` {.bash language="bash"} +sudo mount -o remount,rw /sys +sudo systemctl restart systemd-udevd +``` + +Additionally, to prevent DNS conflicts with `systemd-resolved`, which +may interfere with `dnsmasq`, stop and disable the service: + +``` {.bash language="bash"} +sudo systemctl stop systemd-resolved +sudo systemctl disable systemd-resolved +``` + +This ensures that `dnsmasq` can bind to port 53 without conflicts. If +you require `systemd-resolved`, consider configuring it to listen on a +different interface or using socket activation. ## Starting and Enabling dnsmasq @@ -232,12 +258,12 @@ that it receives an IP address in the range If `dnsmasq` fails to start: -- Check the logs: `incus exec deb1 – journalctl -u dnsmasq`. +\- Check the logs: `incus exec deb1 – journalctl -u dnsmasq`. -- Ensure no other service is using port 53 (DNS) or 67 (DHCP). +\- Ensure no other service is using port 53 (DNS) or 67 (DHCP). -- Verify the network configuration with `incus exec deb1 – ip a` and - `incus exec deb1 – ping 8.8.8.8`. +\- Verify the network configuration with `incus exec deb1 – ip a` and +`incus exec deb1 – ping 8.8.8.8`. # Conclusion diff --git a/doc/main.pdf b/doc/main.pdf index b291df1..d130743 100644 Binary files a/doc/main.pdf and b/doc/main.pdf differ diff --git a/doc/main.tex b/doc/main.tex index 1bd9dd5..ab06ca8 100644 --- a/doc/main.tex +++ b/doc/main.tex @@ -44,12 +44,16 @@ This guide provides step-by-step instructions for setting up \texttt{dnsmasq} as \section{Prerequisites} Before proceeding, ensure the following: -\begin{itemize} - \item Incus is installed on the host system (\texttt{sudo apt install incus}). - \item A Debian-based container is created in Incus. - \item Basic knowledge of Linux networking and container management. - \item Root or sudo access to the host and container. -\end{itemize} + + +- Incus is installed on the host system (\texttt{sudo apt install incus}). + +- A Debian-based container is created in Incus. + +- Basic knowledge of Linux networking and container management. + +- Root or sudo access to the host and container. + \section{Step-by-Step Configuration} @@ -64,8 +68,6 @@ incus start deb1 \end{lstlisting} The \texttt{security.syscalls.intercept.mount}, \texttt{security.nesting}, and \texttt{security.privileged} settings are required for \texttt{dnsmasq} and Docker to function correctly in the container. - -% New subsection for firewall settings \subsection{Firewall Configuration} To allow traffic forwarding between the \texttt{incusbr0} bridge and the \texttt{wlo1} wireless interface, the following iptables rules are applied: @@ -107,7 +109,6 @@ Access the container's shell: incus exec deb1 -- su - user \end{lstlisting} -% New section for veth pair setup \section{Setting Up a Veth Pair Between Container and Network Namespace} To enable direct communication between a container and a network namespace, a virtual Ethernet (\texttt{veth}) pair is created. The following Python script (\texttt{link.py}) is used to create a \texttt{veth} pair between the \texttt{deb1} (an Incus container) and the \texttt{ns1} network namespace, with interfaces named \texttt{vA} and \texttt{vB}. @@ -116,10 +117,12 @@ sudo python3 link.py -n1 vA -t2 incus -ns2 deb1 -n2 vB \end{lstlisting} This command: -\begin{itemize} - \item Creates a \texttt{veth} pair with one end (\texttt{vA}) in the default namespace and the other end (\texttt{vB}) in the \texttt{deb1}'s network namespace. - \item Ensures the interfaces are set up and operational, allowing network traffic to flow between the container and the \texttt{ns1} namespace (or default namespace if \texttt{ns1} is not explicitly created). -\end{itemize} + + +- Creates a \texttt{veth} pair with one end (\texttt{vA}) in the default namespace and the other end (\texttt{vB}) in the \texttt{deb1}'s network namespace. + +- Ensures the interfaces are set up and operational, allowing network traffic to flow between the container and the \texttt{ns1} namespace (or default namespace if \texttt{ns1} is not explicitly created). + The script uses the \texttt{pyroute2} library to manage network interfaces and namespaces, and supports container types such as Incus, LXC, LXD, and Docker. Ensure the \texttt{deb1} is running in Incus before executing the command. @@ -148,7 +151,6 @@ Apply the configuration: incus exec deb1 -- netplan apply \end{lstlisting} - \subsection{Installing dnsmasq} Update the package list and install \texttt{dnsmasq}: \begin{lstlisting}[language=bash] @@ -156,7 +158,6 @@ incus exec deb1 -- apt update incus exec deb1 -- apt install dnsmasq -y \end{lstlisting} - \subsection{Configuring dnsmasq} Edit the \texttt{dnsmasq} configuration file at \texttt{/etc/dnsmasq.conf}: \begin{lstlisting}[language=bash] @@ -180,15 +181,45 @@ dhcp-option=6,8.8.8.8,8.8.4.4 \end{lstlisting} \textbf{Explanation:} -\begin{itemize} - \item \texttt{domain-needed}: Prevents incomplete domain names from being sent to upstream DNS. - \item \texttt{bogus-priv}: Blocks reverse DNS lookups for private IP ranges. - \item \texttt{no-resolv}: Disables reading \texttt{/etc/resolv.conf}. - \item \texttt{server}: Specifies upstream DNS servers (Google DNS in this case). - \item \texttt{local} and \texttt{domain}: Configures a local domain. - \item \texttt{dhcp-range}: Defines the IP range for DHCP clients (from 192.168.1.100 to 192.168.1.200, lease time 12 hours). - \item \texttt{dhcp-option}: Sets the default gateway (option 3) and DNS servers (option 6). -\end{itemize} + + +- \texttt{domain-needed}: Prevents incomplete domain names from being sent to upstream DNS. + +- \texttt{bogus-priv}: Blocks reverse DNS lookups for private IP ranges. + +- \texttt{no-resolv}: Disables reading \texttt{/etc/resolv.conf}. + +- \texttt{server}: Specifies upstream DNS servers (Google DNS in this case). + +- \texttt{local} and \texttt{domain}: Configures a local domain. + +- \texttt{dhcp-range}: Defines the IP range for DHCP clients (from 192.168.1.100 to 192.168.1.200, lease time 12 hours). + +- \texttt{dhcp-option}: Sets the default gateway (option 3) and DNS servers (option 6). + + +% ———————————————————————————————— +% 🔧 NOWA SEKCJA: System-Level Adjustments +% ———————————————————————————————— + +\subsection{System-Level Adjustments for Network Stability} +In some cases, especially in nested or privileged containers, additional system-level adjustments are necessary to ensure proper network functionality and avoid conflicts. + +To remount the \texttt{/sys} filesystem as read-write (required if certain networking tools fail due to mount restrictions): +\begin{lstlisting}[language=bash] +sudo mount -o remount,rw /sys +sudo systemctl restart systemd-udevd +\end{lstlisting} + +Additionally, to prevent DNS conflicts with \texttt{systemd-resolved}, which may interfere with \texttt{dnsmasq}, stop and disable the service: +\begin{lstlisting}[language=bash] +sudo systemctl stop systemd-resolved +sudo systemctl disable systemd-resolved +\end{lstlisting} + +This ensures that \texttt{dnsmasq} can bind to port 53 without conflicts. If you require \texttt{systemd-resolved}, consider configuring it to listen on a different interface or using socket activation. + +% ———————————————————————————————— \subsection{Starting and Enabling dnsmasq} Restart and enable the \texttt{dnsmasq} service: @@ -210,14 +241,16 @@ To test DHCP, connect a client device to the same network and verify that it rec \section{Troubleshooting} If \texttt{dnsmasq} fails to start: -\begin{itemize} - \item Check the logs: \texttt{incus exec deb1 -- journalctl -u dnsmasq}. - \item Ensure no other service is using port 53 (DNS) or 67 (DHCP). - \item Verify the network configuration with \texttt{incus exec deb1 -- ip a} and \texttt{incus exec deb1 -- ping 8.8.8.8}. -\end{itemize} + + +- Check the logs: \texttt{incus exec deb1 -- journalctl -u dnsmasq}. + +- Ensure no other service is using port 53 (DNS) or 67 (DHCP). + +- Verify the network configuration with \texttt{incus exec deb1 -- ip a} and \texttt{incus exec deb1 -- ping 8.8.8.8}. + \section{Conclusion} This guide configures \texttt{dnsmasq} as a DNS and DHCP server in an Incus container on Debian. The Netplan configuration ensures proper network setup. For advanced configurations, refer to the \texttt{dnsmasq} documentation (\texttt{man dnsmasq}). \end{document} -