I am running lxc-net service on Oracle Linux 7. Here is the configuration
information for the dnsmasq setup:
### START dnsmasq (lxc-net) configuration information ###
[ubuntu@guardian ~]$ cat /etc/NetworkManager/NetworkManager.conf
# Configuration file for NetworkManager.
# See "man 5 NetworkManager.conf" for details.
# The directory /etc/NetworkManager/conf.d/ can contain additional
# snippets. Those snippets override the settings from this main file.
# The files within conf.d/ directory are read in asciibetical order.
# If two files define the same key, the one that is read afterwards will
# the previous one.
[ubuntu@guardian ~]$ dnsmasq --version
Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua
TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
[ubuntu@guardian ~]$ cat /etc/dnsmasq.conf | grep -v '#' | sort -u
[ubuntu@guardian ~]$ uname -a
Linux guardian 4.1.12-112.14.1.el7uek.x86_64 #2 SMP Fri Dec 8 18:37:23 PST 2017 x86_64 x86_64 x86_64 GNU/Linux
[ubuntu@guardian ~]$ cat /etc/oracle-release
Oracle Linux Server release 7.4
[ubuntu@guardian ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)
[ubuntu@guardian ~]$ cat /etc/sysconfig/lxc-net
# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers. Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.
# If you change the LXC_BRIDGE to something other than lxcbr0, then
# you will also need to update your /etc/lxc/default.conf as well as the
# configuration (/var/lib/lxc/<container>/config) for any containers
# already created using the default config to reflect the new bridge
# If you have the dnsmasq daemon installed, you'll also have to update
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
# container 'mail1' always get ip address 10.0.3.100.
# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
# domain. You can then add "server=/lxc/10.0.3.1' (or your actual )
# to /etc/dnsmasq.conf, after which 'container1.lxc' will resolve on your
### END dnsmasq (lxc-net) configuration ###
At 10.207.39.2 (on a different physical host - "santorini") via a GRE
tunnel there is an LXC container "olive" that has a bind9/isc-dhcp-server
setup that hands out dhcp addresses and automatically adds them to bind9
DNS, all inside the container.
Everything works just great for DNS resolution on guardian EXCEPT that when
new containers are created and come up on santorini, DNS lookups fail on
guardian for the container DNS records newly added to olive. The only way
I can get lxc-net to successfully look up newly added DNS entries on olive
is to restart lxc-net on guardian (sudo service lxc-net restart), and then
the lookups are all there, including any that were added on olive in the last
Now I have found that if I activate the "no-resolv" parameter in
/etc/dnsmasq.conf then new DNS records on olive are immediately available
on guardian without any need to restart lxc-net on guardian. However, this
breaks WAN resolution to internet destinations such as google.com, yahoo.com,
etc. Also, "no-resolv" apparently only resolves short names - for example,
it will resolve "newcontainer" but it won't resolve
"newcontainer.urdomain1.com". I also did some experiments with the
parameter "all-servers" but it didn't seem to have any effect.
This seems to be a general configuration problem because I have the same
issue when systemd-resolved is used remotely in the same way I am using
dnsmasq on guardian to call the DNS/DHCP container "olive" on the
GRE-connected remote host. So I think this is a general DNS lookup
scenario that is not dnsmasq-specific, but nevertheless I'm trying to
configure dnsmasq so that it will not be necessary to keep restarting
lxc-net dnsmasq on guardian to pick up new DNS updates from olive, while at
the same time being able to resolve WAN addresses on guardian.
Dnsmasq-discuss mailing list
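The fragment below is an added example, not part of the original post and not anything the poster or the lxc-net project ships. It shows the split-forwarding arrangement the post circles around: the lxc-net dnsmasq on guardian keeps using the WAN resolvers from /etc/resolv.conf (so "no-resolv" is never needed), and only the container zone served by bind9 in "olive" is forwarded to that server with a domain-qualified server= line, the same mechanism as the "server=/lxc/10.0.3.1" hint in /etc/sysconfig/lxc-net. Assumptions, all labelled in the comments: olive's bind9 answers on 10.207.39.2, the container zone is urdomain1.com with the reverse zone 10.207.39.0/24, the bridge is lxcbr0, and the file is placed wherever the lxc-net dnsmasq reads its conf-file (LXC_DHCP_CONFILE in /etc/sysconfig/lxc-net, or /etc/dnsmasq.conf for a system-wide dnsmasq).

```conf
# Added example (not from the original post): dnsmasq fragment for guardian.
# Assumption: the bind9/isc-dhcp-server container "olive" answers DNS on
# 10.207.39.2 and is authoritative for urdomain1.com / 10.207.39.0/24.

# Keep taking upstream WAN resolvers from /etc/resolv.conf. Do NOT set
# no-resolv here; that is what broke google.com / yahoo.com in the post.
resolv-file=/etc/resolv.conf

# Forward ONLY the container zone (forward and reverse) to olive. A server=
# line with a domain part never affects queries for other names, so WAN
# lookups still go to the resolv.conf servers. This is also the least-
# exposure choice: the container resolver sees only queries for its own zone.
server=/urdomain1.com/10.207.39.2
server=/39.207.10.in-addr.arpa/10.207.39.2

# Optional: resolve the .lxc short domain via the local lxc-net dnsmasq
# (the 10.0.3.1 address is the lxcbr0 default quoted in /etc/sysconfig/lxc-net).
server=/lxc/10.0.3.1

# Do not forward private reverse lookups to the WAN resolvers; answer them
# locally (or via the server= line above) instead.
bogus-priv

# Disable caching of "no such domain" answers. If a container's name was
# queried before olive learned it, a cached NXDOMAIN would otherwise be served
# until it expires; this is a hypothesis about the post's symptom, not a
# diagnosis the post establishes.
no-negcache

# Answer only on the container bridge so this instance is not reachable as an
# open resolver from the WAN side. lxc-net normally passes the interface on
# the command line; these are kept here for a stand-alone dnsmasq.
interface=lxcbr0
bind-interfaces
```

With this in place "all-servers" is unnecessary: that option only changes which upstream wins a race for the same query, whereas a domain-qualified server= line decides which upstream is asked at all. Short names still depend on the clients' own search list (the search entry in their /etc/resolv.conf, or the domain option handed out by DHCP); dnsmasq does not append a suffix to forwarded queries on its own. After editing, "dnsmasq --test" checks the file for syntax errors, and "dig @127.0.0.1 newcontainer.urdomain1.com" versus "dig @10.207.39.2 newcontainer.urdomain1.com" shows whether guardian's cache or olive's zone is the one lagging.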