m/node: clean up DNS service
The primary change in here is that CoreDNS now only listens on the
loopback interface by default.
This fixes #217 as it cannot be accessed from the outside anymore.
Since the containers do not share the host network namespace, they can
now no longer access the DNS service. This is solved by introducing a
new Network Service API to add listener IPs and using a link-local IP,
169.254.77.53 for the container DNS.
While at it, I cleaned up various parts of the DNS code.
Change-Id: Id7b618f62690032db335e8478b9de84410c210a1
Reviewed-on: https://review.monogon.dev/c/monogon/+/1759
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/core/main.go b/metropolis/node/core/main.go
index 13d735f..dc50269 100644
--- a/metropolis/node/core/main.go
+++ b/metropolis/node/core/main.go
@@ -20,12 +20,14 @@
"context"
"fmt"
"io"
+ "net"
"os"
"strings"
"time"
"golang.org/x/sys/unix"
+ "source.monogon.dev/metropolis/node"
"source.monogon.dev/metropolis/node/core/cluster"
"source.monogon.dev/metropolis/node/core/localstorage"
"source.monogon.dev/metropolis/node/core/localstorage/declarative"
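Review bot: the new `"source.monogon.dev/metropolis/node"` import pulls the whole top-level `node` package into `core/main.go` for a single constant (`node.ContainerDNSIP` in the later hunk); please confirm that package does not itself import anything under `node/core`, or this will surface as an import cycle rather than a build of the expected binary. If `node` is the right home for cluster-wide well-known addresses, a one-line doc comment on the constant stating that it is the container-facing DNS listener would help readers landing here from the import.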
@@ -115,6 +117,7 @@
networkSvc := network.New(nil)
networkSvc.DHCPVendorClassID = "dev.monogon.metropolis.node.v1"
+ networkSvc.ExtraDNSListenerIPs = []net.IP{node.ContainerDNSIP}
timeSvc := timesvc.New()
// This function initializes a headless Delve if this is a debug build or