m/node: clean up DNS service

The primary change in here is that CoreDNS now only listens on the
loopback interface by default.
This fixes #217 as it cannot be accessed from the outside anymore.
Since the containers do not share the host network namespace, they can
now no longer access the DNS service. This is solved by introducing a
new Network Service API to add listener IPs and using a link-local IP,
169.254.77.53, for the container DNS.
While at it, I cleaned up various parts of the DNS code.

Change-Id: Id7b618f62690032db335e8478b9de84410c210a1
Reviewed-on: https://review.monogon.dev/c/monogon/+/1759
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/net_ips.go b/metropolis/node/net_ips.go
new file mode 100644
index 0000000..27bc4b1
--- /dev/null
+++ b/metropolis/node/net_ips.go
@@ -0,0 +1,10 @@
+package node
+
+import "net"
+
+// These are IP addresses used by various parts of Metropolis.
+var (
+	// Used by //metropolis/node/kubernetes as the DNS server IP for containers.
+	// Link-local IP space, 77 for ASCII M(onogon), 53 for DNS port.
+	ContainerDNSIP = net.IPv4(169, 254, 77, 53)
+)
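Review bot: ContainerDNSIP in the var block is an exported, mutable package-level net.IP, which is a byte slice, so any package importing node can reassign it or overwrite its bytes in place and silently change the address containers use for DNS. Consider exposing it through a function that returns a fresh value on each call, or using an immutable value type such as netip.Addr; at minimum, state in the comment that callers must not modify it. The doc comment would also be easier to find in godoc if it started with the identifier ("ContainerDNSIP is ..."), and it could mention that net.IPv4 returns the 16-byte form, so code that needs four bytes has to call To4().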