みなさんあのね

Notes from an infrastructure SE whose day job is fiddling with Excel

Using Consul as a DNS server

What I wanted to do

"I want to connect over HTTPS from an iPhone to a test web server, but there is no DNS server... Installing bind on the web server is overkill... If only there were a DNS server that runs as a single file..."

While searching for a solution to that rather niche problem, the page describing Consul's DNS interface came up, so I decided to install Consul on the web server and make it double as a web and DNS (Consul) server.

Initial setup

Tell Consul to accept name-resolution requests on port 53, and hand name-resolution requests for anything other than the host Consul is running on over to 8.8.8.8.

$ sudo mkdir /etc/consul.d
$ sudo chown hoge:hoge /etc/consul.d
$ cat << JSON >> /etc/consul.d/consul.json
{
  "ports": {
    "dns": 53
  },
  "recursor": "8.8.8.8"
}
JSON
$ sudo mkdir /tmp/consul
$ sudo chown hoge:hoge /tmp/consul

Startup

By specifying node and domain, Consul can answer name-resolution requests for the common name consul1.node.kintoki.xyz.

$ sudo ./consul agent -dev -server -domain=kintoki.xyz -client=0.0.0.0 \
             -node=consul1 -data-dir=/tmp/consul -bind=192.168.10.224 \
             -config-dir /etc/consul.d \
             -config-file /etc/consul.d/consul.json &
[1] 6598
Downloads$ ==> Starting Consul agent...
==> Starting Consul agent RPC...
==> Consul agent running!
         Node name: 'consul1'
        Datacenter: 'dc1'
            Server: true (bootstrap: false)
       Client Addr: 0.0.0.0 (HTTP: 8500, HTTPS: -1, DNS: 53, RPC: 8400)
      Cluster Addr: 192.168.10.224 (LAN: 8301, WAN: 8302)
    Gossip encrypt: false, RPC-TLS: false, TLS-Incoming: false
             Atlas: <disabled>

domain option

-domain - By default, Consul responds to DNS queries in the "consul." domain. This flag can be used to change that domain. All queries in this domain are assumed to be handled by Consul and will not be recursively resolved. (Source: Configuration - Consul by HashiCorp)

bind option

-bind - The address that should be bound to for internal cluster communications. This is an IP address that should be reachable by all other nodes in the cluster. By default, this is "0.0.0.0", meaning Consul will use the first available private IPv4 address. If you specify "[::]", Consul will use the first available public IPv6 address. Consul uses both TCP and UDP and the same port for both. If you have any firewalls, be sure to allow both protocols. (Source: Configuration - Consul by HashiCorp)

client option

-client - The address to which Consul will bind client interfaces, including the HTTP, DNS, and RPC servers. By default, this is "127.0.0.1", allowing only loopback connections. The RPC address is used by other Consul commands, such as consul members, in order to query a running Consul agent. (Source: Configuration - Consul by HashiCorp)

config-file option

-config-file - A configuration file to load. For more information on the format of this file, read the Configuration Files section. This option can be specified multiple times to load multiple configuration files. If it is specified multiple times, configuration files loaded later will merge with configuration files loaded earlier. During a config merge, single-value keys (string, int, bool) will simply have their values replaced while list types will be appended together. (Source: Configuration - Consul by HashiCorp)

config-dir option

-config-dir - A directory of configuration files to load. Consul will load all files in this directory with the suffix ".json". The load order is alphabetical, and the same merge routine is used as with the config-file option above. This option can be specified multiple times to load multiple directories. Sub-directories of the config directory are not loaded. For more information on the format of the configuration files, see the Configuration Files section. (Source: Configuration - Consul by HashiCorp)

data-dir option

-data-dir - This flag provides a data directory for the agent to store state. This is required for all agents. The directory should be durable across reboots. This is especially critical for agents that are running in server mode as they must be able to persist cluster state. Additionally, the directory must support the use of filesystem locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may not be suitable. (Source: Configuration - Consul by HashiCorp)
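The merge rules quoted for -config-file and -config-dir matter for the startup command in this post, which hands Consul the same /etc/consul.d/consul.json twice (once through -config-dir, once through -config-file). The Python script below is an added example, not code from the post or from Consul: it models the documented rules (scalars replaced, lists appended, alphabetical *.json load order, sub-directories skipped; key-by-key merging of nested objects such as "ports" and the directories-before-files order are assumptions) and replays that double load with the list-form "recursors" key in place of the single-string "recursor", which makes the list being appended twice visible.

```python
import json
import os
import tempfile

def merge_config(base, override):
    """Merge rule from the docs quoted above: scalars are replaced, lists are appended.
    Nested objects such as "ports" are merged key by key (an assumption about sub-objects)."""
    out = dict(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge_config(out[key], val)
        elif isinstance(val, list) and isinstance(out.get(key), list):
            out[key] = out[key] + val
        else:
            out[key] = val
    return out

def load_config_dir(path):
    """-config-dir: every *.json file in one directory, alphabetical order, sub-directories skipped."""
    merged = {}
    for fname in sorted(os.listdir(path)):
        full = os.path.join(path, fname)
        if fname.endswith(".json") and os.path.isfile(full):
            with open(full) as fh:
                merged = merge_config(merged, json.load(fh))
    return merged

def load_agent_config(config_dirs=(), config_files=()):
    """Apply the sources in turn; later sources win for scalars and extend lists.
    Directories before files mirrors the flag order in the post's command (assumption)."""
    merged = {}
    for d in config_dirs:
        merged = merge_config(merged, load_config_dir(d))
    for f in config_files:
        with open(f) as fh:
            merged = merge_config(merged, json.load(fh))
    return merged

def demo():
    """Constructed replay of the post's start-up: the same consul.json passed through both flags,
    written here with the list-form "recursors" key so the append rule is visible."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "consul.json")
        with open(path, "w") as fh:
            json.dump({"ports": {"dns": 53}, "recursors": ["8.8.8.8"]}, fh)
        os.mkdir(os.path.join(d, "sub"))          # contents of sub-directories must not be loaded
        with open(os.path.join(d, "sub", "other.json"), "w") as fh:
            json.dump({"ports": {"dns": 1}}, fh)
        return load_agent_config(config_dirs=[d], config_files=[path])
```

With the string-valued "recursor" used in the post the double load is harmless, since a scalar is simply replaced by the same value.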

Name-resolution test (on the web/DNS server)

Run the name-resolution test on the Consul server itself.

$ dig @192.168.10.224 consul1.node.kintoki.xyz
    2016/07/09 00:45:50 [DEBUG] dns: request for {consul1.node.kintoki.xyz. 1 1} (1.364404ms) from client 192.168.10.224:50229 (udp)

; <<>> DiG 9.8.3-P1 <<>> @192.168.10.224 consul1.node.kintoki.xyz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24592
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;consul1.node.kintoki.xyz.  IN  A

;; ANSWER SECTION:
consul1.node.kintoki.xyz. 0 IN  A   192.168.10.224

;; Query time: 4 msec
;; SERVER: 192.168.10.224#53(192.168.10.224)
;; WHEN: Sat Jul  9 00:45:50 2016
;; MSG SIZE  rcvd: 82
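As an added check that is not part of the post, the following Python script does from code what the dig command above does: it sends a raw A query to the agent (the address 192.168.10.224 and the name consul1.node.kintoki.xyz come from the post; everything else is assumed) and accepts the reply only if it is NOERROR, carries the AA flag Consul sets for its own -domain zone, and contains the expected address. sample_response() is a constructed copy of the 82-byte reply shown above so the parser can be exercised offline.

```python
import socket
import struct

def encode_name(name):                # dotted name -> uncompressed DNS wire labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
def build_query(name, qid=0x1234):    # minimal A/IN query with RD set, like dig sends
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def read_name(msg, off):              # read a (possibly compressed) name -> (name, next offset)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer: remember where to resume, then jump
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", end or off

def parse_response(msg):              # -> id, AA flag, rcode and the A answers as (name, ttl, ip)
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):               # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1:
            answers.append((name, ttl, socket.inet_ntoa(msg[off + 10:off + 10 + rdlen])))
        off += 10 + rdlen
    return {"id": qid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF, "answers": answers}

# Live check against the agent (address assumed from the post): True only if the reply is
# NOERROR, authoritative (Consul owns the -domain zone) and carries expected_ip.
def check_node(name, expected_ip, server=("192.168.10.224", 53)):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name), server)
        reply, _ = s.recvfrom(512)
    r = parse_response(reply)
    return r["rcode"] == 0 and r["aa"] and any(ip == expected_ip for _, _, ip in r["answers"])

def sample_response():                # constructed stand-in for the post's dig reply (id 24592, qr aa rd ra, TTL 0)
    owner = encode_name("consul1.node.kintoki.xyz")
    return (struct.pack("!HHHHHH", 24592, 0x8580, 1, 1, 0, 0) + owner + struct.pack("!HH", 1, 1)
            + owner + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton("192.168.10.224"))
```

Calling check_node("consul1.node.kintoki.xyz", "192.168.10.224") from a host on the same network reproduces the dig test above; a name outside kintoki.xyz should come back without the AA flag, because it was forwarded to the recursor.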

Name-resolution test (connecting from the iPhone to the Consul server)

Put the Consul server and the iPhone on the same network, and check that the iPhone can reach the Consul server (the web/DNS server) by entering http://consul1.node.kintoki.xyz:8000. Don't forget to set the iPhone's DNS server to the Consul server. If hogefile is displayed, it worked.


~$ mkdir hoge
~$ cd hoge
hoge$ touch hogefile
# start Python's simple built-in web server
hoge$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...


Summary

Consul works as a DNS server! I didn't have to resort to the risky trick of rewriting the iPhone's hosts file. All that's left is to create a certificate and install it on the web server.