The Openshift 'all-in-one' Vagrant box uses xip.io. The security team at my company has relayed to us that using 'xip.io' for a wildcard DNS could cause some security concerns. So given that 'xip.io' is not an option, how can I get this set up?
2 Answers
We ran into a similar issue at my company. The best answer, which is a bit dire, is that you'll need to set up your own custom DNS. Sorry to say, because it is a bit annoying to do, but it's not all that bad. Use this link, it should give you some guidance.
Basically, you'll need to edit the /etc/dnsmasq.conf file to look like:
# Reverse DNS record for master
host-record=master.example.com,192.168.1.100
# Wildcard DNS for OpenShift Applications - Points to Router
address=/apps.example.com/192.168.1.100
The article goes into great detail. I'm not sure how network savvy you are, but if you're not, then I'd suggest roping in one of your ops guys to assist with this. Without a relatively good understanding of networking, setting this up would be quite difficult.

- Firstly, thank you. Any suggestions on a Linux flavor for the DNS server I'd set up? – womplefrog Aug 20 '16 at 21:41
- Mmmm. Well, you're working with OpenShift so I'd imagine you either, A, have your hands on a licensed copy of RHEL or, B, you are probably using CentOS. If you have an extra copy of RHEL then use that because you'd want great security on a DNS server and SELinux on RHEL is top notch. – JWAL Aug 20 '16 at 21:51
- That makes sense. Thanks again. I don't have another copy of RHEL. Would CentOS be OK to use? How is SELinux on it? – womplefrog Aug 20 '16 at 21:53
- RHEL and CentOS are the same thing, really. The only difference being that one comes with a service contract (RHEL), while the other does not. CentOS would work perfectly. Just make sure that SELinux is turned on. – JWAL Aug 20 '16 at 21:55
- Yup. Switching from permissive to enforced is always one of my first steps when setting up a Red Hat Linux distro. – womplefrog Aug 20 '16 at 22:00
I understand that you can do this without requiring your own DNS.
The quickest way is to manually add the required entries to /etc/hosts of your host system, mapping them to the IP address that the xip.io address would map to.
Alternatively, set up dnsmasq with something like the following.
$ cat /usr/local/etc/dnsmasq.conf
address=/.10.2.2.2.xip.io/10.2.2.2
address=/.ain1/10.2.2.2
address=/.10.1.2.2.xip.io/10.1.2.2
address=/.cdk/10.1.2.2
$ ls /etc/resolver/
ain1 ain1-xip cdk cdk-xip ddns
$ cat /etc/resolver/cdk-xip
domain 10.1.2.2.xip.io
nameserver 127.0.0.1
This is cut and paste from elsewhere and I don't use CDK myself so not sure about the IP addresses here, but I understand this shouldn't require you to set up separate DNS. The 'ain1' entry is for the OpenShift Origin all in one VM, which is equivalent to CDK for OpenShift, but using latest Origin upstream version.

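A way to check, before pointing clients at a local dnsmasq, which hostnames a config like the ones in the two answers would answer locally and which would still be forwarded to an upstream resolver. This is an added example, not code from either answer: it models only the `host-record=` and `address=` forms shown on this page, and the sample hostnames are constructed.

```python
"""Report which hostnames a dnsmasq config answers locally (added example)."""

# Config copied from the first answer on this page.
DNSMASQ_CONF = """\
# Reverse DNS record for master
host-record=master.example.com,192.168.1.100
# Wildcard DNS for OpenShift Applications - Points to Router
address=/apps.example.com/192.168.1.100
"""

# Constructed sample hostnames (not from the page).
SAMPLE_NAMES = ["master.example.com", "myapp.apps.example.com", "apps.example.com",
                "notapps.example.com", "myapp.192.168.1.100.xip.io"]


def parse_conf(text):
    """Return (exact, wildcard) name-to-IP maps from host-record= and address= lines."""
    exact, wildcard = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "host-record":  # form used on this page: name(s), then one IP
            *names, ip = [v.strip() for v in value.split(",")]
            exact.update({n.lower().rstrip("."): ip for n in names})
        elif key == "address":  # address=/<domain>[/<domain>...]/<ip>
            parts = value.split("/")
            for domain in parts[1:-1]:
                # A leading dot, as in the second answer's config, is dropped.
                wildcard[domain.lower().strip(".")] = parts[-1]
    return exact, wildcard


def resolve(name, exact, wildcard):
    """Return (ip, rule) if answered locally, or None if forwarded upstream."""
    name = name.lower().rstrip(".")
    if name in exact:  # the page's configs never overlap the two directives
        return exact[name], "host-record"
    labels = name.split(".")
    for i in range(len(labels)):  # longest suffix first, whole labels only
        suffix = ".".join(labels[i:])
        if suffix in wildcard:
            return wildcard[suffix], "address=/%s/" % suffix
    return None


def audit(conf_text, names):
    """Map each hostname to its local answer, or None when it would be forwarded."""
    exact, wildcard = parse_conf(conf_text)
    return {n: resolve(n, exact, wildcard) for n in names}


if __name__ == "__main__":
    for host, hit in audit(DNSMASQ_CONF, SAMPLE_NAMES).items():
        print(f"{host:30} {'local ' + hit[0] if hit else 'forwarded upstream'}")
```

A name that comes back as `None` is not covered by the config, so dnsmasq would pass the query on; with the first answer's config that includes any remaining `*.xip.io` hostname.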