Category: devops

How to keep systemd-resolved on Ubuntu from using 127.0.0.53


Last Updated on 2022-09-04

Some articles suggest disabling (removing) systemd-resolved and replacing it with resolvconf, openresolv or Unbound. In testing I found that on Ubuntu 20.04.2 LTS NetworkManager has been replaced by systemd-networkd and the dependency chain is fairly involved, so I instead looked for a configuration that keeps systemd-resolved but does not use 127.0.0.53.

I later found that systemd-resolved produces two runtime configuration files:

/run/systemd/resolve/resolv.conf
/run/systemd/resolve/stub-resolv.conf

By default /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf, so all that is needed is to point the /etc/resolv.conf symlink at /run/systemd/resolve/resolv.conf instead.

The files generated under /run/systemd/resolve/ are driven by /etc/systemd/resolved.conf, so I wrote the configuration script below. After running it on a server, /etc/resolv.conf indeed no longer points at 127.0.0.53.

# Drop-in telling systemd-resolved which upstream servers to write into /run/systemd/resolve/resolv.conf
mkdir -p /etc/systemd/resolved.conf.d/
cat >/etc/systemd/resolved.conf.d/99-dns.conf << EOF
[Resolve]
DNS=114.114.114.114 8.8.8.8
EOF
# Point /etc/resolv.conf at the upstream list instead of the stub file
ln -s -f /run/systemd/resolve/resolv.conf /etc/resolv.conf
systemctl daemon-reload && systemctl restart systemd-resolved.service && systemctl status -l systemd-resolved.service --no-pager
cat /etc/resolv.conf

My main reference was this article.

The article below explains why systemd-resolved listens on 127.0.0.53:53:

How and why (not) to use the 127.0.0.53 nameserver, systemd-resolved and resolvctl Or what is systemd-resolved and how it is integrated on Ubuntu

Since we no longer use 127.0.0.53, can we shut down the 127.0.0.53:53 listener altogether?

# Second drop-in: stop systemd-resolved from binding its stub listener at all
mkdir -p /etc/systemd/resolved.conf.d/
cat >/etc/systemd/resolved.conf.d/98-disable-127-53.conf << EOF
[Resolve]
DNSStubListener=no
EOF
systemctl daemon-reload && systemctl restart systemd-resolved.service && systemctl status -l systemd-resolved.service --no-pager

After running it, checking port 53 with ss -tunlp shows that the 127.0.0.53:53 listener is gone.
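To confirm that the two drop-ins above actually took effect (the symlink now bypasses the stub file, and the stub socket is no longer bound), here is a small POSIX shell audit script. It is an added example, not code from the original post or from systemd: the function names, the output format, and the sample resolv.conf files and ss snapshots it writes to a temp directory are all constructed for this illustration. Every check takes a file path so it can be exercised against those samples; run the script with the argument `live` to audit the real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit what the two drop-ins
# above changed. Each check takes a file path so it can run against the
# constructed samples below; audit_resolver applies them to the live host.

# Nameserver addresses from a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if the file still routes clients through the 127.0.0.53 stub.
resolv_uses_stub() {
    resolv_nameservers "$1" | grep -qx '127.0.0.53'
}

# Return 0 if 'ss -tunlp' output (file argument, or stdin) shows the stub
# socket; ss prints it as 127.0.0.53%lo:53 on Ubuntu, 127.0.0.53:53 elsewhere.
stub_listener_present() {
    awk '$5 ~ /^127\.0\.0\.53(%[^:]*)?:53$/ { found = 1 } END { exit !found }' "${1:-/dev/stdin}"
}

# Human-readable summary for the running system.
audit_resolver() {
    printf '/etc/resolv.conf -> %s\n' "$(readlink -f /etc/resolv.conf)"
    printf 'nameservers: %s\n' "$(resolv_nameservers /etc/resolv.conf | tr '\n' ' ')"
    if resolv_uses_stub /etc/resolv.conf; then
        echo 'mode: stub (lookups go through systemd-resolved on 127.0.0.53)'
    else
        echo 'mode: direct (clients contact the upstream servers themselves)'
    fi
    if ss -tunlp 2>/dev/null | stub_listener_present; then
        echo 'stub listener: still bound on 127.0.0.53:53'
    else
        echo 'stub listener: not bound (DNSStubListener=no in effect)'
    fi
    # Show which file sets the two keys the drop-ins above rely on.
    grep -HsE '^(DNS|DNSStubListener)=' /etc/systemd/resolved.conf /etc/systemd/resolved.conf.d/*.conf
}

# Constructed sample files (not captured from a real host): the stub and
# direct resolv.conf layouts, plus ss snapshots before and after the change.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_STUB="$SAMPLE_DIR/stub-resolv.conf"
SAMPLE_DIRECT="$SAMPLE_DIR/resolv.conf"
SAMPLE_SS_BEFORE="$SAMPLE_DIR/ss-before.txt"
SAMPLE_SS_AFTER="$SAMPLE_DIR/ss-after.txt"

cat >"$SAMPLE_STUB" <<'EOF'
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0 trust-ad
EOF

cat >"$SAMPLE_DIRECT" <<'EOF'
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
nameserver 114.114.114.114
nameserver 8.8.8.8
search example.internal
EOF

cat >"$SAMPLE_SS_BEFORE" <<'EOF'
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0       127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=632,fd=12))
tcp   LISTEN 0      4096    127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=632,fd=13))
tcp   LISTEN 0      128     0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
EOF

cat >"$SAMPLE_SS_AFTER" <<'EOF'
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128     0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
EOF

# Run the live audit only when asked, so sourcing the file just loads functions.
if [ "${1:-}" = "live" ]; then
    audit_resolver
fi
```

One thing worth keeping in mind when the audit reports "mode: direct": programs that read /run/systemd/resolve/resolv.conf talk to the upstream servers directly, so systemd-resolved's cache, its DNSSEC validation and any DNSOverTLS setting no longer apply to those lookups. If you depend on those features, the better fix is to keep the stub and repair the one consumer that cannot handle 127.0.0.53.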

Kubernetes-related

I also found that the kubelet installed by kubeadm (v1.21.3) uses /run/systemd/resolve/resolv.conf by default. It can be changed by hand; the configuration file (/var/lib/kubelet/config.yaml) is documented at https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/

The documentation for the resolvConf field says Default: "/etc/resolv.conf", so why does it end up as /run/systemd/resolve/resolv.conf after a kubeadm install? I am leaving this question open for now (2021-09-23).

cat /var/lib/kubelet/config.yaml | grep resolv
resolvConf: /run/systemd/resolve/resolv.conf

Looking through the kubeadm init log shows the individual operations of the kubeadm-init phase.

Of these, kubelet-start is responsible for: "Write a file with KubeletConfiguration and an environment file with node specific kubelet settings, and then (re)start kubelet."

After reading the code, it turns out kubeadm probes the environment and derives a working default configuration from it. With a binary (non-kubeadm) install you have to set this yourself in /var/lib/kubelet/config.yaml, and you must never use a resolv.conf that points at 127.0.0.53:53.

cat /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
resolvConf: /run/systemd/resolve/resolv.conf
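The kubelet setting matters because pods with the default dnsPolicy receive an /etc/resolv.conf derived from the file named by resolvConf; if that file lists 127.0.0.53, CoreDNS forwards its upstream queries to a loopback address inside its own pod network namespace, which produces the forwarding loop that the Kubernetes DNS documentation warns about for systemd-resolved hosts. The check below is an added example, not kubeadm's or the kubelet's own code. It assumes a plain top-level resolvConf: key in config.yaml (as in the kubeadm-generated file shown above), falls back to the documented kubelet default when the key is absent, and constructs its sample configurations and resolv.conf files in a temp directory.

```shell
#!/bin/sh
# Added example (not kubeadm's or the kubelet's code): verify that the
# resolv.conf a kubelet config points at is safe to hand to pods.

# Print the resolvConf value from a kubelet config.yaml. Assumes the key sits
# at the top level, as in the kubeadm-generated file; falls back to the
# documented kubelet default /etc/resolv.conf when the key is absent.
kubelet_resolv_conf() {
    value=$(awk -F': *' '$1 == "resolvConf" { gsub(/"/, "", $2); print $2; exit }' "$1")
    printf '%s\n' "${value:-/etc/resolv.conf}"
}

# Return 0 if that file (any symlink is followed when reading) contains no
# 127.0.0.53 nameserver, i.e. pods will not be handed the stub address.
kubelet_resolv_conf_ok() {
    rc=$(kubelet_resolv_conf "$1")
    if [ ! -r "$rc" ]; then
        echo "resolvConf $rc is not readable" >&2
        return 1
    fi
    if awk '$1 == "nameserver" && $2 == "127.0.0.53" { hit = 1 } END { exit !hit }' "$rc"; then
        echo "resolvConf $rc -> $(readlink -f "$rc") lists 127.0.0.53; pod DNS would loop" >&2
        return 1
    fi
    return 0
}

# Constructed samples (not from a real node): a kubeadm-style config that
# points at the direct resolv.conf, a hand-written one that points at a stock
# Ubuntu /etc/resolv.conf symlink, and one that omits the key entirely.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/stub-resolv.conf" <<'EOF'
nameserver 127.0.0.53
options edns0 trust-ad
EOF
cat >"$SAMPLE_DIR/resolv.conf" <<'EOF'
nameserver 114.114.114.114
nameserver 8.8.8.8
EOF
# Mimic /etc/resolv.conf -> stub-resolv.conf on an unmodified host
ln -s "$SAMPLE_DIR/stub-resolv.conf" "$SAMPLE_DIR/etc-resolv.conf"

KUBELET_GOOD="$SAMPLE_DIR/config-good.yaml"
KUBELET_BAD="$SAMPLE_DIR/config-bad.yaml"
KUBELET_DEFAULT="$SAMPLE_DIR/config-default.yaml"
cat >"$KUBELET_GOOD" <<EOF
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
resolvConf: $SAMPLE_DIR/resolv.conf
EOF
cat >"$KUBELET_BAD" <<EOF
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
resolvConf: "$SAMPLE_DIR/etc-resolv.conf"
EOF
cat >"$KUBELET_DEFAULT" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
EOF

# Check the real kubelet config only when asked.
if [ "${1:-}" = "live" ]; then
    kubelet_resolv_conf_ok /var/lib/kubelet/config.yaml && echo "kubelet resolvConf OK"
fi
```

On a node set up as described in this post, `sh check.sh live` should print "kubelet resolvConf OK"; on a binary install that left resolvConf at its default while /etc/resolv.conf still points at the stub, it prints the loop warning instead, which is the situation the paragraph above says must be avoided.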

Contending for control of /etc/resolv.conf

Recommended reading: 米开杨, "Taking back control of /etc/resolv.conf"

  • https://man7.org/linux/man-pages/man5/resolv.conf.5.html

ref

Appendix 1: Ubuntu's default /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad