Complete CoreDNS and StepCA Setup on CoreOS with Quadlet

Table of Contents#

Overview#

This guide provides a complete setup for deploying CoreDNS and Smallstep Certificate Authority (StepCA) on Fedora CoreOS using Podman Quadlet. This approach offers a lightweight, systemd-integrated solution for DNS and PKI infrastructure without the complexity of Kubernetes.

Architecture Overview#

1
graph TB
2
    subgraph "Fedora CoreOS Host"
3
        subgraph "systemd Services"
4
            A[container-coredns.service]
5
            B[container-stepca.service]
6
        end
7

8
        subgraph "Podman Containers"
9
            C[CoreDNS Container]
10
            D[StepCA Container]
11
        end
12

13
        subgraph "Storage"
14
            E[CoreDNS Config Volume]
15
            F[StepCA Data Volume]
16
        end
17

18
        subgraph "Network"
19
            G[Podman Network]
20
            H[Host Network]
21
        end
22
    end
23

24
    A --> C
25
    B --> D
26
    C --> E
27
    D --> F
28
    C --> G
29
    D --> G
30
    G --> H
31

32
    style A fill:#ffd43b,stroke:#fab005,stroke-width:2px
33
    style B fill:#ffd43b,stroke:#fab005,stroke-width:2px
34
    style C fill:#4ecdc4,stroke:#087f5b,stroke-width:2px
35
    style D fill:#74c0fc,stroke:#1971c2,stroke-width:2px

Initial CoreOS Setup#

1. Verify CoreOS Environment#

1
# Check CoreOS version
2
rpm-ostree status
3

4
# Verify Podman installation
5
podman --version
6

7
# Check systemd version
8
systemctl --version

2. Create Required Directories#

1
# Create directories for configurations
2
sudo mkdir -p /etc/containers/systemd
3
sudo mkdir -p /etc/containers/coredns
4
sudo mkdir -p /etc/containers/stepca

CoreDNS Configuration Files#

CoreDNS Corefile#

Create /etc/containers/coredns/Corefile:

1
.:53 {
2
    hosts {
3
        192.168.122.16 coredns.invinsense
4
        192.168.122.76 ca.invinsense
5
        192.168.122.236 nginx.invinsense
6
        fallthrough
7
    }
8
    forward . 8.8.8.8 9.9.9.9 {
9
        max_concurrent 1000
10
    }
11
    cache 300
12
    log
13
    errors
14
}
15

16
invinsense:53 {
17
    file /etc/coredns/invinsense.db
18
    log
19
    errors
20
}

DNS Zone File#

Create /etc/containers/coredns/invinsense.db:

1
$ORIGIN invinsense.
2
@    3600 IN    SOA coredns.invinsense. admin.invinsense. (
3
                2024010101 ; serial
4
                7200       ; refresh (2 hours)
5
                3600       ; retry (1 hour)
6
                1209600    ; expire (2 weeks)
7
                3600       ; minimum (1 hour)
8
                )
9

10
    3600 IN NS coredns.invinsense.
11

12
coredns    IN A     192.168.122.16
13
ca         IN A     192.168.122.76
14
nginx      IN A     192.168.122.236
15
*.apps     IN A     192.168.122.100

StepCA Configuration#

StepCA Environment File#

Create /etc/containers/stepca.env:

1
STEPCA_PASSWORD=your_secure_password_here

Secure the file:

1
sudo chmod 600 /etc/containers/stepca.env
2
sudo chown root:root /etc/containers/stepca.env

Quadlet Configuration Files#

CoreDNS Network Configuration#

Create /etc/containers/systemd/dns-ca.network:

1
[Network]
2
NetworkName=dns-ca-network
3
Subnet=10.89.0.0/24
4
Gateway=10.89.0.1
5
DNS=10.89.0.10

CoreDNS Volume Configuration#

Create /etc/containers/systemd/coredns-config.volume:

1
[Volume]
2
VolumeName=coredns-config
3
CopyFiles=/etc/containers/coredns:/etc/coredns

StepCA Volume Configuration#

Create /etc/containers/systemd/stepca-data.volume:

1
[Volume]
2
VolumeName=stepca-data

CoreDNS Container Configuration#

Create /etc/containers/systemd/coredns.container:

1
[Unit]
2
Description=CoreDNS DNS Server
3
After=network-online.target dns-ca.network.service
4
Wants=network-online.target dns-ca.network.service
5

6
[Container]
7
Image=docker.io/coredns/coredns:1.11.1
8
ContainerName=coredns
9
Network=dns-ca.network
10
PublishPort=53:53/udp
11
PublishPort=53:53/tcp
12
Volume=coredns-config.volume:/etc/coredns:ro,z
13
Environment=COREDNS_CONFIG=/etc/coredns/Corefile
14
Exec=-conf /etc/coredns/Corefile
15

16
# Security settings
17
SecurityLabelType=spc_t
18
ReadOnly=false
19
NoNewPrivileges=true
20

21
# Resource limits
22
MemoryLimit=512M
23
CPUQuota=50%
24

25
[Service]
26
Restart=always
27
RestartSec=30
28
TimeoutStartSec=900
29

30
[Install]
31
WantedBy=default.target

StepCA Container Configuration#

Create /etc/containers/systemd/stepca.container:

1
[Unit]
2
Description=Smallstep Certificate Authority
3
After=network-online.target dns-ca.network.service
4
Wants=network-online.target dns-ca.network.service
5

6
[Container]
7
Image=docker.io/smallstep/step-ca:0.24.0
8
ContainerName=stepca
9
Network=dns-ca.network
10
PublishPort=443:443
11
Volume=stepca-data.volume:/home/step:z
12
EnvironmentFile=/etc/containers/stepca.env
13
Environment=DOCKER_STEPCA_INIT_NAME=Invinsense CA
14
Environment=DOCKER_STEPCA_INIT_DNS_NAMES=ca.invinsense,localhost
15
Environment=DOCKER_STEPCA_INIT_ADDRESS=:443
16

17
# Security settings
18
SecurityLabelType=spc_t
19
ReadOnly=false
20
NoNewPrivileges=true
21

22
# Resource limits
23
MemoryLimit=512M
24
CPUQuota=50%
25

26
[Service]
27
Restart=always
28
RestartSec=30
29
TimeoutStartSec=900
30

31
[Install]
32
WantedBy=default.target

Deployment Process#

1. Deploy the Services#

1
# Reload systemd to detect new Quadlet files
2
sudo systemctl daemon-reload
3

4
# Start and enable the network
5
sudo systemctl enable --now dns-ca.network
6

7
# Start and enable volumes
8
sudo systemctl enable --now coredns-config.volume
9
sudo systemctl enable --now stepca-data.volume
10

11
# Start and enable containers
12
sudo systemctl enable --now coredns.container
13
sudo systemctl enable --now stepca.container

2. Verify Services#

1
# Check service status
2
sudo systemctl status coredns.container
3
sudo systemctl status stepca.container
4

5
# Check container status
6
podman ps
7

8
# View logs
9
sudo journalctl -u coredns.container
10
sudo journalctl -u stepca.container

Post-Deployment Configuration#

Configure System DNS#

1
# Update system DNS to use CoreDNS
2
sudo nmcli connection modify "System eth0" ipv4.dns "127.0.0.1"
3
sudo nmcli connection up "System eth0"
4

5
# Verify DNS resolution
6
dig @localhost ca.invinsense
7
nslookup nginx.invinsense

Initialize StepCA Client#

1
# Get CA fingerprint
2
sudo podman exec stepca step certificate fingerprint /home/step/certs/root_ca.crt
3

4
# Bootstrap the client
5
step ca bootstrap --ca-url https://ca.invinsense --fingerprint <FINGERPRINT>
6

7
# Request a test certificate
8
step ca certificate test.invinsense test.crt test.key

Advanced Configuration#

High Availability Setup#

1
graph TB
2
    subgraph "HA Architecture"
3
        subgraph "Node 1"
4
            A1[CoreDNS Primary]
5
            B1[StepCA Primary]
6
        end
7

8
        subgraph "Node 2"
9
            A2[CoreDNS Secondary]
10
            B2[StepCA Standby]
11
        end
12

13
        subgraph "Node 3"
14
            A3[CoreDNS Secondary]
15
            B3[StepCA Standby]
16
        end
17

18
        C[Load Balancer]
19
        D[Shared Storage]
20
    end
21

22
    C --> A1
23
    C --> A2
24
    C --> A3
25

26
    B1 --> D
27
    B2 --> D
28
    B3 --> D
29

30
    style C fill:#ff6b6b,stroke:#c92a2a,stroke-width:2px
31
    style D fill:#74c0fc,stroke:#1971c2,stroke-width:2px

DNS Performance Tuning#

Add to CoreDNS Corefile:

1
.:53 {
2
    # Performance optimizations
3
    bufsize 1232
4
    cache {
5
        success 9984 300
6
        denial 9984 5
7
    }
8

9
    # Health checks
10
    health {
11
        lameduck 5s
12
    }
13
    ready
14

15
    # Prometheus metrics
16
    prometheus :9153
17
}

Certificate Auto-Renewal Script#

Create /usr/local/bin/cert-renewal.sh:

1
#!/bin/bash
2
set -euo pipefail
3

4
CERT_DIR="/etc/ssl/certs"
5
KEY_DIR="/etc/ssl/private"
6
DOMAINS=("nginx.invinsense" "app1.invinsense" "app2.invinsense")
7

8
for domain in "${DOMAINS[@]}"; do
9
    echo "Checking certificate for $domain..."
10

11
    if step certificate needs-renewal "$CERT_DIR/$domain.crt"; then
12
        echo "Renewing certificate for $domain..."
13
        step ca renew "$CERT_DIR/$domain.crt" "$KEY_DIR/$domain.key" --force
14

15
        # Reload services that use this certificate
16
        systemctl reload nginx || true
17
    fi
18
done

Monitoring Configuration#

1
# prometheus-config.yaml for monitoring
2
global:
3
  scrape_interval: 15s
4

5
scrape_configs:
6
  - job_name: "coredns"
7
    static_configs:
8
      - targets: ["localhost:9153"]
9

10
  - job_name: "stepca"
11
    static_configs:
12
      - targets: ["localhost:9000"]

Security Hardening#

SELinux Configuration#

1
# Create custom SELinux policy for containers
2
cat > coredns-stepca.te << 'EOF'
3
module coredns-stepca 1.0;
4

5
require {
6
    type container_t;
7
    type dns_port_t;
8
    type http_port_t;
9
    class tcp_socket name_bind;
10
    class udp_socket name_bind;
11
}
12

13
#============= container_t ==============
14
allow container_t dns_port_t:tcp_socket name_bind;
15
allow container_t dns_port_t:udp_socket name_bind;
16
allow container_t http_port_t:tcp_socket name_bind;
17
EOF
18

19
# Compile and install the policy
20
checkmodule -M -m -o coredns-stepca.mod coredns-stepca.te
21
semodule_package -o coredns-stepca.pp -m coredns-stepca.mod
22
sudo semodule -i coredns-stepca.pp

Firewall Rules#

1
# Configure firewall
2
sudo firewall-cmd --add-service=dns --permanent
3
sudo firewall-cmd --add-service=https --permanent
4
sudo firewall-cmd --reload

Maintenance Operations#

Backup Procedures#

1
#!/bin/bash
2
BACKUP_DIR="/var/backups/dns-ca"
3
DATE=$(date +%Y%m%d_%H%M%S)
4

5
# Create backup directory
6
mkdir -p "$BACKUP_DIR"
7

8
# Backup CoreDNS configuration
9
podman volume export coredns-config > "$BACKUP_DIR/coredns-config-$DATE.tar"
10

11
# Backup StepCA data
12
podman volume export stepca-data > "$BACKUP_DIR/stepca-data-$DATE.tar"
13

14
# Backup Quadlet configurations
15
tar -czf "$BACKUP_DIR/quadlet-configs-$DATE.tar.gz" /etc/containers/systemd/
16

17
# Keep only last 7 days of backups
18
find "$BACKUP_DIR" -name "*.tar*" -mtime +7 -delete

Update Procedures#

1
# Update container images
2
sudo podman pull docker.io/coredns/coredns:latest
3
sudo podman pull docker.io/smallstep/step-ca:latest
4

5
# Update Quadlet files with new image tags
6
sudo sed -i 's/coredns:1.11.1/coredns:latest/g' /etc/containers/systemd/coredns.container
7
sudo sed -i 's/step-ca:0.24.0/step-ca:latest/g' /etc/containers/systemd/stepca.container
8

9
# Restart services
10
sudo systemctl restart coredns.container
11
sudo systemctl restart stepca.container

Troubleshooting Guide#

Common Issues and Solutions#

Container Fails to Start

1
# Check for port conflicts
2
sudo ss -tlnp | grep -E ':53|:443'
3

4
# Verify SELinux context
5
ls -Z /etc/containers/systemd/

DNS Resolution Failures

1
# Test CoreDNS directly
2
dig @localhost invinsense
3

4
# Check CoreDNS logs
5
sudo podman logs coredns

Certificate Issues

1
# Verify StepCA is initialized
2
sudo podman exec stepca step ca health
3

4
# Check certificate chain
5
openssl s_client -connect ca.invinsense:443 -showcerts

Debug Commands#

1
# Enable debug logging for CoreDNS
2
sudo podman exec coredns kill -USR1 1
3

4
# View detailed container inspect
5
sudo podman inspect coredns stepca
6

7
# Check systemd unit status
8
systemctl status container-*.service

Performance Metrics#

1
graph LR
2
    subgraph "Performance Monitoring"
3
        A[CoreDNS Metrics] --> B[Query Rate]
4
        A --> C[Cache Hit Ratio]
5
        A --> D[Response Time]
6

7
        E[StepCA Metrics] --> F[Certificate Issued]
8
        E --> G[Request Latency]
9
        E --> H[Error Rate]
10
    end
11

12
    style A fill:#4ecdc4,stroke:#087f5b,stroke-width:2px
13
    style E fill:#74c0fc,stroke:#1971c2,stroke-width:2px

Conclusion#

This comprehensive setup provides a production-ready DNS and PKI infrastructure on Fedora CoreOS using Podman Quadlet. The configuration offers:

Seamless Integration: Native systemd integration through Quadlet
High Security: SELinux policies, firewall rules, and container isolation
Easy Maintenance: Automated updates and backup procedures
Scalability: Ready for high-availability configurations
Monitoring: Built-in metrics and health checks

Key advantages:

No Kubernetes overhead
Immutable infrastructure approach
Declarative configuration
Automatic service management
Production-grade reliability

By following this guide, you can deploy a robust DNS and certificate infrastructure that’s both secure and maintainable, perfect for internal networks and development environments.