Add a dnsBindAddress configuration to the node #12805
Conversation
smarterclayton
force-pushed
the
dns_args
branch
4 times, most recently
from
162c5c0 to
b3f3316
Compare
|
@liggitt this needs review now. I forgot that node config isn't generated anything like master config so had to plumb the new flag in. This will enable @sdodson to start the node DNS even when DNSmasq is on so that we can get correct PTR record support (right now it's broken because the master isn't recursing and dnsmasq doesn't try other endpoints on failure). |
|
Required to fix openshift/openshift-ansible#3017 |
|
My only concern is how will the node's dns server know which upstream servers to use when doing recursion if /etc/resolv.conf points to the node's dnsmasq and dnsmasq is sending all in-addr.arpa back to the node's dns server. |
|
I may have to accept name servers or an alternate config file for skydns to bootstrap. Will look at that tomorrow morning. |
smarterclayton
force-pushed
the
dns_args
branch
from
b3f3316 to
47a0d88
Compare
|
Updated to add a |
smarterclayton
force-pushed
the
dns_args
branch
from
47a0d88 to
36bf0f1
Compare
pkg/cmd/server/api/types.go
Outdated
| @@ -112,12 +112,20 @@ type NodeConfig struct { | |||
| // MasterClientConnectionOverrides provides overrides to the client connection used to connect to the master. | |||
| MasterClientConnectionOverrides *ClientConnectionOverrides | |||
|
|
|||
| // DNSBindAddress is the ip:port to serve on. If this is not set, the DNS server will not be started. | |||
| DNSBindAddress string | |||
There was a problem hiding this comment.
group DNSNameservers with this param and lay out the two setup scenarios really clearly
pkg/cmd/server/start/node_args.go
Outdated
| @@ -37,12 +37,12 @@ func NewNodeComponentFlag() *utilflags.ComponentFlag { | |||
| return utilflags.NewComponentFlag( | |||
| map[string][]string{ComponentGroupNetwork: {ComponentProxy, ComponentPlugins}}, | |||
| ComponentKubelet, ComponentProxy, ComponentPlugins, ComponentDNS, | |||
| ).DefaultDisable(ComponentDNS) | |||
| ).DefaultEnable(ComponentDNS) | |||
There was a problem hiding this comment.
aren't all enabled by default?
pkg/cmd/server/start/node_args.go
Outdated
| } | ||
|
|
||
| // NewNodeComponentFlag returns a flag capable of handling enabled components for the network | ||
| func NewNetworkComponentFlag() *utilflags.ComponentFlag { | ||
| return utilflags.NewComponentFlag(nil, ComponentProxy, ComponentPlugins, ComponentDNS).DefaultDisable(ComponentDNS) | ||
| return utilflags.NewComponentFlag(nil, ComponentProxy, ComponentPlugins, ComponentDNS).DefaultEnable(ComponentDNS) |
| @@ -248,6 +248,7 @@ func (o *AllInOneOptions) Complete() error { | |||
| if dnsAddr.Provided { | |||
| if dnsAddr.Port == 53 { | |||
| // the user has set the DNS port to 53, which is the effective default (node on 53, master on 8053) | |||
| o.NodeArgs.DNSBindAddr = dnsAddr.URL.Host | |||
There was a problem hiding this comment.
Host in a URL is host:port or host.
smarterclayton
force-pushed
the
dns_args
branch
3 times, most recently
from
d0548f2 to
790a538
Compare
|
Flaked on kubernetes/kubernetes#40953 |
| @@ -86,6 +87,7 @@ func NewCommandNodeConfig(commandName string, fullName string, out io.Writer) *c | |||
| flags.StringVar(&options.ImageTemplate.Format, "images", options.ImageTemplate.Format, "When fetching the network container image, use this format. The latest release will be used by default.") | |||
| flags.BoolVar(&options.ImageTemplate.Latest, "latest-images", options.ImageTemplate.Latest, "If true, attempt to use the latest images for the cluster instead of the latest release.") | |||
| flags.BoolVar(&options.AllowDisabledDocker, "allow-disabled-docker", options.AllowDisabledDocker, "Allow the node to start without docker being available.") | |||
| flags.StringVar(&options.DNSBindAddress, "dns-bind-address", options.DNSBindAddress, "An address to bind DNS to.") | |||
There was a problem hiding this comment.
do we need to surface it as a flag, or only in config?
There was a problem hiding this comment.
We could avoid adding it as a flag, it just means that openshift start node will be unable to start DNS.
There was a problem hiding this comment.
do we ever run openshift start node without a config?
pkg/cmd/server/api/types.go
Outdated
| DNSDomain string | ||
|
|
||
| // DNSIP holds the IP | ||
| // DNSIP is the IP address that the DNS server will listen on and which will be reported into pods. Defaults |
There was a problem hiding this comment.
"DNSIP is the IP address that the DNS server will listen on" isn't accurate, right?
There was a problem hiding this comment.
hmm... looks like we try to listen on port 53 of this IP unless DNSBindAddress is specified, in which case it stomps? that is not clear
There was a problem hiding this comment.
We never listen on this IP. I'll update the comment.
| DNSIP string | ||
|
|
||
| // DNSBindAddress is the ip:port to serve DNS on. If this is not set, the DNS server will not be started. | ||
| // Because most DNS resolvers will only listen on port 53, if you select an alternative port you will need | ||
| // a DNS proxy like dnsmasq to answer queries for containers. A common configuration is dnsmasq configured |
There was a problem hiding this comment.
"if you select an alternative port you will need a DNS proxy like dnsmasq to answer queries for containers, and to point DNSIP at that DNS proxy", right?
There was a problem hiding this comment.
Because we say that in the previous field I don't know that it is necessary here (reordered to make that clear).
pkg/cmd/server/api/types.go
Outdated
| // queries to the host environments nameservers. | ||
| DNSBindAddress string | ||
|
|
||
| // DNSNameservers is a list of ip:port values of recursive nameservers to forward queries to. |
There was a problem hiding this comment.
only used by the DNS server started if DNSBindAddress is set
pkg/cmd/server/api/types.go
Outdated
| DNSBindAddress string | ||
|
|
||
| // DNSNameservers is a list of ip:port values of recursive nameservers to forward queries to. | ||
| // If this value is empty, the DNS server will default to the nameservers listed in /etc/resolv.conf. |
There was a problem hiding this comment.
"the DNS server will delegate to nameservers listed in /etc/resolv.conf for queries it cannot satisfy itself"?
| if len(config.DNSIP) > 0 { | ||
| validationResults.AddErrors(ValidateSpecifiedIP(config.DNSIP, fldPath.Child("dnsIP"))...) | ||
| } | ||
| for i, nameserver := range config.DNSNameservers { |
There was a problem hiding this comment.
error to specify this and not specify DNSBindAddress?
There was a problem hiding this comment.
Do we do that often? It means if you want to temporarily stop listening you have to change a bunch of fields, rather than just one.
There was a problem hiding this comment.
I guess not... just don't want people (more) confused. not a big deal either way
| if len(config.DNSIP) > 0 { | ||
| validationResults.AddErrors(ValidateSpecifiedIP(config.DNSIP, fldPath.Child("dnsIP"))...) | ||
| } | ||
| for i, nameserver := range config.DNSNameservers { | ||
| validationResults.AddErrors(ValidateSpecifiedIPPort(nameserver, fldPath.Child("dnsNameserver").Index(i))...) |
| @@ -317,8 +317,14 @@ func BuildKubernetesNodeConfig(options configapi.NodeConfig, enableProxy, enable | |||
| if len(options.DNSIP) > 0 { | |||
There was a problem hiding this comment.
if we don't start the dns server unless DNSBindAddress is specified, what's the point of setting it to DNSIP initially?
There was a problem hiding this comment.
are there old configs that just set DNSIP that will break (not start node DNS) if they upgrade and don't update their config to also set DNSBindAddress?
There was a problem hiding this comment.
No one has ever started node DNS by default, so only someone using the feature experimentally (outside of our control) would be in that setup.
There was a problem hiding this comment.
Before, you had to pass --enable=dns to get DNS. Now you don't. I think we can remove this check.
|
Another commit up. |
|
LGTM |
|
So it's on by default now and we need to set the bindaddress to avoid port conflicts? Recursion in the node's dns server was enabled to start with or do I need to do something to enable that as well? |
smarterclayton
force-pushed
the
dns_args
branch
from
a00ba63 to
f97f728
Compare
Allows the installer to start node DNS without having to set a config flag. BindAddress is consistent with others of this type.
|
No, it's not on by default, you have to set dns-bind-address. |
|
Node is recursion by default and you can't disable it. |
|
[merge] |
|
Evaluated for origin test up to f97f728 |
|
Sounds good, thanks.
…On Feb 9, 2017 6:37 PM, "OpenShift Bot" ***@***.***> wrote:
continuous-integration/openshift-jenkins/test Running (
https://ci.openshift.redhat.com/jenkins/job/test_pull_
requests_origin_future/62/) (Base Commit: 898266a
<898266a>
)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#12805 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAC8IX6uhu4B7avjgpjtHfsuSCJ6tUZyks5ra6NOgaJpZM4L2vlW>
.
|
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/62/) (Base Commit: 898266a) |
|
Known flakes [merge] |
|
Evaluated for origin merge up to f97f728 |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/132/) (Base Commit: 4e8a130) (Image: devenv-rhel7_5898) |
Allows the installer to start node DNS without having to set a config
flag. BindAddress is consistent with others of this type.
@sdodson this would be how you could enable DNS and bind it (you could set 0.0.0.0:54, and then configure dnsmasq)
[test]