Systemd-resolved proper handling#37485
Conversation
|
will update the vendoring as the libnetwork side gets merged |
fcrisciani
force-pushed
the
resolv
branch
2 times, most recently
from
7750bed to
a9cd9df
Compare
johnstep
left a comment
johnstep
left a comment
There was a problem hiding this comment.
Looks good from a Windows perspective.
fcrisciani
force-pushed
the
resolv
branch
3 times, most recently
from
d1b4b19 to
643787c
Compare
Codecov Report
@@ Coverage Diff @@
## master #37485 +/- ##
=========================================
Coverage ? 34.96%
=========================================
Files ? 611
Lines ? 44939
Branches ? 0
=========================================
Hits ? 15714
Misses ? 27097
Partials ? 2128 |
internal/procfs/procfs_linux.go
Outdated
There was a problem hiding this comment.
Wondering; would shelling out to pidof work? (would it be slower?), e.g.;
pids, err := exec.Command("pidof", "some-binary").Output()
# check error and len(pids) > 0There was a problem hiding this comment.
more worried if the pidof is available on every platform and if it is reachable from the daemon (like is in the $PATH) etc
There was a problem hiding this comment.
I'm not sure Walk is really what we want here since it traverses every dir recursively.
What do you think about some either hitting the systemd-resolved API or checking /etc/resolv.conf for 127.0.0.53 instead?
There was a problem hiding this comment.
more worried if the pidof is available on every platform and if it is reachable from the daemon (like is in the $PATH) etc
Good point; looking at http://man7.org/linux/man-pages/man1/pidof.1.html, it's part of https://gitlab.com/procps-ng/procps. I think it's fairly common to be installed (at least on common distros), but we may want to check.
I had the same concerns as @cpuguy83; recursively traversing /proc just for detection looks like a lot of overhead. Not sure if string-matching for 127.0.0.53 in /etc/resolv.conf is a good solution though; sounds a bit brittle.
We should consider to what extend we want the automatic-detection to be "perfect", and possibly add a manual configuration, as discussed in moby/libnetwork#2232 (comment)
(...) is checking for a particular binary running the right way to do this? K8s is mainly doing it to issue a warning so that's "safe" in a sense. But transparently substituting in libnetwork doesn't seem robust. Maybe we should do what k8s is doing even more so: require the user to provide an option for a default resolv.conf file when starting up the engine. (...)
There was a problem hiding this comment.
I opened a PR on k8s repo here to optimize the pid lookup: kubernetes/kubernetes#66367
There was a problem hiding this comment.
@thaJeztah being in the config, does not automatically exposing it as an option? so if the user is not satisfied on the auto selection can specify it?
There was a problem hiding this comment.
@cpuguy83 will wait for that PR to be merged and will update, thanks for opening it
daemon/config/config_common_unix.go
Outdated
There was a problem hiding this comment.
Was thinking if we should do this "on demand", e.g.:
var systemdResolvedRunning *bool
func systemdResolvedPresent() bool {
if systemdResolvedRunning != nil {
return systemdResolvedRunning
}
systemdResolvedRunning = false
pids, err := procfs.PidOf("systemd-resolved")
if err != nil {
logrus.Errorf("unable to check systemd-resolved status: %s", err)
}
if len(pids) > 0 && pids[0] > 0 {
isSystemdResolvedPresent = true
}
return systemdResolvedRunning
}But also noticed that would only need this if conf.ResolvConf == ''; which will be only once (once GetResolvConf() is called, and it's not set, it will be set to conf.ResolvConf = defaultResolvConf)
So perhaps we can just as well inline this in GetResolvConf() ? (or a combination of the above)
There was a problem hiding this comment.
I think is expensive to check: procfs.PidOf("systemd-resolved") for every container creation
There was a problem hiding this comment.
Can we do this during daemon initialization instead of package init?
There was a problem hiding this comment.
sure don't have a, is there a specific point that you can suggest?
Just drop something like this one: https://github.com/moby/moby/blob/master/daemon/daemon.go#L569
There was a problem hiding this comment.
As good a place as any, I suppose.
vendor.conf
Outdated
There was a problem hiding this comment.
Looks like this needs vendoring; let me add that label, otherwise people may overlook that
There was a problem hiding this comment.
yep, I put it in this comment: #37485 (comment)
|
@cpuguy83 wdyt of this one? |
daemon/daemon_linux.go
Outdated
There was a problem hiding this comment.
There was a problem hiding this comment.
even if alternateResolvConf is present, "alternateResolvConf is not present" is printed here?
There was a problem hiding this comment.
sorry was looking at the wrong line
fcrisciani
force-pushed
the
resolv
branch
5 times, most recently
from
22bd786 to
cbf69f0
Compare
Signed-off-by: Flavio Crisciani <[email protected]>
Handle the case of systemd-resolved, and if in place use a different resolv.conf source. Set appropriately the option on libnetwork. Move unix specific code to container_operation_unix Signed-off-by: Flavio Crisciani <[email protected]>
Signed-off-by: Flavio Crisciani <[email protected]>
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
two questions/notes, but otherwise looks good
| @@ -394,13 +394,10 @@ func (n *networkNamespace) InvokeFunc(f func()) error { | |||
| // InitOSContext initializes OS context while configuring network resources | |||
| func InitOSContext() func() { | |||
There was a problem hiding this comment.
Did this file end up in the wrong commit?
|
|
||
| if container.HostConfig.NetworkMode.IsHost() { | ||
| sboxOptions = append(sboxOptions, libnetwork.OptionUseDefaultSandbox()) | ||
| if len(container.HostConfig.ExtraHosts) == 0 { |
There was a problem hiding this comment.
This code is not used for LCOW?
There was a problem hiding this comment.
Oh, just see @johnstep's comment; so ignore this one; only check if the vendored file ended up in the right commit
There was a problem hiding this comment.
@johnstep can you confirm the LCOW behavior here?
There was a problem hiding this comment.
This code path cannot be hit on Windows (including LCOW) because IsHost always returns false on Windows.
|
z failure is unrelated; merging |
|
Is this likely to appear in the next release of docker-ce? |
|
Answering my own question: Yes, this appears to be in the 18.09 beta. |
11 participants
- What I did
Added code to handle case where the OS is using systemd-resolved
Cleaned up some of the code in the resolv.conf area
Moved option NetworkControlPlaneMTU under networking options
Added a library to fetch the pid of a process, coming from (https://github.com/kubernetes/kubernetes/tree/master/pkg/util/procfs) minus, things not useful and avoiding other dependencies
- How to verify it
Did not change functionality so current testing should cover it already (moby and libnetwork)
- Description for the changelog
Handle systemd-resolved case providing appropriate resolv.conf to networking layer
- A picture of a cute animal (not mandatory but encouraged)
