Better selection of DNS server#41022
Merged
AkihiroSuda merged 1 commit intomoby:masterfrom Jun 25, 2020
Merged
Conversation
thaJeztah
added
status/2-code-review
area/networking
Commit e353e7e updated selection of the `resolv.conf` file to use in situations where systemd-resolvd is used as a resolver. If a host uses `systemd-resolvd`, the system's `/etc/resolv.conf` file is updated to set `127.0.0.53` as DNS, which is the local IP address for systemd-resolvd. The DNS servers that are configured by the user will now be stored in `/run/systemd/resolve/resolv.conf`, and systemd-resolvd acts as a forwarding DNS for those. Originally, Docker copied the DNS servers as configured in `/etc/resolv.conf` as default DNS servers in containers, which failed to work if systemd-resolvd is used (as `127.0.0.53` is not available inside the container's networking namespace). To resolve this, e353e7e instead detected if systemd-resolvd is in use, and in that case copied the "upstream" DNS servers from the `/run/systemd/resolve/resolv.conf` configuration. While this worked for most situations, it had some downsides, among which: - we're skipping systemd-resolvd altogether, which means that we cannot take advantage of addition functionality provided by it (such as per-interface DNS servers) - when updating DNS servers in the system's configuration, those changes were not reflected in the container configuration, which could be problematic in "developer" scenarios, when switching between networks. This patch changes the way we select which resolv.conf to use as template for the container's resolv.conf; - in situations where a custom network is attached to the container, and the embedded DNS is available, we use `/etc/resolv.conf` unconditionally. If systemd-resolvd is used, the embedded DNS forwards external DNS lookups to systemd-resolvd, which in turn is responsible for forwarding requests to the external DNS servers configured by the user. - if the container is running in "host mode" networking, we also use the DNS server that's configured in `/etc/resolv.conf`. In this situation, no embedded DNS server is available, but the container runs in the host's networking namespace, and can use the same DNS servers as the host (which could be systemd-resolvd or DNSMasq - if the container uses the default (bridge) network, no embedded DNS is available, and the container has its own networking namespace. In this situation we check if systemd-resolvd is used, in which case we skip systemd-resolvd, and configure the upstream DNS servers as DNS for the container. This situation is the same as is used currently, which means that dynamically switching DNS servers won't be supported for these containers. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Member
Author
thaJeztah
commented
May 26, 2020
| // namespace, so both `/etc/hosts` and `/etc/resolv.conf` should be the same | ||
| // as on the host itself. The container gets a copy of these files, but they | ||
| // may be symlinked, so resolve the original path first. | ||
| etcHosts, err := filepath.EvalSymlinks("/etc/hosts") |
Member
Author
There was a problem hiding this comment.
This is new; previously we didn't check if these were symlinked (which at least in case of /etc/resolv.conf may be the case for systems that were upgraded from older versions)
3 tasks
Member
Author
|
@xinfengliu PTAL, perhaps you have thought as well if this makes sense 🤗 |
Contributor
|
thanks for the detailed code comments ! |
Contributor
@thaJeztah Sorry I'm not familiar with this part of codes, not able to comment. |
lieutdan13
approved these changes
Jun 9, 2020
Member
Author
Thinking what the best way is to test this, as we don't run the daemons with |
arkodg
approved these changes
Jun 9, 2020
Contributor
arkodg
left a comment
arkodg
left a comment
There was a problem hiding this comment.
ya an integration test will be non trivial, approving this PR
thanks !
Member
Author
|
@AkihiroSuda LGTY? |
AkihiroSuda
approved these changes
Jun 25, 2020
Contributor
|
Would it be possible this commit to also be pushed in 19.03 branch? There are more and more systemd-resolved based setup. |
Member
Author
Member
|
It seems ok but also risky... I don't know... |
Member
Author
|
Opened a draft backport #41374, so that we can discuss/consider |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit e353e7e (#37485) updated selection of the
resolv.conffile to use in situations where systemd-resolvd is used as a resolver.If a host uses
systemd-resolvd, the system's/etc/resolv.conffile isupdated to set
127.0.0.53as DNS, which is the local IP address forsystemd-resolvd. The DNS servers that are configured by the user will now
be stored in
/run/systemd/resolve/resolv.conf, and systemd-resolvd actsas a forwarding DNS for those.
Originally, Docker copied the DNS servers as configured in
/etc/resolv.confas default DNS servers in containers, which failed to work if systemd-resolvd
is used (as
127.0.0.53is not available inside the container's networkingnamespace). To resolve this, e353e7e instead
detected if systemd-resolvd is in use, and in that case copied the "upstream"
DNS servers from the
/run/systemd/resolve/resolv.confconfiguration.While this worked for most situations, it had some downsides, among which:
advantage of addition functionality provided by it (such as per-interface
DNS servers)
not reflected in the container configuration, which could be problematic in
"developer" scenarios, when switching between networks.
This patch changes the way we select which resolv.conf to use as template
for the container's resolv.conf;
embedded DNS is available, we use
/etc/resolv.confunconditionally. Ifsystemd-resolvd is used, the embedded DNS forwards external DNS lookups to
systemd-resolvd, which in turn is responsible for forwarding requests to
the external DNS servers configured by the user.
DNS server that's configured in
/etc/resolv.conf. In this situation, noembedded DNS server is available, but the container runs in the host's
networking namespace, and can use the same DNS servers as the host (which
could be systemd-resolvd or DNSMasq
available, and the container has its own networking namespace. In this
situation we check if systemd-resolvd is used, in which case we skip
systemd-resolvd, and configure the upstream DNS servers as DNS for the
container. This situation is the same as is used currently, which means
that dynamically switching DNS servers won't be supported for these
containers.
Signed-off-by: Sebastiaan van Stijn [email protected]
- What I did
- How I did it
- How to verify it
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)