
Re: Using cluster DNS for the integrated registry




+1

Erik M Jacobs, RHCA
Principal Technical Marketing Manager, OpenShift Enterprise
Red Hat, Inc.
Phone: 646.462.3745
Email: ejacobs redhat com
AOL Instant Messenger: ejacobsatredhat
Twitter: @ErikonOpen
Freenode: thoraxe


On 05/28/2015 10:36 AM, Andy Goldstein wrote:
> I was referring to the "append/prepend domain-name-servers"
> setting in /etc/dhcp/dhclient.conf so you can still use DHCP and
> have semi-custom DNS.
> 
>> On May 28, 2015, at 10:35 AM, Erik M Jacobs <ejacobs redhat com> 
>> wrote:
>> 
>> Well, you would need to provide instructions for how to 
>> appropriately modify the network interface configuration such 
>> that DNS is not automatically obtained, however that still may 
>> not work because, in some instances, customers may *need* to 
>> obtain resolver information from DHCP.
>> 
>> For example, what if my VM is migrated to another 
>> area/region/whatever that requires the use of a different DNS 
>> server?
>> 
>> 
>> On 05/28/2015 10:32 AM, Andy Goldstein wrote:
>>> I guess we’ll need instructions for how to modify dhclient as 
>>> well?
>>> 
>>>> On May 28, 2015, at 10:30 AM, Erik M Jacobs 
>>>> <ejacobs redhat com> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> Modifying resolv is not an option, generally speaking, as 
>>>> many customers with dynamic environments are leveraging DHCP 
>>>> for hostnames+DNS resolution, which means every DHCP refresh 
>>>> is going to (potentially) blow away the resolv.conf.
>>>> 
>>>> 
>>>> On 05/28/2015 10:18 AM, Clayton Coleman wrote:
>>>>> 
>>>>> 
>>>>>> On May 28, 2015, at 10:15 AM, Andy Goldstein 
>>>>>> <agoldste redhat com> wrote:
>>>>>> 
>>>>>> Ok, I can test some scenarios out.
>>>>>> 
>>>>>> Anyone have any suggestions for a way around requiring 
>>>>>> users to modify /etc/resolv.conf? I see that Docker has
>>>>>> a --dns flag for the daemon, but it appears that is only 
>>>>>> used to set up resolv.conf in containers, so that’s not 
>>>>>> helpful.
>>>>> 
>>>>> We have two options.  Directly modify resolv, or print a 
>>>>> very large warning.  If the core resolv.conf is set, we 
>>>>> don't need to set cluster DNS for containers, so we at 
>>>>> least need to read resolv.conf to check.  If we start with 
>>>>> the warning and make sure it's in end user docs, we're in
>>>>> a not terrible place.
>>>>> 
>>>>>> 
>>>>>> On the Docker roadmap (for 1.8 or later) is configurable
>>>>>> namespace support, meaning we’d be able to drop in a 
>>>>>> config file for docker that says that when you see the 
>>>>>> image namespace 
>>>>>> docker-registry.default.svc.cluster.local, use registry 
>>>>>> 172.x.x.x. If we had that today, that would solve this 
>>>>>> problem, but it’s not here yet…
>>>>>> 
>>>>>> Andy
>>>>>> 
>>>>>>> On May 28, 2015, at 10:12 AM, Clayton Coleman 
>>>>>>> <ccoleman redhat com> wrote:
>>>>>>> 
>>>>>>> If we need a patch to skydns to avoid ourselves as 
>>>>>>> master, it should not be too hard to land.  At the 
>>>>>>> point where we initialize DNS we know our ips and we 
>>>>>>> can pass resolvers in directly.
>>>>>>> 
>>>>>>>> On May 28, 2015, at 10:00 AM, Andy Goldstein 
>>>>>>>> <agoldste redhat com> wrote:
>>>>>>>> 
>>>>>>>> I am not very familiar with how SkyDNS works and will
>>>>>>>> need to look into it. If anyone else knows, please
>>>>>>>> chime in! :-)
>>>>>>>> 
>>>>>>>> Andy
>>>>>>>> 
>>>>>>>>> On May 28, 2015, at 9:50 AM, Erik M Jacobs 
>>>>>>>>> <ejacobs redhat com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi Andy,
>>>>>>>>> 
>>>>>>>>> We are already seeing pretty serious issues when 
>>>>>>>>> SkyDNS is used as a resolver for the main system - 
>>>>>>>>> see Jorge Morales' thread on the openshiftbeta 
>>>>>>>>> list.
>>>>>>>>> 
>>>>>>>>> Does SkyDNS automatically perform lookups using the
>>>>>>>>> *second* (or further) resolver from 
>>>>>>>>> /etc/resolv.conf? Otherwise when my system tries
>>>>>>>>> to lookup "registry.access.redhat.com" it's going
>>>>>>>>> to ask SkyDNS and then SkyDNS is going to ask... 
>>>>>>>>> itself...
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 05/28/2015 09:22 AM, Andy Goldstein wrote:
>>>>>>>>>> We are looking to move from using the
>>>>>>>>>> docker-registry service’s IP to its cluster DNS
>>>>>>>>>> entry
>>>>>>>>>> (docker-registry.default.svc.cluster.local) to
>>>>>>>>>> make certificate generation and push/pull secret
>>>>>>>>>> usage easier. Currently, the master caches the
>>>>>>>>>> registry’s service IP and uses that when creating
>>>>>>>>>> image references in image streams. If the service
>>>>>>>>>> is deleted and recreated, it most likely gets a
>>>>>>>>>> new IP, invalidating previously generated image
>>>>>>>>>> references, and you also have to restart the
>>>>>>>>>> master for it to pick up the new IP. 
>>>>>>>>>> Additionally, if you want the registry to use 
>>>>>>>>>> TLS, you must generate a certificate for it, and 
>>>>>>>>>> any time the IP changes, you’ll have to generate 
>>>>>>>>>> a new certificate.
>>>>>>>>>> 
>>>>>>>>>> We’d like to use the cluster DNS entry 
>>>>>>>>>> exclusively, but there are some challenges. The 
>>>>>>>>>> biggest is that in order for Docker to be able
>>>>>>>>>> to talk to the registry using its DNS entry, the 
>>>>>>>>>> host where Docker is running must use the IP 
>>>>>>>>>> address of the OpenShift master as a resolver
>>>>>>>>>> for DNS. This is straightforward to implement
>>>>>>>>>> for Ansible-based installations (we have a
>>>>>>>>>> Trello card to do this work soon). But for
>>>>>>>>>> developers running OpenShift from source and
>>>>>>>>>> anyone running OpenShift via ‘docker run’, it’s
>>>>>>>>>> not automatic; you have to manually edit
>>>>>>>>>> /etc/resolv.conf to add a nameserver entry for
>>>>>>>>>> your master (which most likely will just be
>>>>>>>>>> 127.0.0.1 if you’re running an all-in-one
>>>>>>>>>> setup).
>>>>>>>>>> 
>>>>>>>>>> I’m wondering if anyone has any ideas for a way 
>>>>>>>>>> to eliminate the need to manually edit 
>>>>>>>>>> /etc/resolv.conf on your host and still have the 
>>>>>>>>>> host’s Docker daemon be able to resolve cluster 
>>>>>>>>>> DNS entries like the registry?
>>>>>>>>>> 
>>>>>>>>>> TIA, Andy
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________ 
>>>>>>>>>> dev mailing list dev lists openshift redhat com 
>>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>
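
The thread above proposes reading resolv.conf to check for the cluster DNS, warning when it is absent, and using the dhclient "prepend domain-name-servers" setting so that a DHCP refresh keeps it. The script below is an added example of that check, not code from OpenShift or from anyone in the thread; the function names, the sample file and the 127.0.0.1 master address (the all-in-one case mentioned in the original post) are assumptions.

```shell
#!/bin/sh
# Added example, not OpenShift code. Sample file and MASTER_IP are constructed.

# check_cluster_dns RESOLV_CONF MASTER_IP
# Prints and returns: "first"/0, "listed"/1 (another resolver is asked
# before the master), "missing"/2 (master is not a resolver at all).
check_cluster_dns() {
    awk -v ip="$2" '
        $1 == "nameserver" { n++; if ($2 == ip && !pos) pos = n }
        END {
            if (pos == 1)     { print "first";   exit 0 }
            else if (pos > 1) { print "listed";  exit 1 }
            else              { print "missing"; exit 2 }
        }' "$1"
}

# other_resolvers RESOLV_CONF MASTER_IP
# Counts nameserver entries that are not the master, i.e. the resolvers
# still available for names outside the cluster domain.
other_resolvers() {
    awk -v ip="$2" '$1 == "nameserver" && $2 != ip { n++ }
                    END { print n + 0 }' "$1"
}

# dhclient_line MASTER_IP
# The dhclient.conf statement that keeps the master first after each lease.
dhclient_line() {
    printf 'prepend domain-name-servers %s;\n' "$1"
}

# Demo on a constructed resolv.conf of the kind a DHCP client writes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; generated by dhclient (constructed sample)
search example.com
nameserver 192.0.2.53
EOF
MASTER_IP=127.0.0.1
if state=$(check_cluster_dns "$sample" "$MASTER_IP"); then
    echo "cluster DNS $MASTER_IP is the first resolver"
else
    echo "WARNING: cluster DNS $MASTER_IP is $state in the resolver list" >&2
    echo "add to /etc/dhcp/dhclient.conf: $(dhclient_line "$MASTER_IP")" >&2
fi
echo "other resolvers configured: $(other_resolvers "$sample" "$MASTER_IP")"
rm -f "$sample"
```
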

