feat(core) implement internal dns with loadbalancing, replace dnsmasq

[Tieske]

Summary

implements an internal dns resolver, removes the dnsmasq dependency.

Features

• uses the balancer_by_lua directive
• dns resolution is cached in Lua memory
• loadbalancing; lookups are rotated (round-robin) over the entire dns record. For example if the upstream url resolves to an A record with 3 entries, Kong will automatically round-robin the requests over those
• resolver also resolves SRV records and takes into account the ports in those cases
• the new connect method also resolves ports. So auxiliary systems can now also be configured using SRV records. The effect is that for example, the LDAP plugin, when connecting to a host named "myHost" and port "123", will be looked up against an SRV record as well. If the SRV record returns 3 hosts with ports, those will be used in round robin mode (the provided port '123' will be overridden by the dns results)

todo

• add tests to dns.lua and publish it
• check necessity to update cli / db name resolving, would be nice to use SRV records here as well
• implement set_more_retries as discussed here
  • still to fix: hacky migrations on retries
• implement global patch for the connect method as discussed here see patch the global tcp.connect function to use the internal dns resolver #1598
• implement dog-pile-effect prevention when a dns record expires
• make keepalive setting configurable

additional todos, not making it here...

• make the upstream block configurable (optional)
• implement applying healthdata, as discussed here (optional)
• implement the new balancer method setTimeouts() (optional)
• implement parsing the additional section of the dns records (optional)

related to

• extracted from 'upstreams' feat(core) upstreams #1541
• replaces 'dns' feat(core) embedded dns resolver #1225

instructions

To use this branch the dns.lua module must be manually installed

[thibaultcha]

Cool stuff 👏

[thibaultcha]

We could implement this in our globalpatches module now, to avoid diverging from the tcpsock regular API.

[Tieske]

How do you see that? the connect method is metatable property of the socket userdata. I don't think we should mess with that. Or did you have something different in mind?

[thibaultcha]

Maybe:

-- globalpatches.lua
local tcp = ngx.socket.tcp
_G.ngx.socket.tcp = function(...)
  local sock = tcp(...)
  local connect = sock.connect
  sock.connect = function(...)
    return dns.connect(sock, ...)
  end
  return sock
end

[Tieske]

did you try that? I'd expect sock to be a userdata, so the line sock.connect = ... will fail.

[thibaultcha]

openresty/resty-cli#10

[Tieske]

Might just work

> resty -e "local s = ngx.socket.tcp(); print(type(s));s.connect = function() end"
table

[thibaultcha]

does work, but was rejected by resty-cli

[Tieske]

What do you mean 'was rejected by resty-cli'?

[thibaultcha]

Should we make proxy_next_upstream and proxy_next_upstream_tries configurable? They could be configured on an per-API basis just like proxy_pass = $upstream_host; (which btw, I think should be updated).

[thibaultcha]

check necessity to update cli / db name resolving, would be nice to use SRV records here as well

Is there any reason why we couldn't do that? resty-cli runs in a timer context and we do not mind about blocking operations. I believe we should be able to resolve /etc/hosts entries as well as use dns.lua atop tcpsock:connect() (see my note about patching it in globalpatches too).

[thibaultcha]

Note for polishing this PR: make this configurable.
Also worth considering allowing users to add custom upstream blocks (managed by our template) to allow for different upstream connection pools maybe? With different keepalive settings.

[subnetmarco]

With different keepalive settings.

I think that making it globally configurable in the configuration file would be enough for now.

[sonicaghi]

loadbalancing; lookups are rotated (round-robin) over the entire dns record

Would be cool if the LB will be customizable with custom policies in the future.

[Tieske]

Is there any reason why we couldn't do that? resty-cli runs in a timer context and we do not mind about blocking operations. I believe we should be able to resolve /etc/hosts entries as well as use dns.lua atop tcpsock:connect() (see my note about patching it in globalpatches too).

If patching the the connect method in globalpatches works, then it would be easy.

[subnetmarco]

Currently having this error:

Missing dependencies for kong:
dns == 0.1


Error: Could not satisfy dependency: dns == 0.1
make: *** [install] Error 1

[subnetmarco]

This would override whatever ulimit I have already set - do we really need it?

[Tieske]

removed it, latest dns.lua master doesn't use it anymore

[subnetmarco]

@Tieske said we can merge with this TODO in place, because it's fixed in the other upstream PR.

[Tieske]

indeed, see https://github.com/Mashape/kong/blob/feature/upstreams2/kong/core/balancer.lua

[subnetmarco]

We can use return responses.send_HTTP_INTERNAL_SERVER_ERROR(err).

[Tieske]

fixed

[subnetmarco]

Bug: this is not doing anything. It's probably missing a row.retries = 5 before executing the update(..) method.

[subnetmarco]

Maybe the previous row.retries = 5 in the Cassandra migration was not set because the expectation was that re-updating the same entity would populate the default values.

Not sure if this really happens, and if it doesn't, should it be fixed? This needs to be tested.

[Tieske]

Just checked it and it works as it currently is. Adding an api on 0.9.2, then restarting Kong with this branch (running the migrations), results in this api output;

Mashapes-MacBook-Pro-2:kong thijs$ http get localhost:8001/apis
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Wed, 12 Oct 2016 18:10:31 GMT
Server: kong/0.9.2
Transfer-Encoding: chunked

{
    "data": [
        {
            "created_at": 1476295721000,
            "id": "13af5ca7-a617-4e22-92b7-540fe9607e65",
            "name": "tieske",
            "preserve_host": false,
            "request_path": "/",
            "retries": 5,
            "strip_request_path": false,
            "upstream_url": "http://www.thijsschreijer.nl"
        }
    ],
    "total": 1
}

Retries default is now set.

[Tieske]

^^^ being with Cassandra configured as the database

[subnetmarco]

We should use responses.send_HTTP..

[subnetmarco]

We should use responses.send_HTTP..

[subnetmarco]

We need to add more integration tests that check if SRV records are properly resolved, for example.

[Tieske]

keepalive is now configurable (one global setting)

[pgieniec5tar]

@Tieske one thing I wanted to bring up here, for ELB's in AWS, they will resolve to an ip address, however that underlying ip can eventually change.

I noticed one of the features is dns resolution is cached in Lua memory, but it should be looked up every few seconds to mitigate this.

Here is a much better post describing the issue and solution:
http://gc-taylor.com/blog/2011/11/10/nginx-aws-elb-name-resolution-resolvers/

[Tieske]

@pgieniec5tar apparently (what I read from the post) is that nginx does not honour the ttl by simply holding on to the IP address indefinitely.

This dns resolver branch will honour ttl so as long as the proper values are set, it will renew the ip addresses (and update its in memory cache) when the record expires.

[subnetmarco]

@Tieske can you please fix the conflicts? I would like to execute some benchmarks too on the latest code.