Task DNS Options #7661
Thank you for working on this... it's a big blocker for us to use
This looks great @nickethier. I left one question and some minor cleanup/docs items.
@@ -74,6 +74,10 @@ job "docs" { | |||
- `host` - Each task will join the host network namespace and a shared network | |||
namespace is not created. This matches the current behavior in Nomad 0.9. | |||
|
|||
- `dns` <code>([DNSConfig](#dns-parameters): nil)</code> - Sets the DNS configuration |
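Review bot: the added `dns` parameter line does not say that applying this configuration is left to the task driver, so a reader can set it and assume every task resolves through the listed servers. The PR description states that the task driver is responsible for configuring DNS and lists `raw_exec` as not supported; a sentence here naming that dependency, with the list of drivers that honor it, would keep operators from relying on a resolver setting that a given driver silently ignores.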
I think it might be valuable to have some brief info here about how this interacts with network isolation. If you set particular IPs as the nameservers, the routing is going to be different if the task uses `host` networking vs other networking modes (particularly once CNI support is complete). So something like a reminder that this uses the task's view of the network address space.
"github.com/stretchr/testify/require" | ||
) | ||
|
||
// TestTaskDNSConfig asserts that a task is running with the given DNSConfig |
I really like how clean this makes the task driver tests that need it. 👍
I borrowed the idea from @notnoop!
path := filepath.Join(taskDir, "resolv.conf") | ||
mount := &drivers.MountConfig{ | ||
TaskPath: "/etc/resolv.conf", | ||
HostPath: path, |
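Review bot: `HostPath` is built from `filepath.Join(taskDir, "resolv.conf")`, so the source of the bind mount lives in a directory the task may be able to reach, and a read-only mount at `/etc/resolv.conf` only blocks writes made through that mount point. If the task can write to the same file through its task directory, the "managed by Nomad" property does not hold. Suggest a comment above `path :=` recording why the file is placed there, and creating the file without write permission for the task user so the guarantee does not rest on the mount flag alone.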
It looks like we're only using this function for `exec` and `java` task drivers. When we pass the `TaskDir` into this function to create the `HostPath`, is that path writable to the task? Mounting it from there read-only to `/etc/resolv.conf` makes it seem like it shouldn't be. It doesn't seem like a security issue because it's a copy of the host's `/etc/resolv.conf` and not a mount to it. Are we doing this bind-mount mostly for consistency with how we create mounts?
Yeah, the idea being that if Nomad is going to manage the dns configuration (resolv.conf) then the task shouldn't be able to write to it. I couldn't find a great place to write the resolv.conf as we don't really have a per alloc directory that's not actually accessible from the alloc. I figured mounting as ro would give the "Nomad manages this file" UX even if we change where it's mounted from in the future.
I did try and keep the concept of just passing a bind mount consistent as that seems the most compatible way other drivers could consume this.
👍 That all sounds like solid reasoning.
Co-Authored-By: Tim Gross <[email protected]>
@nickethier double checking - this is going into
No I just haven’t made the 0.12 branch yet.
Co-Authored-By: Tim Gross <[email protected]> Co-Authored-By: Seth Hoenig <[email protected]>
This PR adds a dns stanza to `network {...}` which allows setting the dns servers, searches and options. Example:

It is implemented to pass on the configuration to task drivers. This means the task driver is responsible for configuring the DNS settings. For executor style drivers, a resolvconf utility package is included to build the `resolv.conf` file on Linux and generate the `drivers.Mount` struct to mount it in.

Caveats

TODO

`raw_exec`: Not supported

fixes #7283 #7393 #6727
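
The description above says a resolvconf utility builds the `resolv.conf` file and generates a mount struct for executor-style drivers. The following Go code is an added example, not the PR's or Nomad's own code: it renders the file from servers, searches and options, rejects values that could inject extra directives, and returns a read-only bind mount description. `DNSConfig`, `Mount`, `Render` and `WriteMount` are hypothetical names, and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// DNSConfig and Mount are hypothetical stand-ins, not Nomad's own types.
type DNSConfig struct{ Servers, Searches, Options []string }
type Mount struct{ TaskPath, HostPath string; Readonly bool }

// Render builds resolv.conf, rejecting values that could smuggle in directives.
func Render(c DNSConfig) (string, error) {
	var b strings.Builder
	for _, s := range c.Servers {
		if net.ParseIP(s) == nil { // also rejects embedded newlines
			return "", fmt.Errorf("invalid nameserver %q", s)
		}
		fmt.Fprintf(&b, "nameserver %s\n", s)
	}
	for i, vals := range [][]string{c.Searches, c.Options} {
		for _, v := range vals {
			if v == "" || strings.ContainsAny(v, " \t\r\n") {
				return "", fmt.Errorf("invalid search/option value %q", v)
			}
		}
		if len(vals) > 0 {
			fmt.Fprintf(&b, "%s %s\n", []string{"search", "options"}[i], strings.Join(vals, " "))
		}
	}
	return b.String(), nil
}

// WriteMount writes the file (mode 0444) and describes a read-only bind mount.
func WriteMount(dir string, c DNSConfig) (*Mount, error) {
	content, err := Render(c)
	if err != nil {
		return nil, err
	}
	m := &Mount{TaskPath: "/etc/resolv.conf", HostPath: filepath.Join(dir, "resolv.conf"), Readonly: true}
	return m, os.WriteFile(m.HostPath, []byte(content), 0o444)
}

func main() {
	fmt.Println(Render(DNSConfig{Servers: []string{"10.0.0.2"}, Options: []string{"ndots:2"}}))
}
```

Callers must check the returned error before using the mount; the file mode and the `Readonly` flag are two separate controls, which is the distinction the review thread above turns on.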