Using bridge network for nodes #484
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: tao12345666333 If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
size/M
|
The custom bridge network's magical hostname resolution is causing coreDNS to detect a loop and fail. |
|
It seems that I missed some useful information. 😯 |
hm, the following is not an option:
we need to think of a way to avoid the loop. /cc |
|
The DNS loop seems caused because the docker DNS uses always the address
and that´s the address configured on the node´s CoreDNS documentation explains why such addresses causes a loop https://github.com/coredns/coredns/blob/master/plugin/loop/README.md
It offers 3 solutions, but personally I only see feasible the 1st want mentioned modifying the kubelet yaml. Let me try to see what´s needed to implement it and come back to you. In the other hand, I don´t know if creating a different bridge per cluster will break some functionality, I´m especially concerned about the multicluster/federation scenarios. I think it will be safer first to create a network for kind and then see if we need to move to a network per cluster |
|
@tao12345666333 in order to keep backward compatibility and avoid the DNS crash we should:
|
|
@aojea Thank you for the information, I will try it later. |
|
does docker only rewrite etc/resolv.conf on container creation or continually? if the former, then we can just overwrite that? otherwise we will have inconsistent DNS for system components. |
if you overwrite the resolv.conf of the nodes you lose the Docker DNS and the host discovery. |
|
Getting our own IP space for the nodes is still useful, and we could
selectively merge the resolv.conf
*From: *Antonio Ojea <[email protected]>
*Date: *Sun, May 5, 2019, 23:16
*To: *kubernetes-sigs/kind
*Cc: *Benjamin Elder, Review requested
does docker only rewrite etc/resolv.conf on container creation or
… continually? if the former, then we can just overwrite that?
otherwise we will have inconsistent DNS for system components.
if you overwrite the resolv.conf of the nodes you lose the Docker DNS and
the host discovery. I mean, there is no reason to move to user defined
bridges
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#484 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHADKZ5NYQQRUQB5UIWPSTPT7ENHANCNFSM4HK2Z64Q>
.
|
|
This fix can work at my side. |
|
|
|
/test pull-kind-conformance-parallel |
If you look at my strawman proposal, the idea is to make it configurable so federation can configure the same bridge for all. |
| @@ -237,6 +239,7 @@ evictionHard: | |||
| nodefs.available: "0%" | |||
| nodefs.inodesFree: "0%" | |||
| imagefs.available: "0%" | |||
| resolvConf: /kind/resolv.conf | |||
There was a problem hiding this comment.
I really don't like the idea that containerd and debugging tools will have a different resolv conf than kubelet.
There was a problem hiding this comment.
as you said
we could selectively merge the resolv.conf
There was a problem hiding this comment.
After considering it, I think the current practice is relatively simple. If we do resolv.conf merge, we need a lot of testing. Why don't we put it later? 🤔
Keep this practice for a while, then change it after the verification is passed.
I hope we can move forward. ❤️
There was a problem hiding this comment.
this means other components have an inconsistent resolv conf and we're not actually solving the issue. if we're going to use hostnames we need kubelet and everything else to have the same lookup.
There was a problem hiding this comment.
technically having a different resolv.conf doesn't mean that have a different lookup, just that the pods will not be able to resolv the nodes names, the other requests will use the same dns server, however I agree that reality is always different and we can be broken because docker changes on the DNS behaviour, that will not be surprising 😅
Docker daemon runs an embedded DNS server which provides DNS resolution among containers connected to the same user-defined network, so that these containers can resolve container names to IP addresses. If the embedded DNS server is unable to resolve the request, it will be forwarded to any external DNS servers configured for the container. To facilitate this when the container is created, only the embedded DNS server reachable at 127.0.0.11 will be listed in the container’s resolv.conf file.
I agree with tao here, I think that we should left until last the DNS exercise
There was a problem hiding this comment.
+1 on merging the resolv.confs if feasable.
|
The most basic features of this PR expectation have been achieved. Includes:
By using the bridge network, we can use Docker's embedded DNS to help push #408 forward. After this PR, we only need to modify i.e. I want to know your thoughts. @BenTheElder @aojea @neolit123 Thanks. |
|
Ben created a proposal, I think that only the labeling networks thing is missing
There was some controversy regarding the different resolv.conf for nodes and clusters. |
tao12345666333
force-pushed
the
using-network
branch
4 times, most recently
from
95fa838
to
eda987d
Compare
Signed-off-by: Jintao Zhang <[email protected]>
tao12345666333
force-pushed
the
using-network
branch
from
eda987d
to
48977ec
Compare
|
/test pull-kind-conformance-parallel |
|
It seems that the docker related commands cannot be tested in the CI environment, so I deleted the test case for the docker network. |
|
I think we should do something to push this PR forward. /assign @BenTheElder |
| } | ||
|
|
||
| // filter the loopback addresses | ||
| re := regexp.MustCompile("(?m)[\r\n]+^.*((127.([0-9]{1,3}.){2}[0-9]{1,3})|(::1)).*$") |
There was a problem hiding this comment.
this shouldn't even be necessary in the hosts's resolv.conf ?
| // DeleteNetwork delete the special network | ||
| // only when the network was created by kind | ||
| func DeleteNetwork(networkName string) error { | ||
| if isNetworkCreatedByKind(networkName) { |
There was a problem hiding this comment.
this is orthogonal to the functionality of delete network. this package should be kind agnostic. we don't do this for delete containers
| "docker", "network", | ||
| "create", | ||
| "--driver=bridge", | ||
| "--label="+fmt.Sprintf("%s=%s", constants.ClusterLabelKey, networkName), |
There was a problem hiding this comment.
this package should not be aware of the cluster label key. this package just implements docker functionality
| } | ||
|
|
||
| // isNetworkCreatedByKind checks if it was created by kind | ||
| func isNetworkCreatedByKind(networkName string) bool { |
There was a problem hiding this comment.
this should live somewhere in cluster/
| @@ -181,6 +182,7 @@ evictionHard: | |||
| nodefs.available: "0%" | |||
| nodefs.inodesFree: "0%" | |||
| imagefs.available: "0%" | |||
| resolvConf: /kind/resolv.conf | |||
There was a problem hiding this comment.
this is not being done for all api versions
| @@ -193,16 +214,16 @@ func nodesToCreate(cfg *config.Cluster, clusterName string) []nodeSpec { | |||
| } | |||
|
|
|||
| // TODO(bentheelder): remove network in favor of []cri.PortMapping when that is in | |||
| func (d *nodeSpec) Create(clusterLabel string) (node *nodes.Node, err error) { | |||
| func (d *nodeSpec) Create(networkName, clusterLabel string) (node *nodes.Node, err error) { | |||
There was a problem hiding this comment.
why isn't this in the nodeSpec?
| @@ -102,4 +102,7 @@ type Networking struct { | |||
| // If DisableDefaultCNI is true, kind will not install the default CNI setup. | |||
| // Instead the user should install their own CNI after creating the cluster. | |||
| DisableDefaultCNI bool | |||
| // BridgeName is the bridge network name. | |||
| // Defaults to same as cluster name. | |||
| BridgeName string | |||
There was a problem hiding this comment.
(this config field name is not suitable, we need to separate docker specific functionality and make that clear)
they absolutely can, but the unit tests should be unit tests, not invoking docker commands (!) this is why we need #528
@tao12345666333 unfortunately I need to prioritize some other fixes etc related to testing Kubernetes (EG the HA fixes), and we have many open PRs.. This is pretty far into P3 https://kind.sigs.k8s.io/docs/contributing/project-scope/ I'm still not convinced that the DNS approach is a good one to solve this problem and may introduce more problems, and the field name needs thought / is not in line with the proposal. Left some more specific review feedback. |
|
@tao12345666333: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
let's revisit a more complete design in the 0.7ish timeframe with the provider API in mind and more attention to dns config handling across platforms etc. |
do we want to use docker embedded dns for the nodes and use the autodiscovery or are we fine without that functionality? |
|
In my opinion, if we don't use docker embedded dns and only use the new bridge network, then we may be able to reduce a lot of trouble.😄 |
…ubernetes-sigs#484) * Update - create cluster - instllation dock EN/ES * Update - create cluster - quick start guide dock EN/ES * Fix - IP on doc * Fix - IP on doc * Fix - IP on doc
ref: #408 (comment) and #408 (comment)
we can using bridge network for nodes. after this we can using hostname instead of IPs.
It will push #408 forward.
things need todo:
- [ ] using hostname instead of IPs (config files.)load-balancer config
delete network while deleting cluster.