Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cni: fix regression in falling back to DNS owned by dockerd #20189

Merged
merged 1 commit into from
Mar 22, 2024
Merged

cni: fix regression in falling back to DNS owned by dockerd #20189

merged 1 commit into from
Mar 22, 2024

Conversation

tgross
Copy link
Member

@tgross tgross commented Mar 22, 2024
edited
Loading

In #20007 we fixed a bug where the DNS configuration set by CNI plugins was not threaded through to the task configuration. This resulted in a regression where a DNS override set by dockerd was not respected for bridge mode networking. Our existing handling of CNI DNS incorrectly assumed that the DNS field would be empty, when in fact it contains a single empty DNS struct.

Handle this case correctly by checking whether the DNS struct we get back from CNI has any nameservers, and ignore it if it doesn't. Expand test coverage of this case.

Fixes: #20174

In addition to the unit tests here, I verified this works with the Docker DNS override. Using the default values for dockerd and this patch, I get the following in a Nomad job using mode="bridge" networking:

$ docker exec -it 8b38 cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.1.1
search mynetworksettings.com

# Based on host file: '/run/systemd/resolve/resolv.conf' (legacy)
# Overrides: []

And after setting an override of --dns=8.8.8.8 in my docker.service unit, I get the following for the same job:

$ docker exec -it ec42 cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 8.8.8.8
search mynetworksettings.com

# Based on host file: '/run/systemd/resolve/resolv.conf' (legacy)
# Overrides: [nameservers]

@tgross
cni: fix regression in falling back to DNS owned by dockerd
7b02f71 
In #20007 we fixed a bug where the DNS configuration set by CNI plugins was not
threaded through to the task configuration. This resulted in a regression where
a DNS override set by `dockerd` was not respected for `bridge` mode
networking. Our existing handling of CNI DNS incorrectly assumed that the DNS
field would be empty, when in fact it contains a single empty DNS struct.

Handle this case correctly by checking whether the DNS struct we get back from
CNI has any nameservers, and ignore it if it doesn't. Expand test coverage of
this case.

Fixes: #20174
@tgross tgross added type/bug theme/cni backport/1.5.x backport to 1.5.x release line backport/1.6.x backport to 1.6.x release line backport/1.7.x backport to 1.7.x release line labels Mar 22, 2024
@tgross tgross added this to the 1.7.x milestone Mar 22, 2024
@tgross tgross marked this pull request as ready for review March 22, 2024 14:22
@tgross tgross mentioned this pull request Mar 22, 2024
Closed
@tgross tgross requested review from lgfa29 and shoenig March 22, 2024 14:26
lgfa29
lgfa29 approved these changes Mar 22, 2024
View reviewed changes
Copy link
Contributor

@lgfa29 lgfa29 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Validated that it fixes the problem described in #20174 👍

client/allocrunner/networking_cni.go
// Use the first DNS results.
// Use the first DNS results, if non-empty
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe not the best place for this, but it may be useful to have a place listing the multitude of possibilities for DNS config sources 😅

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah agreed... we're missing a DNS section of our Networking docs. That'd be a good place to describe how all that works. Once I've made some more progress on tproxy DNS I'll see about whipping that up.

@tgross tgross merged commit 1516291 into main Mar 22, 2024
29 checks passed
@tgross tgross deleted the b-cni-dns-regression branch March 22, 2024 14:54
This was referenced Mar 22, 2024
Merged
Merged
Merged
tgross added a commit that referenced this pull request Mar 22, 2024
@tgross
cni: fix regression in falling back to DNS owned by dockerd (#20189)
c96dcae 
In #20007 we fixed a bug where the DNS configuration set by CNI plugins was not
threaded through to the task configuration. This resulted in a regression where
a DNS override set by `dockerd` was not respected for `bridge` mode
networking. Our existing handling of CNI DNS incorrectly assumed that the DNS
field would be empty, when in fact it contains a single empty DNS struct.

Handle this case correctly by checking whether the DNS struct we get back from
CNI has any nameservers, and ignore it if it doesn't. Expand test coverage of
this case.

Fixes: #20174
tgross added a commit that referenced this pull request Mar 22, 2024
@tgross
cni: fix regression in falling back to DNS owned by dockerd (#20189)
2128529 
In #20007 we fixed a bug where the DNS configuration set by CNI plugins was not
threaded through to the task configuration. This resulted in a regression where
a DNS override set by `dockerd` was not respected for `bridge` mode
networking. Our existing handling of CNI DNS incorrectly assumed that the DNS
field would be empty, when in fact it contains a single empty DNS struct.

Handle this case correctly by checking whether the DNS struct we get back from
CNI has any nameservers, and ignore it if it doesn't. Expand test coverage of
this case.

Fixes: #20174
philrenaud pushed a commit that referenced this pull request Apr 18, 2024
@tgross @philrenaud
cni: fix regression in falling back to DNS owned by dockerd (#20189)
11ff282 
In #20007 we fixed a bug where the DNS configuration set by CNI plugins was not
threaded through to the task configuration. This resulted in a regression where
a DNS override set by `dockerd` was not respected for `bridge` mode
networking. Our existing handling of CNI DNS incorrectly assumed that the DNS
field would be empty, when in fact it contains a single empty DNS struct.

Handle this case correctly by checking whether the DNS struct we get back from
CNI has any nameservers, and ignore it if it doesn't. Expand test coverage of
this case.

Fixes: #20174
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lgfa29 lgfa29 lgfa29 approved these changes

@shoenig shoenig Awaiting requested review from shoenig

Assignees
No one assigned
Labels
backport/1.5.x backport to 1.5.x release line backport/1.6.x backport to 1.6.x release line backport/1.7.x backport to 1.7.x release line theme/cni type/bug
Projects
None yet
Milestone
1.7.x
Development

Successfully merging this pull request may close these issues.

Nomad 1.7.6 does not pick up Docker DNS settings
2 participants
@tgross @lgfa29