Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ISO: Add 50-dnssec.conf to fix DNSSEC issue #18830

Merged
merged 1 commit into from
May 8, 2024
Merged

ISO: Add 50-dnssec.conf to fix DNSSEC issue #18830

merged 1 commit into from
May 8, 2024

Conversation

spowelljr
Copy link
Member

@spowelljr spowelljr commented May 7, 2024
edited

Fixes #18705

Implements #18705 (comment)

Some machines configurations no longer have DNSSEC=no set as the system default after the Buildroot update.

This results in errors when trying to pull imagse from insecure locations.

Adding 50-dnssec.conf that has DNSSEC=no to override system default.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 7, 2024
@spowelljr
Copy link
Member Author

ok-to-build-iso

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 7, 2024
@spowelljr spowelljr mentioned this pull request May 7, 2024
Closed
nirs
nirs reviewed May 7, 2024
View reviewed changes
Copy link
Contributor

@nirs nirs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but there is no info on why this configuration is there, and the commit message is has no info. One can go and find the PR and then find the issue, but it will much easier if the actual file had a link the the issue, or at least the commit message was linked to the issue.

@nirs
Copy link
Contributor

nirs commented May 7, 2024

Another issue - this setting is good for local user modifications - using 99-.conf so other configuration will not accidentally override this config. But changes delivered by minikube should use a lower number (e.g. 50-.conf) so someone can override the minikube setting locally (e.g using ~/.minikube/files/).

@nirs nirs mentioned this pull request May 7, 2024
Merged
@minikube-bot
Copy link
Collaborator

Hi @spowelljr, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further.

@nirs
Copy link
Contributor

nirs commented May 8, 2024

ISO for testing:
https://storage.googleapis.com/minikube-builds/iso/18830/minikube-v1.33.0-1715106791-18830-amd64.iso

@nirs
Copy link
Contributor

nirs commented May 8, 2024

Tested staring new cluster with the iso:

$ minikube start --driver kvm2 --iso-url https://storage.googleapis.com/minikube-builds/iso/18830/minikube-v1.33.0-1715106791-18830-amd64.iso
😄  minikube v1.33.0 on Fedora 39
    ▪ MINIKUBE_HOME=/data/tmp
✨  Using the kvm2 driver based on user configuration
💿  Downloading VM boot image ...
    > minikube-v1.33.0-1715106791...:  314.17 MiB / 314.17 MiB  100.00% 19.39 M
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🔥  Creating kvm2 VM (CPUs=2, Memory=6000MB, Disk=20000MB) ...
🐳  Preparing Kubernetes v1.30.0 on Docker 26.0.2 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔗  Configuring bridge CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: default-storageclass, storage-provisioner
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

$ minikube ssh 'cat /etc/systemd/resolved.conf.d/99-dnssec.conf'
[Resolve]
DNSSEC=no

@llegolas
Copy link

llegolas commented May 8, 2024

can confirm. This fixes #18705

@spowelljr spowelljr changed the title ISO: Add 99-dnssec.conf to fix DNSSEC issue ISO: Add 50-dnssec.conf to fix DNSSEC issue May 8, 2024
@spowelljr
ISO: Add 50-dnssec.conf to fix DNSSEC issue
a56af7e 
Some machines configurations no longer have DNSSEC=no set as the system default after the Buildroot update.

This results in errors when trying to pull imagse from insecure locations.

Adding 50-dnssec.conf that has DNSSEC=no to override system default.
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: medyagh, spowelljr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@spowelljr spowelljr merged commit d6e0d89 into kubernetes:master May 8, 2024
6 of 7 checks passed
@spowelljr spowelljr deleted the addDnssecConf branch May 8, 2024 20:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nirs nirs nirs left review comments

@medyagh medyagh medyagh approved these changes

@afbjorklund afbjorklund Awaiting requested review from afbjorklund

@ComradeProgrammer ComradeProgrammer Awaiting requested review from ComradeProgrammer

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fedora VM Drivers on minikube 1.33 cannot pull images (resolved.conf)
6 participants
@spowelljr @nirs @minikube-bot @llegolas @k8s-ci-robot @medyagh