New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dnsproxy: bind dns proxy to localhost only #25309
dnsproxy: bind dns proxy to localhost only #25309
Conversation
aba89a7
to
f0a8213
Compare
/test |
f0a8213
to
839791d
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
839791d
to
f48014f
Compare
/test Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2166/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2175/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
f48014f
to
efac03a
Compare
(after rebasing to /test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice one, thanks! 🚀
I've just left a comment inline regarding the servers shutdown.
Currently the dns proxy is bound to all interfaces. With this commit, the dns proxy only gets bound to the localhost interfaces. Therefore, up to 4 DNS servers are created (udpv4, tcpv4, udpv6, tcpv6 - depending on the configuration) which all are using the same DNS handler. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit introduces proper error propagation when errors occur during sessionFactory.SetSocketOptions. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, switching the localOnly property of a proxy rule doesn't get reflected in the iptables rules. The checks for adding iptable rules don't include the IP of a rule. Therefore, when upgrading, the old rule remains in the table. The same applies for the check whether an outdated rule should be deleted from the table. This commit fixes this, and adds support for changing the localOnly property of a proxy rule. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit introduces the ipfamily type with its current implementations v4 & v6. This way duplication can be avoided. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, dns server goroutine would exit with log.fatal in case of returning without an error from ActivateAndServe (in case of a properly initiated shutdown). This commit changes this behaviour to only fail fatally in case of a returned error. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
efac03a
to
9215f5e
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, thanks! 💯
In a previous change [1], the bind address for the proxy changed from 0.0.0.0 to localhost. This broke restoring the old proxy port and caused Cilium to always allocate a new proxy port. Fix it by changing the regex string to include the new bind address as well as the previously used "0.0.0.0" and "::", for backwards-compatibility reasons on upgrade. Found by code inspection. [1]: cilium#25309 Fixes: 5304088 ("dnsproxy: bind dns proxy to localhost only") Fixes: cilium#25309 Signed-off-by: Chris Tarazi <chris@isovalent.com>
In a previous change [1], the bind address for the proxy changed from 0.0.0.0 to localhost. This broke restoring the old proxy port and caused Cilium to always allocate a new proxy port. Fix it by changing the regex string to include the new bind address as well as the previously used "0.0.0.0" and "::", for backwards-compatibility reasons on upgrade. Found by code inspection. [1]: #25309 Fixes: 5304088 ("dnsproxy: bind dns proxy to localhost only") Fixes: #25309 Signed-off-by: Chris Tarazi <chris@isovalent.com>
[ upstream commit 1f8e015 ] In a previous change [1], the bind address for the proxy changed from 0.0.0.0 to localhost. This broke restoring the old proxy port and caused Cilium to always allocate a new proxy port. Fix it by changing the regex string to include the new bind address as well as the previously used "0.0.0.0" and "::", for backwards-compatibility reasons on upgrade. Found by code inspection. [1]: #25309 Fixes: 5304088 ("dnsproxy: bind dns proxy to localhost only") Fixes: #25309 Signed-off-by: Chris Tarazi <chris@isovalent.com>
[ upstream commit 1f8e015 ] In a previous change [1], the bind address for the proxy changed from 0.0.0.0 to localhost. This broke restoring the old proxy port and caused Cilium to always allocate a new proxy port. Fix it by changing the regex string to include the new bind address as well as the previously used "0.0.0.0" and "::", for backwards-compatibility reasons on upgrade. Found by code inspection. [1]: #25309 Fixes: 5304088 ("dnsproxy: bind dns proxy to localhost only") Fixes: #25309 Signed-off-by: Chris Tarazi <chris@isovalent.com>
PR cilium#25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by cilium#27979. This commit fixes the data race by using dedicated instances of the sessionUDPFactory. Fixes: cilium#28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
PR #25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by #27979. This commit fixes the data race by using dedicated instances of the sessionUDPFactory. Fixes: #28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
PR cilium#25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by cilium#27979. This commit fixes the issue for the TCP servers too. It not set explicitly, these are initialized with the default udp session factory to prevent nil pointer exceptions. Therefore, an explicit noop udp session factory is set. Fixes: cilium#28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
PR #25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by #27979. This commit fixes the issue for the TCP servers too. It not set explicitly, these are initialized with the default udp session factory to prevent nil pointer exceptions. Therefore, an explicit noop udp session factory is set. Fixes: #28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
[ upstream commit fb6bd90 ] PR #25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by #27979. This commit fixes the data race by using dedicated instances of the sessionUDPFactory. Fixes: #28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit f73e1c5 ] [ backporter's notes: switched cilium/dns import to miekg/dns, as v1.14 was relying on a replace directive instead of pointing to the fork. ] PR #25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by #27979. This commit fixes the issue for the TCP servers too. It not set explicitly, these are initialized with the default udp session factory to prevent nil pointer exceptions. Therefore, an explicit noop udp session factory is set. Fixes: #28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit fb6bd90 ] PR #25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by #27979. This commit fixes the data race by using dedicated instances of the sessionUDPFactory. Fixes: #28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit f73e1c5 ] [ backporter's notes: switched cilium/dns import to miekg/dns, as v1.14 was relying on a replace directive instead of pointing to the fork. ] PR #25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by #27979. This commit fixes the issue for the TCP servers too. It not set explicitly, these are initialized with the default udp session factory to prevent nil pointer exceptions. Therefore, an explicit noop udp session factory is set. Fixes: #28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit fb6bd90 ] PR cilium#25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by cilium#27979. This commit fixes the data race by using dedicated instances of the sessionUDPFactory. Fixes: cilium#28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit f73e1c5 ] [ backporter's notes: switched cilium/dns import to miekg/dns, as v1.14 was relying on a replace directive instead of pointing to the fork. ] PR cilium#25309 introduced a data race by sharing the sessionUDPFactory between the DNS server instances for the different IP families (IPv4 & IPv6). This has been detected by cilium#27979. This commit fixes the issue for the TCP servers too. It not set explicitly, these are initialized with the default udp session factory to prevent nil pointer exceptions. Therefore, an explicit noop udp session factory is set. Fixes: cilium#28156 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Currently the dns proxy binds to all interfaces.
With this commit, the dns proxy only gets bound to the localhost interfaces. Therefore, up to 4 DNS servers are created (udpv4, tcpv4, udpv6, tcpv6 - depending on the configuration) which all are using the same DNS handler.
Fixes parts of #23353