Setup dns servers and search domains for Windows Pods #63905
Conversation
k8s-ci-robot
added
the
release-note
k8s-ci-robot
added
size/L
|
@feiskyer: GitHub didn't allow me to request PR reviews from the following users: PatrickLang, taylorb-microsoft. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
|
||
| // applySandboxPlatformOptions applies platform specific options to dockercontainer.HostConfig and dockercontainer.ContainerCreateConfig. | ||
| func (ds *dockerService) applySandboxPlatformOptions(hc *dockercontainer.HostConfig, config *runtimeapi.PodSandboxConfig, createConfig *dockertypes.ContainerCreateConfig, image string, separator rune) error { | ||
| dnsConfig := config.GetDnsConfig() |
There was a problem hiding this comment.
Where is this config initially set on Windows? Does it already have valid data, or does it need to be set up in another PR?
There was a problem hiding this comment.
@jstarks any thoughts here?
There was a problem hiding this comment.
It is from CRI, specifically from kuberuntime. There's already valid data, but just not set into docker container's config.
There was a problem hiding this comment.
@feiskyer - the code changes look fairly straightforward and isolated; however, this doesn't seem to be enough to resolve the issue (at least in server 2016). The container of the actual workload doesn't get the correct settings . If I understand correctly, the assumption is that if the dns configuration is set up in the HostConfig, then when the containers are started, they will get the correct settings.
Unfortunately, my testing on server 2016 shows that although the "sandbox container" ( in this case, the "apprenda/pause" container) does get the correct DNS settings, the container of the workload in the same pod, doesn't.
In my example app :
PS C:\Users\vagrant> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS
NAMES
b78da7582bfd 4dba31379dad "powershell.exe -c..." 36 minutes ago Up 36 minutes
k8s_test-container_dapi-envars-fieldref-win_default_30371bdd-5abf-11e8-aa21-080027ee1df7_0
f4f40e1025cc apprenda/pause "cmd /S /C 'powers..." 36 minutes ago Up 36 minutes
k8s_POD_dapi-envars-fieldref-win_default_30371bdd-5abf-11e8-aa21-080027ee1df7_0
That shows both containers sitting in the pod. When I exec into the "apprenda/pause" container, it gets the correct DNS settings and the names of services are resolved by kube-dns:
PS C:\> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dapi-envars-fieldref-win
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : default.svc.cluster.local
svc.cluster.local
cluster.local
Ethernet adapter vEthernet (Container NIC d470fc15):
Connection-specific DNS Suffix . : apprenda.local
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #6
Physical Address. . . . . . . . . : 00-15-5D-91-C1-FF
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b9f9:9e1f:fc8d:2534%33(Preferred)
IPv4 Address. . . . . . . . . . . : 172.24.24.33(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.24.16.1
DNS Servers . . . . . . . . . . . : 172.24.16.1
172.16.1.10
NetBIOS over Tcpip. . . . . . . . : Disabled
PS C:\> ping my-nginx
Pinging my-nginx.default.svc.cluster.local [172.16.1.46]
However, in the container of the actual workload, that's not the case:
PS C:\> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : b78da7582bfd
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter vEthernet (Container NIC 828752cc):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #8
Physical Address. . . . . . . . . : 00-15-5D-C8-85-92
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::59bc:3470:cd58:8fc4%40(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.53(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled
PS C:\> ping my-nginx
Ping request could not find host my-nginx. Please check the name and try again.
I was able to observe the same behavior if I "kubectl exec" into the pod, as it works only with the "workload container" (and not the infrastructure/sandbox/pause container), and the ipconfig settings do not have the correct DNS settings.
Does this behavior differ from what you have tested with ?
My windows kubelet was built from your PR. The rest of the cluster is a 1.10.0 cluster , with ovs/ovn CNI (I don't believe that to be relevant to this issue)
PS C:\k> .\kubelet --version
Kubernetes v1.11.0-alpha.2.541+228ba8e9090bf0-dirty
|
@akochnev I think it's a bug of old docker releases. As stated in PR description, it requires Docker version >= 17.10.0. |
|
/sig windows |
k8s-ci-robot
added
sig/windows
|
/assign @Random-Liu |
|
@Random-Liu Could you also take a look at the PR? |
|
I emailed some MS networking devs asking for a review. They've been looking at other DNS related issues in the Azure CNI plugin so they're the best to review this for Windows. |
feiskyer
added
kind/bug
|
/milestone v1.11 |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-kubemark-e2e-gce-big |
|
I am encountering the same issue that @akochnev was describing. It doesn't seem that this commit fixes the issue in that case. I've tested on Windows Server 2016 version 1709 and 1803, docker version 17.10 and 17.11 from https://download.docker.com/win/static/test/x86_64/ More details about this issue can be found here: ovn-org/ovn-kubernetes#336 (comment) @feiskyer Any ideas what the issue could be? The infra container gets everything set up properly, but the other containers that are sharing the network compartment do not have the DNS set. |
|
/test pull-kubernetes-local-e2e-containerized |
Yep, @PatrickLang is working on this. Hoping we could make it within v1.12. |
|
I agree w/ @Random-Liu about the need for testing. /approve |
k8s-ci-robot
added
the
approved
|
[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process @PatrickLang @Random-Liu @dchen1107 @derekwaynecarr @feiskyer @yujuhong Pull Request Labels
|
|
/test all |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, derekwaynecarr, feiskyer, PatrickLang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Automatic merge from submit-queue (batch tested with PRs 63905, 64855). If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
@madhanrm can you review these changes? |
|
I don't think this change does anything on Windows. On windows, the network endpoint configuration is taken care of completely by CNI. If you would like to pass on the custom dns polices from the pod spec, it should be dynamically going to the cni configuration that gets passed to CNI. From there, it would be passed down to platform and would be taken care of appropriately by HNS. etc\resolve.conf is very specific to linux and that should remain linux speicfic implementation. We should be trying to move away from platform specific code in Kubelet. |
|
@madhanrm, should we be reverting the changes with this PR then? |
Automatic merge from submit-queue (batch tested with PRs 66491, 66587, 66856, 66657, 66923). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Revert #63905: Setup dns servers and search domains for Windows Pods **What this PR does / why we need it**: From #63905 (comment): > I don't think this change does anything on Windows. On windows, the network endpoint configuration is taken care of completely by CNI. If you would like to pass on the custom dns polices from the pod spec, it should be dynamically going to the cni configuration that gets passed to CNI. From there, it would be passed down to platform and would be taken care of appropriately by HNS. > etc\resolve.conf is very specific to linux and that should remain linux speicfic implementation. We should be trying to move away from platform specific code in Kubelet. Docker is not managing the networking here for windows. So it doens't really care about any network settings. So passing it to docker shim's hostconfig also doens;t make sense here. DNS for Windows containers will be set by CNI plugins. And this change also introduced two endpoints for sandbox container. So this PR reverts #63905 . **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: The PR should also be cherry-picked to release-1.11. Also, #66588 is opened to track the process of pushing this to CNI. **Release note**: ```release-note Revert #63905: Setup dns servers and search domains for Windows Pods. DNS for Windows containers will be set by CNI plugins. ``` /sig windows /sig node /kind bug
What this PR does / why we need it:
Kubelet is depending on docker container's ResolvConfPath (e.g. /var/lib/docker/containers/439efe31d70fc17485fb6810730679404bb5a6d721b10035c3784157966c7e17/resolv.conf) to setup dns servers and search domains. While this is ok for Linux containers, ResolvConfPath is always an empty string for windows containers. So that the DNS setting for windows containers is always not set.
This PR setups DNS for Windows sandboxes. In this way, Windows Pods could also use kubernetes dns policies.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #61579
Special notes for your reviewer:
Requires Docker EE version >= 17.10.0.
Release note:
/cc @PatrickLang @taylorb-microsoft @michmike @JiangtianLi