update docker's resolv.conf file with options ndots:5

[ArtfulCoder]

Proof-of-concept PR for #10161 issue.
superseded #10241 PR

• manually verified that it works
• PR needs to be fixed up since ndots entry is done twice in the /etc/resolv.conf file(innocuous) amongst other things
• the earlier PR was more complex where we would unmount docker's resolv.conf file and mount our own
• in this PR, we simply modify the /etc/resolv.conf file that docker is mounting.

[ArtfulCoder]

@thockin @dchen1107 @smarterclayton

[k8s-bot]

GCE e2e build/test passed for commit 9d00fb0aad750800e15c7b89335286b364787fc6.

• Build Log
• Test Artifacts
• Internal Jenkins Results

[ArtfulCoder]

In this PR, we simply add the "options ndots:3" to the docker generated resolv.conf file.
Far simpler that the #10241 PR which requires mount/umount

[k8s-bot]

GCE e2e build/test passed for commit e7bfa71be37ad070ff19629c5e0da3dc7d76db33.

• Build Log
• Test Artifacts
• Internal Jenkins Results

[smarterclayton]

The challenge is now that user code can race against the resolver - if someone has a very fast script that makes a curl call, we probably won't beat them. This makes it possible to use ndots, so it's an improvement, but I worry that it will be unreliable for users.

[ArtfulCoder]

In reality, all containers of the pod share the same dns resolv file, because docker sees that the other containers have marked the pause container as the container to use for networking namespace.

The pause container gets created first and we update the resolv file for the pause container.
Other containers of the pod get created later with the updated resolv file.

So we should not have this problem.

For the pause container too, (whose only purpose is to hold the networking namespace), the resolv.conf file gets updated in the same second that it got created, per kubelet log timestamps..

So pause serves has two important functions:

1. hold the networking namespace
2. share the same dns resolv file

My guess is that the code we had to create resolv.conf per container of the pod was probably never working since docker always uses the pause container's resolv.conf file for other containers of the same pod.

This is similar to how docker uses the host's resolv.conf file when dns options is not specified

[smarterclayton]

Is there no case today where we recreate the infra pod without tearing down the old containers?

[ArtfulCoder]

If the infra pod is teared down, the networking namespace goes with it and old containers of the same pod have to be recreated.

You can verify this by manually killing a pause container and see that containers of that pod restart.

[k8s-bot]

GCE e2e build/test passed for commit 4003cd350411d7ec02254cbf53eebe3c43231189.

• Build Log
• Test Artifacts
• Internal Jenkins Results

[k8s-bot]

GCE e2e build/test passed for commit 8d0d71279e66e1e9b2378d520e0c1473187da311.

• Build Log
• Test Artifacts
• Internal Jenkins Results

[smarterclayton]

Remove this

[ArtfulCoder]

note to self: tests, address comments, add a lock to not update the same file twice.

[smarterclayton]

Will this fail if the file doesn't exist (due to another issue, like docker getting stopped and tearing down the container) and if so will it be a clean error?

[smarterclayton]

What would prevent us from updating the file? Kubelet killed during restart? I would expect only one execution path here.

On Jun 24, 2015, at 11:49 AM, Abhi Shah notifications@github.com wrote:

note to self: tests, address comments, add a lock to not update the same file twice.

—
Reply to this email directly or view it on GitHub.

[thockin]

I haven't done review yet, but pathologically, we need to set ndots to 5 if
we want _dns._udp.kube-dns.default.svc to resolve.

On Wed, Jun 24, 2015 at 8:53 AM, Clayton Coleman notifications@github.com
wrote:

What would prevent us from updating the file? Kubelet killed during
restart? I would expect only one execution path here.

On Jun 24, 2015, at 11:49 AM, Abhi Shah notifications@github.com
wrote:

note to self: tests, address comments, add a lock to not update the same
file twice.

—
Reply to this email directly or view it on GitHub.

—
Reply to this email directly or view it on GitHub
#10266 (comment)
.

[k8s-bot]

GCE e2e build/test passed for commit 7e53e5ccbb7dbf6616a5b26749a07ff82eeb8c2b.

• Build Log
• Test Artifacts
• Internal Jenkins Results

[ArtfulCoder]

@thockin @smarterclayton Thanks for the PR comments. I think I have addressed them all.
The e2e test is updated and should be green in the next run. (It is green on my test cluster)
I did a small refactor as well in the e2e test just because I was in there..

[thockin]

LGTM. We can reduce the test case back to one when we do a new dnsutils container.

[thockin]

@smarterclayton if you're not around, I'll get @dchen1107 to provide 2nd LGTM

[ArtfulCoder]

@thockin I already created a new dnsutils container. It is part of the PR. Its called jessie-dnsutils..

I didn't quite follow your new-container-comment..

[ArtfulCoder]

@k8s-bot test this please

[thockin]

I want to build a new dnsutils container that is not based on debian at
all. when I do that this test is not that useful any more.

On Wed, Jun 24, 2015 at 10:11 PM, Abhi Shah notifications@github.com
wrote:

@k8s-bot https://github.com/k8s-bot test this please

—
Reply to this email directly or view it on GitHub
#10266 (comment)
.

[dchen1107]

ok to test

[ArtfulCoder]

@thockin ok, thanks

[dchen1107]

LGTM

[ArtfulCoder]

@k8s-bot test this please
ok to test

[ArtfulCoder]

http://kubekins.dls.corp.google.com/view/Critical%20Builds/job/kubernetes-e2e-gce/7202/

Jenkins GCE e2e passed.

[ghaskins]

This change appears to have broken kubernetes in my environment w.r.t. accessing external DNS for reasons I do not fully understand yet. Is there a way to make this optional?

[thockin]

@ghaskins only if you don't want kubernetes DNS to work. You can probably reduce it from 5 to 3, but that may change again in the future...

[karteek]

This change seems to make external DNS lookups very slow.
Any external DNS request with less than 5 dots, seem to make n requests (number of search domains) before resolving correctly.

root@mypod-controller-203fa# nslookup -debug
> google.com
Server:     10.3.0.10
Address:    10.3.0.10#53

------------
    QUESTIONS:
    google.com.my-namespace.svc.cluster.local, type = A, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  cluster.local
    origin = ns.dns.cluster.local
    mail addr = hostmaster.cluster.local
    serial = 1470690000
    refresh = 28800
    retry = 7200
    expire = 604800
    minimum = 60
    ttl = 60
    ADDITIONAL RECORDS:
------------
** server can't find google.com.my-namespace.svc.cluster.local: NXDOMAIN
Server:     10.3.0.10
Address:    10.3.0.10#53

------------
    QUESTIONS:
    google.com.svc.cluster.local, type = A, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  cluster.local
    origin = ns.dns.cluster.local
    mail addr = hostmaster.cluster.local
    serial = 1470690000
    refresh = 28800
    retry = 7200
    expire = 604800
    minimum = 60
    ttl = 60
    ADDITIONAL RECORDS:
------------
** server can't find google.com.svc.cluster.local: NXDOMAIN
Server:     10.3.0.10
Address:    10.3.0.10#53

------------
    QUESTIONS:
    google.com.cluster.local, type = A, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  cluster.local
    origin = ns.dns.cluster.local
    mail addr = hostmaster.cluster.local
    serial = 1470690000
    refresh = 28800
    retry = 7200
    expire = 604800
    minimum = 60
    ttl = 60
    ADDITIONAL RECORDS:
------------
** server can't find google.com.cluster.local: NXDOMAIN
Server:     10.3.0.10
Address:    10.3.0.10#53

------------
    QUESTIONS:
    google.com.us-west-2.compute.internal, type = A, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
** server can't find google.com.us-west-2.compute.internal: NXDOMAIN
Server:     10.3.0.10
Address:    10.3.0.10#53

------------
    QUESTIONS:
    google.com, type = A, class = IN
    ANSWERS:
    ->  google.com
    internet address = 172.217.3.174
    ttl = 173
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name:   google.com
Address: 172.217.3.174

Is there any way, I can use kubernetes DNS without slowing down external DNS resolution?

[thockin]

Can you characterize "slow" I see low milliseconds for DNS lookups, even
with ndots 5

On Mon, Aug 8, 2016 at 2:50 PM, Karteek E notifications@github.com wrote:

This change seems to make external DNS lookups very slow.
Any external DNS request with less than 5 dots, seem to make n requests
(number of search domains) before resolving correctly.

root@mypod-controller-203fa# nslookup -debug

google.com
Server: 10.3.0.10
Address: 10.3.0.10#53

---

QUESTIONS:
google.com.my-namespace.svc.cluster.local, type = A, class = IN
ANSWERS:
AUTHORITY RECORDS:
->  cluster.local
origin = ns.dns.cluster.local
mail addr = hostmaster.cluster.local
serial = 1470690000
refresh = 28800
retry = 7200
expire = 604800
minimum = 60
ttl = 60
ADDITIONAL RECORDS:

---

** server can't find google.com.my-namespace.svc.cluster.local: NXDOMAIN
Server: 10.3.0.10
Address: 10.3.0.10#53

---

QUESTIONS:
google.com.svc.cluster.local, type = A, class = IN
ANSWERS:
AUTHORITY RECORDS:
->  cluster.local
origin = ns.dns.cluster.local
mail addr = hostmaster.cluster.local
serial = 1470690000
refresh = 28800
retry = 7200
expire = 604800
minimum = 60
ttl = 60
ADDITIONAL RECORDS:

---

** server can't find google.com.svc.cluster.local: NXDOMAIN
Server: 10.3.0.10
Address: 10.3.0.10#53

---

QUESTIONS:
google.com.cluster.local, type = A, class = IN
ANSWERS:
AUTHORITY RECORDS:
->  cluster.local
origin = ns.dns.cluster.local
mail addr = hostmaster.cluster.local
serial = 1470690000
refresh = 28800
retry = 7200
expire = 604800
minimum = 60
ttl = 60
ADDITIONAL RECORDS:

---

** server can't find google.com.cluster.local: NXDOMAIN
Server: 10.3.0.10
Address: 10.3.0.10#53

---

QUESTIONS:
google.com.us-west-2.compute.internal, type = A, class = IN
ANSWERS:
AUTHORITY RECORDS:
ADDITIONAL RECORDS:

---

** server can't find google.com.us-west-2.compute.internal: NXDOMAIN
Server: 10.3.0.10
Address: 10.3.0.10#53

---

QUESTIONS:
google.com, type = A, class = IN
ANSWERS:
->  google.com
internet address = 172.217.3.174
ttl = 173
AUTHORITY RECORDS:
ADDITIONAL RECORDS:

---

Non-authoritative answer:
Name: google.com
Address: 172.217.3.174

Is there any way, I can use kubernetes DNS without slowing down external
DNS resolution?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#10266 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AFVgVB3m74f7reXa7CoSYHtUEtab061Oks5qd6SagaJpZM4FKUZI
.

[karteek]

I don't have exact numbers to quantify the slowness.
But, on high scale, each request to an external REST api gets 20-100 milliseconds slower which adds up.

This is primarily due to two reasons IMO

1. One is due to ndots 5,
2. KubeDNS doesn't seem to be caching DNS results (https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-dns/app/server.go#L140)

[thockin]

kube-dns has a dnsmasq in front of it doign caching, supposedly.

On Mon, Aug 8, 2016 at 4:49 PM, Karteek E notifications@github.com wrote:

I don't have exact numbers to quantify the slowness.
But, on high scale, each request to an external REST api gets 20-100
milliseconds slower which adds up.

This is primarily due to two reasons IMO

1. One is due to ndots 5,
2. KubeDNS doesn't seem to be caching DNS results (https://github.com/
   kubernetes/kubernetes/blob/master/cmd/kube-dns/app/server.go#L140)

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#10266 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AFVgVEfF1HutbztUa2DsYpo51uDXHeApks5qd8CdgaJpZM4FKUZI
.

[girishkalele]

@karteek

There is dnsmasq caching in 1.3 - could you run a describe on your kube-dns RC ?

There are two questions in my mind that I need to verify -

• latency of a negative response from kube-dns should be extremely low
• does dnsmasq cache negative responses from kube-dns to speed up the progression through the N searches

[karteek]

@girishkalele

I understand that there is dnsmasq caching. Probably thats why I didn't see much difference in dnsperf results even after enabling caching on kube-dns.

This is my kube-dns RC

➜  ~ kubectl --namespace=kube-system describe rc kube-dns-v19
Name:       kube-dns-v19
Namespace:  kube-system
Image(s):   gcr.io/google_containers/kubedns-amd64:1.6,gcr.io/google_containers/kube-dnsmasq-amd64:1.3,gcr.io/google_containers/exechealthz-amd64:1.1
Selector:   k8s-app=kube-dns,version=v19
Labels:     k8s-app=kube-dns
        kubernetes.io/cluster-service=true
        version=v19
Replicas:   12 current / 12 desired
Pods Status:    12 Running / 0 Waiting / 0 Succeeded / 0 Failed
No volumes.
No events.

Edit: Removed irrelevant information.