Automatic hostname resolving #16

Open
mmachatschek opened this issue Jun 30, 2022 · 9 comments
Comments

@mmachatschek

mmachatschek commented Jun 30, 2022

Is it somehow possible to get automatic resolving of Render's internal hostnames to their internal IP addresses?

It would be great to configure a secondary DNS or something.

Maybe someone who already has a workaround for this could share how to configure it (probably something in the Tailscale UI too).

@anurag maybe you can help.

@anurag
Collaborator

anurag commented Jul 13, 2022

We'll need to look into this. cc @crcastle for state.

@crcastle
Contributor

Hey @mmachatschek - Interesting idea. I have some questions to better understand what you want.

  • You are looking to resolve a Render service's 10.0.0.0 IP address, not a Tailscale 100.64.0.0/10 address, right?
  • Do you want to resolve that IP address from a DNS client inside your Render private network or a client in your Tailnet outside of Render or both?
  • Do you have a more specific use case or cases you can share?

Thanks!

@mmachatschek
Author

@crcastle thanks for reaching out

You are looking to resolve a Render service's 10.0.0.0 IP address, not a Tailscale 100.64.0.0/10 address, right?

Correct. I want my machine (which is connected to my Tailscale network, which has a subnet router to Render) to automatically resolve the Render service hostname visible in the UI to the Render service IP address 10.x.x.x.

Do you want to resolve that IP address from a DNS client inside your Render private network or a client in your Tailnet outside of Render or both?

To get the 10.x.x.x IP address of the Render service (even private services or background workers), I would need a DNS server inside my Render private network.

Do you have a more specific use case or cases you can share?

  • We have multiple team members, not all of whom have access to the Render UI, but we want them to be able to connect e.g. to testing services (without opening the services to the whole internet, 0.0.0.0/0) where they can test things. Managing IP addresses in a shared file that needs to be maintained every time a service is recreated via a blueprint is tedious and error-prone. Instead, just working with hostnames is very easy (they can be fetched e.g. via the Render API by getting the slugs of all services).
  • IP addresses can easily be mixed up between staging and production services (if you copy the wrong IP from a shared file), which can lead to unwanted side effects. When you type staging-someservice-suffix you can immediately see you are connecting to a staging service, whereas if you type e.g. psql -h 10.x.x.x -d database_name ... you would need to verify that that IP address is the correct service you want to connect to.
  • Having to go to the web shell to get the correct IP address, instead of copying the hostname from the Render UI and just connecting to the service, is annoying.
  • Some managed services like Redis or Postgres don't even support the web shell, so you would need to copy the internal address, go to another service that has a shell, and get the IP address via dig of the Redis/Postgres database.

@anurag
Collaborator

anurag commented Jul 25, 2022

Hi @mmachatschek, this makes sense and we'll figure out how to make this possible in Tailscale. Until then, would SSH tunneling be an option? Here's an example: https://render.com/blog/ssh-vscode-remote-debugging. You can get the SSH URL for any service (not just web services) from the dashboard.

@CharlieMc0

Agreed. DNS support would be super helpful. For us the goal is simply giving the developers a similar experience but over the VPN instead of the public internet. This would allow us to protect certain admin pages and DB connections behind the VPN. Currently they tend to publicly expose services that should be kept private, or have to whitelist their own IPs.

@CharlieMc0

CharlieMc0 commented Oct 5, 2023

I spoke too soon. It looks like this is working now, but it took a little digging. I was able to look up the IP of the DNS server in the private network and add it as a DNS server in Tailscale. Then I had to find the FQDN and add the domain as a Search Domain in Tailscale.

@Sytten

Sytten commented Dec 15, 2023

Alright, I spent way too many hours on this setup, so I figured it would be nice to share.
We use two teams, one for production and one for staging, because projects in Render don't have network isolation or access control for different team members (but let me stop my rant here; they know I am pissed at their team pricing).

Render network

  • Each service gets a 10.204.X.0/24 subnet and each instance of that service gets a /32 IP in that subnet
  • Each service gets an address like srv-<SERVICE ID>.own-<TEAM ID>.svc.cluster.local
  • Each database gets a 10.205.Y.0/24 subnet and each instance (read replica) of that database gets a /32 IP in that subnet
  • Each database gets an address like dpg-<DATABASE ID>.own-<TEAM ID>.svc.cluster.local
  • The DNS server is always at IP 10.205.0.10 and it can resolve DNS names of ALL Render services, even if they are in a different team
  • To get an address you can shell into a service and do getent hosts <SERVICE SHORT NAME>

Tailscale setup

  • We deploy one router per team (see files below)
  • We advertise /24 subnets; we were lucky since we had no overlap between production and staging, but that is not guaranteed. If that happens you have to re-create your service.
  • Make sure one router advertises the 10.205.0.0/24 subnet, it doesn't matter which
  • In DNS, we added a split DNS nameserver for svc.cluster.local with the IP 10.205.0.10
  • Disabled key expiration for the routers

Files

  • render.yaml
services:
  - type: worker
    plan: Starter
    region: oregon
    name: tailscale-router
    env: docker
    dockerfilePath: ./applications/tailscale/Dockerfile
    dockerContext: ./applications/tailscale
    numInstances: 1
    autoDeploy: false
    envVars:
      - key: ADVERTISE_ROUTES
        value: '10.205.195.0/24,10.205.98.0/24,10.204.123.0/24,10.204.69.0/24'
      - key: TAILSCALE_AUTHKEY
        sync: false
    disk:
      name: tailscale-state
      mountPath: /var/lib/tailscale
      sizeGB: 1
  • entrypoint.sh
#!/bin/sh

# Run the Tailscale daemon in userspace-networking mode (for containers without a
# TUN device) and expose a local SOCKS5 proxy for outbound Tailnet traffic.
tailscaled --tun=userspace-networking --socks5-server=localhost:1055 &
PID=$!

# Subnets to advertise to the Tailnet; defaults to all of 10.0.0.0/8 if unset.
ADVERTISE_ROUTES=${ADVERTISE_ROUTES:-10.0.0.0/8}
# Retry until tailscaled is ready to accept the login.
until tailscale up --authkey="${TAILSCALE_AUTHKEY}" --hostname="${RENDER_SERVICE_NAME}" --advertise-routes="$ADVERTISE_ROUTES"; do
  sleep 0.1
done
export ALL_PROXY=socks5://localhost:1055/
tailscale_ip=$(tailscale ip)
echo "Tailscale is up at IP ${tailscale_ip}"

# Keep the container alive for as long as tailscaled runs.
wait ${PID}
  • Dockerfile
FROM tailscale/tailscale:v1.50.1

COPY "entrypoint.sh" .

ENTRYPOINT ["sh"]
CMD ["entrypoint.sh"]
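As an added example (not code from this issue, nor from Render or Tailscale), the POSIX shell script below takes `getent hosts` output captured inside each team's network, derives the comma-separated /24 ADVERTISE_ROUTES value that the render.yaml above expects, and checks that the production and staging routers would not advertise overlapping subnets, the failure mode Sytten's post warns about. The hostnames and addresses are constructed samples that follow the naming pattern described in the post.

```shell
#!/bin/sh
# Added example, not from the issue thread. Assumes the layout described above:
# services in 10.204.X.0/24, databases in 10.205.Y.0/24, DNS at 10.205.0.10.
set -eu
export LC_ALL=C   # deterministic sort order

# 10.204.123.7 -> 10.204.123.0/24
ip_to_slash24() {
  printf '%s.0/24\n' "${1%.*}"
}

# Read `getent hosts` style lines ("<ip> <name>") on stdin, keep only Render's
# service/database ranges (Tailscale 100.64.0.0/10 peers are dropped), and
# print a sorted, deduplicated, comma-separated ADVERTISE_ROUTES value.
routes_from_hosts() {
  while read -r ip name; do
    case "$ip" in
      10.204.*|10.205.*) ip_to_slash24 "$ip" ;;
    esac
  done | sort -u | paste -sd, -
}

# Succeed only if two comma-separated route lists share no /24, so that exactly
# one router ends up advertising each subnet (including 10.205.0.0/24 for DNS).
routes_disjoint() {
  dup=$( { echo "$1" | tr ',' '\n'; echo "$2" | tr ',' '\n'; } | sort | uniq -d )
  [ -z "$dup" ]
}

# Constructed sample: what `getent hosts` might return inside each team.
PROD_HOSTS='10.204.123.5 srv-PRODWEB.own-PRODTEAM.svc.cluster.local
10.204.69.3 srv-PRODWORKER.own-PRODTEAM.svc.cluster.local
10.205.195.4 dpg-PRODDB.own-PRODTEAM.svc.cluster.local
10.205.0.10 dns-placeholder.svc.cluster.local'
STAGING_HOSTS='10.204.200.8 srv-STAGEWEB.own-STAGETEAM.svc.cluster.local
10.205.98.2 dpg-STAGEDB.own-STAGETEAM.svc.cluster.local
100.101.102.103 some-tailscale-peer'

prod=$(printf '%s\n' "$PROD_HOSTS" | routes_from_hosts)
stag=$(printf '%s\n' "$STAGING_HOSTS" | routes_from_hosts)
echo "production ADVERTISE_ROUTES=$prod"
echo "staging    ADVERTISE_ROUTES=$stag"
if routes_disjoint "$prod" "$stag"; then
  echo "OK: the two routers advertise disjoint subnets"
else
  echo "WARNING: overlapping /24s; re-create one service or drop the duplicate route" >&2
fi
```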

@anurag
Collaborator

anurag commented Dec 15, 2023

cc @iandouglas

@Sytten

Sytten commented Jan 2, 2024

@anurag I posted in the community forum: https://community.render.com/t/render-internals/17888
Maybe @iandouglas could engage there :)
I saw that the 10.204.X.0/24 subnets are not as fixed as I thought, so any precision on that would be nice; I had to change my Tailscale config a few times.
