New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use custom DNS server without adding it to system #36
Use custom DNS server without adding it to system #36
Conversation
Signed-off-by: Sunil Shetty <sunilsh@vmware.com>
Signed-off-by: Sunil Shetty <sunilsh@vmware.com> (cherry picked from commit 3aca59e)
Signed-off-by: Rashi Khandelwal <rashik@vmware.com>
Signed-off-by: Ian Zink <izink@pivotal.io>
Signed-off-by: Tasmiya Bano <tbano@tbano-a01.vmware.com> Co-authored-by: Tasmiya Bano <tbano@tbano-a01.vmware.com>
Currently, SIVT will fail if the DNS resolver it was configured with cannot resolve custom Avi FQDNs. This might not work for customers who want to use FQDNs that will only live on the DNS resolver that they provided to the UI. This commit fixes that by using `dns.resolver` and monkey-patching `urllib.connection.create_connection` to ensure that the resolver that the user provided is used during environment turn up. Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
This is also related to #34. |
Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
* Fix merge conflicts Signed-off-by: srinivasme21 <srinivasme@vmware.com> * Review and fix typos and formatting Signed-off-by: srinivasme21 <srinivasme@vmware.com> * Fix format Signed-off-by: srinivasme21 <srinivasme@vmware.com> * Update staging URLs to production Signed-off-by: srinivasme21 <srinivasme@vmware.com> * Fix release version in title Signed-off-by: srinivasme21 <srinivasme@vmware.com>
* Fixing Documentation issues Signed-off-by: Tasmiya Bano <tbano@tbano-a01.vmware.com> * Docmentation fix for AWS Signed-off-by: Tasmiya Bano <tbano@tbano-a01.vmware.com> Co-authored-by: Tasmiya Bano <tbano@tbano-a01.vmware.com>
Users get the message above when TMC token validation fails. This pull request fixes that. Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
562acf0
to
b5b931f
Compare
Signed-off-by: Sunil Shetty <sunilsh@vmware.com>
…check, wrapped-link check Signed-off-by: Sunil Shetty <sunilsh@vmware.com>
Signed-Off-By: Carlos Nunez <ncarlos@vmware.com>
The bootstrapping cluster forwards `/etc/resolv.conf` to CoreDNS, which prevents FQDNs with domains in the custom DNS servers from resolving. This fixes that. Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
@carlosonunez-vmw, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding
|
…server Signed-off-by: Carlos Nunez <ncarlos@vmware.com>
d70eadb
to
67b1edb
Compare
src/common/common_utilities.py
Outdated
@@ -7199,14 +7245,15 @@ def getAviIpFqdnDnsMapping(avi_controller_fqdn_ip_dict, dns_server): | |||
try: | |||
for dns in dns_server: | |||
for avi_fqdn, avi_ip in avi_controller_fqdn_ip_dict.items(): | |||
listOfCmd = ["dig", dns, avi_fqdn, "+short"] | |||
listOfCmd = ["dig", f"@{dns}", avi_fqdn, "+short"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since dnspython
is being used elsewhere, what are your thoughts on shoehorning in Resolver
here? Totally can see it as a being out of scope of this PR (this looks to be purely for 🐛 squashing), but it's so much more efficient than shelling out to run dig
and parsing the output.
I added dnspython for another PR that hasn't been merged yet. Once it is, I'll (or you'll!) cut another one to remove the dig dependencies!
…-- Carlos
On Jun 1, 2022, at 15:53, conzetti ***@***.***> wrote:
@conzetti commented on this pull request.
In src/common/common_utilities.py:
> @@ -7199,14 +7245,15 @@ def getAviIpFqdnDnsMapping(avi_controller_fqdn_ip_dict, dns_server):
try:
for dns in dns_server:
for avi_fqdn, avi_ip in avi_controller_fqdn_ip_dict.items():
- listOfCmd = ["dig", dns, avi_fqdn, "+short"]
+ listOfCmd = ["dig", f"@{dns}", avi_fqdn, "+short"]
Since dnspython is being used elsewhere, what are your thoughts on shoehorning in Resolver here? Totally can see it as a being out of scope of this PR (this looks to be purely for 🐛 squashing), but it's so much more efficient than shelling out to run dig and parsing the output.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.
|
Here’s the summary of why this PR is needed up front:
Validating Avi RecordsThe first thing that the SIVT configuration file wizard asks for is for any custom DNS nameservers that are to be used during the deployment along with a list of search domains and NTP servers: Later in the wizard, you are asked to provide DNS records for the Avi controllers that you create. The wizard expects these to have been created already, and it appears that they must be provided in order to continue (i.e. you can’t just use static IPs): Since I installed this appliance in an environment that does not come with a DNS server, I created one using dnsmasq at 10.220.3.251 and added the following records for my Avi controllers:
Prior to entering them, I validated that the records were correct by using nslookup on the appliance, located at 10.220.3.240: Before this PR, trying to validate these records by clicking the “Validate Name Resolution” button would yield an error: This is clearly incorrect given that I was able to resolve this record from the appliance itself! Upon digging into the source code, I saw that this uses an API endpoint that resolves each record with Given the structure of this command, I assumed that the intent was to use the custom DNS server provided earlier to resolve each record. However, what this
Since this appliance is running Photon and is using systemd-resolved for DNS, the system’s nameservers are located at /etc/resolv.conf and managed by resolvectl and /etc/systemd/resolved.conf. When I set up this appliance, I only configured it to use the DNS servers for H2O, which are:
Which you can see here: Because the custom DNS server I provided earlier isn’t here, this validation test will always fail. Moreover, the setup instructions for this appliance do not tell users to add their custom DNS servers to the appliance’s nameservers (which I wouldn’t expect them to do anyway). The third commit in this PR fixes this by putting an Resolving Avi RecordsAfter I was able to get the SIVT frontend to validate my Avi FQDNs, the next problem I faced was getting The Unfortunately, once I fixed that, I ran into an issue verifying Avi’s self-signed certificates for a similar reason: Python’s built in Kind and TKGOnce I resolved these issues, I was finally able to get Arcas to provision a management cluster with
The first issue was tricky to pin down, but I found that the The Cluster object for Kind doesn’t expose a way of specifying custom nameservers, and even if it did, tanzu-framework doesn’t leverage that anyway. Consequently, the only way to forward custom nameservers to Kind is by modifying /etc/resolv.conf. However, because (a) the user is not instructed to do this in SIVT’s documentation, and (b) it would be a poor user experience if they were, Arcas should be able to handle modifying /etc/resolv.conf transparently before the Tanzu CLI starts up. This commit implements this functionality. Finally, the configuration file that Arcas generated for the Tanzu CLI does not pass in the custom nameservers that were provided earlier. Consequently, the only way these nodes would know about the custom nameservers is if they are defined in DHCP option 6 for the subnets they are connected to. The aforementioned commit (and others that follow it) fix this by:
|
7bdea37
to
528dca6
Compare
@carlosonunez-vmw Can you update the PR and raise it against the newly released version 1.3-1.5.4? |
Sure, but it will have to wait a month as I’ll be out of office for a few weeks.
… On Aug 2, 2022, at 11:44 PM, sunshetty ***@***.***> wrote:
@carlosonunez-vmw <https://github.com/carlosonunez-vmw> Can you update the PR and raise it against the newly released version 1.3-1.5.4?
—
Reply to this email directly, view it on GitHub <#36 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADGWPR2YNSTT4N3CE5UCOHDVXH2JXANCNFSM5W6ZS4FQ>.
You are receiving this because you commented.
|
That should be fine Carlos. |
Currently, SIVT will fail if the DNS resolver it was configured with cannot
resolve custom Avi FQDNs. This might not work for customers who want to
use FQDNs that will only live on the DNS resolver that they provided to the
UI.
This commit fixes that by using
dns.resolver
and monkey-patchingurllib.connection.create_connection
to ensure that the resolver thatthe user provided is used during environment turn up.
Signed-off-by: Carlos Nunez ncarlos@vmware.com