*: fill resolv.conf from command line --dns #2040
Conversation
Please explain/restate this as it is contradicting. |
| @@ -379,6 +380,26 @@ func preparedWithPrivateUsers(dir string) (string, error) { | |||
| return string(bytes), nil | |||
| } | |||
|
|
|||
| func addResolvConf(cfg RunConfig, rootFs string) { | |||
There was a problem hiding this comment.
rootFs -> rootfs for consistency
| if (access(mnt->source, F_OK) != 0) | ||
| continue; | ||
| if (access(to, F_OK) != 0) { | ||
| fd = creat(to, 0644); |
There was a problem hiding this comment.
Should we handle errors here or you're leaving it to mount?
There was a problem hiding this comment.
I don't know what's better. Any preferences?
There was a problem hiding this comment.
My preference: as early as possible
|
| "github.com/coreos/rkt/tests/testutils" | ||
| ) | ||
|
|
||
| // TestDNS is checking how rkt fill /etc/resolv.conf |
| @@ -379,6 +380,26 @@ func preparedWithPrivateUsers(dir string) (string, error) { | |||
| return string(bytes), nil | |||
| } | |||
|
|
|||
| func addResolvConf(cfg RunConfig, rootfs string) { | |||
| if len(cfg.DNS) == 0 { | |||
There was a problem hiding this comment.
IMHO it'd be better to read if this condition was also or even only used before the invocation of addResolvConf(..)
alban
force-pushed
the
alban/dns-2
branch
2 times, most recently
from
53d4547
to
5149e3e
Compare
| @@ -328,6 +340,22 @@ func (pl *portList) Type() string { | |||
| return "portList" | |||
| } | |||
|
|
|||
| // flagStringList implements the flag.Value interface to contain a set of strings | |||
| type flagStringList []string | |||
There was a problem hiding this comment.
@krnowak where is the preferred place to add this new type?
There was a problem hiding this comment.
I don't think we have a good place to put new types used in several, but not all commands. But often rkt.go serves as a dumpster for this kind of stuff. ;)
There was a problem hiding this comment.
Ah, this is quite generic, so rkt.go it is.
There was a problem hiding this comment.
I believe I wrote a similar thing somewhere before...
There was a problem hiding this comment.
It's here - https://github.com/coreos/rkt/blob/master/tools/common/util.go#L24
Maybe we should move this thing elsewhere.
There was a problem hiding this comment.
However, rkt/run.go already has some flag types: envMap, portList. Should I still move it to rkt.go which does not have any flag type yet?
There was a problem hiding this comment.
Just keep it here then. We can later move this stuff in to a separate go file.
alban
force-pushed
the
alban/dns-2
branch
3 times, most recently
from
190a00b
to
8a42cf5
Compare
| for _, server := range cfg.DNS { | ||
| if server == "" { | ||
| continue | ||
| } |
There was a problem hiding this comment.
Might be a good idea to check if server is a valid IP address here
rkt now provides /etc/resolv.conf in each app's chroot. All apps in the pod have the same /etc/resolv.conf. Getting DNS information from the CNI or from the host's resolv.conf is out of scope of this patch. The content of /etc/resolv.conf comes from the command line parameters: - "--dns=8.8.8.8": DNS name server - "--dns-search=domain.com": DNS search domain - "--dns-opt=debug": DNS options Implementation detail: systemd-nspawn can overwrite /etc/resolv.conf. It is supposed to overwrite it only when the container uses the host network namespace. However, the container network namespace is created by rkt via CNI and not by systemd-nspawn, so systemd-nspawn is not aware of the network configuration. As a consequence, we cannot use stage1's /etc/resolv.conf. Instead, rkt write /etc/rkt-resolv.conf in stage1 and prepare-app bind-mounts it in stage2's /etc/resolv.conf. It works in this way: > $ sudo rkt run --net=alban --dns=1.1.1.1 --dns=2.2.2.2 \ > --dns-search=foo.com --dns-opt=debug \ > sha512-a2fb8f390702 --interactive > / # cat /etc/resolv.conf > # Generated by rkt > > search foo.com > nameserver 1.1.1.1 > nameserver 2.2.2.2 > options debug > > / # Fixes rkt#660
| continue; | ||
| if (access(to, F_OK) != 0) { | ||
| pexit_if((fd = creat(to, 0644)) == -1, | ||
| "Cannot create file: \"%s\"", to); |
There was a problem hiding this comment.
Can we get more information in case of an error? Is there an implicit ERRNO parser here?
There was a problem hiding this comment.
Yes, the p of pexit_if means it will use strerror(errno) at the end of the error message.
| rktCmd := fmt.Sprintf(`%s --insecure-options=image run --set-env=FILE=/etc/resolv.conf %s %s`, | ||
| ctx.Cmd(), tt.paramDNS, imageFile) | ||
| t.Logf("%s\n", rktCmd) | ||
| runRktAndCheckOutput(t, rktCmd, tt.expectedLine, false) |
There was a problem hiding this comment.
These tests should be improved in the future to match against the whole file instead of lines. That way we can ensure that the order is deterministic which might matter for some DNS implementations.
|
Let's keep https://github.com/coreos/rkt/pull/2040/files#r51135829 in mind for a follow-up issue. Nice work |
|
@achanda thanks for you input on this PR. I'm merging this as is but you are welcome to raise any of your thoughts in an issue where we can discuss this further. |
*: fill resolv.conf from command line --dns* flags
rkt now provides /etc/resolv.conf in each app's chroot. All apps in the
pod have the same /etc/resolv.conf.
Getting DNS information from the CNI or from the host's resolv.conf is
out of scope of this patch. The content of /etc/resolv.conf comes from
the command line parameters:
Implementation detail: systemd-nspawn can overwrite /etc/resolv.conf. It
is supposed to overwrite it only when the container uses the host
network namespace. However, the container network namespace is created
by rkt via CNI and not by systemd-nspawn, so systemd-nspawn is not aware
of the network configuration. As a consequence, we cannot use stage1's
/etc/resolv.conf. Instead, rkt write /etc/rkt-resolv.conf in stage1 and
prepare-app bind-mounts it in stage2's /etc/resolv.conf.
It works in this way:
Fixes #660
/cc @steveej I can add tests and
--dns-search=after lunch. One difference compared to #2032 is that /etc/resolv.conf is not created if the user does not add--dns=. Also, if the ACI does not have a /etc/resolv.conf, it is created automatically.