cosmonic-labs/netreap

DNS

Closed this issue · 12 comments

The container does not resolve addresses via DNS:
curl: (6) Failed to resolve host: example.service.consul
But if you check the service in Consul, it is registered there.
[screenshot]

The Cilium agent parameters are as follows:
command: cilium-agent --kvstore consul --kvstore-opt consul.address=127.0.0.1:8500 -t geneve --enable-ipv6=false --prometheus-serve-addr="127.0.0.1:9962" --enable-l7-proxy=false

The policy config:

[
  {
    "labels": [
      {
        "key": "io.cosmonic.cilium_health"
      }
    ],
    "endpointSelector": {
      "matchLabels": {
        "reserved:health": ""
      }
    },
    "ingress": [
      {
        "fromEntities": ["remote-node", "host"]
      }
    ],
    "egress": [
      {
        "toEntities": ["remote-node", "host"]
      }
    ]
  },
  {
    "endpointSelector": {},
    "labels": [
      {
        "key": "io.cosmonic.default_rule"
      }
    ],
    "ingress": [
      {
        "fromCIDRSet": [
          {
            "cidr": "0.0.0.0/0"
          }
        ]
      },
      {
        "fromEntities": ["host", "remote-node"]
      }
    ],
    "egress": [
      {
        "toEntities": ["host"],
        "toPorts": [
          {
            "ports": [
              {
                "port": "53",
                "protocol": "ANY"
              },
              {
                "port": "8600",
                "protocol": "ANY"
              }
            ]
          }
        ]
      },
      {
        "toCIDRSet": [
          {
            "cidr": "0.0.0.0/0"
          }
        ]
      }
    ]
  }
]

@deverton can you help?

The policy looks fine, so my guess is this is more of a configuration issue with Nomad. Do you have Consul set up as the default resolver in resolv.conf or in the task definition?

Yes, I configured dnsmasq, which manages DNS. I did the setup according to the following instructions:
https://developer.hashicorp.com/consul/tutorials/networking/dns-forwarding
I can find it locally, but it doesn't work from the container.

You'll probably need to get Hubble going so you can observe what the policy decisions are for the traffic from the container. I don't see anything here that would be a problem with netreap, since it's just loading the policy into the Cilium agents.

@deverton DNS works fine for you?

@thomastaylor312 can you help?
When using the Docker plugin there are no such problems.
Maybe there is some feature that is not indicated in the documentation?

To rule out any policy issues you can disable them with cilium config PolicyEnforcement=never for testing. In my setup I had to disable rp_filter to get traffic working (net.ipv4.conf.default.rp_filter=0 and net.ipv4.conf.*.rp_filter=0) on Ubuntu 22.04.2.

@robloxrob
Netreap is not applying labels correctly! It does not remove the label "reserved:init".
[screenshot]

I noticed that after a reboot the labels are not updated but become "reserved:init".
[screenshot]

Great catch @Hanmask21!

@Hanmask21 reserved:init is a default label applied by Cilium, so I don't think that's an issue. Netreap should be reapplying the labels as soon as the job restarts if you've rebooted the Nomad node where it's running.

@protochron By your logic, labels should be reapplied on any restart, but this does not happen.
Can you share access to your test bench with configured DNS?

@protochron Problem solved.
The problem is solved by adding the following configurations to dnsmasq:

interface=docker0
bind-dynamic
listen-address=172.17.0.1
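Added below is a small diagnostic script (example code, not part of netreap, Cilium or dnsmasq) that reproduces the two checks this thread ended on, so they can be run on constructed inputs before touching a node: whether dnsmasq will actually answer on the address a container finds in its /etc/resolv.conf (the docker0 gateway, assumed here to be 172.17.0.1 as in the fix above), and whether any interface still has strict reverse-path filtering (rp_filter=1), which the earlier reply had to turn off for Geneve traffic. The sample dnsmasq config and sysctl output are constructed for the example; the "before" config is what the HashiCorp forwarding tutorial produces on its own, the "after" config adds the three lines from the fix.

```shell
#!/usr/bin/env bash
# Diagnostic helpers for the DNS-from-container problem in this thread.
# Not project code; inputs are passed in as strings so it runs offline.

# dnsmasq_listen_addrs CONFIG_TEXT
# Print every explicit listen-address= value (comma lists are split).
dnsmasq_listen_addrs() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*listen-address=//p' \
    | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$'
}

# dnsmasq_serves NAMESERVER CONFIG_TEXT
# 0 if dnsmasq is configured to answer on NAMESERVER (the IP a container
# sees as "nameserver" in /etc/resolv.conf), 1 otherwise. This is the gap
# from the thread: resolution worked on the host (127.0.0.1) but dnsmasq
# was never told to listen on the docker0 address containers query.
dnsmasq_serves() {
  dnsmasq_listen_addrs "$2" | grep -qx "$1"
}

# consul_forward_zone CONFIG_TEXT
# Print the upstream for .consul (server=/consul/<ip>#<port>), empty if absent.
consul_forward_zone() {
  printf '%s\n' "$1" | sed -n 's#^[[:space:]]*server=/consul/##p'
}

# strict_rp_filter_ifaces SYSCTL_TEXT
# Given "sysctl net.ipv4.conf" output, print interfaces with rp_filter = 1.
# Strict mode drops replies whose return path differs from the forward path,
# which is why the earlier reply set rp_filter=0 on the Cilium node.
strict_rp_filter_ifaces() {
  printf '%s\n' "$1" \
    | sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter *= *1$/\1/p'
}

# diagnose NAMESERVER CONFIG_TEXT SYSCTL_TEXT
# Print findings; return 0 when nothing blocks container DNS, 1 otherwise.
diagnose() {
  ns=$1 cfg=$2 sys=$3 rc=0
  if [ -z "$(consul_forward_zone "$cfg")" ]; then
    echo "FAIL: no server=/consul/ forwarding line in dnsmasq config"; rc=1
  fi
  if dnsmasq_serves "$ns" "$cfg"; then
    echo "ok:   dnsmasq listens on $ns"
  else
    echo "FAIL: dnsmasq does not listen on $ns (add listen-address=$ns)"; rc=1
  fi
  strict=$(strict_rp_filter_ifaces "$sys" | tr '\n' ' ')
  if [ -n "$strict" ]; then
    echo "WARN: strict rp_filter on: $strict"; rc=1
  else
    echo "ok:   no interface has rp_filter=1"
  fi
  return $rc
}

# Constructed sample inputs (assumed docker0 gateway 172.17.0.1).
CONTAINER_NS=172.17.0.1
DNSMASQ_BEFORE='server=/consul/127.0.0.1#8600'
DNSMASQ_AFTER='server=/consul/127.0.0.1#8600
interface=docker0
bind-dynamic
listen-address=172.17.0.1'
SYSCTL_SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.docker0.rp_filter = 1
net.ipv4.conf.cilium_host.rp_filter = 0'
SYSCTL_FIXED='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.docker0.rp_filter = 0
net.ipv4.conf.cilium_host.rp_filter = 0'

echo "== before the fix =="
if diagnose "$CONTAINER_NS" "$DNSMASQ_BEFORE" "$SYSCTL_SAMPLE"; then echo "result: clean"; else echo "result: problems found"; fi
echo "== after the fix =="
if diagnose "$CONTAINER_NS" "$DNSMASQ_AFTER" "$SYSCTL_FIXED"; then echo "result: clean"; else echo "result: problems found"; fi
```

On a real node the inputs come from `cat /etc/dnsmasq.d/*.conf` (or wherever the forwarding stanza was placed), `sysctl net.ipv4.conf`, and the `nameserver` line of the task's /etc/resolv.conf; the script only inspects text, it changes nothing.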