Bug 1934905
Summary: | CoreDNS's "errors" plugin is not enabled for custom upstream resolvers | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Miciah Dashiel Butler Masters <mmasters> |
Component: | Networking | Assignee: | Miciah Dashiel Butler Masters <mmasters> |
Networking sub component: | DNS | QA Contact: | jechen <jechen> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | medium | ||
Priority: | medium | CC: | aos-bugs, hongli |
Version: | 4.8 | ||
Target Milestone: | --- | ||
Target Release: | 4.8.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-07-27 22:49:27 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1953609 |
Description
Miciah Dashiel Butler Masters
2021-03-04 00:43:23 UTC
Verified in 4.8.0-0.nightly-2021-03-08-133419 $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.8.0-0.nightly-2021-03-08-133419 True False 118m Cluster version is 4.8.0-0.nightly-2021-03-08-133419 1. Set up a custom nameserver $ oc adm new-project mydns Created project mydns $ oc -n mydns create configmap coredns --from-file=Corefile configmap/coredns created $ oc -n mydns create deployment coredns --image=openshift/origin-coredns:latest --replicas=0 --port=5353 -- coredns --conf=/etc/coredns/Corefile deployment.apps/coredns create $ oc -n mydns set volume deployments/coredns --add --mount-path=/etc/coredns --type=configmap --configmap-name=coredns info: Generated volume name: volume-6wqvb deployment.apps/coredns volume updated $ oc -n mydns scale deployments/coredns --replicas=1 deployment.apps/coredns scaled $ oc -n mydns expose deployments/coredns --port=5353 --protocol=UDP service/coredns exposed $ oc -n mydns get services NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE coredns ClusterIP 172.30.197.57 <none> 5353/UDP 9s 2. Configured cluster DNS to forward queries for the zone to this custom nameserver $ oc patch dns.operator/default --type=merge --patch='{"spec":{"servers":[{"name":"mydns","zones":["redhat.com"],"forwardPlugin":{"upstreams":["172.30.197.57:5353"]}}]}}' dns.operator.openshift.io/default patched 3. created a test pod, from the pod, continuously performed nslookups for a name in the zone for which the custom nameserver is responsible $ oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/aosqe-pod-for-ping.json pod/hello-pod created $ oc rsh hello-pod / # while :; do nslookup www.redhat.com; sleep 0.5; done Server: 172.30.0.10 Address: 172.30.0.10:53 Name: www.redhat.com Address: 1.2.3.4 Server: 172.30.0.10 Address: 172.30.0.10:53 Name: www.redhat.com Address: 1.2.3.4 4. changed the replicas for the deployment to 0 $ oc -n mydns scale deployments/coredns --replicas=0 deployment.apps/coredns scaled 5. after step 4, nslookup from test pod failed as expected $ oc rsh hello-pod / # while :; do nslookup www.redhat.com; sleep 0.5; done ;; connection timed out; no servers could be reached Server: 172.30.0.10 Address: 172.30.0.10:53 ** server can't find www.redhat.com: SERVFAIL ** server can't find www.redhat.com: SERVFAIL 6. verified DNS pods started logging errors for pod in $(oc -n openshift-dns get pods -o name) > do oc -n openshift-dns logs -c dns $pod > done .:5353 <---snip ---> [ERROR] plugin/errors: 2 www.redhat.com. A: read udp 10.129.2.3:60009->172.30.197.57:5353: i/o timeout [ERROR] plugin/errors: 2 www.redhat.com. AAAA: read udp 10.129.2.3:53513->172.30.197.57:5353: i/o timeout [ERROR] plugin/errors: 2 www.redhat.com. A: read udp 10.129.2.3:35611->172.30.197.57:5353: read: connection refused [ERROR] plugin/errors: 2 www.redhat.com. AAAA: read udp 10.129.2.3:41772->172.30.197.57:5353: read: connection refused [ERROR] plugin/errors: 2 www.redhat.com. A: read udp 10.129.2.3:44281->172.30.197.57:5353: i/o timeout [ERROR] plugin/errors: 2 www.redhat.com. AAAA: read udp 10.129.2.3:50071->172.30.197.57:5353: i/o timeout <---snip---> 7. verified the custom nameserver Corefile has included "errors" plugin $ oc -n openshift-dns get configmaps/dns-default -o yaml apiVersion: v1 data: Corefile: | # mydns redhat.com:5353 { forward . 172.30.197.57:5353 errors <-- verified the fix from https://github.com/openshift/cluster-dns-operator/pull/241 } .:5353 { errors health kubernetes cluster.local in-addr.arpa ip6.arpa { pods insecure fallthrough in-addr.arpa ip6.arpa } prometheus 127.0.0.1:9153 forward . /etc/resolv.conf { policy sequential } cache 900 reload } Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |