Bug 2017564

Summary: On-prem prepender dispatcher script overwrites DNS search settings
Product: OpenShift Container Platform
Component: Machine Config Operator
Machine Config Operator sub component: platform-baremetal
Reporter: Ben Nemec <bnemec>
Assignee: Ben Nemec <bnemec>
QA Contact: Aleksandra Malykhin <amalykhi>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
CC: aos-bugs, augol, m.andre, pibanezr, rupatel, tsedovic, vpickard
Version: 4.10
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2022-03-10 16:22:07 UTC
Type: Bug
Bug Blocks: 2058511

Description Ben Nemec 2021-10-26 20:16:31 UTC
Description of problem: When updating DNS settings using kubernetes-nmstate, any changes to the search domain list are ignored. This is because of the way the prepender script works[0]. It is hard-coded to use the DHCP-provided domains and the cluster domain. This is confusing to users who may want to update the search list to a static configuration.

0: https://github.com/openshift/machine-config-operator/blob/690efdad684a519af88e86de56fc5021b2766df9/templates/common/on-prem/files/NetworkManager-resolv-prepender.yaml#L53

Version-Release number of MCO (Machine Config Operator) (if applicable):

Platform (AWS, VSphere, Metal, etc.): All on-prem platforms, but specifically baremetal since that's where kubernetes-nmstate will initially be supported.

Are you certain that the root cause of the issue being reported is the MCO (Machine Config Operator)?
(Y/N/Not sure): Y

How reproducible: Always

Did you catch this issue by running a Jenkins job? If yes, please list: No

Steps to Reproduce:
1. Install kubernetes-nmstate
2. Apply a policy that contains a configuration such as:

  dns-resolver:
    config:
      search:
      - example.com

Actual results: example.com is not present in resolv.conf search list

Expected results: example.com in resolv.conf search list

Comment 1 Ben Nemec 2021-10-28 20:35:28 UTC
I did a little investigation of this, and unfortunately it doesn't look like the dispatcher script has access to the custom-configured search domains. They don't appear anywhere in the environment variable list. This means we will probably have to find a way to pull them out of the resolv.conf in /var/run. Maybe instead of overwriting the search domains entirely we could just append the cluster domain to the line?
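
The approach floated in Comment 1 (keep whatever search domains are already in the NetworkManager-generated resolv.conf and add the cluster domain, instead of overwriting the list), sketched as an added example. This is not the Machine Config Operator's dispatcher script or the shipped fix; the function name, the file-path argument and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the MCO prepender script.
# merge_search_domains CLUSTER_DOMAIN NM_RESOLV_CONF
# Prints a single "search ..." line: the cluster domain first, then every
# domain found on "search" lines of NM_RESOLV_CONF, de-duplicated, in order.
# The body runs in a subshell so "set -f" (no globbing) stays local.
merge_search_domains() (
    set -f
    cluster_domain=$1
    nm_resolv=$2
    seen=" $cluster_domain "
    out=$cluster_domain
    if [ -r "$nm_resolv" ]; then
        # "|| [ -n "$key" ]" also handles a last line without a newline
        while read -r key rest || [ -n "$key" ]; do
            [ "$key" = "search" ] || continue
            for domain in $rest; do
                # The file is input to a root-run script: accept only
                # tokens made of DNS-name characters.
                case $domain in
                    ''|*[!A-Za-z0-9.-]*) continue ;;
                esac
                # Skip duplicates, including the cluster domain itself
                case $seen in
                    *" $domain "*) continue ;;
                esac
                seen="$seen$domain "
                out="$out $domain"
            done
        done < "$nm_resolv"
    fi
    printf 'search %s\n' "$out"
)

# Constructed sample of an NM-generated resolv.conf (hypothetical content)
sample=$(mktemp)
printf '%s\n' \
    '# Generated by NetworkManager' \
    'search example.com ocp-edge-cluster-0.qe.lab.redhat.com' \
    'nameserver 8.8.8.8' > "$sample"
merge_search_domains ocp-edge-cluster-0.qe.lab.redhat.com "$sample"
rm -f "$sample"
```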

Comment 4 Martin André 2021-11-19 12:55:51 UTC
See also https://bugzilla.redhat.com/show_bug.cgi?id=2024826, in case there is a need to backport the patch.

Comment 5 Rupesh Patel 2021-11-23 11:55:32 UTC
*** Bug 2013726 has been marked as a duplicate of this bug. ***

Comment 6 Aleksandra Malykhin 2021-11-25 13:34:52 UTC
Verified on cluster version 4.10.0-0.nightly-2021-11-21-005535
1. Deploy the cluster IPv4/IPv4 (there is an issue for the dual stack https://bugzilla.redhat.com/show_bug.cgi?id=2020780)
2. Install nmstate operator

[kni@provisionhost-0-0 ~]$  oc -n openshift-nmstate get csv
NAME                                             DISPLAY                       VERSION              REPLACES   PHASE
kubernetes-nmstate-operator.4.9.0-202111151318   Kubernetes NMState Operator   4.9.0-202111151318              Succeeded

3. Apply the network policy
[kni@provisionhost-0-0 ~]$ oc apply -f dns.yaml 
nodenetworkconfigurationpolicy.nmstate.io/amdns created
[kni@provisionhost-0-0 ~]$ oc get nncp
NAME    STATUS
amdns   Available

4. Go to the node and verify that the resolv.conf was updated

[kni@provisionhost-0-0 ~]$ ssh core@worker-0-0
[core@worker-0-0 ~]$ cat /etc/resolv.conf 
# Generated by KNI resolv prepender NM dispatcher script
search ocp-edge-cluster-0.qe.lab.redhat.com example.com
nameserver 192.168.123.119
nameserver 8.8.8.8
nameserver 192.168.123.1


====================================
cat dns.yaml
apiVersion: nmstate.io/v1beta1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: yodns
spec:
  nodeSelector:
    kubernetes.io/hostname: worker-0-0
  desiredState:
    dns-resolver:
      config:
        search:
        - example.com
        server:
        - 8.8.8.8
    interfaces:
    - name: enp0s3
      type: ethernet
      state: up
      ipv4:
        auto-dns: false
        enabled: true
        dhcp: true

Comment 9 errata-xmlrpc 2022-03-10 16:22:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056