Red Hat Bugzilla – Bug 1506418
Use FQDN for OPENSHIFT_DEFAULT_REGISTRY to avoid extra DNS query
Last modified: 2018-08-05 18:17:04 EDT
Description of problem:
Currently it uses docker-registry.default.svc.

OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000

From the docker daemon on the docker host, this DNS query goes to dnsmasq (the docker host doesn't have the /etc/resolv.conf ndots option, so the raw query is sent first, then the search list), and it is forwarded to upstream DNS because there is no ".cluster.local". Next would be docker-registry.default.svc.your.domain.example.com, then ".cluster.local" appended from the search list, which finally hits OpenShift DNS.

From the container it goes through the search list and goes upstream as docker-registry.default.svc.your.domain.example.com, then to OpenShift DNS.

We can specify the FQDN and avoid these extra DNS queries.

Version-Release number of the following components:
$ rpm -q openshift-ansible
openshift-ansible-3.6.173.0.21-2.git.0.44a4038.el7.noarch
$ rpm -q ansible
ansible-2.3.2.0-2.el7.noarch
$ ansible --version
ansible 2.3.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.5 (default, May  3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
Query for OpenShift DNS goes to upstream DNS multiple times.

Expected results:
Query for OpenShift DNS goes to OpenShift DNS directly.

Additional info:
Is there a measurable impact of this? It was a deliberate decision not to use the FQDN because it allowed flexibility to change cluster dns post installation and I believe there were other reasons too. We could potentially allow the admin to configure an option to use the FQDN but I'm not sure we want to do that just to save 1 dns resolution. NEEDINFO on michal who was involved in the decision to rely on search path.
For a situation with DNS blackholing, where the upstream DNS would respond with an address rather than NXDOMAIN for docker-registry.default.svc, I added a configuration file to /etc/dnsmasq.d containing:

server=/default.svc/

which will cause the first lookup to always immediately fail. That should be applicable in other cases where you don't want the initial lookup to be sent upstream as well. I think another reason why the choice not to use the FQDN was made was that it'd break the secrets.
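The following is an added Python model of the lookup sequence the bug report describes (raw query first, then each search suffix) together with the dnsmasq `server=/default.svc/` rule from the comment above. It is example code written for this page, not code from openshift-ansible, OpenShift DNS or the registry component. The host search list, the `cluster.local` forwarding rule, the assumption that the upstream "blackholes" only the raw short name, and the simplified resolver/dnsmasq semantics are all constructed for the illustration.

```python
"""Model of which DNS servers see the registry lookup for the short name
versus the FQDN.  Constructed example for this bug; not project code.

Resolver model (glibc-style): a name ending in '.' is fully qualified and is
queried as-is.  Otherwise, a name with at least `ndots` dots is tried absolute
first and then with each search suffix appended; with fewer dots the search
list comes first.  dnsmasq model: the most specific matching server=/domain/
rule wins; server=/domain/ with no address means "never forward upstream",
so an unknown name under it fails immediately.
"""
from typing import Dict, FrozenSet, List, Tuple

UPSTREAM = "upstream DNS"
CLUSTER_DNS = "OpenShift DNS"
LOCAL_ONLY = "dnsmasq local-only (fails immediately)"

# The only name the cluster DNS actually answers for in this model.
REGISTRY_FQDN = "docker-registry.default.svc.cluster.local."
SHORT_NAME = "docker-registry.default.svc"

# Constructed inputs (assumptions, not taken from any real host):
HOST_SEARCH = ["your.domain.example.com", "cluster.local"]   # docker host search list
HOST_RULES = {"cluster.local": CLUSTER_DNS}                   # OpenShift's dnsmasq forwarding
HARDENED_RULES = {**HOST_RULES, "default.svc": LOCAL_ONLY}    # plus server=/default.svc/
BLACKHOLED = frozenset({"docker-registry.default.svc."})      # upstream returns an address here


def candidate_names(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Absolute names the resolver will try, in order."""
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{sfx.rstrip('.')}." for sfx in search]
    return [absolute] + expanded if name.count(".") >= ndots else expanded + [absolute]


def dnsmasq_target(qname: str, servers: Dict[str, str]) -> str:
    """Server dnsmasq forwards to: longest matching server=/domain/ rule, else upstream."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in servers:
            return servers[suffix]
    return UPSTREAM


def resolve(name: str, search: List[str], servers: Dict[str, str], ndots: int = 1,
            upstream_bogus: FrozenSet[str] = frozenset()) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (outcome, queries sent).  Outcomes: 'cluster' when the real
    record is reached, 'wildcard' when a blackholing upstream hands back an
    address for a name it should not know (the client stops there and connects
    to the wrong host), 'nxdomain' when every candidate fails."""
    queries: List[Tuple[str, str]] = []
    for qname in candidate_names(name, search, ndots):
        target = dnsmasq_target(qname, servers)
        queries.append((qname, target))
        if target == CLUSTER_DNS and qname == REGISTRY_FQDN:
            return "cluster", queries
        if target == UPSTREAM and qname in upstream_bogus:
            return "wildcard", queries
        # LOCAL_ONLY failure or an honest NXDOMAIN: resolver tries the next candidate.
    return "nxdomain", queries


def upstream_query_count(queries: List[Tuple[str, str]]) -> int:
    """How many of the sent queries left the cluster for the upstream resolver."""
    return sum(1 for _, target in queries if target == UPSTREAM)


if __name__ == "__main__":
    cases = [
        ("short name, default dnsmasq", SHORT_NAME, HOST_RULES, frozenset()),
        ("FQDN, default dnsmasq", REGISTRY_FQDN, HOST_RULES, frozenset()),
        ("short name, blackholing upstream", SHORT_NAME, HOST_RULES, BLACKHOLED),
        ("short name, server=/default.svc/ + blackholing", SHORT_NAME, HARDENED_RULES, BLACKHOLED),
    ]
    for label, name, rules, bogus in cases:
        outcome, qs = resolve(name, HOST_SEARCH, rules, upstream_bogus=bogus)
        print(f"{label}: {outcome}, {len(qs)} queries, {upstream_query_count(qs)} upstream")
        for qname, target in qs:
            print(f"    {qname:55s} -> {target}")
```

In this model the short name costs three queries on the host, two of which leave the cluster, and a blackholing upstream turns the very first one into a wrong answer; the `server=/default.svc/` rule makes that first lookup fail locally, but the `your.domain.example.com` candidate still goes upstream, whereas the FQDN produces a single query that only ever reaches OpenShift DNS.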
Right, secrets are not generated for the FQDN. I'm going to move this over to the registry component so that they can consider the next steps here, we can't implement this change in the installer until they ensure secrets are generated too.