Bug 2017564 - On-prem prepender dispatcher script overwrites DNS search settings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.10.0
Assignee: Ben Nemec
QA Contact: Aleksandra Malykhin
URL:
Whiteboard:
Duplicates: 2013726
Depends On:
Blocks: 2058511
Reported: 2021-10-26 20:16 UTC by Ben Nemec
Modified: 2022-04-06 10:51 UTC (History)

Last Closed: 2022-03-10 16:22:07 UTC

Links
System ID Private Priority Status Summary Last Updated
Github openshift machine-config-operator pull 2823 0 None open Bug 2017564: Prepend to search domains instead of replacing 2021-11-04 20:26:33 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:22:31 UTC

Description Ben Nemec 2021-10-26 20:16:31 UTC
Description of problem: When updating DNS settings using kubernetes-nmstate, any changes to the search domain list are ignored. This is because of the way the prepender script works[0]. It is hard-coded to use the DHCP-provided domains and the cluster domain. This is confusing to users who may want to update the search list to a static configuration.

0: https://github.com/openshift/machine-config-operator/blob/690efdad684a519af88e86de56fc5021b2766df9/templates/common/on-prem/files/NetworkManager-resolv-prepender.yaml#L53

Version-Release number of MCO (Machine Config Operator) (if applicable):

Platform (AWS, VSphere, Metal, etc.): All on-prem platforms, but specifically baremetal since that's where kubernetes-nmstate will initially be supported.

Are you certain that the root cause of the issue being reported is the MCO (Machine Config Operator)?
(Y/N/Not sure): Y

How reproducible: Always

Did you catch this issue by running a Jenkins job? If yes, please list: No

Steps to Reproduce:
1. Install kubernetes-nmstate
2. Apply a policy that contains a configuration such as:

  dns-resolver:
    config:
      search:
      - example.com

Actual results: example.com is not present in resolv.conf search list

Expected results: example.com in resolv.conf search list

Comment 1 Ben Nemec 2021-10-28 20:35:28 UTC
I did a little investigation of this, and unfortunately it doesn't look like the dispatcher script has access to the custom-configured search domains. They don't appear anywhere in the environment variable list. This means we will probably have to find a way to pull them out of the resolv.conf in /var/run. Maybe instead of overwriting the search domains entirely we could just append the cluster domain to the line?

Comment 4 Martin André 2021-11-19 12:55:51 UTC
See also https://bugzilla.redhat.com/show_bug.cgi?id=2024826, in case there is a need to backport the patch.

Comment 5 Rupesh Patel 2021-11-23 11:55:32 UTC
*** Bug 2013726 has been marked as a duplicate of this bug. ***

Comment 6 Aleksandra Malykhin 2021-11-25 13:34:52 UTC
Verified on cluster version 4.10.0-0.nightly-2021-11-21-005535
1. Deploy the cluster IPv4/IPv4 (there is an issue for the dual stack https://bugzilla.redhat.com/show_bug.cgi?id=2020780)
2. Install nmstate operator

[kni@provisionhost-0-0 ~]$  oc -n openshift-nmstate get csv
NAME                                             DISPLAY                       VERSION              REPLACES   PHASE
kubernetes-nmstate-operator.4.9.0-202111151318   Kubernetes NMState Operator   4.9.0-202111151318              Succeeded

3. Apply the network policy
[kni@provisionhost-0-0 ~]$ oc apply -f dns.yaml 
nodenetworkconfigurationpolicy.nmstate.io/amdns created
[kni@provisionhost-0-0 ~]$ oc get nncp
NAME    STATUS
amdns   Available

4. Go to the node and verify that the resolv.conf was updated

[kni@provisionhost-0-0 ~]$ ssh core@worker-0-0
[core@worker-0-0 ~]$ cat /etc/resolv.conf 
# Generated by KNI resolv prepender NM dispatcher script
search ocp-edge-cluster-0.qe.lab.redhat.com example.com
nameserver 192.168.123.119
nameserver 8.8.8.8
nameserver 192.168.123.1


====================================
cat dns.yaml
apiVersion: nmstate.io/v1beta1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: yodns
spec:
  nodeSelector:
    kubernetes.io/hostname: worker-0-0
  desiredState:
    dns-resolver:
      config:
        search:
        - example.com
        server:
        - 8.8.8.8
    interfaces:
    - name: enp0s3
      type: ethernet
      state: up
      ipv4:
        auto-dns: false
        enabled: true
        dhcp: true
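
The behaviour proposed in Comment 1 and visible in the verified resolv.conf in Comment 6 (cluster domain first, configured search domains kept), as an added example that is not the code from the machine-config-operator pull request. The function name `merge_search`, the sample file contents and the character filter on domain tokens are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not the MCO dispatcher script): build a "search" line that
# keeps the domains already present in an upstream resolv.conf and puts the
# cluster domain first instead of replacing the list.

# merge_search CLUSTER_DOMAIN RESOLV_CONF_PATH
# Runs in a subshell "( ... )" so its variables stay local under plain sh.
merge_search() (
    cluster_domain=$1
    nm_resolv=$2
    # A missing or unreadable source file yields only the cluster domain.
    [ -r "$nm_resolv" ] || nm_resolv=/dev/null
    awk -v cluster="$cluster_domain" '
        # resolv.conf(5): with several search lines, the last one wins.
        $1 == "search" { last = $0 }
        END {
            out = "search " cluster
            seen[tolower(cluster)] = 1
            n = split(last, tok, " ")
            for (i = 2; i <= n; i++) {
                d = tolower(tok[i])
                # Drop duplicates and tokens that are not plain DNS names,
                # so nothing unexpected is copied into /etc/resolv.conf.
                if ((d in seen) || d !~ /^[a-z0-9._-]+$/) continue
                seen[d] = 1
                out = out " " tok[i]
            }
            print out
        }' "$nm_resolv"
)

# Constructed sample input: a resolver file carrying the static search
# domain from the policy in this report.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'search example.com' \
    'nameserver 8.8.8.8' > "$sample"
merge_search ocp-edge-cluster-0.qe.lab.redhat.com "$sample"
rm -f "$sample"
```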

Comment 9 errata-xmlrpc 2022-03-10 16:22:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

