Description of problem:
When updating DNS settings using kubernetes-nmstate, any changes to the search domain list are ignored. This is because of the way the prepender script works[0]. It is hard-coded to use the DHCP-provided domains and the cluster domain. This is confusing to users who may want to update the search list to a static configuration.

0: https://github.com/openshift/machine-config-operator/blob/690efdad684a519af88e86de56fc5021b2766df9/templates/common/on-prem/files/NetworkManager-resolv-prepender.yaml#L53

Version-Release number of MCO (Machine Config Operator) (if applicable):

Platform (AWS, VSphere, Metal, etc.): All on-prem platforms, but specifically baremetal since that's where kubernetes-nmstate will initially be supported.

Are you certain that the root cause of the issue being reported is the MCO (Machine Config Operator)? (Y/N/Not sure): Y

How reproducible: Always

Did you catch this issue by running a Jenkins job? If yes, please list: No

Steps to Reproduce:
1. Install kubernetes-nmstate
2. Apply a policy that contains a configuration such as:

    dns-resolver:
      config:
        search:
        - example.com

Actual results: example.com is not present in resolv.conf search list

Expected results: example.com in resolv.conf search list
I did a little investigation of this, and unfortunately it doesn't look like the dispatcher script has access to the custom-configured search domains. They don't appear anywhere in the environment variable list. This means we will probably have to find a way to pull them out of the resolv.conf in /var/run. Maybe instead of overwriting the search domains entirely we could just append the cluster domain to the line?
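The approach suggested in the comment above (read the search list that is already in a generated resolv.conf and add the cluster domain to it instead of overwriting it), as an added example that is not part of the original thread and is not the MCO prepender script. The function name, its arguments and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the MCO prepender script. The function name and its
# arguments are hypothetical.

# merge_search_line CLUSTER_DOMAIN RESOLV_CONF
# Prints one "search" line: the cluster domain first, then the domains already
# configured in RESOLV_CONF, with duplicates removed.
# The body runs in a subshell, so its variables and "set -f" do not leak.
merge_search_line() (
    cluster_domain=$1
    resolv_conf=$2
    existing=""
    if [ -r "$resolv_conf" ]; then
        # resolv.conf(5): with several "search" lines only the last one is used.
        existing=$(awk '$1 == "search" { $1 = ""; line = $0 } END { print line }' "$resolv_conf")
    fi
    merged=$cluster_domain
    set -f   # no glob expansion while word-splitting the domain list
    for d in $existing; do
        case " $merged " in
            *" $d "*) ;;                # already in the list, skip
            *) merged="$merged $d" ;;
        esac
    done
    printf 'search %s\n' "$merged"
)

# Constructed sample standing in for a NetworkManager-generated resolv.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Generated by NetworkManager
search example.com ocp-edge-cluster-0.qe.lab.redhat.com
nameserver 8.8.8.8
EOF
merge_search_line ocp-edge-cluster-0.qe.lab.redhat.com "$sample"
rm -f "$sample"
```
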
See also https://bugzilla.redhat.com/show_bug.cgi?id=2024826, in case there is a need to backport the patch.
*** Bug 2013726 has been marked as a duplicate of this bug. ***
Verified on Cluster version is 4.10.0-0.nightly-2021-11-21-005535

1. Deploy the cluster IPv4/IPv4 (there is an issue for the dual stack https://bugzilla.redhat.com/show_bug.cgi?id=2020780)

2. Install nmstate operator

    [kni@provisionhost-0-0 ~]$ oc -n openshift-nmstate get csv
    NAME                                             DISPLAY                       VERSION              REPLACES   PHASE
    kubernetes-nmstate-operator.4.9.0-202111151318   Kubernetes NMState Operator   4.9.0-202111151318              Succeeded

3. Apply the network policy

    [kni@provisionhost-0-0 ~]$ oc apply -f dns.yaml
    nodenetworkconfigurationpolicy.nmstate.io/amdns created
    [kni@provisionhost-0-0 ~]$ oc get nncp
    NAME    STATUS
    amdns   Available

4. Go to the node and verify that the resolv.conf was updated

    [kni@provisionhost-0-0 ~]$ ssh core@worker-0-0
    [core@worker-0-0 ~]$ cat /etc/resolv.conf
    # Generated by KNI resolv prepender NM dispatcher script
    search ocp-edge-cluster-0.qe.lab.redhat.com example.com
    nameserver 192.168.123.119
    nameserver 8.8.8.8
    nameserver 192.168.123.1

====================================
cat dns.yaml

    apiVersion: nmstate.io/v1beta1
    kind: NodeNetworkConfigurationPolicy
    metadata:
      name: yodns
    spec:
      nodeSelector:
        kubernetes.io/hostname: worker-0-0
      desiredState:
        dns-resolver:
          config:
            search:
            - example.com
            server:
            - 8.8.8.8
        interfaces:
        - name: enp0s3
          type: ethernet
          state: up
          ipv4:
            auto-dns: false
            enabled: true
            dhcp: true
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056