Bug 2031685 - Duplicated forward upstreams should be removed from the dns operator
Summary: Duplicated forward upstreams should be removed from the dns operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: ---
Target Release: 4.10.0
Assignee: Sherine Khoury
QA Contact: Shudi Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-13 08:37 UTC by Shudi Li
Modified: 2022-08-04 22:39 UTC (History)
CC List: 3 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:33:22 UTC
Target Upstream Version:
Embargoed:




Links
- Github openshift/cluster-dns-operator pull 308 (status: open) - Bug 2031685: Duplicated forward upstreams should be removed from the dns operator (last updated 2022-01-03 13:47:01 UTC)
- Github openshift/cluster-dns-operator pull 310 (status: open) - Bug 2031685: Fix duplicate /etc/resolv.conf in configmap (last updated 2022-01-07 09:47:00 UTC)
- Red Hat Product Errata RHSA-2022:0056 (last updated 2022-03-10 16:33:35 UTC)

Description Shudi Li 2021-12-13 08:37:42 UTC
Description of problem:
Duplicated forward upstreams can be entered in the dns operator, and as a result the dns-default config map and the Corefile of coredns contain the duplicated forward upstreams.

OpenShift release version:
- OCP 4.10.0

Cluster Platform:


How reproducible:
Edit the default dns operator and add 4 forward upstreams, 2 of which are duplicates.

Steps to Reproduce (in detail):
1. oc edit dns.operator/default, add one upstream, save and quit

2. oc edit dns.operator/default again, add the same upstream and the default, save and quit

3. Check the default dns operator
% oc get dns.operator/default -o yaml | grep upstreamResolvers -A13
  upstreamResolvers:
    policy: Sequential
    upstreams:
    - port: 53
      type: SystemResolvConf
    - address: 100.1.1.1
      port: 5500
      type: Network
    - address: 100.1.1.1
      port: 5500
      type: Network
    - port: 53
      type: ""
status:
%

4. Check the default dns config map
% oc -n openshift-dns get  cm/dns-default -oyaml | grep forward -A2
        forward . /etc/resolv.conf 100.1.1.1:5500 100.1.1.1:5500 /etc/resolv.conf {
            policy sequential
        }
%

5. Check the Corefile of coredns
% oc -n openshift-dns rsh dns-default-b7tlw
Defaulted container "dns" out of: dns, kube-rbac-proxy
sh-4.4# cat /etc/coredns/Corefile | grep forward -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 100.1.1.1:5500 /etc/resolv.conf {
        policy sequential
    }
sh-4.4#

6.
oc get clusterversion       
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-12-12-184227   True        False         6h42m   Cluster version is 4.10.0-0.nightly-2021-12-12-184227
%

Actual results:
There are 4 forward dns upstreams

Expected results:
There are 2 forward dns upstreams, the duplicated two should be removed.

Impact of the problem:
The maximum number of items is 15, so the number of configurable forward DNS upstreams is reduced.

Additional info:

Comment 1 Miciah Dashiel Butler Masters 2021-12-14 17:11:38 UTC
Marking as blocker- because the user has to specify invalid configuration to be affected by the bug, and the impact is minor.  

Assigning to Sherine, who is working on a fix for this.

Comment 2 Sherine Khoury 2022-01-03 13:42:15 UTC
PR https://github.com/openshift/cluster-dns-operator/pull/308

Comment 5 Shudi Li 2022-01-07 06:06:40 UTC
Tested it with 4.10.0-0.nightly-2022-01-07-004348; both the duplicated IPv4 and IPv6 upstreams were removed, so I marked it verified. (For the duplicated /etc/resolv.conf, I will contact Sherine Khoury to see whether it needs to be fixed.)

1.
% oc get clusterversion                                             
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-07-004348   True        False         12m     Cluster version is 4.10.0-0.nightly-2022-01-07-004348
%

2.
% oc get dns.operator/default -o yaml | grep upstreamResolvers: -A20
  upstreamResolvers:
    policy: Sequential
    upstreams:
    - port: 53
      type: SystemResolvConf
    - address: 100.1.1.1
      port: 5500
      type: Network
    - address: 100.1.1.1
      port: 5500
      type: Network
    - port: 53
      type: ""
    - address: 1000::100
      port: 53
      type: Network
    - address: 1000::100
      port: 53
      type: Network
status:


3. Check it in the config map
% oc -n openshift-dns get  cm/dns-default -oyaml | grep forward -A2
        forward . /etc/resolv.conf 100.1.1.1:5500 /etc/resolv.conf [1000::100]:53 {
            policy sequential
        }
%

4. Check it in the Corefile
% oc -n openshift-dns exec dns-default-2htj4 -c dns -- cat /etc/coredns/Corefile | grep forward -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 /etc/resolv.conf [1000::100]:53 {
        policy sequential
    }
%

Comment 6 Shudi Li 2022-01-07 08:21:32 UTC
After talking with Sherine, the duplicated /etc/resolv.conf should be fixed as well, so I am reopening this bug to get that issue fixed.

Comment 9 Shudi Li 2022-01-12 01:54:58 UTC
Verified it with 4.10.0-0.nightly-2022-01-11-065245

1.
% oc get clusterversion                                            
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-11-065245   True        False         39m     Cluster version is 4.10.0-0.nightly-2022-01-11-065245
% 

2.
% oc get dns.operator/default -o yaml | grep upstreamResolvers -A18
  upstreamResolvers:
    policy: Sequential
    upstreams:
    - port: 53
      type: SystemResolvConf
    - address: 100.1.1.1
      port: 5500
      type: Network
    - address: 100.1.1.1
      port: 5500
      type: Network
    - port: 53
      type: ""
    - address: 1000::aaaa
      port: 53
      type: Network
    - address: 1000::aaaa
      port: 53
      type: Network
%

3.
% oc -n openshift-dns get  cm/dns-default -oyaml | grep forward -A2
        forward . /etc/resolv.conf 100.1.1.1:5500 [1000::AAAA]:53 {
            policy sequential
        }
%

4.
% oc -n openshift-dns exec dns-default-6j8ls -c dns -- cat /etc/coredns/Corefile | grep forward  -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 [1000::AAAA]:53 {
        policy sequential
    }
%

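As an added illustration of the de-duplication that the verification above checks (example code written for this page, not cluster-dns-operator's own implementation), the following Go program maps each upstreamResolvers entry to the token it would occupy on the Corefile "forward ." line and drops repeats. The Upstream struct, the default port of 53, and the treatment of an empty type as SystemResolvConf are assumptions taken from the YAML shown in the comments; the 15-item limit is the one quoted in the bug description. Addresses are canonicalised with net.ParseIP, so the example also treats "1000::aaaa" and "1000::AAAA" as one upstream; it does not reproduce the upper-cased rendering seen in the verified config map.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Upstream mirrors the three fields of an upstreamResolvers.upstreams entry as
// printed by "oc get dns.operator/default -o yaml" in this bug. Hypothetical
// type for this example, not the operator's API struct.
type Upstream struct {
	Type    string // "SystemResolvConf", "Network", or "" (rendered as /etc/resolv.conf in the bug output)
	Address string
	Port    int
}

const (
	resolvConf   = "/etc/resolv.conf" // token the forward plugin uses for the host resolver
	maxUpstreams = 15                 // list limit quoted in the bug description
	defaultPort  = 53                 // assumed when Port is unset
)

// canonical maps one upstream to the token that would appear on the Corefile
// "forward ." line. Two entries that map to the same token are duplicates.
func canonical(u Upstream) (string, error) {
	switch u.Type {
	case "SystemResolvConf", "":
		return resolvConf, nil
	case "Network":
		ip := net.ParseIP(u.Address)
		if ip == nil {
			return "", fmt.Errorf("upstream address %q is not an IP literal", u.Address)
		}
		port := u.Port
		if port == 0 {
			port = defaultPort
		}
		// ip.String() normalises the textual form (lower-case hex, compressed
		// zeros) and JoinHostPort brackets IPv6, so "1000::AAAA" and
		// "1000::aaaa" become the same token.
		return net.JoinHostPort(ip.String(), strconv.Itoa(port)), nil
	default:
		return "", fmt.Errorf("unknown upstream type %q", u.Type)
	}
}

// ForwardTokens returns the upstream tokens in their original order with
// repeats dropped. First occurrence wins, so a Sequential policy still tries
// the upstreams in the order the user listed them.
func ForwardTokens(ups []Upstream) ([]string, error) {
	if len(ups) > maxUpstreams {
		return nil, fmt.Errorf("%d upstreams exceeds the limit of %d", len(ups), maxUpstreams)
	}
	seen := make(map[string]bool, len(ups))
	out := make([]string, 0, len(ups))
	for _, u := range ups {
		tok, err := canonical(u)
		if err != nil {
			return nil, err
		}
		if seen[tok] {
			continue
		}
		seen[tok] = true
		out = append(out, tok)
	}
	return out, nil
}

// ForwardLine renders the opening line of the Corefile forward block.
func ForwardLine(ups []Upstream) (string, error) {
	toks, err := ForwardTokens(ups)
	if err != nil {
		return "", err
	}
	return "forward . " + strings.Join(toks, " ") + " {", nil
}

func main() {
	// Constructed input reproducing the six entries shown in Comment 9, with
	// the second IPv6 entry upper-cased to exercise the case-insensitive match.
	ups := []Upstream{
		{Type: "SystemResolvConf", Port: 53},
		{Type: "Network", Address: "100.1.1.1", Port: 5500},
		{Type: "Network", Address: "100.1.1.1", Port: 5500},
		{Type: "", Port: 53},
		{Type: "Network", Address: "1000::aaaa", Port: 53},
		{Type: "Network", Address: "1000::AAAA", Port: 53},
	}
	line, err := ForwardLine(ups)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(line) // forward . /etc/resolv.conf 100.1.1.1:5500 [1000::aaaa]:53 {
}
```

Because the limit is enforced on the list as entered rather than on the de-duplicated tokens, a duplicate still consumes one of the 15 slots, which is the impact the reporter describes.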
Comment 12 errata-xmlrpc 2022-03-10 16:33:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

