Description of problem:
Duplicated forward upstreams can be input in the dns operator, and as a result, the dns-default config map and the Corefile of coredns have the duplicated forward upstreams.

OpenShift release version:
- OCP 4.10.0

Cluster Platform:

How reproducible:
Edit the default dns operator, add 4 forward upstreams, 2 of which are duplicated.

Steps to Reproduce (in detail):
1. oc edit dns.operator/default, add one upstream, save and quit
2. oc edit dns.operator/default again, add the same upstream and the default, save and quit
3. Check the default dns operator
% oc get dns.operator/default -o yaml | grep upstreamResolvers -A13
  upstreamResolvers:
    policy: Sequential
    upstreams:
    - port: 53
      type: SystemResolvConf
    - address: 100.1.1.1
      port: 5500
      type: Network
    - address: 100.1.1.1
      port: 5500
      type: Network
    - port: 53
      type: ""
status:
%
4. Check the default dns config map
% oc -n openshift-dns get cm/dns-default -oyaml | grep forward -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 100.1.1.1:5500 /etc/resolv.conf {
        policy sequential
    }
%
5. Check the Corefile of coredns
% oc -n openshift-dns rsh dns-default-b7tlw
Defaulted container "dns" out of: dns, kube-rbac-proxy
sh-4.4# cat /etc/coredns/Corefile | grep forward -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 100.1.1.1:5500 /etc/resolv.conf {
        policy sequential
    }
sh-4.4#
6. oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-12-12-184227   True        False         6h42m   Cluster version is 4.10.0-0.nightly-2021-12-12-184227
shudi@Shudis-MacBook-Pro vSphere %

Actual results:
There are 4 forward dns upstreams

Expected results:
There are 2 forward dns upstreams, the duplicated two should be removed.

Impact of the problem:
The max items is 15, the configurable forward dns upstreams will be decreased.

Additional info:

Marking as blocker- because the user has to specify invalid configuration to be affected by the bug, and the impact is minor. Assigning to Sherine, who is working on a fix for this.
PR https://github.com/openshift/cluster-dns-operator/pull/308
Tested it with 4.10.0-0.nightly-2022-01-07-004348, both duplicated ipv4 and ipv6 upstreams were removed, marked it verified (For the duplicated /etc/resolv.conf, I will contact Sherine Khoury to see if it is needed to be fixed)

1.
% oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-07-004348   True        False         12m     Cluster version is 4.10.0-0.nightly-2022-01-07-004348
%

2.
% oc get dns.operator/default -o yaml | grep upstreamResolvers: -A20
  upstreamResolvers:
    policy: Sequential
    upstreams:
    - port: 53
      type: SystemResolvConf
    - address: 100.1.1.1
      port: 5500
      type: Network
    - address: 100.1.1.1
      port: 5500
      type: Network
    - port: 53
      type: ""
    - address: 1000::100
      port: 53
      type: Network
    - address: 1000::100
      port: 53
      type: Network
status:

3. Check it in the config map
% oc -n openshift-dns get cm/dns-default -oyaml | grep forward -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 /etc/resolv.conf [1000::100]:53 {
        policy sequential
    }
%

4. Check it in the Corefile
oc -n openshift-dns exec dns-default-2htj4 -c dns -- cat /etc/coredns/Corefile | grep forward -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 /etc/resolv.conf [1000::100]:53 {
        policy sequential
    }
%

After talking with Sherine, the duplicated /etc/resolv.conf should be fixed, so reopening it to fix this issue.
Verified it with 4.10.0-0.nightly-2022-01-11-065245

1.
% oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-11-065245   True        False         39m     Cluster version is 4.10.0-0.nightly-2022-01-11-065245
%

2.
% oc get dns.operator/default -o yaml | grep upstreamResolvers -A18
  upstreamResolvers:
    policy: Sequential
    upstreams:
    - port: 53
      type: SystemResolvConf
    - address: 100.1.1.1
      port: 5500
      type: Network
    - address: 100.1.1.1
      port: 5500
      type: Network
    - port: 53
      type: ""
    - address: 1000::aaaa
      port: 53
      type: Network
    - address: 1000::aaaa
      port: 53
      type: Network
%

3.
% oc -n openshift-dns get cm/dns-default -oyaml | grep forward -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 [1000::AAAA]:53 {
        policy sequential
    }
%

4.
% oc -n openshift-dns exec dns-default-6j8ls -c dns -- cat /etc/coredns/Corefile | grep forward -A2
    forward . /etc/resolv.conf 100.1.1.1:5500 [1000::AAAA]:53 {
        policy sequential
    }
%

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056
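
The deduplication this bug asks for, shown as an added Go example that is not the cluster-dns-operator's code or the change in the linked PR. The `Upstream` struct, `sample` and `ForwardLine` are hypothetical names; treating an unset type as /etc/resolv.conf follows the output in the thread, and comparing addresses in lowercase canonical form is this example's own choice.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// Upstream is a hypothetical struct mirroring the YAML fields shown in this thread.
type Upstream struct {
	Type, Address string
	Port          uint16
}

// sample is constructed from the upstreams list in the thread, with one IPv6
// entry upper-cased to show that textually different duplicates still collapse.
var sample = []Upstream{
	{Type: "SystemResolvConf", Port: 53},
	{Type: "Network", Address: "100.1.1.1", Port: 5500},
	{Type: "Network", Address: "100.1.1.1", Port: 5500},
	{Type: "", Port: 53}, // unset type, rendered as /etc/resolv.conf in the thread
	{Type: "Network", Address: "1000::aaaa", Port: 53},
	{Type: "Network", Address: "1000::AAAA", Port: 53},
}

// ForwardLine renders a CoreDNS forward line, keeping only the first
// occurrence of each target and preserving the configured order.
func ForwardLine(ups []Upstream) (string, error) {
	seen, line := map[string]bool{}, "forward ."
	for _, u := range ups {
		t := "/etc/resolv.conf" // SystemResolvConf and the unset type
		if u.Type == "Network" {
			ip := net.ParseIP(u.Address)
			if ip == nil {
				return "", fmt.Errorf("invalid upstream address %q", u.Address)
			}
			// ip.String() normalises case and zero runs; JoinHostPort brackets IPv6.
			t = net.JoinHostPort(ip.String(), strconv.Itoa(int(u.Port)))
		}
		if !seen[t] {
			seen[t], line = true, line+" "+t
		}
	}
	return line, nil
}

func main() {
	line, err := ForwardLine(sample)
	fmt.Println(line, err)
}
```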