nmstate in a disconnected environment fails to apply DNS changes if it cannot resolve the DNS service for the domain root-servers.net?
Environment
- Openshift 4.x
- disconnected dns, openshift
Issue
- nmstate in a disconnected environment fails to apply DNS changes if it cannot resolve the DNS service for the domain root-servers.net.
- The infrastructure DNS servers are also placed in the disconnected environment, where they cannot resolve the root DNS servers. In such a case nmstate fails to apply the DNS policy.
Resolution
OCP version 4.19 and above
- For 4.19 and above, there is a configurable option. This has also been added to the release notes.
OCP version 4.18 and below
Workaround
You may configure the DNS server used by the OpenShift cluster to provide an NS record for the root-servers.net domain so that the nmstate operator can proceed. The examples below show how this can be achieved with the DNS servers shipped in RHEL 8.
bind9(named) DNS server
Assuming the OCP cluster is already allowed to query this DNS server, you may add a fake root-servers.net zone to the configuration that contains at least one NS record. For example, you can use /var/named/named.localhost as the zone file, since it already matches this criterion.
- Add the root-servers.net zone at the end of the /etc/named.conf configuration file.
# cat >> /etc/named.conf <<EOF
// fake root-servers.net zone for nmstate operator in OCP
zone "root-servers.net" IN {
type master;
file "named.localhost";
};
EOF
- Restart the named service and confirm that the root-servers.net zone was loaded.
# systemctl restart named
# journalctl -u named|grep root-servers.net
Jul 03 15:16:26 rhel-8-10 bash[xxxx]: zone root-servers.net/IN: loaded serial 0
Jul 03 15:16:26 rhel-8-10 named[xxxx]: zone root-servers.net/IN: loaded serial 0
- Verify on the DNS server machine that the NS record for the root-servers.net domain can now be resolved.
# host -t NS root-servers.net. 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
root-servers.net name server root-servers.net.
dnsmasq DNS server
Note that the dnsmasq DNS server cannot provide NS records on its own. Assuming you have another DNS server, such as bind9, in your network, you can tell dnsmasq to forward requests for root-servers.net to that DNS server, and dnsmasq will then relay the reply to the client.
To delegate queries for root-servers.net on dnsmasq to another DNS server (such as bind9), create the following file and restart dnsmasq:
- Create a configuration file that delegates the domain root-servers.net to another DNS server (replace xx.xx.xx.xx with the IP of your DNS server that can resolve the root-servers.net domain).
# echo 'server=/root-servers.net/xx.xx.xx.xx' > /etc/dnsmasq.d/delegate-root-servers.net.conf
- Restart the dnsmasq service and confirm that the root-servers.net domain is delegated to the other DNS server.
# systemctl restart dnsmasq
# journalctl -u dnsmasq|grep root-servers.net
Jul 03 15:31:25 rhel-8-10 dnsmasq[xxxx]: using nameserver xx.xx.xx.xx#53 for domain root-servers.net
- Verify on the DNS server machine that the NS record for the root-servers.net domain can now be resolved.
# host -t NS root-servers.net. 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
root-servers.net name server root-servers.net.
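As an added check that is not part of the original solution, the following Python script performs the same NS lookup as the "host -t NS root-servers.net. 127.0.0.1" verification step in both the bind9 and the dnsmasq sections, but from a script, so it can be run from a cluster node or a CI job against whichever DNS server the cluster uses. It builds the DNS query by hand and parses the wire-format reply using only the Python standard library. SAMPLE_OK and SAMPLE_NXDOMAIN are constructed sample responses, not captured traffic, and the server address passed to query_ns is a placeholder you replace with your own DNS server.

```python
import socket
import struct
import sys

NS_TYPE = 2      # RR type NS
IN_CLASS = 1     # class IN


def build_ns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS wire-format query for the NS record of `name` with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", NS_TYPE, IN_CLASS)


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_ns_answer(msg: bytes):
    """Return (rcode, list of NS names) from a DNS response message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):                  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                           # QTYPE + QCLASS
    servers = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == NS_TYPE:
            ns_name, _ = _read_name(msg, offset)
            servers.append(ns_name)
        offset += rdlength
    return rcode, servers


def has_ns_record(msg: bytes) -> bool:
    """True when the reply is NOERROR and carries at least one NS record."""
    rcode, servers = parse_ns_answer(msg)
    return rcode == 0 and len(servers) > 0


def query_ns(name: str, server: str, port: int = 53, timeout: float = 3.0):
    """Send the NS query over UDP to `server` and return (rcode, NS names)."""
    query = build_ns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch in DNS reply")
    return parse_ns_answer(data)


# Constructed sample reply (not captured traffic): what the fake bind9 zone returns,
# i.e. root-servers.net. NS root-servers.net. with TTL 86400.
SAMPLE_OK = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"        # header: response, NOERROR, 1 Q, 1 A
    b"\x0croot-servers\x03net\x00\x00\x02\x00\x01"             # question: root-servers.net NS IN
    b"\xc0\x0c\x00\x02\x00\x01\x00\x01\x51\x80\x00\x02\xc0\x0c"  # answer: NS, TTL 86400, rdata -> name
)
# Constructed NXDOMAIN reply: what a disconnected resolver answers before the workaround.
SAMPLE_NXDOMAIN = (
    b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x0croot-servers\x03net\x00\x00\x02\x00\x01"
)

if __name__ == "__main__":
    # Usage: python check_ns.py 127.0.0.1   (placeholder: your cluster's DNS server)
    dns_server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rcode, names = query_ns("root-servers.net", dns_server)
    print("rcode=%d ns=%s ok=%s" % (rcode, names, rcode == 0 and bool(names)))
```

Run it against the address of the bind9 or dnsmasq server from the sections above; a printed rcode of 0 with a non-empty NS list is the same condition the "host -t NS" commands confirm, while rcode 3 (NXDOMAIN) or an empty list means the zone or delegation is not in effect yet.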
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.