Introduce dns_mode and resolvconf_mode and implement docker_dns mode
Also update reset.yml to do more dns/network related cleanup.
This commit is contained in:
parent
6dc1d05342
commit
2b3dbae9d6
18 changed files with 258 additions and 107 deletions
|
@ -48,6 +48,7 @@ before_script:
|
||||||
GS_SECRET_ACCESS_KEY: $GS_SECRET
|
GS_SECRET_ACCESS_KEY: $GS_SECRET
|
||||||
ANSIBLE_KEEP_REMOTE_FILES: "1"
|
ANSIBLE_KEEP_REMOTE_FILES: "1"
|
||||||
BOOTSTRAP_OS: none
|
BOOTSTRAP_OS: none
|
||||||
|
RESOLVCONF_MODE: docker_dns
|
||||||
LOG_LEVEL: "-vv"
|
LOG_LEVEL: "-vv"
|
||||||
ETCD_DEPLOYMENT: "docker"
|
ETCD_DEPLOYMENT: "docker"
|
||||||
KUBELET_DEPLOYMENT: "docker"
|
KUBELET_DEPLOYMENT: "docker"
|
||||||
|
@ -104,6 +105,7 @@ before_script:
|
||||||
-e download_run_once=true
|
-e download_run_once=true
|
||||||
-e download_localhost=true
|
-e download_localhost=true
|
||||||
-e deploy_netchecker=true
|
-e deploy_netchecker=true
|
||||||
|
-e resolvconf_mode=${RESOLVCONF_MODE}
|
||||||
-e local_release_dir=${PWD}/downloads
|
-e local_release_dir=${PWD}/downloads
|
||||||
-e etcd_deployment_type=${ETCD_DEPLOYMENT}
|
-e etcd_deployment_type=${ETCD_DEPLOYMENT}
|
||||||
-e kubelet_deployment_type=${KUBELET_DEPLOYMENT}
|
-e kubelet_deployment_type=${KUBELET_DEPLOYMENT}
|
||||||
|
@ -141,6 +143,7 @@ before_script:
|
||||||
CLOUD_REGION: us-west1-b
|
CLOUD_REGION: us-west1-b
|
||||||
CLUSTER_MODE: separated
|
CLUSTER_MODE: separated
|
||||||
BOOTSTRAP_OS: coreos
|
BOOTSTRAP_OS: coreos
|
||||||
|
RESOLVCONF_MODE: host_resolvconf # This is required as long as the CoreOS stable channel uses docker < 1.12
|
||||||
|
|
||||||
.debian8_canal_ha_variables: &debian8_canal_ha_variables
|
.debian8_canal_ha_variables: &debian8_canal_ha_variables
|
||||||
# stage: deploy-gce-part1
|
# stage: deploy-gce-part1
|
||||||
|
@ -177,6 +180,7 @@ before_script:
|
||||||
CLOUD_REGION: us-east1-b
|
CLOUD_REGION: us-east1-b
|
||||||
CLUSTER_MODE: default
|
CLUSTER_MODE: default
|
||||||
BOOTSTRAP_OS: coreos
|
BOOTSTRAP_OS: coreos
|
||||||
|
RESOLVCONF_MODE: host_resolvconf # This is required as long as the CoreOS stable channel uses docker < 1.12
|
||||||
|
|
||||||
.rhel7_canal_sep_variables: &rhel7_canal_sep_variables
|
.rhel7_canal_sep_variables: &rhel7_canal_sep_variables
|
||||||
# stage: deploy-gce-special
|
# stage: deploy-gce-special
|
||||||
|
|
|
@ -57,8 +57,8 @@
|
||||||
- hosts: k8s-cluster
|
- hosts: k8s-cluster
|
||||||
any_errors_fatal: true
|
any_errors_fatal: true
|
||||||
roles:
|
roles:
|
||||||
- { role: dnsmasq, tags: dnsmasq }
|
- { role: dnsmasq, when: "dns_mode == 'dnsmasq_kubedns'", tags: dnsmasq }
|
||||||
- { role: kubernetes/preinstall, tags: resolvconf }
|
- { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf }
|
||||||
|
|
||||||
- hosts: kube-master[0]
|
- hosts: kube-master[0]
|
||||||
any_errors_fatal: true
|
any_errors_fatal: true
|
||||||
|
|
|
@ -105,21 +105,21 @@ kube_apiserver_insecure_port: 8080 # (http)
|
||||||
# into appropriate IP addresses. It's highly advisable to run such DNS server,
|
# into appropriate IP addresses. It's highly advisable to run such DNS server,
|
||||||
# as it greatly simplifies configuration of your applications - you can use
|
# as it greatly simplifies configuration of your applications - you can use
|
||||||
# service names instead of magic environment variables.
|
# service names instead of magic environment variables.
|
||||||
# You still must manually configure all your containers to use this DNS server,
|
|
||||||
# Kubernetes won't do this for you (yet).
|
|
||||||
|
|
||||||
# Do not install additional dnsmasq
|
# Can be dnsmasq_kubedns, kubedns or none
|
||||||
skip_dnsmasq: false
|
dns_mode: dnsmasq_kubedns
|
||||||
# Upstream dns servers used by dnsmasq
|
|
||||||
|
# Can be docker_dns, host_resolvconf or none
|
||||||
|
resolvconf_mode: docker_dns
|
||||||
|
|
||||||
|
## Upstream dns servers used by dnsmasq
|
||||||
#upstream_dns_servers:
|
#upstream_dns_servers:
|
||||||
# - 8.8.8.8
|
# - 8.8.8.8
|
||||||
# - 8.8.4.4
|
# - 8.8.4.4
|
||||||
#
|
|
||||||
# # Use dns server : https://github.com/ansibl8s/k8s-skydns/blob/master/skydns-README.md
|
|
||||||
dns_setup: true
|
|
||||||
dns_domain: "{{ cluster_name }}"
|
dns_domain: "{{ cluster_name }}"
|
||||||
#
|
|
||||||
# # Ip address of the kubernetes skydns service
|
# Ip address of the kubernetes skydns service
|
||||||
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
|
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
|
||||||
dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
|
dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
|
||||||
|
|
||||||
|
|
|
@ -9,47 +9,14 @@ to serve as an authoritative DNS server for a given ``dns_domain`` and its
|
||||||
Other nodes in the inventory, like external storage nodes or a separate etcd cluster
|
Other nodes in the inventory, like external storage nodes or a separate etcd cluster
|
||||||
node group, considered non-cluster and left up to the user to configure DNS resolve.
|
node group, considered non-cluster and left up to the user to configure DNS resolve.
|
||||||
|
|
||||||
Note, custom ``ndots`` values affect only the dnsmasq daemon set (explained below).
|
|
||||||
While the kubedns has the ``ndots=5`` hardcoded, which is not recommended due to
|
|
||||||
[DNS performance reasons](https://github.com/kubernetes/kubernetes/issues/14051).
|
|
||||||
You can use config maps for the kubedns app to workaround the issue, which is
|
|
||||||
yet in the Kargo scope.
|
|
||||||
|
|
||||||
Additional search (sub)domains may be defined in the ``searchdomains``
|
DNS variables
|
||||||
and ``ndots`` vars. And additional recursive DNS resolvers in the `` upstream_dns_servers``,
|
=============
|
||||||
``nameservers`` vars. Intranet/cloud provider DNS resolvers should be specified
|
|
||||||
in the first place, followed by external resolvers, for example:
|
|
||||||
|
|
||||||
```
|
There are several global variables which can be used to modify DNS settings:
|
||||||
skip_dnsmasq: true
|
|
||||||
nameservers: [8.8.8.8]
|
|
||||||
upstream_dns_servers: [172.18.32.6]
|
|
||||||
```
|
|
||||||
or
|
|
||||||
```
|
|
||||||
skip_dnsmasq: false
|
|
||||||
upstream_dns_servers: [172.18.32.6, 172.18.32.7, 8.8.8.8, 8.8.8.4]
|
|
||||||
```
|
|
||||||
The vars are explained below. For the early cluster deployment stage, when there
|
|
||||||
is yet K8s cluster and apps exist, a user may expect local repos to be
|
|
||||||
accessible via authoritative intranet resolvers. For that case, if none custom vars
|
|
||||||
was specified, the default resolver is set to either the cloud provider default
|
|
||||||
or `8.8.8.8`. And domain is set to the default ``dns_domain`` value as well.
|
|
||||||
Later, the nameservers will be reconfigured to the DNS service IP that Kargo
|
|
||||||
configures for K8s cluster.
|
|
||||||
|
|
||||||
Also note, existing records will be purged from the `/etc/resolv.conf`,
|
#### ndots
|
||||||
including resolvconf's base/head/cloud-init config files and those that come from dhclient.
|
ndots value to be used in ``/etc/resolv.conf``
|
||||||
This is required for hostnet pods networking and for [kubelet to not exceed search domains
|
|
||||||
limits](https://github.com/kubernetes/kubernetes/issues/9229).
|
|
||||||
|
|
||||||
Instead, new domain, search, nameserver records and options will be defined from the
|
|
||||||
aforementioned vars:
|
|
||||||
* Superseded via dhclient's DNS update hook.
|
|
||||||
* Generated via cloud-init (CoreOS only).
|
|
||||||
* Statically defined in the `/etc/resolv.conf`, if none of above is applicable.
|
|
||||||
* Resolvconf's head/base files are disabled from populating anything into the
|
|
||||||
`/etc/resolv.conf`.
|
|
||||||
|
|
||||||
It is important to note that multiple search domains combined with high ``ndots``
|
It is important to note that multiple search domains combined with high ``ndots``
|
||||||
values lead to poor performance of DNS stack, so please choose it wisely.
|
values lead to poor performance of DNS stack, so please choose it wisely.
|
||||||
|
@ -58,48 +25,97 @@ replies for [bogus internal FQDNS](https://github.com/kubernetes/kubernetes/issu
|
||||||
before it even hits the kubedns app. This enables dnsmasq to serve as a
|
before it even hits the kubedns app. This enables dnsmasq to serve as a
|
||||||
protective, but still recursive resolver in front of kubedns.
|
protective, but still recursive resolver in front of kubedns.
|
||||||
|
|
||||||
DNS configuration details
|
#### searchdomains
|
||||||
-------------------------
|
Custom search domains to be added in addition to the cluster search domains (``default.svc.{{ dns_domain }}, svc.{{ dns_domain }}``).
|
||||||
|
|
||||||
Here is an approximate picture of how DNS things working and
|
Most Linux systems limit the total number of search domains to 6 and the total length of all search domains
|
||||||
being configured by Kargo ansible playbooks:
|
to 256 characters. Depending on the length of ``dns_domain``, you're limitted to less then the total limit.
|
||||||
|
|
||||||
![Image](figures/dns.jpeg?raw=true)
|
Please note that ``resolvconf_mode: docker_dns`` will automatically add your systems search domains as
|
||||||
|
additional search domains. Please take this into the accounts for the limits.
|
||||||
|
|
||||||
Note that an additional dnsmasq daemon set is installed by Kargo
|
#### nameservers
|
||||||
by default. Kubelet will configure DNS base of all pods to use the
|
This variable is only used by ``resolvconf_mode: host_resolvconf``. These nameservers are added to the hosts
|
||||||
given dnsmasq cluster IP, which is defined via the ``dns_server`` var.
|
``/etc/resolv.conf`` *after* ``upstream_dns_servers`` and thus serve as backup nameservers. If this variable
|
||||||
The dnsmasq forwards requests for a given cluster ``dns_domain`` to
|
is not set, a default resolver is chosen (depending on cloud provider or 8.8.8.8 when no cloud provider is specified).
|
||||||
Kubedns's SkyDns service. The SkyDns server is configured to be an
|
|
||||||
authoritative DNS server for the given cluser domain (and its subdomains
|
|
||||||
up to ``ndots:5`` depth). Note: you should scale its replication controller
|
|
||||||
up, if SkyDns chokes. These two layered DNS forwarders provide HA for the
|
|
||||||
DNS cluster IP endpoint, which is a critical moving part for Kubernetes apps.
|
|
||||||
|
|
||||||
Nameservers are as well configured in the hosts' ``/etc/resolv.conf`` files,
|
#### upstream_dns_servers
|
||||||
as the given DNS cluster IP merged with ``nameservers`` values. While the
|
DNS servers to be added *after* the cluster DNS. Used by all ``resolvconf_mode`` modes. These serve as backup
|
||||||
DNS cluster IP merged with the ``upstream_dns_servers`` defines additional
|
DNS servers in early cluster deployment when no cluster DNS is available yet. These are also added as upstream
|
||||||
nameservers for the aforementioned nsmasq daemon set running on all hosts.
|
DNS servers used by ``dnsmasq`` (when deployed with ``dns_mode: dnsmasq_kubedns``).
|
||||||
This mitigates existing Linux limitation of max 3 nameservers in the
|
|
||||||
``/etc/resolv.conf`` and also brings an additional caching layer for the
|
|
||||||
clustered DNS services.
|
|
||||||
|
|
||||||
You can skip the dnsmasq daemon set install steps by setting the
|
DNS modes supported by kargo
|
||||||
``skip_dnsmasq: true``. This may be the case, if you're fine with
|
============================
|
||||||
the nameservers limitation. Sadly, there is no way to work around the
|
|
||||||
search domain limitations of a 256 chars and 6 domains. Thus, you can
|
You can modify how kargo sets up DNS for your cluster with the variables ``dns_mode`` and ``resolvconf_mode``.
|
||||||
use the ``searchdomains`` var to define no more than a three custom domains.
|
|
||||||
Remaining three slots are reserved for K8s cluster default subdomains.
|
## dns_mode
|
||||||
|
``dns_mode`` configures how kargo will setup cluster DNS. There are three modes available:
|
||||||
|
|
||||||
|
#### dnsmasq_kubedns (default)
|
||||||
|
This installs an additional dnsmasq DaemonSet which gives more flexibility and lifts some
|
||||||
|
limitations (e.g. number of nameservers). Kubelet is instructed to use dnsmasq instead of kubedns/skydns.
|
||||||
|
It is configured to forward all DNS queries belonging to cluster services to kubedns/skydns. All
|
||||||
|
other queries are forwardet to the nameservers found in ``upstream_dns_servers`` or ``default_resolver``
|
||||||
|
|
||||||
|
#### kubedns
|
||||||
|
This does not install the dnsmasq DaemonSet and instructs kubelet to directly use kubedns/skydns for
|
||||||
|
all queries.
|
||||||
|
|
||||||
|
#### none
|
||||||
|
This does not install any of dnsmasq and kubedns/skydns. This basically disables cluster DNS completely and
|
||||||
|
leaves you with a non functional cluster.
|
||||||
|
|
||||||
|
## resolvconf_mode
|
||||||
|
``resolvconf_mode`` configures how kargo will setup DNS for ``hostNetwork: true`` PODs and non-k8s containers.
|
||||||
|
There are three modes available:
|
||||||
|
|
||||||
|
#### docker_dns (default)
|
||||||
|
This sets up the docker daemon with additional --dns/--dns-search/--dns-opt flags.
|
||||||
|
|
||||||
|
The following nameservers are added to the docker daemon (in the same order as listed here):
|
||||||
|
* cluster nameserver (depends on dns_mode)
|
||||||
|
* content of optional upstream_dns_servers variable
|
||||||
|
* host system nameservers (read from hosts /etc/resolv.conf)
|
||||||
|
|
||||||
|
The following search domains are added to the docker daemon (in the same order as listed here):
|
||||||
|
* cluster domains (``default.svc.{{ dns_domain }}``, ``svc.{{ dns_domain }}``)
|
||||||
|
* content of optional searchdomains variable
|
||||||
|
* host system search domains (read from hosts /etc/resolv.conf)
|
||||||
|
|
||||||
|
The following dns options are added to the docker daemon
|
||||||
|
* ndots:{{ ndots }}
|
||||||
|
* timeout:2
|
||||||
|
* attempts:2
|
||||||
|
|
||||||
|
For normal PODs, k8s will ignore these options and setup its own DNS settings for the PODs, taking
|
||||||
|
the --cluster_dns (either dnsmasq or kubedns, depending on dns_mode) kubelet option into account.
|
||||||
|
For ``hostNetwork: true`` PODs however, k8s will let docker setup DNS settings. Docker containers which
|
||||||
|
are not started/managed by k8s will also use these docker options.
|
||||||
|
|
||||||
|
The host system name servers are added to ensure name resolution is also working while cluster DNS is not
|
||||||
|
running yet. This is especially important in early stages of cluster deployment. In this early stage,
|
||||||
|
DNS queries to the cluster DNS will timeout after a few seconds, resulting in the system nameserver being
|
||||||
|
used as a backup nameserver. After cluster DNS is running, all queries will be answered by the cluster DNS
|
||||||
|
servers, which in turn will forward queries to the system nameserver if required.
|
||||||
|
|
||||||
|
#### host_resolvconf
|
||||||
|
This activates the classic kargo behaviour that modifies the hosts ``/etc/resolv.conf`` file and dhclient
|
||||||
|
configuration to point to the cluster dns server (either dnsmasq or kubedns, depending on dns_mode).
|
||||||
|
|
||||||
|
As cluster DNS is not available on early deployment stage, this mode is split into 2 stages. In the first
|
||||||
|
stage (``dns_early: true``), ``/etc/resolv.conf`` is configured to use the DNS servers found in ``upstream_dns_servers``
|
||||||
|
and ``nameservers``. Later, ``/etc/resolv.conf`` is reconfigured to use the cluster DNS server first, leaving
|
||||||
|
the other nameservers as backups.
|
||||||
|
|
||||||
|
Also note, existing records will be purged from the `/etc/resolv.conf`,
|
||||||
|
including resolvconf's base/head/cloud-init config files and those that come from dhclient.
|
||||||
|
|
||||||
|
#### none
|
||||||
|
Does nothing regarding ``/etc/resolv.conf``. This leaves you with a cluster that works as expected in most cases.
|
||||||
|
The only exception is that ``hostNetwork: true`` PODs and non-k8s managed containers will not be able to resolve
|
||||||
|
cluster service names.
|
||||||
|
|
||||||
When dnsmasq skipped, Kargo redefines the DNS cluster IP to point directly
|
|
||||||
to SkyDns cluster IP ``skydns_server`` and configures Kubelet's
|
|
||||||
``--dns_cluster`` to use that IP as well. While this greatly simplifies
|
|
||||||
things, it comes by the price of limited nameservers though. As you know now,
|
|
||||||
the DNS cluster IP takes a slot in the ``/etc/resolv.conf``, thus you can
|
|
||||||
specify no more than a two nameservers for infra and/or external use.
|
|
||||||
Those may be specified either in ``nameservers`` or ``upstream_dns_servers``
|
|
||||||
and will be merged together with the ``skydns_server`` IP into the hots'
|
|
||||||
``/etc/resolv.conf``.
|
|
||||||
|
|
||||||
Limitations
|
Limitations
|
||||||
-----------
|
-----------
|
||||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 654 KiB |
|
@ -133,21 +133,21 @@ kube_apiserver_insecure_port: 8080 # (http)
|
||||||
# into appropriate IP addresses. It's highly advisable to run such DNS server,
|
# into appropriate IP addresses. It's highly advisable to run such DNS server,
|
||||||
# as it greatly simplifies configuration of your applications - you can use
|
# as it greatly simplifies configuration of your applications - you can use
|
||||||
# service names instead of magic environment variables.
|
# service names instead of magic environment variables.
|
||||||
# You still must manually configure all your containers to use this DNS server,
|
|
||||||
# Kubernetes won't do this for you (yet).
|
|
||||||
|
|
||||||
# Do not install additional dnsmasq
|
# Can be dnsmasq_kubedns, kubedns or none
|
||||||
skip_dnsmasq: false
|
dns_mode: dnsmasq_kubedns
|
||||||
# Upstream dns servers used by dnsmasq
|
|
||||||
|
# Can be docker_dns, host_resolvconf or none
|
||||||
|
resolvconf_mode: docker_dns
|
||||||
|
|
||||||
|
## Upstream dns servers used by dnsmasq
|
||||||
#upstream_dns_servers:
|
#upstream_dns_servers:
|
||||||
# - 8.8.8.8
|
# - 8.8.8.8
|
||||||
# - 8.8.4.4
|
# - 8.8.4.4
|
||||||
#
|
|
||||||
# # Use dns server : https://github.com/ansibl8s/k8s-skydns/blob/master/skydns-README.md
|
|
||||||
dns_setup: true
|
|
||||||
dns_domain: "{{ cluster_name }}"
|
dns_domain: "{{ cluster_name }}"
|
||||||
#
|
|
||||||
# # Ip address of the kubernetes skydns service
|
# Ip address of the kubernetes skydns service
|
||||||
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
|
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
|
||||||
dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
|
dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
|
||||||
|
|
||||||
|
|
|
@ -18,9 +18,6 @@ dnsmasq_version: 2.72
|
||||||
dnsmasq_image_repo: "andyshinn/dnsmasq"
|
dnsmasq_image_repo: "andyshinn/dnsmasq"
|
||||||
dnsmasq_image_tag: "{{ dnsmasq_version }}"
|
dnsmasq_image_tag: "{{ dnsmasq_version }}"
|
||||||
|
|
||||||
# Skip dnsmasq setup
|
|
||||||
skip_dnsmasq: false
|
|
||||||
|
|
||||||
# Limits for dnsmasq/kubedns apps
|
# Limits for dnsmasq/kubedns apps
|
||||||
dns_cpu_limit: 100m
|
dns_cpu_limit: 100m
|
||||||
dns_memory_limit: 170Mi
|
dns_memory_limit: 170Mi
|
||||||
|
|
|
@ -2,5 +2,5 @@
|
||||||
dependencies:
|
dependencies:
|
||||||
- role: download
|
- role: download
|
||||||
file: "{{ downloads.dnsmasq }}"
|
file: "{{ downloads.dnsmasq }}"
|
||||||
when: not skip_dnsmasq|default(false) and download_localhost|default(false)
|
when: dns_mode == 'dnsmasq_kubedns' and download_localhost|default(false)
|
||||||
tags: [download, dnsmasq]
|
tags: [download, dnsmasq]
|
||||||
|
|
|
@ -14,6 +14,10 @@
|
||||||
skip: true
|
skip: true
|
||||||
tags: facts
|
tags: facts
|
||||||
|
|
||||||
|
- include: set_facts_dns.yml
|
||||||
|
when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
|
||||||
|
tags: facts
|
||||||
|
|
||||||
- name: check for minimum kernel version
|
- name: check for minimum kernel version
|
||||||
fail:
|
fail:
|
||||||
msg: >
|
msg: >
|
||||||
|
@ -63,6 +67,13 @@
|
||||||
with_items: "{{ docker_package_info.pkgs }}"
|
with_items: "{{ docker_package_info.pkgs }}"
|
||||||
when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (docker_package_info.pkgs|length > 0)
|
when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (docker_package_info.pkgs|length > 0)
|
||||||
|
|
||||||
|
- name: check minimum docker version for docker_dns mode. You need at least docker version >= 1.12 for resolvconf_mode=docker_dns
|
||||||
|
shell: docker version -f "{{ '{{' }}.Client.Version{{ '}}' }}"
|
||||||
|
register: docker_version
|
||||||
|
failed_when: docker_version.stdout|version_compare('1.12', '<')
|
||||||
|
changed_when: false
|
||||||
|
when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
|
||||||
|
|
||||||
- name: Set docker systemd config
|
- name: Set docker systemd config
|
||||||
include: systemd.yml
|
include: systemd.yml
|
||||||
|
|
||||||
|
|
61
roles/docker/tasks/set_facts_dns.yml
Normal file
61
roles/docker/tasks/set_facts_dns.yml
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: set dns server for docker
|
||||||
|
set_fact:
|
||||||
|
docker_dns_servers: |-
|
||||||
|
{%- if dns_mode == 'kubedns' -%}
|
||||||
|
{{ [ skydns_server ] }}
|
||||||
|
{%- elif dns_mode == 'dnsmasq_kubedns' -%}
|
||||||
|
{{ [ dns_server ] }}
|
||||||
|
{%- endif -%}
|
||||||
|
|
||||||
|
- name: set base docker dns facts
|
||||||
|
set_fact:
|
||||||
|
docker_dns_search_domains:
|
||||||
|
- 'default.svc.{{ dns_domain }}'
|
||||||
|
- 'svc.{{ dns_domain }}'
|
||||||
|
docker_dns_options:
|
||||||
|
- ndots:{{ ndots }}
|
||||||
|
- timeout:2
|
||||||
|
- attempts:2
|
||||||
|
|
||||||
|
- name: add upstream dns servers (only when dnsmasq is not used)
|
||||||
|
set_fact:
|
||||||
|
docker_dns_servers: "{{ docker_dns_servers + upstream_dns_servers|default([]) }}"
|
||||||
|
when: dns_mode == 'kubedns'
|
||||||
|
|
||||||
|
- name: add global searchdomains
|
||||||
|
set_fact:
|
||||||
|
docker_dns_search_domains: "{{ docker_dns_search_domains + searchdomains|default([]) }}"
|
||||||
|
|
||||||
|
- name: check system nameservers
|
||||||
|
shell: grep "^nameserver" /etc/resolv.conf | sed 's/^nameserver\s*//'
|
||||||
|
changed_when: False
|
||||||
|
register: system_nameservers
|
||||||
|
|
||||||
|
- name: check system search domains
|
||||||
|
shell: grep "^search" /etc/resolv.conf | sed 's/^search\s*//'
|
||||||
|
changed_when: False
|
||||||
|
register: system_search_domains
|
||||||
|
|
||||||
|
- name: add system nameservers to docker options
|
||||||
|
set_fact:
|
||||||
|
docker_dns_servers: "{{ docker_dns_servers + [item] }}"
|
||||||
|
with_items: "{{ system_nameservers.stdout_lines|default([]) }}"
|
||||||
|
|
||||||
|
- name: add system search domains to docker options
|
||||||
|
set_fact:
|
||||||
|
docker_dns_search_domains: "{{ docker_dns_search_domains + [item] }}"
|
||||||
|
with_items: "{{ system_search_domains.stdout.split(' ') }}"
|
||||||
|
|
||||||
|
- name: check number of nameservers
|
||||||
|
fail: msg="Too many nameservers"
|
||||||
|
when: docker_dns_servers|length > 3
|
||||||
|
|
||||||
|
- name: check number of search domains
|
||||||
|
fail: msg="Too many search domains"
|
||||||
|
when: docker_dns_search_domains|length > 6
|
||||||
|
|
||||||
|
- name: check length of search domains
|
||||||
|
fail: msg="Search domains exceeded limit of 256 characters"
|
||||||
|
when: docker_dns_search_domains|join(' ')|length > 256
|
|
@ -21,4 +21,11 @@
|
||||||
dest: "/etc/systemd/system/docker.service.d/docker-options.conf"
|
dest: "/etc/systemd/system/docker.service.d/docker-options.conf"
|
||||||
notify: restart docker
|
notify: restart docker
|
||||||
|
|
||||||
|
- name: Write docker dns systemd drop-in
|
||||||
|
template:
|
||||||
|
src: docker-dns.conf.j2
|
||||||
|
dest: "/etc/systemd/system/docker.service.d/docker-dns.conf"
|
||||||
|
notify: restart docker
|
||||||
|
when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
6
roles/docker/templates/docker-dns.conf.j2
Normal file
6
roles/docker/templates/docker-dns.conf.j2
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
[Service]
|
||||||
|
Environment="DOCKER_DNS_OPTIONS=\
|
||||||
|
{% for d in docker_dns_servers %}--dns {{ d }} {% endfor %} \
|
||||||
|
{% for d in docker_dns_search_domains %}--dns-search {{ d }} {% endfor %} \
|
||||||
|
{% for o in docker_dns_options %}--dns-opt {{ o }} {% endfor %} \
|
||||||
|
"
|
|
@ -22,6 +22,7 @@ ExecStart={{ docker_bin_dir }}/docker daemon \
|
||||||
$DOCKER_OPTS \
|
$DOCKER_OPTS \
|
||||||
$DOCKER_STORAGE_OPTIONS \
|
$DOCKER_STORAGE_OPTIONS \
|
||||||
$DOCKER_NETWORK_OPTIONS \
|
$DOCKER_NETWORK_OPTIONS \
|
||||||
|
$DOCKER_DNS_OPTIONS \
|
||||||
$INSECURE_REGISTRY
|
$INSECURE_REGISTRY
|
||||||
TasksMax=infinity
|
TasksMax=infinity
|
||||||
LimitNOFILE=1048576
|
LimitNOFILE=1048576
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
- {file: kubedns-rc.yml, type: rc}
|
- {file: kubedns-rc.yml, type: rc}
|
||||||
- {file: kubedns-svc.yml, type: svc}
|
- {file: kubedns-svc.yml, type: svc}
|
||||||
register: manifests
|
register: manifests
|
||||||
when: inventory_hostname == groups['kube-master'][0]
|
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
|
||||||
tags: dnsmasq
|
tags: dnsmasq
|
||||||
|
|
||||||
- name: Kubernetes Apps | Start Resources
|
- name: Kubernetes Apps | Start Resources
|
||||||
|
@ -24,7 +24,7 @@
|
||||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||||
state: "{{item.changed | ternary('latest','present') }}"
|
state: "{{item.changed | ternary('latest','present') }}"
|
||||||
with_items: "{{ manifests.results }}"
|
with_items: "{{ manifests.results }}"
|
||||||
when: inventory_hostname == groups['kube-master'][0]
|
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
|
||||||
tags: dnsmasq
|
tags: dnsmasq
|
||||||
|
|
||||||
- include: tasks/calico-policy-controller.yml
|
- include: tasks/calico-policy-controller.yml
|
||||||
|
|
|
@ -12,9 +12,9 @@ KUBELET_HOSTNAME="--hostname-override={{ ansible_hostname }}"
|
||||||
{% set kubelet_args_base %}--pod-manifest-path={{ kube_manifest_dir }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}{% endset %}
|
{% set kubelet_args_base %}--pod-manifest-path={{ kube_manifest_dir }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}{% endset %}
|
||||||
|
|
||||||
{# DNS settings for kubelet #}
|
{# DNS settings for kubelet #}
|
||||||
{% if dns_setup|bool and skip_dnsmasq|bool %}
|
{% if dns_mode == 'kubedns' %}
|
||||||
{% set kubelet_args_cluster_dns %}--cluster_dns={{ skydns_server }}{% endset %}
|
{% set kubelet_args_cluster_dns %}--cluster_dns={{ skydns_server }}{% endset %}
|
||||||
{% elif dns_setup|bool %}
|
{% elif dns_mode == 'dnsmasq_kubedns' %}
|
||||||
{% set kubelet_args_cluster_dns %}--cluster_dns={{ dns_server }}{% endset %}
|
{% set kubelet_args_cluster_dns %}--cluster_dns={{ dns_server }}{% endset %}
|
||||||
{% else %}
|
{% else %}
|
||||||
{% set kubelet_args_cluster_dns %}{% endset %}
|
{% set kubelet_args_cluster_dns %}{% endset %}
|
||||||
|
|
|
@ -172,6 +172,7 @@
|
||||||
tags: [bootstrap-os, etchosts]
|
tags: [bootstrap-os, etchosts]
|
||||||
|
|
||||||
- include: resolvconf.yml
|
- include: resolvconf.yml
|
||||||
|
when: dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'
|
||||||
tags: [bootstrap-os, resolvconf]
|
tags: [bootstrap-os, resolvconf]
|
||||||
|
|
||||||
- name: Check if we are running inside a Azure VM
|
- name: Check if we are running inside a Azure VM
|
||||||
|
|
|
@ -67,7 +67,7 @@
|
||||||
- name: pick dnsmasq cluster IP or default resolver
|
- name: pick dnsmasq cluster IP or default resolver
|
||||||
set_fact:
|
set_fact:
|
||||||
dnsmasq_server: |-
|
dnsmasq_server: |-
|
||||||
{%- if skip_dnsmasq|bool and not dns_early|bool -%}
|
{%- if dns_mode == 'kubedns' and not dns_early|bool -%}
|
||||||
{{ [ skydns_server ] + upstream_dns_servers|default([]) }}
|
{{ [ skydns_server ] + upstream_dns_servers|default([]) }}
|
||||||
{%- elif dns_early|bool -%}
|
{%- elif dns_early|bool -%}
|
||||||
{{ upstream_dns_servers|default([]) }}
|
{{ upstream_dns_servers|default([]) }}
|
||||||
|
|
|
@ -16,13 +16,26 @@
|
||||||
- etcd
|
- etcd
|
||||||
register: services_removed
|
register: services_removed
|
||||||
|
|
||||||
|
- name: reset | remove docker dropins
|
||||||
|
file:
|
||||||
|
path: "/etc/systemd/system/docker.service.d/{{ item }}"
|
||||||
|
state: absent
|
||||||
|
with_items:
|
||||||
|
- docker-dns.conf
|
||||||
|
- docker-options.conf
|
||||||
|
register: docker_dropins_removed
|
||||||
|
|
||||||
- name: reset | systemctl daemon-reload
|
- name: reset | systemctl daemon-reload
|
||||||
command: systemctl daemon-reload
|
command: systemctl daemon-reload
|
||||||
when: services_removed.changed
|
when: services_removed.changed or docker_dropins_removed.changed
|
||||||
|
|
||||||
- name: reset | remove all containers
|
- name: reset | remove all containers
|
||||||
shell: "{{ docker_bin_dir }}/docker ps -aq | xargs -r docker rm -fv"
|
shell: "{{ docker_bin_dir }}/docker ps -aq | xargs -r docker rm -fv"
|
||||||
|
|
||||||
|
- name: reset | restart docker if needed
|
||||||
|
service: name=docker state=restarted
|
||||||
|
when: docker_dropins_removed.changed
|
||||||
|
|
||||||
- name: reset | gather mounted kubelet dirs
|
- name: reset | gather mounted kubelet dirs
|
||||||
shell: mount | grep /var/lib/kubelet | awk '{print $3}' | tac
|
shell: mount | grep /var/lib/kubelet | awk '{print $3}' | tac
|
||||||
register: mounted_dirs
|
register: mounted_dirs
|
||||||
|
@ -42,6 +55,40 @@
|
||||||
- /etc/cni
|
- /etc/cni
|
||||||
- /etc/nginx
|
- /etc/nginx
|
||||||
- /etc/dnsmasq.d
|
- /etc/dnsmasq.d
|
||||||
|
- /etc/dnsmasq.conf
|
||||||
|
- /etc/dnsmasq.d-available
|
||||||
- /etc/etcd.env
|
- /etc/etcd.env
|
||||||
- /etc/calico
|
- /etc/calico
|
||||||
- /opt/cni
|
- /opt/cni
|
||||||
|
- /etc/dhcp/dhclient.d/zdnsupdate.sh
|
||||||
|
- /etc/dhcp/dhclient-exit-hooks.d/zdnsupdate
|
||||||
|
- "{{ bin_dir }}/kubelet"
|
||||||
|
|
||||||
|
- name: reset | remove dns settings from dhclient.conf
|
||||||
|
blockinfile:
|
||||||
|
dest: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
follow: yes
|
||||||
|
marker: "# Ansible entries {mark}"
|
||||||
|
failed_when: false
|
||||||
|
with_items:
|
||||||
|
- /etc/dhclient.conf
|
||||||
|
- /etc/dhcp/dhclient.conf
|
||||||
|
|
||||||
|
- name: reset | remove host entries from /etc/hosts
|
||||||
|
blockinfile:
|
||||||
|
dest: "/etc/hosts"
|
||||||
|
state: absent
|
||||||
|
follow: yes
|
||||||
|
marker: "# Ansible inventory hosts {mark}"
|
||||||
|
|
||||||
|
- name: reset | Restart network
|
||||||
|
service:
|
||||||
|
name: >-
|
||||||
|
{% if ansible_os_family == "RedHat" -%}
|
||||||
|
network
|
||||||
|
{%- elif ansible_os_family == "Debian" -%}
|
||||||
|
networking
|
||||||
|
{%- endif %}
|
||||||
|
state: restarted
|
||||||
|
when: ansible_os_family != "CoreOS"
|
||||||
|
|
Loading…
Reference in a new issue