
Allow filtering the IP addresses that RawDNS returns for a given container #25

Open
michaeljbailey opened this issue Jan 12, 2020 · 1 comment

@michaeljbailey

I have some containers that have a frontend and backend network defined. Currently, if I perform a name resolution on those containers I am receiving both addresses.

We should consider a config.json option that excludes specifically labeled OR named networks from being advertised over DNS.

For argument's sake, we'll consider the containers db, redis, and app as created by the following docker-compose file:

networks:
  frontend:
  backend:
    internal: true

services:
  db:
    image: mariadb
    networks:
      - backend
  redis:
    image: redis
    networks:
      - backend
  app:
    image: my_custom_app
    networks:
      - backend
      - frontend
    depends_on:
      - db
      - redis

If we dig <rawdns_container> app.tld then I should only receive the frontend IP address.

We can achieve this through some configuration option like:

{
	"docker.lab.local.": {
		"type": "containers",
		"exclude": {
			"labels": [ "DO_NOT_RESOLVE" ],
			"names": [ "backend" ]
		},
		"socket": "unix:////var/run/docker.sock"
	},
	"lab.local.": {
		"type": "forwarding",
		"nameservers": [ "192.168.1.250" ]
	},
	".": {
		"type": "forwarding",
		"nameservers": [ "208.67.220.220" ]
	}
}

The way you would read this is:

  1. Resolve *.docker.lab.local via the Docker API
  2. If a container has a network labeled DO_NOT_RESOLVE, then don't return IPs with that network
  3. If a container has a network named backend, then don't return IPs associated with that network

So if I try a dig <rawdns_container> app.tld then I would only receive the frontend IP.

@tianon (Owner) commented Jan 14, 2020

Interesting idea!

Right now, we only inspect containers, and doing something based on network labels would require us to perform an additional Docker API request for each attached network of the requested container, which I'm not a big fan of.

Also, the more I use the JSON configuration file, the less I like it, and I definitely don't think we want to add more bespoke one-off configuration items, so I'm wondering if maybe we could do something more "generic" with text/template to allow for a more generic mini-expression like {{ if (eq .Name "backend") }}true{{ end }} so that users can build up some of their own logic (maybe with helper functions defined for things like CIDR comparisons?).

Also, I went to a talk about CoreDNS back at KubeCon last November, and it's flexible enough that I've considered whether rawdns actually makes sense to continue doing things with, given that I think it could be implemented much more flexibly using CoreDNS (although with the caveat that I haven't actually tried writing anything with/for it yet). I mean, if it's working for the complex needs of Kubernetes itself, maybe it isn't worth maintaining my own DNS server anymore? 😅

@tianon tianon mentioned this issue Jan 14, 2020
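Both approaches in this thread, the explicit "exclude" block from the issue and the text/template predicate tianon sketches in reply, can be tried out against a constructed container record. The following Go program is an added example written for this page; it is not rawdns code, and `Endpoint`, `ExcludeConfig`, `FilterByExclude`, `FilterByTemplate`, the `cidrContains` helper and the `SampleApp` data are all assumptions made here (the network labels in `SampleApp` are embedded for illustration, whereas a real implementation would need the extra per-network inspect call tianon mentions). Endpoints with no address yet, or with one that does not parse, are dropped instead of being returned as junk A records.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"strings"
	"text/template"
)

// Endpoint is a constructed stand-in for one entry of a container's
// NetworkSettings.Networks (not the Docker API type).
type Endpoint struct {
	Name   string            // network name, e.g. "backend"
	IP     string            // container address on that network ("" if not yet assigned)
	Labels map[string]string // labels of the network itself (hypothetical; needs a network inspect in practice)
}

// ExcludeConfig mirrors the proposed "exclude" object from the issue's config.json.
type ExcludeConfig struct {
	Labels []string `json:"labels"`
	Names  []string `json:"names"`
}

// excluded reports whether an endpoint's network is named in ex.Names or
// carries any label key listed in ex.Labels.
func excluded(ep Endpoint, ex ExcludeConfig) bool {
	for _, n := range ex.Names {
		if n == ep.Name {
			return true
		}
	}
	for _, k := range ex.Labels {
		if _, ok := ep.Labels[k]; ok {
			return true
		}
	}
	return false
}

// FilterByExclude returns the addresses that would be advertised over DNS
// after applying the static exclude configuration.
func FilterByExclude(eps []Endpoint, ex ExcludeConfig) []string {
	var out []string
	for _, ep := range eps {
		if net.ParseIP(ep.IP) == nil || excluded(ep, ex) {
			continue // unassigned/unparsable address, or explicitly excluded network
		}
		out = append(out, ep.IP)
	}
	return out
}

// cidrContains is an example helper of the kind tianon suggests for CIDR
// comparisons inside a template predicate.
func cidrContains(cidr, ip string) bool {
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return false
	}
	addr := net.ParseIP(ip)
	return addr != nil && network.Contains(addr)
}

// FilterByTemplate is the "generic" alternative: the predicate is a
// text/template evaluated per endpoint, and an endpoint is excluded when the
// rendered output (whitespace trimmed) is exactly "true". A parse error is
// returned rather than silently advertising every address.
func FilterByTemplate(eps []Endpoint, predicate string) ([]string, error) {
	tmpl, err := template.New("exclude").Funcs(template.FuncMap{
		"cidrContains": cidrContains,
	}).Parse(predicate)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, ep := range eps {
		if net.ParseIP(ep.IP) == nil {
			continue
		}
		var buf bytes.Buffer
		if err := tmpl.Execute(&buf, ep); err != nil {
			return nil, err
		}
		if strings.TrimSpace(buf.String()) == "true" {
			continue
		}
		out = append(out, ep.IP)
	}
	return out, nil
}

// SampleApp is the constructed "app" container from the compose file above:
// attached to backend (labelled DO_NOT_RESOLVE) and frontend, plus one
// network whose address has not been assigned yet.
var SampleApp = []Endpoint{
	{Name: "backend", IP: "172.19.0.3", Labels: map[string]string{"DO_NOT_RESOLVE": "true"}},
	{Name: "frontend", IP: "172.18.0.5", Labels: map[string]string{}},
	{Name: "pending", IP: "", Labels: map[string]string{}},
}

func main() {
	ex := ExcludeConfig{Labels: []string{"DO_NOT_RESOLVE"}, Names: []string{"backend"}}
	fmt.Println("static exclude:", FilterByExclude(SampleApp, ex))
	ips, err := FilterByTemplate(SampleApp, `{{ if (eq .Name "backend") }}true{{ end }}`)
	if err != nil {
		panic(err)
	}
	fmt.Println("template exclude:", ips)
}
```

With either filter, resolving `app` yields only the frontend address, which is the behaviour the issue asks for; the template form additionally lets a predicate such as `{{ if cidrContains "172.19.0.0/16" .IP }}true{{ end }}` exclude by address range without a new config key.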