yahoo-eng-team team mailing list archive
Message #95968
[Bug 2112446] [NEW] [RFE] Internal DNS resolution with OVS Agent
Public bug reported:
* Summary: Distributed DHCP for Openvswitch does not support DNS lookup
* Description:
- The DHCP agent with dnsmasq can provide both DHCP and DNS features
- With Distributed DHCP for Openvswitch, we must set up connectivity from the VM to a DNS server
- AWS uses 169.254.169.253 and fd00:ec2::253 as DNS server addresses and provides DNS without internet connectivity: https://docs.aws.amazon.com/vpc/latest/userguide/AmazonDNS-concepts.html and https://www.youtube.com/watch?v=_Z5jAs2gvPA&t=277s
- GCP does the same with 169.254.169.254: https://cloud.google.com/compute/docs/internal-dns
- OVN also provides something similar as a DNS proxy: https://docs.openstack.org/charm-guide/latest/admin/networking/ovn/internal-dns.html
* Why we need this:
- Provide internal DNS resolution for VMs with the OVS agent even when the VM has no internet/external connectivity
- For example, a VM connects to a DBaaS domain endpoint and stays connected in case of a DB instance failover (the master IP can change)
* Proposal:
- Create a DNS proxy L2 extension like we did with Distributed DHCP for OVS - https://specs.openstack.org/openstack/neutron-specs/specs/wallaby/distributed_dhcp.html#solution-proposed
- Capture packets sent to 169.254.169.253:53 and send them to the CONTROLLER
* PoC: [WIP] Add dns proxy l2 extension:
https://review.opendev.org/c/openstack/neutron/+/951390
* How to test PoC code manually:
1. Find the neutron source code of the "neutron openvswitch agent"
2. Add the new file "neutron/agent/l2/extensions/dns_proxy.py" following the patch (make sure you can connect to 1.1.1.1, or change it to another DNS server)
3. Update setup.cfg following the patch
4. Run "python setup.py develop" inside the folder containing setup.cfg
5. Update the neutron config file openvswitch_agent.ini to enable the extension, like this: extensions = dhcp, dns_proxy
6. Restart the "neutron openvswitch agent"
7. Add a new flow on OVS: ovs-ofctl add-flow br-int "udp,nw_dst=169.254.169.253,tp_dst=53,actions=CONTROLLER:0"
8. Create a VXLAN network >> Create a router without an external gateway >> Attach the subnet to the router (the network gateway IP must exist for ARP first, which is why we need the router here)
9. Create a VM on the above VXLAN network, then try to resolve a public domain, like: dig @169.254.169.253 bugs.launchpad.net
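As an added illustration of the proxy's packet path (example code written for this note, not taken from the PoC patch linked above), the following shows what the L2 extension has to do with each frame the CONTROLLER flow punts to it: re-validate that it really is a single-question DNS query addressed to 169.254.169.253:53 and not a response, a malformed question, or a packet that merely landed in the wrong flow, then frame the upstream answer so a packet-out returns it to the VM from the proxy address. The proxy MAC, the VM MAC and the VM address 10.0.0.5 are assumed sample values; the raw-frame helpers stand in for whatever packet library the real extension uses.

```python
import socket
import struct

PROXY_IP = "169.254.169.253"               # link-local resolver address from the RFE
PROXY_MAC = bytes.fromhex("fa163e000001")  # assumed: MAC the proxy answers from

def ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:                             # fold carries into the low 16 bits
        s = (s >> 16) + (s & 0xFFFF)
    return ~s & 0xFFFF                         # 0 when hdr already carries a valid checksum

def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 is allowed over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp

def parse_captured_query(frame):
    """Re-validate a punted frame; None means drop it instead of proxying it."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # too short, or not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17 or socket.inet_ntoa(frame[30:34]) != PROXY_IP:  # not UDP to the proxy
        return None
    sport, dport, ulen = struct.unpack("!HHH", frame[14 + ihl:14 + ihl + 6])
    dns = frame[14 + ihl + 8:14 + ihl + ulen]
    if dport != 53 or len(dns) < 17:          # header plus at least a root question
        return None
    if dns[2] & 0x80 or dns[4:6] != b"\x00\x01":   # QR bit set (a response) or not exactly one question
        return None
    labels, pos = [], 12
    while pos < len(dns) and dns[pos]:
        n = dns[pos]
        if n & 0xC0 or pos + 1 + n >= len(dns):   # compression pointer or truncated label: malformed
            return None
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return {"src_mac": frame[6:12], "src_ip": socket.inet_ntoa(frame[26:30]),
            "sport": sport, "qname": ".".join(labels), "query": dns}

def build_reply_frame(q, dns_response):
    assert dns_response[:2] == q["query"][:2], "transaction id must match the query"
    return build_udp_frame(PROXY_MAC, q["src_mac"], PROXY_IP, q["src_ip"], 53, q["sport"], dns_response)

def sample_query_frame():  # constructed: 'dig @169.254.169.253 bugs.launchpad.net' from VM 10.0.0.5
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + \
          b"\x04bugs\x09launchpad\x03net\x00" + struct.pack("!HH", 1, 1)
    return build_udp_frame(bytes.fromhex("fa163e00aabb"), PROXY_MAC, "10.0.0.5", PROXY_IP, 40000, 53, dns)
```

The qname in the returned dict is what the agent would log per port, which is also the place to apply any per-tenant allowlist or rate limit before the query leaves for the upstream resolver.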
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2112446
Title:
[RFE] Internal DNS resolution with OVS Agent
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2112446/+subscriptions