How a Kubernetes Pod resolves domain names outside the cluster, and how this differs on hosts that use systemd-resolved
1. How a Linux host resolves external domain names in different configurations
On a Linux host that does not use systemd-resolved, resolving an external domain name generally goes through these steps:
1) look up the name-to-IP mapping in the DNS cache;
2) look up the name-to-IP mapping in /etc/hosts;
3) read the DNS server from /etc/resolv.conf and send the query to it.
In that case /etc/resolv.conf usually looks like this:
nameserver 8.8.8.8
On a Linux host that uses systemd-resolved, the steps are:
1) look up the name-to-IP mapping in the DNS cache;
2) look up the name-to-IP mapping in /etc/hosts;
3) hand the query to the local systemd-resolved, which proxies it, because systemd-resolved rewrites /etc/resolv.conf so that every local query goes to its stub listener at 127.0.0.53:53.
At that point /etc/resolv.conf usually looks like this:
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run resolvectl status to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
systemd-resolved then sends the query on to the DNS servers listed in /run/systemd/resolve/resolv.conf; that file records the real upstream DNS servers:
cat /run/systemd/resolve/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 8.8.8.8
nameserver 4.4.4.4
2. Accessing in-cluster Service domain names from a Pod
When a Pod starts it normally uses dnsPolicy: ClusterFirst. The Pod's /etc/resolv.conf is then rewritten to point at the in-cluster CoreDNS address, so its DNS queries are sent to CoreDNS, which handles them as a proxy.
The CoreDNS Service IP in the cluster:
kubectl get svc -n kube-system
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   14d
At startup the Pod's /etc/resolv.conf is given the CoreDNS Service IP as its DNS server:
# cat /etc/resolv.conf in pod
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
3. Accessing domain names outside the cluster from a Pod
With dnsPolicy: ClusterFirst, the Pod's /etc/resolv.conf is set at startup to use the CoreDNS Service IP as its DNS server. The default CoreDNS configuration is shown below. When a name cannot be found inside the cluster, CoreDNS uses the forward plugin to pass the query upstream, and by default the upstream list is taken from the /etc/resolv.conf inside the CoreDNS Pod itself.
CoreDNS default config:
.:53 {
    log
    errors
    health {
       lameduck 5s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
       pods insecure
       fallthrough in-addr.arpa ip6.arpa
       ttl 30
    }
    prometheus :9153
    forward . /etc/resolv.conf {
       max_concurrent 1000
    }
    cache 30
    loop
    reload
    loadbalance
}
With dnsPolicy: Default, kubelet decides which DNS configuration the Pod gets, and kubelet's default is the host's /etc/resolv.conf.
In short: the Pod delegates DNS to CoreDNS, and CoreDNS resolves out-of-cluster addresses with the servers in the resolv.conf file that kubelet's resolvConf setting points to.
4. Why the /etc/resolv.conf inside the CoreDNS Pod sometimes differs from the host's /etc/resolv.conf
Scenario: when the host uses systemd-resolved to proxy DNS queries, the /etc/resolv.conf inside the CoreDNS Pod differs from the host's /etc/resolv.conf.
/etc/resolv.conf inside the CoreDNS Pod (the same content as the host's /run/systemd/resolve/resolv.conf):
cat /run/systemd/resolve/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 8.8.8.8
nameserver 4.4.4.4
The host's /etc/resolv.conf:
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run resolvectl status to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
Why they differ: the CoreDNS Pod uses dnsPolicy: Default, so it receives the file named by kubelet's resolvConf setting. By default that is /etc/resolv.conf, but when the host runs systemd-resolved, kubelet is configured with resolvConf: /run/systemd/resolve/resolv.conf, the file in which systemd-resolved stores the real upstream DNS servers. So the CoreDNS Pod actually uses the real upstream servers from /run/systemd/resolve/resolv.conf.
Why kubelet on a systemd-resolved host uses /run/systemd/resolve/resolv.conf rather than /etc/resolv.conf: if CoreDNS also used /etc/resolv.conf, every DNS query in the cluster would be proxied through systemd-resolved, and if systemd-resolved crashed or was being upgraded, DNS resolution across the whole Kubernetes cluster above it would be affected. There is also a forwarding-loop problem; the CoreDNS documentation explains it:
Troubleshooting Loops In Kubernetes Clusters
A common cause of forwarding loops in Kubernetes clusters is an interaction with a local DNS cache on the host node (e.g. systemd-resolved). For example, in certain configurations systemd-resolved will put the loopback address 127.0.0.53 as a nameserver into /etc/resolv.conf. Kubernetes (via kubelet) by default will pass this /etc/resolv.conf file to all Pods using the default dnsPolicy rendering them unable to make DNS lookups (this includes CoreDNS Pods). CoreDNS uses this /etc/resolv.conf as a list of upstreams to forward requests to. Since it contains a loopback address, CoreDNS ends up forwarding requests to itself.
In short: CoreDNS forwards to 127.0.0.53; source and destination are both the CoreDNS Pod itself, so it forwards queries to itself and loops.
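The following Python script is an added example, not code from the original post or from CoreDNS or systemd: it models the lookup path described in sections 2 to 4. It parses a resolv.conf, expands a query through the search list using the ndots rule (which is why an external name such as www.baidu.com looked up from a Pod first produces three cluster.local queries, answered by the kubernetes plugin, before the absolute name reaches forward), and checks a forward target file for loopback upstreams, the condition behind the forwarding loop quoted above. The sample resolv.conf contents are constructed from the files shown in the post; the zone list and the handler names are a simplification of the default Corefile, not CoreDNS internals.

```python
"""Trace how a name is resolved from inside a Pod and check the CoreDNS
forward target for loops (added example; not from the original post)."""
import ipaddress

# Constructed sample: the Pod /etc/resolv.conf shown in the post.
POD_RESOLV_CONF = """\
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""

# Constructed samples: what systemd-resolved writes into /etc/resolv.conf
# (stub mode) and into /run/systemd/resolve/resolv.conf (real upstreams).
HOST_STUB_RESOLV_CONF = """\
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0 trust-ad
"""
HOST_UPLINK_RESOLV_CONF = """\
nameserver 8.8.8.8
nameserver 4.4.4.4
"""

# Zones served by the kubernetes plugin in the default Corefile shown above.
KUBERNETES_ZONES = ("cluster.local.", "in-addr.arpa.", "ip6.arpa.")


def parse_resolv_conf(text):
    """Return (nameservers, search_domains, ndots) from resolv.conf text."""
    nameservers, search, ndots = [], [], 1  # glibc default ndots is 1
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search = args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def query_sequence(name, search, ndots):
    """Names the stub resolver tries, in order, following the ndots rule."""
    if name.endswith("."):
        return [name]  # already absolute: no search-list expansion
    absolute = name + "."
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded  # enough dots: try the absolute name first
    return expanded + [absolute]  # too few dots: walk the search list first


def coredns_handler(fqdn):
    """Which part of the default Corefile answers an absolute name."""
    for zone in KUBERNETES_ZONES:
        if fqdn == zone or fqdn.endswith("." + zone):
            return "kubernetes"
    return "forward"


def loopback_upstreams(text):
    """Upstreams in a forward target file that point back at the host itself."""
    nameservers, _, _ = parse_resolv_conf(text)
    return [ns for ns in nameservers if ipaddress.ip_address(ns).is_loopback]


def trace(name, pod_conf=POD_RESOLV_CONF):
    """List (query, handler) pairs for a lookup made from inside the Pod."""
    _, search, ndots = parse_resolv_conf(pod_conf)
    return [(q, coredns_handler(q)) for q in query_sequence(name, search, ndots)]


if __name__ == "__main__":
    for q, h in trace("www.baidu.com"):
        print(f"{q:55} -> {h}")
    print("loopback upstreams in stub file:", loopback_upstreams(HOST_STUB_RESOLV_CONF))
    print("loopback upstreams in uplink file:", loopback_upstreams(HOST_UPLINK_RESOLV_CONF))
```

Running it shows four queries for www.baidu.com, three of which never leave the cluster, and flags 127.0.0.53 in the stub-mode file as a loopback upstream while the uplink file is clean; that is exactly the distinction kubelet's resolvConf setting makes on a systemd-resolved host.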
5. How to access in-cluster Service domain names from a node
General method: edit the network interface's configuration file and add the DNS server there.
Non-general method, Linux without systemd-resolved: add the CoreDNS Service IP to /etc/resolv.conf.
Non-general method, Linux with systemd-resolved: add the CoreDNS Service IP to /etc/systemd/resolved.conf:
[Resolve]
DNS=10.96.0.10
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes
Then restart the service and check the result:
systemctl restart systemd-resolved.service
systemd-resolve --status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.96.0.10
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      ...
Note: do not edit /etc/resolv.conf directly, or the change is lost after a reboot: /etc/resolv.conf is taken over by systemd-resolved, which regenerates its contents every time it restarts.
Example:
# use CoreDNS to resolve an in-cluster Service
root:/home/ubuntu# nslookup vmselect-example-vmcluster-persistent.default.svc.cluster.local 10.96.0.10
Server: 10.96.0.10
Address: 10.96.0.10#53

Name: vmselect-example-vmcluster-persistent.default.svc.cluster.local
Address: 10.244.0.5
Name: vmselect-example-vmcluster-persistent.default.svc.cluster.local
Address: 10.244.1.3
Name: vmselect-example-vmcluster-persistent.default.svc.cluster.local
Address: 10.244.1.4
# add to /etc/resolv.conf
nameserver 10.96.0.10
# access the in-cluster Service domain name directly from the node; the query is now forwarded to CoreDNS
root:/home/ubuntu# curl vmselect-example-vmcluster-persistent.default.svc.cluster.local:8481/metrics
...
flag{name="promscrape.suppressScrapeErrors", value="false", is_set="false"} 1
flag{name="promscrape.suppressScrapeErrorsDelay", value="0s", is_set="false"} 1
flag{name="promscrape.yandexcloudSDCheckInterval", value="30s", is_set="false"} 1
flag{name="pushmetrics.extraLabel", value="", is_set="false"} 1
flag{name="pushmetrics.interval", value="10s", is_set="false"} 1
flag{name="pushmetrics.url", value="secret", is_set="false"} 1
flag{name="replicationFactor", value="1", is_set="false"} 1
flag{name="search.cacheTimestampOffset", value="5m0s", is_set="false"} 1
flag{name="search.denyPartialResponse", value="false", is_set="false"} 1
...
6. On a host that uses systemd-resolved, stopping systemd-resolved changes all DNS resolution on the machine, even though the host can still reach the upstream DNS server
ubuntu:~$ sudo systemctl stop systemd-resolved.service
ubuntu:~$ nslookup www.baidu.com
^C
ubuntu:~$ dig www.baidu.com
^C
ubuntu:~$ host www.baidu.com
^C
7. How to change the host's DNS server
Without systemd-resolved, edit /etc/resolv.conf directly. If the machine has systemd-resolved installed, /etc/resolv.conf must not be edited directly; change it as follows instead.
Using 8.8.8.8 as the server to add:
root:/home/ubuntu# cat /etc/systemd/resolved.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details
[Resolve]
DNS=8.8.8.8
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes
systemctl restart systemd-resolved.service
root:/home/ubuntu# systemd-resolve --status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 8.8.8.8
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      ...
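As an added example (not from the original post or from systemd), the Python below automates the edits of sections 5 and 7 without the mistake the post warns about: it detects whether /etc/resolv.conf is a static file or a symlink into /run/systemd/resolve/ (systemd-resolved's standard stub-resolv.conf and resolv.conf targets), picks the file whose change survives a reboot, and rewrites the DNS= line under [Resolve] idempotently so a node bootstrap script can run it repeatedly. The sample resolved.conf text and the temporary directory tree built in demo() are constructed; the functions only return values and never write to /etc or restart the service.

```python
"""Choose the right resolver file on a node and set its DNS servers
(added example; not from the original post)."""
import os
import re
import tempfile

# Constructed sample: /etc/systemd/resolved.conf as shipped (commented defaults).
RESOLVED_CONF = """\
# See resolved.conf(5) for details
[Resolve]
#DNS=
#FallbackDNS=
#Domains=
#DNSStubListener=yes
"""


def resolver_mode(etc_resolv_conf="/etc/resolv.conf"):
    """Classify how /etc/resolv.conf is managed.

    'static' : a plain file, safe to edit directly;
    'stub'   : symlink to systemd-resolved's stub file (nameserver 127.0.0.53);
    'uplink' : symlink to systemd-resolved's uplink file (real servers);
    'symlink': managed by something else (edit whatever owns it).
    """
    if not os.path.islink(etc_resolv_conf):
        return "static"
    target = os.path.realpath(etc_resolv_conf)
    if target.endswith("/stub-resolv.conf"):
        return "stub"
    if target.endswith("/resolve/resolv.conf"):
        return "uplink"
    return "symlink"


def target_file(mode):
    """Which file to edit so the change is not lost at the next reboot."""
    if mode == "static":
        return "/etc/resolv.conf"
    if mode in ("stub", "uplink"):
        return "/etc/systemd/resolved.conf"
    return None  # unknown manager: do not guess


def set_resolved_dns(conf_text, servers):
    """Return resolved.conf text with DNS= under [Resolve] set to `servers`.

    An existing DNS= line (commented out or not) is replaced in place, so the
    edit is idempotent; if the section has none, one is appended to it.
    """
    line = "DNS=" + " ".join(servers)
    out, in_resolve, done = [], False, False
    for raw in conf_text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("["):
            # leaving [Resolve] without having written DNS=: insert it first
            if in_resolve and not done:
                out.append(line)
                done = True
            in_resolve = stripped == "[Resolve]"
        elif in_resolve and not done and re.match(r"#?\s*DNS\s*=", stripped):
            out.append(line)  # replace '#DNS=' or an old 'DNS=...'
            done = True
            continue
        out.append(raw)
    if not done:
        if not in_resolve:
            out.append("[Resolve]")
        out.append(line)
    return "\n".join(out) + "\n"


def demo():
    """Build a throwaway tree mimicking a systemd-resolved host and classify it."""
    root = tempfile.mkdtemp()
    resolve_dir = os.path.join(root, "run", "systemd", "resolve")
    os.makedirs(resolve_dir)
    with open(os.path.join(resolve_dir, "stub-resolv.conf"), "w") as f:
        f.write("nameserver 127.0.0.53\n")
    etc_resolv = os.path.join(root, "etc_resolv.conf")  # stands in for /etc/resolv.conf
    os.symlink(os.path.join(resolve_dir, "stub-resolv.conf"), etc_resolv)
    return resolver_mode(etc_resolv)


if __name__ == "__main__":
    mode = demo()
    print("mode:", mode, "-> edit", target_file(mode))
    print(set_resolved_dns(RESOLVED_CONF, ["10.96.0.10"]))
```

After the file is written, the post's own `systemctl restart systemd-resolved.service` and `systemd-resolve --status` steps still apply; the script deliberately stops short of them so it can be tested without root.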