DNS Lookups in Kubernetes

Translator's note: the DNS problem in Kubernetes, or more precisely the ndots parameter, is surprisingly popular, and has been for more than a year now. In yet another note on this topic, its author, a DevOps engineer at a large retail company in India, explains simply and concisely what colleagues working with Kubernetes should know about it.


One of the main advantages of deploying applications on Kubernetes is seamless application discovery. Intra-cluster communication is greatly simplified by the concept of a Service, which is a virtual IP backed by a set of pod IP addresses. For example, if the vanilla service wants to talk to the chocolate service, it can simply use the virtual IP of chocolate. The question is: who resolves the DNS query for chocolate in this case, and how?

DNS name resolution in a Kubernetes cluster is configured using CoreDNS. The kubelet registers CoreDNS as the nameserver in the /etc/resolv.conf file of every pod. If you look at the contents of /etc/resolv.conf in any pod, it will look something like this:

search hello.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.152.183.10
options ndots:5

DNS clients use this configuration to route queries to the DNS server. The resolv.conf file contains the following information:

  • nameserver: the server to which DNS queries are sent. In our case this is the address of the CoreDNS service;
  • search: defines the search path for a given domain. Interestingly, google.com or mrkaran.dev are not FQDNs (fully qualified domain names). By the standard convention that most DNS resolvers follow, only names ending with a dot ".", which represents the root zone, are considered fully qualified (FQDN). Some resolvers may append the dot themselves. So mrkaran.dev. is a fully qualified domain name (FQDN), and mrkaran.dev is not;
  • ndots: the most interesting parameter (this article is about it). ndots specifies how many dots a query name must contain before it is treated as "fully qualified". We will return to this later when we examine the DNS lookup sequence.

DNS lookups in Kubernetes

Let's see what happens when we query mrkaran.dev from inside a pod:

$ nslookup mrkaran.dev
Server: 10.152.183.10
Address: 10.152.183.10#53

Non-authoritative answer:
Name: mrkaran.dev
Address: 157.230.35.153
Name: mrkaran.dev
Address: 2400:6180:0:d1::519:6001

For this experiment I set the CoreDNS log level to all (which makes it quite verbose). Let's look at the coredns logs:

[INFO] 10.1.28.1:35998 - 11131 "A IN mrkaran.dev.hello.svc.cluster.local. udp 53 false 512" NXDOMAIN qr,aa,rd 146 0.000263728s
[INFO] 10.1.28.1:34040 - 36853 "A IN mrkaran.dev.svc.cluster.local. udp 47 false 512" NXDOMAIN qr,aa,rd 140 0.000214201s
[INFO] 10.1.28.1:33468 - 29482 "A IN mrkaran.dev.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000156107s
[INFO] 10.1.28.1:58471 - 45814 "A IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 56 0.110263459s
[INFO] 10.1.28.1:54800 - 2463 "AAAA IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 68 0.145091744s

Phew. Two things stand out here:

  • The query walks through every step of the search path until a response comes back with the NOERROR code (DNS clients recognise it and cache the result). NXDOMAIN means that no record was found for the given domain name. Since mrkaran.dev is not an FQDN (according to ndots=5), the resolver consults the search path and determines the order of the queries from it;
  • The A and AAAA queries are sent in parallel. This is because, unless the single-request option is set in /etc/resolv.conf, the resolver by default performs the IPv4 and IPv6 lookups in parallel. You can override this behaviour by adding the single-request option to resolv.conf.

Note: glibc can be configured to send these queries sequentially, but musl cannot, so Alpine users should take note.

Experimenting with ndots

Let's experiment a bit more with ndots and see how this parameter behaves. The idea is simple: ndots determines whether the DNS client treats a domain as absolute or relative. For example, when a simple DNS client queries google, how does it know whether that domain is absolute? If you set ndots to 1, the client says: "Oh, google doesn't contain a single dot; I guess I'll walk the entire search list." However, if you query google.com, the search list is skipped entirely, because the queried name meets the ndots threshold (it has at least one dot).
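To make the lookup sequence from the CoreDNS logs above and the ndots rule described in this section concrete, here is a small Python model of a glibc-style resolver. It is an added example, not code from the article or from CoreDNS: it parses the pod's resolv.conf shown earlier, produces the order of query names the client sends, and walks them against a toy zone (the zone contents are constructed; only mrkaran.dev comes from the article) until the first NOERROR. It also covers the trailing-dot case and the ndots:1 experiment that follows.

```python
"""Model of how a glibc-style stub resolver expands a name using the
search list and ndots from resolv.conf, and the order of queries a pod's
DNS client sends to CoreDNS.  Added example for this article; the logic
is a simplified model, not the real libc code."""

from dataclasses import dataclass, field
from typing import List, Set, Tuple

# The pod's /etc/resolv.conf exactly as shown in the article.
RESOLV_CONF = """\
search hello.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.152.183.10
options ndots:5
"""


@dataclass
class ResolvConf:
    nameservers: List[str] = field(default_factory=list)
    search: List[str] = field(default_factory=list)
    ndots: int = 1  # libc default when no options line is present


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the nameserver / search / options lines we care about."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key in ("search", "domain"):
            conf.search = args  # a later search line replaces an earlier one
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    # glibc silently caps ndots at 15 (the limit the article mentions)
                    conf.ndots = min(int(opt.split(":", 1)[1]), 15)
    return conf


def query_order(name: str, conf: ResolvConf) -> List[str]:
    """Absolute query names the client will try, in order.

    Rules modelled:
      * a trailing dot means the name is already an FQDN: queried as-is,
        the search list is never used;
      * fewer than `ndots` dots: search suffixes first, then the bare name;
      * at least `ndots` dots: the bare name first; the search suffixes are
        only consulted if that lookup fails.
    """
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in conf.search]
    absolute = name + "."
    if name.count(".") >= conf.ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def resolve(name: str, conf: ResolvConf, zone: Set[str]) -> List[Tuple[str, str]]:
    """Walk the candidates against a toy zone, recording (qname, rcode) the
    way the CoreDNS log does, and stop at the first NOERROR answer."""
    trace = []
    for qname in query_order(name, conf):
        rcode = "NOERROR" if qname in zone else "NXDOMAIN"
        trace.append((qname, rcode))
        if rcode == "NOERROR":
            break
    return trace


# Constructed toy zone: the only names that resolve successfully.
ZONE = {"mrkaran.dev.", "google.com.", "chocolate.hello.svc.cluster.local."}

if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    for q in ("mrkaran.dev", "mrkaran.dev.", "chocolate", "google.com"):
        print(f"ndots={conf.ndots} {q!r}:", resolve(q, conf, ZONE))
```

With ndots:5, mrkaran.dev produces the same four-query trace as the CoreDNS log above (three NXDOMAINs, then NOERROR); mrkaran.dev. is answered in one query; with ndots:1, a name such as google.com is tried as an absolute name first.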

Let's verify this:

$ cat /etc/resolv.conf
options ndots:1
$ nslookup mrkaran
Server: 10.152.183.10
Address: 10.152.183.10#53

** server can't find mrkaran: NXDOMAIN

CoreDNS logs:

[INFO] 10.1.28.1:52495 - 2606 "A IN mrkaran.hello.svc.cluster.local. udp 49 false 512" NXDOMAIN qr,aa,rd 142 0.000524939s
[INFO] 10.1.28.1:59287 - 57522 "A IN mrkaran.svc.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000368277s
[INFO] 10.1.28.1:53086 - 4863 "A IN mrkaran.cluster.local. udp 39 false 512" NXDOMAIN qr,aa,rd 132 0.000355344s
[INFO] 10.1.28.1:56863 - 41678 "A IN mrkaran. udp 25 false 512" NXDOMAIN qr,rd,ra 100 0.034629206s

Since mrkaran contains no dots at all, the lookup was run through the entire list of suffixes.

Note: in practice the maximum value of ndots is limited to 15; the default in Kubernetes is 5.

Use in production

If an application makes many external network calls, DNS can become a bottleneck under heavy traffic, because name resolution generates many unnecessary queries (before the resolver gets to the right one). Applications usually don't append the root domain to domain names, and doing so looks like a hack. That is, instead of querying api.twitter.com, you could hardcode api.twitter.com. (with the trailing dot) in the application, which makes DNS clients perform a lookup directly on the fully qualified domain.
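To see how much of the CoreDNS traffic such an application generates is search-path churn, the following Python script (an added example, not from the article) parses lines in the CoreDNS log format shown earlier, strips the cluster search suffixes from each query name, and counts NXDOMAIN responses on expanded names as wasted queries. The embedded log lines are the ones from the article and the search list is the one from the pod's resolv.conf; the log line layout the regular expression matches is assumed from those lines.

```python
"""Quantify search-path misses in CoreDNS `log` plugin output: how many
queries were NXDOMAIN answers for a name with a cluster search suffix
appended, versus real answers.  Added example for this article."""

import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Log lines copied from the article (CoreDNS `log` plugin output).
SAMPLE_LOG = """\
[INFO] 10.1.28.1:35998 - 11131 "A IN mrkaran.dev.hello.svc.cluster.local. udp 53 false 512" NXDOMAIN qr,aa,rd 146 0.000263728s
[INFO] 10.1.28.1:34040 - 36853 "A IN mrkaran.dev.svc.cluster.local. udp 47 false 512" NXDOMAIN qr,aa,rd 140 0.000214201s
[INFO] 10.1.28.1:33468 - 29482 "A IN mrkaran.dev.cluster.local. udp 43 false 512" NXDOMAIN qr,aa,rd 136 0.000156107s
[INFO] 10.1.28.1:58471 - 45814 "A IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 56 0.110263459s
[INFO] 10.1.28.1:54800 - 2463 "AAAA IN mrkaran.dev. udp 29 false 512" NOERROR qr,rd,ra 68 0.145091744s
"""

# Search suffixes from the pod's resolv.conf on the page, longest first.
SEARCH: List[str] = ["hello.svc.cluster.local", "svc.cluster.local", "cluster.local"]

# Layout assumed from the lines above: client, query id, the quoted
# question ("QTYPE IN qname proto size do bufsize"), rcode, flags, size, time.
LOG_RE = re.compile(
    r'^\[INFO\]\s+(?P<client>\S+)\s+-\s+(?P<id>\d+)\s+'
    r'"(?P<qtype>\S+) IN (?P<qname>\S+) (?P<proto>\S+) \d+ \S+ \d+"\s+'
    r'(?P<rcode>\S+)\s+(?P<flags>\S+)\s+(?P<size>\d+)\s+(?P<duration>[\d.]+)s$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None if it is not a query log."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["duration"] = float(rec["duration"])
    return rec


def strip_search_suffix(qname: str, search: List[str] = SEARCH) -> Tuple[str, bool]:
    """(base name, True) if qname is base + a search suffix, else (qname, False)."""
    for suffix in search:
        tail = "." + suffix + "."
        if qname.endswith(tail) and len(qname) > len(tail):
            return qname[: -len(tail)] + ".", True
    return qname, False


def summarize(log_text: str, search: List[str] = SEARCH) -> Dict[str, object]:
    """Count total queries, search-path misses and the time they cost."""
    total = 0
    misses = 0
    wasted = 0.0
    per_base: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        base, expanded = strip_search_suffix(str(rec["qname"]), search)
        per_base[base][str(rec["rcode"])] += 1
        # An NXDOMAIN on an expanded name is a query the client only sent
        # because ndots made it walk the search list first.
        if expanded and rec["rcode"] == "NXDOMAIN":
            misses += 1
            wasted += float(rec["duration"])
    return {
        "total_queries": total,
        "search_path_misses": misses,
        "miss_ratio": misses / total if total else 0.0,
        "wasted_seconds": wasted,
        "per_base": {k: dict(v) for k, v in per_base.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the five lines from the article, three of the five queries (60%) are search-path misses for mrkaran.dev; run over real CoreDNS pod logs, the per-base breakdown shows which external names an application resolves most often and therefore which ones benefit from a trailing dot or a lower ndots.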

In addition, starting with Kubernetes 1.14 the dnsConfig and dnsPolicy fields reached stable status. So when deploying a pod, you can lower the ndots value to, say, 3 (or even 1!). In that case every intra-cluster request must include the full domain name. This is one of the classic trade-offs where you have to choose between performance and portability. It seems to me that you should only worry about this if very low latency is critical for your application, since DNS results are cached anyway.

References

I first learned about this feature at a K8s meetup held on January 25, where this problem was discussed, among other things.

Here are some links for further reading:

Note: I chose not to use dig in this article. dig automatically appends the dot (the root zone identifier), making the domain "fully qualified" (FQDN) instead of first running it through the search list. I wrote about this in one of my previous posts. Still, it is rather surprising that a separate flag has to be given to get the standard behaviour.

Happy DNSing! See you later!


Source: www.habr.com
