Can you show a netstat of the master to verify what services are listening on what interfaces and what ports?
Also show your dig command, and, if run from a node and against the service IP, show the node log where it proxies the connection to an endpoint.

Erik M Jacobs, RHCA
Principal Technical Marketing Manager, OpenShift Enterprise
Red Hat, Inc.
Phone: 646.462.3745
Email: [email protected]
AOL Instant Messenger: ejacobsatredhat
Twitter: @ErikonOpen
Freenode: thoraxe

On Fri, Jan 15, 2016 at 11:31 AM, Clayton Coleman <[email protected]> wrote:

> This is so DNS is HA. Not sure why you can't get through the firewall.
>
> On Fri, Jan 15, 2016 at 11:27 AM, Luke Meyer <[email protected]> wrote:
>
> > I rebuilt my dev cluster from HEAD recently and pods were having DNS problems. I'm set up with dnsmasq at port 53 on the master, forwarding cluster requests to SkyDNS running at port 8053, per
> > https://developerblog.redhat.com/2015/11/19/dns-your-openshift-v3-cluster/
> >
> > I discovered that pods are now getting the kubernetes service IP (172.30.0.1 by default) instead of the master IP like they used to. If I inspect that service, I see this:
> >
> > $ oc describe service/kubernetes --namespace default
> > Name: kubernetes
> > Namespace: default
> > Labels: component=apiserver,provider=kubernetes
> > Selector: <none>
> > Type: ClusterIP
> > IP: 172.30.0.1
> > Port: https 443/TCP
> > Endpoints: 172.16.4.29:8443
> > Port: dns 53/UDP
> > Endpoints: 172.16.4.29:8053
> > Port: dns-tcp 53/TCP
> > Endpoints: 172.16.4.29:8053
> > Session Affinity: None
> > No events.
> >
> > So there's my problem - DNS requests are presumably being forwarded to the master IP, but at port 8053. This port isn't open, but even if I add a firewall rule to open it, it doesn't seem to connect (dig request times out). Also I didn't really want to make requests directly against SkyDNS, because I want my dnsmasq server to answer queries (from node or pod) about my rogue domain names as well as cluster addresses.
> >
> > I think I could solve it by just running dnsmasq on a different server and including it in /etc/resolv.conf everywhere. I'll try that. But that seems like it shouldn't be necessary. Any thoughts on this change? Why was it necessary?
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
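
Added example, not part of the original thread: one way to do the netstat cross-check requested above, matching each endpoint of the kubernetes service against the sockets actually listening on the master and the interface each is bound to. The function names and the netstat sample are assumptions made for illustration; the port and endpoint values are the ones posted in the thread.

```python
# DESCRIBE is from the thread; NETSTAT is a constructed `netstat -tuln` sample.
DESCRIBE = """\
Port: https 443/TCP
Endpoints: 172.16.4.29:8443
Port: dns 53/UDP
Endpoints: 172.16.4.29:8053
Port: dns-tcp 53/TCP
Endpoints: 172.16.4.29:8053
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:8443   0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8053 0.0.0.0:* LISTEN
"""

def service_endpoints(describe):
    """Return (port name, proto, endpoint ip, endpoint port) tuples."""
    out, current = [], None
    for line in describe.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Port":
            current = (value.split()[0], value.split("/")[1].lower())
        elif key == "Endpoints" and current:
            for ep in (e.strip() for e in value.split(",") if ":" in e):
                ip, port = ep.rsplit(":", 1)
                out.append((*current, ip, int(port)))
    return out

def listeners(netstat):
    """Map (proto, port) to the local addresses bound (IPv4 lines only)."""
    socks = {}
    for f in (line.split() for line in netstat.splitlines()):
        if len(f) >= 5 and (f[0] == "udp" or (f[0] == "tcp" and f[-1] == "LISTEN")):
            addr, port = f[3].rsplit(":", 1)
            socks.setdefault((f[0], int(port)), set()).add(addr)
    return socks

def check(describe, netstat):
    """Report, per service port, whether the endpoint has a usable listener."""
    socks, report = listeners(netstat), {}
    for name, proto, ip, port in service_endpoints(describe):
        binds = socks.get((proto, port), set())
        status = ("reachable bind" if binds & {"0.0.0.0", ip} else
                  "bound elsewhere: " + ",".join(sorted(binds)) if binds else
                  "no listener")
        report[name] = (f"{ip}:{port}/{proto}", status)
    return report

if __name__ == "__main__":
    print(*check(DESCRIBE, NETSTAT).items(), sep="\n")
```

A port reported as "no listener" or "bound elsewhere" will not answer on the endpoint address whatever the firewall allows, so this check comes before adding any rule.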
