True :)
On Thu, Apr 2, 2015 at 3:37 PM, Tom Arnfeld <[email protected]> wrote:
> Last time I checked haproxy didn't support UDP which would be key for mesos-dns.
>
> --
>
> Tom Arnfeld
> Developer // DueDil
>
> (+44) 7525940046
> 25 Christopher Street, London, EC2A 2BS
>
>
> On Thu, Apr 2, 2015 at 3:53 PM, John Omernik <[email protected]> wrote:
>
>> That was my first response as well... I work at a bank, and the thought of changing dns servers on the clients everywhere made me roll my eyes :)
>>
>> John
>>
>>
>> On Thu, Apr 2, 2015 at 9:39 AM, Tom Arnfeld <[email protected]> wrote:
>>
>>> This is great, thanks for sharing!
>>>
>>> It's nice to see other members of the community sharing more realistic implementations of DNS rather than just "update your resolv conf" and it works :-)
>>>
>>> --
>>>
>>> Tom Arnfeld
>>> Developer // DueDil
>>>
>>> (+44) 7525940046
>>> 25 Christopher Street, London, EC2A 2BS
>>>
>>>
>>> On Thu, Apr 2, 2015 at 3:30 PM, John Omernik <[email protected]> wrote:
>>>
>>>> Based on my earlier emails about the state of service discovery, I did some research and a little writeup on how to use mesos-dns as a forward lookup zone in an enterprise bind installation. I feel this is more secure, and more comfortable for an enterprise DNS team, as opposed to changing the first resolver on every client that may interact with mesos to be the mesos-dns server. Please feel free to modify/correct and include this in the mesos-dns documentation if you feel it's valuable.
>>>>
>>>>
>>>> Goals/Thought Process
>>>> - Run mesos-dns on a non-standard port (such as 8053). This allows you to run it as a non-root user.
>>>> - While most DNS clients may not understand this (a different port), in an enterprise, most DNS servers will respect a forward lookup zone with a server using a different port.
>>>> - Setup below for BIND9 allows you to keep all your mesos servers AND clients in an enterprise pointing their requests at your enterprise DNS server, rather than mesos-dns.
>>>>   - This is easier from an enterprise configuration standpoint. Make one change on your dns servers, rather than adding a resolver on all the clients.
>>>>   - This is more secure in that you can run mesos-dns as non-root (53 is a privileged port, 8053 is not); no sudo required.
>>>>   - For more security, you can limit connections to the mesos-dns server to only your enterprise dns servers. This could help mitigate any unknown vulnerabilities in mesos-dns.
>>>>   - This allows you to HA mesos-dns in that you can specify multiple resolvers for your bind configuration.
>>>>
>>>>
>>>> Bind9 Config
>>>> This was put into my named.conf.local. It sets up the .mesos zone and forwards to mesos dns. All my mesos servers already pointed at this server, therefore no client changes required.
>>>>
>>>> #192.168.0.100 is my host running mesos DNS
>>>> zone "mesos" {
>>>>     type forward;
>>>>     forward only;
>>>>     forwarders { 192.168.0.100 port 8053; };
>>>> };
>>>>
>>>>
>>>> config.json mesos-dns config file.
>>>> I DID specify my internal DNS server in the resolvers (192.168.0.10); however, I am not sure if I need to do this, since only requests for .mesos will actually be sent to mesos-dns.
>>>>
>>>> {
>>>>   "masters": ["192.168.0.98:5050"],
>>>>   "refreshSeconds": 60,
>>>>   "ttl": 60,
>>>>   "domain": "mesos",
>>>>   "port": 8053,
>>>>   "resolvers": ["192.168.0.10"],
>>>>   "timeout": 5,
>>>>   "listener": "0.0.0.0",
>>>>   "email": "root.mesos-dns.mesos"
>>>> }
>>>>
>>>>
>>>> marathon start json
>>>> Note the lack of sudo here. I also constrained it to one host for now, but that could change if needed.
>>>>
>>>> {
>>>>   "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>>>>   "cpus": 1.0,
>>>>   "mem": 1024,
>>>>   "id": "mesos-dns",
>>>>   "instances": 1,
>>>>   "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
>>>> }
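An added check that is not part of the thread or of mesos-dns itself: the setup in John's post has two files that must agree (the zone name and `forwarders` port in named.conf.local, and `domain` and `port` in mesos-dns's config.json), and if they disagree BIND's .mesos queries never reach mesos-dns. The Python below parses both, reports mismatches and a privileged port, and turns the "limit connections to your enterprise dns servers" point into nftables rules; the sample configs are copies of the values from the post, and `nft_allow_rules` assumes a hypothetical existing `inet filter` table with an `input` chain.

```python
import json
import re
# Constructed sample inputs: the named.conf.local stanza and config.json posted in the thread.
NAMED_CONF_LOCAL = """
zone "mesos" {
    type forward;
    forward only;
    forwarders { 192.168.0.100 port 8053; };
};
"""
MESOS_DNS_CONFIG = """{"masters": ["192.168.0.98:5050"], "refreshSeconds": 60, "ttl": 60, "domain": "mesos",
 "port": 8053, "resolvers": ["192.168.0.10"], "timeout": 5, "listener": "0.0.0.0", "email": "root.mesos-dns.mesos"}"""

def brace_block(text, open_idx):
    """Return the text inside the brace block that opens at text[open_idx], honouring nesting."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def parse_forward_zones(named_conf):
    """Map each 'type forward' zone to its forwarders as [(ip, port)]; BIND defaults the port to 53."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', named_conf):
        body = brace_block(named_conf, m.end() - 1)
        fwd = re.search(r"forwarders\s*\{", body)
        if re.search(r"\btype\s+forward\s*;", body) and fwd:
            entries = re.findall(r"(\d+(?:\.\d+){3})(?:\s+port\s+(\d+))?\s*;", brace_block(body, fwd.end() - 1))
            zones[m.group(1)] = [(ip, int(port) if port else 53) for ip, port in entries]
    return zones

def check_wiring(named_conf, mesos_dns_json):
    """Cross-check the BIND forward zone against mesos-dns's config.json; return the problems found."""
    cfg = json.loads(mesos_dns_json)
    fwds = parse_forward_zones(named_conf).get(cfg["domain"])
    if not fwds:
        return [f'named.conf has no forward zone "{cfg["domain"]}" with forwarders']
    problems = [f"BIND forwards to {ip} port {port} but mesos-dns listens on port {cfg['port']}"
                for ip, port in fwds if port != cfg["port"]]
    if cfg["port"] < 1024:  # the post's reason for 8053: a non-privileged port needs no root/sudo
        problems.append(f"port {cfg['port']} is privileged, so mesos-dns could not run as a non-root user")
    return problems

def nft_allow_rules(mesos_dns_port, enterprise_dns_ips):
    """Rules admitting only the enterprise resolvers to mesos-dns; assumes a hypothetical 'inet filter' table with an 'input' chain."""
    allow = f"ip saddr {{ {', '.join(enterprise_dns_ips)} }}"
    return ([f"add rule inet filter input {allow} {p} dport {mesos_dns_port} accept" for p in ("udp", "tcp")]
            + [f"add rule inet filter input {p} dport {mesos_dns_port} drop" for p in ("udp", "tcp")])
```

Run `check_wiring` against the real files before reloading BIND; an empty list means the zone and port line up with what mesos-dns will actually listen on.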

