This is a great thread, thanks for starting it John. I will transcode your message into a tutorial on the Mesos-DNS documentation. I will ping you to take a look and edit as needed (that goes to all of you with some experience on the topic).
On Thu, Apr 2, 2015 at 5:58 PM, John Omernik <[email protected]> wrote:
> Mesos-dns seems pretty light weight, why not constrain it to a group of 3-5 hosts, and then list all of them as your forwarding resolvers. While not truly "run anywhere", I would imagine with some good node/rack placement you would be sufficiently HA
>
> On Thursday, April 2, 2015, Tom Arnfeld <[email protected]> wrote:
>
>> We're using a BGP based solution currently to solve the problem of highly available DNS resolvers.
>>
>> That might be a route worth taking, and one that could still work via marathon on top of Mesos.
>>
>> --
>>
>> Tom Arnfeld
>> Developer // DueDil
>>
>> (+44) 7525940046
>> 25 Christopher Street, London, EC2A 2BS
>>
>>
>> On Thu, Apr 2, 2015 at 10:07 PM, John Omernik <[email protected]> wrote:
>>
>>> True :)
>>>
>>>
>>> On Thu, Apr 2, 2015 at 3:37 PM, Tom Arnfeld <[email protected]> wrote:
>>>
>>>> Last time I checked haproxy didn't support UDP which would be key for mesos-dns.
>>>>
>>>>
>>>> On Thu, Apr 2, 2015 at 3:53 PM, John Omernik <[email protected]> wrote:
>>>>
>>>>> That was my first response as well... I work at a bank, and the thought of changing dns servers on the clients everywhere made me roll my eyes :)
>>>>>
>>>>> John
>>>>>
>>>>>
>>>>> On Thu, Apr 2, 2015 at 9:39 AM, Tom Arnfeld <[email protected]> wrote:
>>>>>
>>>>>> This is great, thanks for sharing!
>>>>>>
>>>>>> It's nice to see other members of the community sharing more realistic implementations of DNS rather than just "update your resolv conf" and it works :-)
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 2, 2015 at 3:30 PM, John Omernik <[email protected]> wrote:
>>>>>>
>>>>>>> Based on my earlier emails about the state of service discovery, I did some research and a little writeup on how to use mesos-dns as a forward lookup zone in an enterprise bind installation. I feel this is more secure, and more comfortable for an enterprise DNS team as opposed to changing the first resolver on every client that may interact with mesos to be the mesos-dns server. Please feel free to modify/correct and include this in the mesos-dns documentation if you feel it's valuable.
>>>>>>>
>>>>>>>
>>>>>>> Goals/Thought Process
>>>>>>> - Run mesos-dns on a non-standard port (such as 8053). This allows you to run it as a non-root user.
>>>>>>> - While most DNS clients may not understand this (a different port), in an enterprise, most DNS servers will respect a forward lookup zone with a server using a different port.
>>>>>>> - Setup below for BIND9 allows you to keep all your mesos servers AND clients in an enterprise pointing their requests at your enterprise DNS server, rather than mesos-dns.
>>>>>>> - This is easier from an enterprise configuration standpoint. Make one change on your dns servers, rather than adding a resolver on all the clients.
>>>>>>> - This is more secure in that you can run mesos-dns as non-root (53 is a privileged port, 8053 is not); no sudo required.
>>>>>>> - For more security, you can limit connections to the mesos-dns server to only your enterprise dns servers. This could help mitigate any unknown vulnerabilities in mesos-dns.
>>>>>>> - This allows you to HA mesos-dns in that you can specify multiple resolvers for your bind configuration.
>>>>>>>
>>>>>>>
>>>>>>> Bind9 Config
>>>>>>> This was put into my named.conf.local. It sets up the .mesos zone and forwards to mesos dns. All my mesos servers already pointed at this server, therefore no client changes required.
>>>>>>>
>>>>>>>     #192.168.0.100 is my host running mesos DNS
>>>>>>>     zone "mesos" {
>>>>>>>         type forward;
>>>>>>>         forward only;
>>>>>>>         forwarders { 192.168.0.100 port 8053; };
>>>>>>>     };
>>>>>>>
>>>>>>>
>>>>>>> config.json mesos-dns config file.
>>>>>>> I DID specify my internal DNS server in the resolvers (192.168.0.10); however, I am not sure if I need to do this, since only requests for .mesos will actually be sent to mesos-dns.
>>>>>>>
>>>>>>>     {
>>>>>>>       "masters": ["192.168.0.98:5050"],
>>>>>>>       "refreshSeconds": 60,
>>>>>>>       "ttl": 60,
>>>>>>>       "domain": "mesos",
>>>>>>>       "port": 8053,
>>>>>>>       "resolvers": ["192.168.0.10"],
>>>>>>>       "timeout": 5,
>>>>>>>       "listener": "0.0.0.0",
>>>>>>>       "email": "root.mesos-dns.mesos"
>>>>>>>     }
>>>>>>>
>>>>>>>
>>>>>>> marathon start json
>>>>>>> Note the lack of sudo here. I also constrained it to one host for now, but that could change if needed.
>>>>>>>
>>>>>>>     {
>>>>>>>       "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>>>>>>>       "cpus": 1.0,
>>>>>>>       "mem": 1024,
>>>>>>>       "id": "mesos-dns",
>>>>>>>       "instances": 1,
>>>>>>>       "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
>>>>>>>     }
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> --
> Sent from my iThing

--
Christos
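The thread's hand-off from BIND9 to mesos-dns only works when the forward zone, the forwarder port and the mesos-dns "domain"/"port" all line up, and the whole point of 8053 is lost if someone later drops the port back to 53. The following is an added illustration, not code from the thread or from the Mesos-DNS project: a small checker, with constructed copies of the named.conf.local stanza and config.json from the message above, that parses the forward zone and reports any mismatch or privileged port before the change is rolled out.

```python
import json
import re
# Constructed sample inputs mirroring the thread's setup (not the project's own files).
MESOS_DNS_CONFIG = """{
  "masters": ["192.168.0.98:5050"], "refreshSeconds": 60, "ttl": 60,
  "domain": "mesos", "port": 8053, "resolvers": ["192.168.0.10"],
  "timeout": 5, "listener": "0.0.0.0", "email": "root.mesos-dns.mesos"
}"""
NAMED_CONF_LOCAL = ('zone "mesos" {\n  type forward;\n  forward only;\n'
                    '  forwarders { 192.168.0.100 port 8053; };\n};\n')
# One forwarder entry: "ip;" or "ip port N;" (BIND defaults the port to 53).
FWD_RE = re.compile(r'(\d+(?:\.\d+){3})(?:\s+port\s+(\d+))?\s*;')

def _block_after(text, start):
    """Return the text inside the brace block that opens at the first '{' after start."""
    i, depth = text.index("{", start), 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j]
    raise ValueError("unbalanced braces in named.conf")

def parse_forward_zones(named_conf):
    """Map each 'type forward' zone name to its list of (ip, port) forwarders."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"', named_conf):
        body = _block_after(named_conf, m.end())
        if not re.search(r'type\s+forward\s*;', body):
            continue  # master/slave zones are not what mesos-dns sits behind
        f = re.search(r'forwarders\s*\{', body)
        fwd_body = _block_after(body, f.start()) if f else ""
        zones[m.group(1)] = [(ip, int(p or 53)) for ip, p in FWD_RE.findall(fwd_body)]
    return zones

def check_forwarding(named_conf, config_json, mesos_dns_host):
    """Findings about the BIND -> mesos-dns hand-off; an empty list means they agree."""
    cfg = json.loads(config_json)
    findings = []
    if cfg["port"] < 1024:
        findings.append(f"port {cfg['port']} is privileged; mesos-dns would need root")
    fwds = parse_forward_zones(named_conf).get(cfg["domain"])
    if fwds is None:
        findings.append(f'no forward zone "{cfg["domain"]}" in named.conf')
    elif (mesos_dns_host, cfg["port"]) not in fwds:
        findings.append(f"forwarders {fwds} do not include {mesos_dns_host}:{cfg['port']}")
    return findings
```

A forwarder written as `192.168.0.100;` without `port 8053` is the common slip: BIND then sends `.mesos` queries to port 53, where nothing is listening, and the checker flags it.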

