Thanks for this... very useful!

________________________________
From: Christos Kozyrakis [[email protected]]
Sent: 07 April 2015 23:25
To: [email protected]
Cc: John Omernik
Subject: Re: Using mesos-dns in an enterprise

This is a great thread, thanks for starting it John. I will transcode your message into a tutorial on the Mesos-DNS documentation. I will ping you to take a look and edit as needed (that goes to all of you with some experience on the topic).

On Thu, Apr 2, 2015 at 5:58 PM, John Omernik <[email protected]> wrote:

Mesos-dns seems pretty lightweight, why not constrain it to a group of 3-5 hosts, and then list all of them as your forwarding resolvers? While not truly "run anywhere", I would imagine with some good node/rack placement you would be sufficiently HA.

On Thursday, April 2, 2015, Tom Arnfeld <[email protected]> wrote:

We're using a BGP based solution currently to solve the problem of highly available DNS resolvers. That might be a route worth taking, and one that could still work via marathon on top of Mesos.

--
Tom Arnfeld
Developer // DueDil
(+44) 7525940046
25 Christopher Street, London, EC2A 2BS

On Thu, Apr 2, 2015 at 10:07 PM, John Omernik <[email protected]> wrote:

True :)

On Thu, Apr 2, 2015 at 3:37 PM, Tom Arnfeld <[email protected]> wrote:

Last time I checked haproxy didn't support UDP, which would be key for mesos-dns.

--
Tom Arnfeld
Developer // DueDil

On Thu, Apr 2, 2015 at 3:53 PM, John Omernik <[email protected]> wrote:

That was my first response as well... I work at a bank, and the thought of changing DNS servers on the clients everywhere made me roll my eyes :)

John

On Thu, Apr 2, 2015 at 9:39 AM, Tom Arnfeld <[email protected]> wrote:

This is great, thanks for sharing!

It's nice to see other members of the community sharing more realistic implementations of DNS rather than just "update your resolv.conf" and it works :-)

--
Tom Arnfeld
Developer // DueDil

On Thu, Apr 2, 2015 at 3:30 PM, John Omernik <[email protected]> wrote:

Based on my earlier emails about the state of service discovery, I did some research and a little writeup on how to use mesos-dns as a forward lookup zone in an enterprise BIND installation. I feel this is more secure, and more comfortable for an enterprise DNS team, as opposed to changing the first resolver on every client that may interact with Mesos to be the mesos-dns server. Please feel free to modify/correct and include this in the mesos-dns documentation if you feel it's valuable.

Goals/Thought Process

- Run mesos-dns on a non-standard port (such as 8053). This allows you to run it as a non-root user.
- While most DNS clients may not understand this (a different port), in an enterprise, most DNS servers will respect a forward lookup zone with a server using a different port.
- The setup below for BIND9 allows you to keep all your Mesos servers AND clients in an enterprise pointing their requests at your enterprise DNS server, rather than mesos-dns.
- This is easier from an enterprise configuration standpoint. Make one change on your DNS servers, rather than adding a resolver on all the clients.
- This is more secure in that you can run mesos-dns as non-root (53 is a privileged port, 8053 is not); no sudo required.
- For more security, you can limit connections to the mesos-dns server to only your enterprise DNS servers. This could help mitigate any unknown vulnerabilities in mesos-dns.
- This allows you to HA mesos-dns in that you can specify multiple resolvers for your BIND configuration.

Bind9 Config

This was put into my named.conf.local. It sets up the .mesos zone and forwards to mesos-dns. All my Mesos servers already pointed at this server, therefore no client changes were required.

    # 192.168.0.100 is my host running mesos-dns
    zone "mesos" {
        type forward;
        forward only;
        forwarders {
            192.168.0.100 port 8053;
        };
    };

config.json

mesos-dns config file. I DID specify my internal DNS server in the resolvers (192.168.0.10); however, I am not sure if I need to do this, since only requests for .mesos will actually be sent to mesos-dns.

    {
        "masters": ["192.168.0.98:5050"],
        "refreshSeconds": 60,
        "ttl": 60,
        "domain": "mesos",
        "port": 8053,
        "resolvers": ["192.168.0.10"],
        "timeout": 5,
        "listener": "0.0.0.0",
        "email": "root.mesos-dns.mesos"
    }

marathon start json

Note the lack of sudo here. I also constrained it to one host for now, but that could change if needed.

    {
        "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
        "cpus": 1.0,
        "mem": 1024,
        "id": "mesos-dns",
        "instances": 1,
        "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
    }

--
Sent from my iThing

--
Christos
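The thread above stops at a single mesos-dns forwarder; the two follow-ups it suggests are listing several mesos-dns instances as forwarders for HA and restricting who may talk to port 8053. The script below is an added example written for this page, not code from the thread or from the mesos-dns project. It generates the named.conf.local forward zone for a set of mesos-dns hosts, emits host-firewall rules that admit only the enterprise resolvers to port 8053, and includes a dig-based check that the answer obtained through enterprise DNS matches what mesos-dns returns directly. The host and resolver addresses (192.168.0.100-102, 192.168.0.10-11) are placeholders chosen here, and the rules assume plain iptables on the mesos-dns hosts.

```shell
#!/bin/sh
# Added example (not from the thread): HA forwarders + access restriction for
# mesos-dns behind enterprise BIND, plus an end-to-end resolution check.
#
# Assumptions (placeholders, not from the original posts):
#   - mesos-dns listens on MESOS_DNS_PORT on every host in MESOS_DNS_HOSTS
#   - the enterprise BIND servers are the addresses in ENTERPRISE_DNS
MESOS_DNS_PORT=8053
MESOS_DNS_HOSTS="192.168.0.100 192.168.0.101 192.168.0.102"
ENTERPRISE_DNS="192.168.0.10 192.168.0.11"

# Print a named.conf.local "mesos" forward zone that lists every mesos-dns
# host as a forwarder; BIND tries the others if one instance is down.
bind_forward_zone() {
    printf 'zone "mesos" {\n    type forward;\n    forward only;\n    forwarders {\n'
    for h in $MESOS_DNS_HOSTS; do
        printf '        %s port %s;\n' "$h" "$MESOS_DNS_PORT"
    done
    printf '    };\n};\n'
}

# Print iptables rules for a mesos-dns host: accept the DNS port only from
# the enterprise resolvers, then drop everything else aimed at that port.
# Both UDP and TCP are covered because a resolver retries over TCP when a
# UDP answer is truncated. Rule order matters: the ACCEPTs precede the DROP.
firewall_rules() {
    for proto in udp tcp; do
        for src in $ENTERPRISE_DNS; do
            printf 'iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n' \
                "$proto" "$MESOS_DNS_PORT" "$src"
        done
        printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$MESOS_DNS_PORT"
    done
}

# End-to-end check (needs dig and network access; not used by the generators):
# the A records served via the enterprise resolver must be non-empty and equal
# to what the first mesos-dns instance returns when asked directly on 8053.
verify_forwarding() {
    name="${1:-leader.mesos}"
    direct=$(dig +short @"${MESOS_DNS_HOSTS%% *}" -p "$MESOS_DNS_PORT" "$name" A | sort)
    via_ent=$(dig +short @"${ENTERPRISE_DNS%% *}" "$name" A | sort)
    [ -n "$direct" ] && [ "$direct" = "$via_ent" ]
}

# Usage: ./mesos-dns-ha.sh zone | firewall | verify [name]
case "${1:-}" in
    zone)     bind_forward_zone ;;
    firewall) firewall_rules ;;
    verify)   verify_forwarding "${2:-leader.mesos}" ;;
esac
```

Run `zone` on the BIND host to paste the stanza into named.conf.local, `firewall` on each mesos-dns host, and `verify` from a machine that can reach both; a mismatch or empty answer from `verify` means the forward zone is not being consulted or the firewall is also blocking the enterprise resolvers.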

