(maint) Add puppetserver alias puppet.local
 - Remove the domain introspection / setting of AZURE_DOMAIN env var
   as this does not work as originally thought.

   Instead, hardcode the DNS suffix `.local` to each service in the
   compose stack, and make sure that `dns_search` for `.local` will
   use the Docker DNS resolver when dealing with these hosts. Note that
   these compose file settings only affect the configuration of the
   DNS resolver, *not* resolv.conf. This is different from the
   docker run behavior, which *does* modify resolv.conf. Also note,
   config file locations vary depending on whether or not systemd is
   running in the container.

   It's not "safe" to refer to services in the cluster by only their
   short service names like `puppet`, `puppetdb` or `postgres` as they
   can conflict with hosts on the external network with these names.

   When docker compose creates the user defined network, it copies the
   DNS settings from the host to the `resolv.conf` in each of the
   containers.

   When network resolutions happen, any default search suffix will be
   applied to short names when the dns option for ndots is not set to 0.
   So for instance, given a `resolv.conf` that contains:

	 search delivery.puppetlabs.net

   A DNS request for `puppet` becomes `puppet.delivery.puppetlabs.net`
   which will fail to resolve in the Docker DNS resolver, then be sent
   to the next DNS server in the `nameserver` list.

   While it is possible to try and service requests for an external
   domain like `delivery.puppetlabs.net`, it's better to instead choose
   a domain suffix to use inside the cluster.

   There are some good details on how various network types configure:
   docker/for-linux#488 (comment)

 - Note that the .local domain is typically not recommended for
   production given the only IANA reserved domains are .example, .test,
   .invalid or .localhost. However, given the DNS resolver is set to
   own the resolution of .local, this is a compromise.

   In production it's recommended to use a subdomain of a domain that
   you own, but that's not yet configurable in this compose file.

 - Another workaround for this problem would be to set the ndots option
   in resolv.conf to 0 per the documentation at
   http://man7.org/linux/man-pages/man5/resolv.conf.5.html

   However that can't be done for two reasons:

   - docker-compose schema doesn't actually support setting DNS options
     docker/cli#1557

   - k8s sets ndots to 5 by default, so we don't want to be at odds

 - A further, but implausible workaround would be to modify the host DNS
   settings to remove any search suffixes.

 - The original FQDN change being reverted in this commit was introduced
   in 2549f19

   "
   Lastly, the Windows specific docker-compose.windows.yml sets up a
   custom alias in the "default" network so that an extra DNS name for
   puppetserver can be set based on the FQDN that Facter determines.
   Without this additional DNS reservation, the `puppetserver ca`
   command will be unable to connect to the REST endpoint.

   A better long-term solution is making sure puppetserver is setup to
   point to `puppet` as the host instead of an FQDN.
   "

   With the PUPPETSERVER_HOSTNAME value set on the puppetserver
   container, both certname and server are set to puppet.local,
   preventing a need to synchronize a domain name.

 - Note that at this time there is also a discrepancy in how Facter 3
   behaves vs Facter 2.

   The Facter 2 gem is being used by the `puppetserver ca` gem based
   application, and may return a different value for
   Facter.value('domain') than calling `facter domain` at the command
   line.  Such is the case inside the puppet network, where Facter 2
   returns `ops.puppetlabs.net` while Facter 3 returns the value
   `delivery.puppetlabs.net`

   This discrepancy makes it so that the `puppetserver ca` application
   cannot find the client side cert on disk and fails outright.

   Facter 2 should not be included in the puppetserver packages, so
   work is ongoing to extricate it.

   For now, setting the `puppet.conf` values explicitly to the desired
   DNS name works around this problem as well.
Iristyle committed Apr 30, 2019
1 parent 2ee8e2b commit d300a5f
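The search-suffix expansion the commit message describes, as an added example that is not part of the commit or the project: a small Python simulation of a glibc-style stub resolver that reads `search` and `options ndots:` from a resolv.conf, builds the candidate list in the order the resolver would try it, and then asks a constructed Docker embedded-DNS table (which forwards unknown names upstream) for each candidate. The zone data, addresses and the `puppet.delivery.puppetlabs.net` collision host are all constructed for the example; the `puppet`/`puppet.local` names are the ones from the compose file.

```python
"""
Added example (not code from the commit or the project): a simulation of how a
glibc-style stub resolver expands a host name using the `search` and
`options ndots:` settings in resolv.conf, and which nameserver ends up
answering.  The zone contents and addresses below are constructed.
"""
import re


def parse_resolv_conf(text):
    """Return (nameservers, search_list, ndots) from resolv.conf text.

    Defaults follow glibc: ndots is 1 unless set, and the last `search` or
    `domain` line wins.
    """
    nameservers, search, ndots = [], [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search = list(args)
        elif key == "options":
            for opt in args:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    ndots = min(int(m.group(1)), 15)  # glibc caps ndots at 15
    return nameservers, search, ndots


def candidate_names(name, search, ndots):
    """Order in which the resolver tries names (simplified res_search).

    A trailing dot means absolute, no expansion.  Otherwise a name with at
    least `ndots` dots is tried as-is first and the search list second; a
    name with fewer dots gets the search suffixes first and is tried as-is
    last.  That second path is what turns `puppet` into
    `puppet.delivery.puppetlabs.net` before `puppet` itself is ever queried.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    as_is = [name]
    expanded = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:
        return as_is + expanded
    return expanded + as_is


# Constructed data: what Docker's embedded DNS (127.0.0.11) answers for a
# compose network with services puppet, puppetdb, postgres and their .local
# aliases, and what an upstream corporate resolver knows.  The upstream entry
# is an unrelated machine that happens to be called `puppet`.
DOCKER_ZONE = {
    "puppet": "172.18.0.2", "puppet.local": "172.18.0.2",
    "puppetdb": "172.18.0.3", "puppetdb.local": "172.18.0.3",
    "postgres": "172.18.0.4", "postgres.local": "172.18.0.4",
}
UPSTREAM_ZONE = {
    "puppet.delivery.puppetlabs.net": "10.20.30.40",
}


def resolve(name, resolv_conf, docker_zone=DOCKER_ZONE, upstream_zone=UPSTREAM_ZONE):
    """Walk the candidate list; the embedded resolver answers names it owns
    and forwards everything else upstream.  Returns the name that finally
    answered, its address, who answered, and every name that was tried."""
    _, search, ndots = parse_resolv_conf(resolv_conf)
    tried = []
    for fqdn in candidate_names(name, search, ndots):
        tried.append(fqdn)
        if fqdn in docker_zone:
            return {"fqdn": fqdn, "addr": docker_zone[fqdn], "via": "docker", "tried": tried}
        if fqdn in upstream_zone:
            return {"fqdn": fqdn, "addr": upstream_zone[fqdn], "via": "upstream", "tried": tried}
    return {"fqdn": None, "addr": None, "via": None, "tried": tried}


# resolv.conf as copied from a host whose adapter carries a search suffix.
HOST_RESOLV_CONF = "nameserver 127.0.0.11\nsearch delivery.puppetlabs.net\n"


def demo():
    """The four cases the commit message argues about."""
    return {
        # short name, default ndots:1 -> hijacked by the external search suffix
        "short_default": resolve("puppet", HOST_RESOLV_CONF),
        # suffixed name has one dot, so it is tried as-is first and stays inside
        "fqdn_default": resolve("puppet.local", HOST_RESOLV_CONF),
        # the ndots:0 workaround the message says compose cannot express
        "short_ndots0": resolve("puppet", HOST_RESOLV_CONF + "options ndots:0\n"),
        # Kubernetes-style ndots:5: even puppet.local gets expanded first
        "fqdn_k8s": resolve("puppet.local", HOST_RESOLV_CONF + "options ndots:5\n"),
    }


if __name__ == "__main__":
    for case, r in demo().items():
        print(f"{case:14s} tried={r['tried']} -> {r['fqdn']} {r['addr']} via {r['via']}")
```

The `short_default` case is the security-relevant one: with the host's search suffix copied into the container and the default `ndots:1`, the bare service name `puppet` never reaches Docker's resolver as `puppet`; it is sent upstream as `puppet.delivery.puppetlabs.net` first and answered by whatever external host owns that name. The `fqdn_k8s` case shows that a large `ndots` still expands `puppet.local` first, which only works because the expanded name gets no answer upstream and the resolver falls through to the as-is query.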
Showing 3 changed files with 22 additions and 12 deletions.
4 changes: 0 additions & 4 deletions azure-pipelines.yml
Expand Up @@ -65,12 +65,8 @@ steps:
name: test_prepare

- powershell: |
$domain = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
Select -ExpandProperty DNSDomain |
Select -First 1
Write-Host 'Writing compose config to disk'
$content = @"
AZURE_DOMAIN=$domain
VOLUME_ROOT=$ENV:TempVolumeRoot
"@
$Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
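Review bot: with the `$domain` lookup and the `AZURE_DOMAIN=$domain` line removed, this pipeline no longer exports AZURE_DOMAIN, yet the commit message says docker-compose.windows.yml defines its own puppetserver alias from the Facter FQDN, and that file is not among the three changed here; confirm it does not still interpolate `${AZURE_DOMAIN:-}`, since an empty value would register an alias that ends in a bare dot, the same way the `puppet.${AZURE_DOMAIN:-}` alias being dropped from docker-compose.yml would have.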
28 changes: 21 additions & 7 deletions docker-compose.yml
Expand Up @@ -2,26 +2,30 @@ version: '3'

services:
puppet:
hostname: puppet
hostname: puppet.local
image: puppet/puppetserver
ports:
- 8140:8140
environment:
# necessary to set certname and server in puppet.conf, required by
# puppetserver ca cli application
- PUPPETSERVER_HOSTNAME=puppet.local
# DNS_ALT_NAMES must be set before starting the stack the first time,
# and must list all the names under which the puppetserver can be
# reached. 'puppet' must be one of them, otherwise puppetdb won't be
# reached. 'puppet.local' must be one of them, otherwise puppetdb won't be
# able to get a cert. Add other names as a comma-separated list
- DNS_ALT_NAMES=puppet,${DNS_ALT_NAMES:-}
- DNS_ALT_NAMES=puppet,puppet.local,${DNS_ALT_NAMES:-}
- PUPPERWARE_ANALYTICS_ENABLED=${PUPPERWARE_ANALYTICS_ENABLED:-true}
- PUPPETDB_SERVER_URLS=https://puppetdb:8081
- PUPPETDB_SERVER_URLS=https://puppetdb.local:8081
volumes:
- ${VOLUME_ROOT:-.}/volumes/code:/etc/puppetlabs/code/
- ${VOLUME_ROOT:-.}/volumes/puppet:/etc/puppetlabs/puppet/
- ${VOLUME_ROOT:-.}/volumes/serverdata:/opt/puppetlabs/server/data/puppetserver/
dns_search: '.local'
networks:
default:
aliases:
- puppet.${AZURE_DOMAIN:-}
- puppet.local

postgres:
image: postgres:9.6
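Review bot: the changed `DNS_ALT_NAMES` line still lists the bare `puppet` ahead of `puppet.local`, while the comment above it now names only `puppet.local` as mandatory; either drop `puppet` from the default or keep the old "'puppet' must be one of them" wording, because as written it is unclear whether agents that still use `server = puppet` are meant to keep working. Separately, the Compose documentation gives `dns_search` a bare domain (`dns_search: example.com`); check that the leading dot in `dns_search: '.local'` is accepted by the embedded resolver rather than producing a search entry that never matches.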
Expand All @@ -34,14 +38,19 @@ services:
volumes:
- ${VOLUME_ROOT:-.}/volumes/puppetdb-postgres/data:/var/lib/postgresql/data
- ./postgres-custom:/docker-entrypoint-initdb.d
dns_search: '.local'
networks:
default:
aliases:
- postgres.local

puppetdb:
hostname: puppetdb
hostname: puppetdb.local
image: puppet/puppetdb
environment:
- PUPPERWARE_ANALYTICS_ENABLED=${PUPPERWARE_ANALYTICS_ENABLED:-true}
# This name is an FQDN so the short name puppet doesn't collide outside compose network
- PUPPETSERVER_HOSTNAME=puppet.${AZURE_DOMAIN:-}
- PUPPETSERVER_HOSTNAME=puppet.local
- PUPPETDB_PASSWORD=puppetdb
- PUPPETDB_USER=puppetdb
ports:
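Review bot: the new `postgres.local` alias is not referenced anywhere in this file: the `puppetdb` environment sets `PUPPETSERVER_HOSTNAME=puppet.local` but no database host, so unless the puppetdb image is told otherwise it will keep reaching postgres by whatever default it has, presumably the short service name the commit message calls unsafe. Either add the environment variable that points puppetdb at `postgres.local`, or leave a comment on the alias saying why it exists without a consumer.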
Expand All @@ -52,3 +61,8 @@ services:
- puppet
volumes:
- ${VOLUME_ROOT:-.}/volumes/puppetdb/ssl:/etc/puppetlabs/puppet/ssl/
dns_search: '.local'
networks:
default:
aliases:
- puppetdb.local
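Review bot: this is the third copy of the same `dns_search: '.local'` plus `networks.default.aliases` stanza, and the `.local` suffix is now spelled out in about a dozen places across the file (hostnames, aliases, `DNS_ALT_NAMES`, `PUPPETSERVER_HOSTNAME`, `PUPPETDB_SERVER_URLS`); since the commit message says the domain is meant to become configurable later, a YAML anchor for the shared `dns_search` block, or an interpolated variable with a `local` default in the style of the existing `${VOLUME_ROOT:-.}`, would keep the three services from drifting.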
2 changes: 1 addition & 1 deletion spec/dockerfile_spec.rb
Expand Up @@ -14,7 +14,7 @@
]

before(:all) do
@test_agent = "puppet_test#{Random.rand(1000)}"
@test_agent = "puppet_test#{Random.rand(1000)}.local"
@timestamps = []
status = run_command('docker-compose --no-ansi version')[:status]
if status.exitstatus != 0
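Review bot: the `.local` appended to `@test_agent` hardcodes the same cluster domain the compose file now assumes, with nothing tying the two together; a constant or a shared environment variable would stop the spec silently testing the wrong name once the domain becomes configurable. Also, `Random.rand(1000)` can repeat across runs against the same persisted volumes, so a reused `puppet_testNNN.local` certname may collide with an already-signed cert; that predates this change, but the rename is a natural point to switch to something unique such as a timestamp.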

0 comments on commit d300a5f