Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(preflights): add host dns wildcard check #1210

Merged
merged 5 commits into from
Oct 14, 2024
Merged

feat(preflights): add host dns wildcard check #1210

merged 5 commits into from
Oct 14, 2024

Conversation

nvanthao
Copy link
Member

What this PR does / why we need it:

Add Host DNS Wildcard preflight check

Demo: https://asciinema.org/a/F2BtS3GLpIz0K4CqoaPpnyZeI

Which issue(s) this PR fixes:

Does this PR require a test?

NONE

Does this PR require a release note?

NONE

Does this PR require documentation?

NONE

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 20, 2024
edited
Loading

This PR has been released (on staging) and is available for download with a embedded-cluster-smoke-test-staging-app license ID.

Online Installer:

curl "https://staging.replicated.app/embedded/embedded-cluster-smoke-test-staging-app/ci/appver-dev-2669a7a" -H "Authorization: $EC_SMOKE_TEST_LICENSE_ID" -o embedded-cluster-smoke-test-staging-app-ci.tgz

Airgap Installer (may take a few minutes before the airgap bundle is built):

curl "https://staging.replicated.app/embedded/embedded-cluster-smoke-test-staging-app/ci-airgap/appver-dev-2669a7a?airgap=true" -H "Authorization: $EC_SMOKE_TEST_LICENSE_ID" -o embedded-cluster-smoke-test-staging-app-ci.tgz

Happy debugging!

@chris-sanders
Copy link
Member

@nvanthao please do not run linting on a code base in the some change as your actual change. This PR has several changes from " to ' which are not related to this in any way. It's also undesirable to have every person's personal inter changing things back and forth on every PR causing unnecessary noise in the change history.

If you can undo your linting and just submit the changed portions.

ajp-io
ajp-io reviewed Sep 23, 2024
View reviewed changes
pkg/preflights/host-preflight.yaml Outdated
outcomes:
- fail:
when: 'false'
message: 'Possible wildcard DNS entry detected at: {{ "{{" }} .resolvedFromSearch {{ "}}" }} . Remove the search domain OR remove the wildcard DNS entry.'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not going to write a code suggestion because I can't test it easily, but here is my desired output (open to suggestions too):

Wildcard DNS entry *.foo.testcluster.net detected. Remove the wildcard DNS entry or the foo.testcluster.net search domain from resolv.conf.

pkg/preflights/host-preflight.yaml Outdated
@@ -367,17 +371,30 @@ spec:
regex: 'nameserver\s*(localhost|127\.0\.0\.1)'
outcomes:
- fail:
when: "true"
when: 'true'
message: "Neither 'nameserver localhost' nor 'nameserver 127.0.0.1' can be present in resolv.conf. Remove them to continue."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes me wonder if we should reword this one a bit to match more closely. If this wording looks right.

Suggested change
message: "Neither 'nameserver localhost' nor 'nameserver 127.0.0.1' can be present in resolv.conf. Remove them to continue."
message: "Local DNS resolver detected. Remove the localhost and/or 127.0.0.1 nameserver entries from resolv.conf."

@nvanthao
Copy link
Member Author

@nvanthao please do not run linting on a code base in the some change as your actual change. This PR has several changes from " to ' which are not related to this in any way. It's also undesirable to have every person's personal inter changing things back and forth on every PR causing unnecessary noise in the change history.

If you can undo your linting and just submit the changed portions.

Hi @chris-sanders, I've made the request changes. Please let me know how it goes.

chris-sanders
chris-sanders previously approved these changes Sep 25, 2024
View reviewed changes
Copy link
Member

@chris-sanders chris-sanders left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That addresses my comments I'm good now.

@ajp-io
Copy link
Member

ajp-io commented Sep 25, 2024

I just ran this, and I think there are a few issues with the templating. It looks like this:

Wildcard DNS entry .foo.testcluster.net. detected. Remove the wildcard DNS entry or the .foo.testcluster.net. search domain from resolv.conf.

  1. The {{ "{{" }} .resolvedFromSearch {{ "}}" }} templating results in a period at the end, which seems incorrect. You end up with a period in the middle of the sentence too ("entry .foo.testcluster.net. detected").
  2. That templating also puts a period at the beginning, which is fine for the wildcard DNS entry but is wrong for the search domain (because the search domain is foo.testcluster.net, not .foo.testcluster.net).

The quickest fix might be to remove the period from the end of the templating (that just seems wrong to me), and then remove the templating from the second sentence. It would be nice if we could be specific about which search domain to remove, but I don't want to say it with a period at the beginning if that's not what will be in resolv.conf.

@nvanthao
Copy link
Member Author

The .resolvedFromSearch field is coming from here https://github.com/replicatedhq/troubleshoot/blob/e97b9613a55a727a99ac40cbc0b041794ccb13b4/pkg/collect/host_dns.go#L178-L180

I will create a seperate PR in troubleshoot repo to trim the prefix and suffix .

That being said, please let me know if there's any changes required in this PR.

@nvanthao nvanthao mentioned this pull request Sep 30, 2024
Merged
6 tasks
@nvanthao
Copy link
Member Author

PR created and merged in troubleshoot repo replicatedhq/troubleshoot#1629

@nvanthao nvanthao reopened this Sep 30, 2024
@nvanthao nvanthao force-pushed the gerard/host-preflight-dns branch 2 times, most recently from 01d6acb to b216bd7 Compare October 4, 2024 00:30
@nvanthao
Copy link
Member Author

nvanthao commented Oct 4, 2024

Hi @ajp-io, could you help me with the review?

@ajp-io
Copy link
Member

ajp-io commented Oct 4, 2024

Can you show me a screenshot of what a failure looks like?

@nvanthao
Copy link
Member Author

nvanthao commented Oct 7, 2024

Failure screenshot

image

ajp-io
ajp-io reviewed Oct 7, 2024
View reviewed changes
pkg/preflights/host-preflight.yaml Outdated
outcomes:
- fail:
when: 'false'
message: 'Wildcard DNS entry {{ "{{" }} .resolvedFromSearch {{ "}}" }} detected. Remove the wildcard DNS entry or the {{ "{{" }} .resolvedFromSearch {{ "}}" }} search domain from resolv.conf.'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wildcard DNS entry would look like this, right?

Suggested change
message: 'Wildcard DNS entry {{ "{{" }} .resolvedFromSearch {{ "}}" }} detected. Remove the wildcard DNS entry or the {{ "{{" }} .resolvedFromSearch {{ "}}" }} search domain from resolv.conf.'
message: 'Wildcard DNS entry *.{{ "{{" }} .resolvedFromSearch {{ "}}" }} detected. Remove the wildcard DNS entry or the {{ "{{" }} .resolvedFromSearch {{ "}}" }} search domain from resolv.conf.'

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha, I've updated the text accordingly.

2024-10-08_14-53

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like you did it backwards. The asterisk would be before the period. *.example.com

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies, it's updated now.

@nvanthao nvanthao requested a review from ajp-io October 8, 2024 03:55
ajp-io
ajp-io previously approved these changes Oct 9, 2024
View reviewed changes
@laverya laverya merged commit d39db4a into main Oct 14, 2024
57 checks passed
@laverya laverya deleted the gerard/host-preflight-dns branch October 14, 2024 13:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laverya laverya laverya approved these changes

@ajp-io ajp-io ajp-io left review comments

@chris-sanders chris-sanders chris-sanders left review comments

@emosbaugh emosbaugh Awaiting requested review from emosbaugh

Assignees
No one assigned
Labels
type::feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nvanthao @chris-sanders @ajp-io @laverya