MAAS IP addr is being enforced as a DNS server for deployed machine when using v1 curtin network config

Bug #1847537 reported by Vladimir Grevtsev
This bug affects 1 person
Affects: MAAS
Status: Fix Released
Importance: High
Assigned to: Lee Trager

Bug Description

One of our customers is asking for a way to completely get rid of the MAAS DNS usage, so based on that, machines should use DHCP-provided nameservers instead of having the IPs of region controllers in netplan or resolv.conf (depending on the target OS).

Here is the get-curtin-config output from a machine configured to be present in a single subnet without any DNS servers specified in the subnet config: https://pastebin.canonical.com/p/RhmDmy5Zfp/

Subnet config: https://pastebin.canonical.com/p/fRXWh57yKm/
Machine config: https://pastebin.canonical.com/p/m9GcnvHGkb/

I can enforce the required servers to be present by putting them as "dns_servers" in the subnet config, but is there an option to leave this option "empty" and let the machine gather its DNS config via DHCP, like it already does with the rest of the networking parameters?

Is this possible at all?

Vladimir Grevtsev (vlgrevtsev) wrote :

I'm not sure if this is a bug or a feature request, so I'm marking this as a ~field-high - but if I'm wrong, please let me know so I could remove a wrong tag.

tags: added: field-
tags: added: field-high
removed: field-
description: updated
description: updated
Blake Rouse (blake-rouse) wrote :

That interface on that machine is configured to "STATIC", so MAAS is assigning the IP. Please try setting the interface to "DHCP", or provide updated configuration information for the interface with the correct setting matching the reported bug.

Changed in maas:
status: New → Invalid
status: Invalid → Incomplete
Vladimir Grevtsev (vlgrevtsev) wrote :

Ok, I have a reproducer here:

machine read: https://pastebin.canonical.com/p/dchjXrD8BF/
curtin config: https://pastebin.canonical.com/p/SMjGY4sGNM/
subnets read: https://pastebin.canonical.com/p/DFM82PRHMb/

So in this case, the interface is left even in the "unconfigured" state, but it's pushing MAAS IPs as DNS servers for that subnet.
Even if the interface is removed manually, the previous one just picks these IPs as nameservers again and continues to push them.

Any ideas?

Changed in maas:
status: Incomplete → New
Vladimir Grevtsev (vlgrevtsev) wrote :

So I did some investigation and finally understood that this is reproducible on non-Ubuntu images when using curtin network v1 config: https://github.com/maas/maas/blob/master/src/maasserver/preseed.py#L296

So steps to reproduce are:

1) maas admin maas set-config name=force_v1_network_yaml value=true
2) maas admin interfaces read 4xgsrk # get an interface ID
3) maas admin interface unlink-subnet 4xgsrk 3 id=9
4) maas admin interface link-subnet 4xgsrk 3 subnet=1 mode=dhcp # configure the machine interface as DHCP
5) maas admin machine deploy 4xgsrk
6) maas admin machine get-curtin-config 4xgsrk

So the problem is that the rendered curtin-config contains the MAAS rack/region controller as a DNS server; however, this is unexpected behaviour: http://paste.ubuntu.com/p/2jVDZWkvyD/
subnets read: https://pastebin.canonical.com/p/QV3kbr4Ny9/

It looks like this line of code https://github.com/maas/maas/blob/master/src/maasserver/preseed_network.py#L617 is problematic, so could we probably make this, at least, conditional?

summary: - MAAS IP addr is being enforced as a DNS server for deployed machine
+ MAAS IP addr is being enforced as a DNS server for deployed machine when
+ using v1 curtin network config
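
Added example (not part of the original bug report and not MAAS code): a check over the output of step 6 above for the condition reported here, a MAAS controller address appearing as a resolver in a rendered v1 network config. The sample config, the controller IP set and the function names are constructed for illustration; the keys read (type: nameserver, address, dns_nameservers) are those of the curtin/cloud-init v1 network format.

```python
import ipaddress

# Constructed sample: a v1 network config as it looks after YAML parsing.
SAMPLE_CONFIG = {"network": {"version": 1, "config": [
    {"type": "physical", "name": "ens3", "subnets": [{"type": "dhcp"}]},
    {"type": "physical", "name": "ens4", "subnets": [
        {"type": "static", "address": "10.10.0.20/24",
         "dns_nameservers": ["10.10.0.2", "192.0.2.53"]}]},
    {"type": "nameserver", "address": ["10.10.0.2"], "search": ["maas"]},
]}}
MAAS_CONTROLLER_IPS = {"10.10.0.2"}  # assumption: region/rack controller addresses


def _as_list(value):
    """Accept a missing value, a single address string, or a list of addresses."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_maas_nameservers(config, controller_ips):
    """Return (location, ip) pairs where a controller IP is set as a resolver."""
    controllers = {ipaddress.ip_address(ip) for ip in controller_ips}
    network = config.get("network", config)  # with or without the wrapper key
    if network.get("version") != 1:
        raise ValueError("only v1 network config is handled here")
    findings = []
    for entry in network.get("config", []):
        if entry.get("type") == "nameserver":
            # Global resolver entry, applies to the whole machine.
            where_ips = [("global nameserver", ip)
                         for ip in _as_list(entry.get("address"))]
        else:
            # Per-interface resolvers live on each subnet of the interface.
            name = entry.get("name", "?")
            where_ips = [(f"{name} ({subnet.get('type')})", ip)
                         for subnet in entry.get("subnets", [])
                         for ip in _as_list(subnet.get("dns_nameservers"))]
        # Compare parsed addresses so textual variants of one IP still match.
        findings += [(where, ip) for where, ip in where_ips
                     if ipaddress.ip_address(ip) in controllers]
    return findings


if __name__ == "__main__":
    for where, ip in find_maas_nameservers(SAMPLE_CONFIG, MAAS_CONTROLLER_IPS):
        print(f"MAAS controller {ip} configured as DNS server in: {where}")
```

An empty result for a DHCP-only machine is the outcome the reporter expected; any finding lists where the controller address was written into the config.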
Adam Collard (adam-collard) wrote :

Digging into this, I see it was touched as part of fix for https://bugs.launchpad.net/juju/+bug/1771885/comments/26

Changed in maas:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Lee Trager (ltrager)
Lee Trager (ltrager) wrote :

It appears that MAAS didn't always honor the allow_dns field. The related branch fixes that so no MAAS DNS server is added to network configuration if allow_dns is set to false. MAAS will still add DNS servers manually added to the subnet.

Lee Trager (ltrager)
Changed in maas:
status: Triaged → In Progress
Changed in maas:
milestone: none → next
status: In Progress → Fix Committed
Vladimir Grevtsev (vlgrevtsev) wrote :

I did a verification on 2.6.2rc1, and:

- the "allow_dns" field disables DNS enforcement completely (as expected)
- "allow_dns" enabled and "DNS" in subnet options is empty -> MAAS IP is used as DNS server (as expected)
- However, if "allow_dns" is enabled and "DNS" contains some IP address, it's still being overridden with the MAAS IP addr instead of the one specified in the subnet config: https://pastebin.canonical.com/p/PpjV33BSnM/

Vladimir Grevtsev (vlgrevtsev) wrote :

More importantly, even when using v2 network config, a DNS server specified in the subnet config is not respected when using a DHCP-configured interface (so there is no way to override the DHCP-provided DNS, or to specify it if the DHCP server is not providing it): https://pastebin.canonical.com/p/xTQFCCCcjz/

Here is a comparison table I made with different config options: https://docs.google.com/spreadsheets/d/1ofHNpBeY1Ll6zVCORMb_aAfX7zw1WNmjqFqcn0czZQ8/edit#gid=0

Lee Trager (ltrager) wrote :

Marking this as in progress again as I see the issue Vladimir pointed out. I'm working on a branch to resolve it.

Changed in maas:
status: Fix Committed → In Progress
Lee Trager (ltrager) wrote :

I've created another patch to fix this. It was a bit more difficult than I thought due to V1 config previously always including DNS information. Now all configuration options should be properly supported. See https://docs.google.com/spreadsheets/d/1Uw_ZgA5ulxa3RbxEMC0KjeodulSsWIUQhP8uTl3TiD4/edit#gid=0

Vladimir Grevtsev (vlgrevtsev) wrote :

Hi Lee,

Thank you for that!

I have a question: according to the doc you've provided, in any case interface configured with DHCP wouldn't have any DNS address (even if provided explicitly in the subnet config), is this an expected behaviour?

Lee Trager (ltrager) wrote :

Yes, because while the Curtin configuration does not contain a DNS server, the DHCP server is configured to hand out the correct DNS servers. This allows users with DHCP configured to change DNS servers after deployment.

Vladimir Grevtsev (vlgrevtsev) wrote :

> Curtin configuration does not contain a DNS server the DHCP server is configured to hand out the correct DNS servers.

But aren't we rendering exactly the Curtin config before the deployment? Why can't we just add "nameservers: ....." option based on the logic above?

Just thinking about the case when the DHCP server is not providing a DNS option (for example, external DHCP outside the MAAS) and there should be a way to override the DHCP-provided value... otherwise that's becoming non-obvious to understand for the end user.

Lee Trager (ltrager) wrote :

It's difficult to provide DNS information in the Curtin config consistently. Each IP address (static, DHCP, auto ip, discovered, or sticky) is linked to a subnet. When determining which subnet an interface is on, DHCP and discovered IP addresses are ignored, as the subnet may change based on the DHCP server. So if there is only one interface configured with DHCP, no subnet will be linked to the machine. However, if there are multiple interfaces, it may be linked to a subnet.

I updated the spreadsheet to show how DNS configuration works on master/2.6 with one interface and with multiple. As you can see, with only one interface the rack controller's IP is always used, even if dns_servers are defined. With the attached branch, V1 config always gets its DNS servers from the DHCP server like V2 config currently does.

Changed in maas:
status: In Progress → Fix Committed
Lee Trager (ltrager)
no longer affects: maas/2.6
Changed in maas:
milestone: next → 2.7.0b1
Changed in maas:
status: Fix Committed → Fix Released
tags: added: dns-modeling