mesos-user mailing list archives

From James DeFelice <james.defel...@gmail.com>
Subject Re: Using mesos-dns in an enterprise
Date Thu, 02 Apr 2015 16:08:11 GMT
This is roughly how we've integrated consul dns at client sites. Bind
config still needs updating if/when mesos dns relocates.

--sent from my phone
On Apr 2, 2015 10:30 AM, "John Omernik" <john@omernik.com> wrote:

> Based on my earlier emails about the state of service discovery, I did
> some research and a little writeup on how to use mesos-dns as a forward
> lookup zone in an enterprise bind installation. I feel this is more secure,
> and more comfortable for an enterprise DNS team as opposed to changing the
> first resolver on every client that may interact with mesos to be the
> mesos-dns server.  Please feel free to modify/correct and include this in
> the mesos-dns documentation if you feel it's valuable.
>
>
> Goals/Thought Process
> - Run mesos-dns on a non-standard port. (such as 8053).  This allows you
> to run it as a non-root user.
> - While most DNS clients may not understand this (a different port), in an
> enterprise, most DNS servers will respect a forward lookup zone with a
> server using a different port.
> - The setup below for BIND9 allows you to keep all your mesos servers AND
> clients in an enterprise pointing their requests at your enterprise DNS
> server, rather than mesos-dns.
>   - This is easier from an enterprise configuration standpoint. Make one
> change on your dns servers, rather than adding a resolver on all the
> clients.
>   - This is more secure in that you can run mesos-dns as non-root (53 is a
> privileged port, 8053 is not) no sudo required
>   - For more security, you can limit connections to the mesos-dns server
> to only your enterprise dns servers. This could help mitigate any unknown
> vulnerabilities in mesos-dns.
>   - This allows you to HA mesos-dns in that you can specify multiple
> resolvers for your bind configuration.
>
>
>
>
> Bind9 Config
> This was put into my named.conf.local. It sets up the .mesos zone and
> forwards to mesos dns. All my mesos servers already pointed at this server,
> therefore no client changes required.
>
>
> #192.168.0.100 is my host running mesos DNS
> zone "mesos" {
> type forward;
> forward only;
> forwarders { 192.168.0.100 port 8053; };
> };
>
>
>
>
> config.json mesos-dns config file.
> I DID specify my internal DNS server in the resolvers (192.168.0.10);
> however, I am not sure if I need to do this, since only requests for
> .mesos will actually be sent to mesos-dns.
>
> {
>   "masters": ["192.168.0.98:5050"],
>   "refreshSeconds": 60,
>   "ttl": 60,
>   "domain": "mesos",
>   "port": 8053,
>   "resolvers": ["192.168.0.10"],
>   "timeout": 5,
>   "listener": "0.0.0.0",
>   "email": "root.mesos-dns.mesos"
> }
>
>
> marathon start json
> Note the lack of sudo here. I also constrained it to one host for now, but
> that could change if needed.
>
> {
> "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
> "cpus": 1.0,
> "mem": 1024,
> "id": "mesos-dns",
> "instances": 1,
> "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
> }
>

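The thread above describes four things that fit together: a BIND9 forward zone for "mesos" pointing at mesos-dns on a non-privileged port, a mesos-dns config.json whose port matches the forwarder, multiple forwarders for HA, and a host firewall that lets only the enterprise resolvers reach mesos-dns. The script below is an added example (not code from either poster or from the mesos-dns project) that renders those fragments from one set of inputs and cross-checks them before deployment. The second mesos-dns host 192.168.0.101 is a constructed value for the HA case; the other addresses are reused from the thread. The firewall rules assume iptables on the mesos-dns host.

```python
import ipaddress
import json

# Constructed sample inputs: 192.168.0.100, 192.168.0.10 and the master come
# from the thread; 192.168.0.101 is an assumed second instance for HA.
MESOS_DNS_HOSTS = [("192.168.0.100", 8053), ("192.168.0.101", 8053)]
ENTERPRISE_DNS = ["192.168.0.10"]        # the only resolvers allowed to query mesos-dns
MESOS_MASTERS = ["192.168.0.98:5050"]


def render_forward_zone(domain, forwarders):
    """Render a BIND9 'type forward' zone for named.conf.local. Listing several
    forwarders is what gives the HA behaviour the thread mentions."""
    fwd = " ".join(f"{ip} port {port};" for ip, port in forwarders)
    return (
        f'zone "{domain}" {{\n'
        f"  type forward;\n"
        f"  forward only;\n"
        f"  forwarders {{ {fwd} }};\n"
        f"}};\n"
    )


def render_mesos_dns_config(masters, port, resolvers, domain="mesos"):
    """Build a mesos-dns config.json body with the keys used in the thread."""
    cfg = {
        "masters": masters,
        "refreshSeconds": 60,
        "ttl": 60,
        "domain": domain,
        "port": port,
        "resolvers": resolvers,
        "timeout": 5,
        "listener": "0.0.0.0",
        "email": f"root.mesos-dns.{domain}",
    }
    return json.dumps(cfg, indent=2)


def check_config(cfg_json, forwarders):
    """Return the problems a reviewer would flag: a privileged port (would need
    root), a BIND forwarder port that does not match the mesos-dns listener,
    resolvers that are not IP addresses, or a domain with a leading dot."""
    cfg = json.loads(cfg_json)
    issues = []
    if cfg["port"] < 1024:
        issues.append(f"port {cfg['port']} is privileged; mesos-dns would need root")
    for ip, port in forwarders:
        if port != cfg["port"]:
            issues.append(f"BIND forwarder {ip} uses port {port} but mesos-dns listens on {cfg['port']}")
    for r in cfg["resolvers"]:
        try:
            ipaddress.ip_address(r)
        except ValueError:
            issues.append(f"resolver {r!r} is not an IP address")
    if cfg["domain"].startswith("."):
        issues.append("domain must not have a leading dot")
    return issues


def render_iptables_allowlist(port, allowed_sources):
    """iptables rules for the mesos-dns host: accept DNS over UDP and TCP on the
    mesos-dns port only from the enterprise resolvers, then drop the rest."""
    rules = []
    for src in allowed_sources:
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A INPUT -p {proto} --dport {port} -s {src} -j ACCEPT")
    for proto in ("udp", "tcp"):
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    cfg = render_mesos_dns_config(MESOS_MASTERS, 8053, ENTERPRISE_DNS)
    print(render_forward_zone("mesos", MESOS_DNS_HOSTS))
    print(cfg)
    print("\n".join(render_iptables_allowlist(8053, ENTERPRISE_DNS)))
    print("issues:", check_config(cfg, MESOS_DNS_HOSTS) or "none")
```

Running it prints the zone stanza, the config.json and the firewall rules for the sample inputs; rerunning check_config with port 53 or a hostname in "resolvers" shows the kind of mismatch that otherwise only surfaces as SERVFAIL from BIND.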