mesos-user mailing list archives

From Christos Kozyrakis <kozyr...@gmail.com>
Subject Re: Using mesos-dns in an enterprise
Date Tue, 07 Apr 2015 22:25:27 GMT
This is a great thread, thanks for starting it John.
I will transcode your message into a tutorial on the Mesos-DNS
documentation. I will ping you to take a look and edit as needed (that goes
to all of you with some experience on the topic).

On Thu, Apr 2, 2015 at 5:58 PM, John Omernik <john@omernik.com> wrote:

> Mesos-dns seems pretty light weight, why not constrain it to a group of
> 3-5 hosts, and then list all of them as your forwarding resolvers. While
> not truly "run anywhere", I would imagine with some good node/rack
> placement you would be sufficiently HA
>
> On Thursday, April 2, 2015, Tom Arnfeld <tom@duedil.com> wrote:
>
>> We're using a BGP based solution currently to solve the problem of highly
>> available DNS resolvers.
>>
>> That might be a route worth taking, and one that could still work via
>> marathon on top of Mesos.
>>
>> --
>>
>> Tom Arnfeld
>> Developer // DueDil
>>
>> (+44) 7525940046
>> 25 Christopher Street, London, EC2A 2BS
>>
>>
>> On Thu, Apr 2, 2015 at 10:07 PM, John Omernik <john@omernik.com> wrote:
>>
>>> True :)
>>>
>>>
>>> On Thu, Apr 2, 2015 at 3:37 PM, Tom Arnfeld <tom@duedil.com> wrote:
>>>
>>>> Last time I checked haproxy didn't support UDP which would be key for
>>>> mesos-dns.
>>>>
>>>> --
>>>>
>>>> Tom Arnfeld
>>>> Developer // DueDil
>>>>
>>>> (+44) 7525940046
>>>> 25 Christopher Street, London, EC2A 2BS
>>>>
>>>>
>>>>  On Thu, Apr 2, 2015 at 3:53 PM, John Omernik <john@omernik.com> wrote:
>>>>
>>>>> That was my first response as well... I work at a bank, and the
>>>>> thought of changing dns servers on the clients everywhere made me roll my
>>>>> eyes :)
>>>>>
>>>>> John
>>>>>
>>>>>
>>>>> On Thu, Apr 2, 2015 at 9:39 AM, Tom Arnfeld <tom@duedil.com> wrote:
>>>>>
>>>>>> This is great, thanks for sharing!
>>>>>>
>>>>>> It's nice to see other members of the community sharing more
>>>>>> realistic implementations of DNS rather than just "update your resolv conf"
>>>>>> and it works :-)
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Tom Arnfeld
>>>>>> Developer // DueDil
>>>>>>
>>>>>> (+44) 7525940046
>>>>>> 25 Christopher Street, London, EC2A 2BS
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 2, 2015 at 3:30 PM, John Omernik <john@omernik.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Based on my earlier emails about the state of service discovery. I
>>>>>>> did some research and a little writeup on how to use mesos-dns as a forward
>>>>>>> lookup zone in an enterprise bind installation. I feel this is more secure,
>>>>>>> and more comfortable for an enterprise DNS team as opposed to changing the
>>>>>>> first resolver on every client that may interact with mesos to be the
>>>>>>> mesos-dns server. Please feel free to modify/correct and include this in
>>>>>>> the mesos-dns documentation if you feel it's valuable.
>>>>>>>
>>>>>>>
>>>>>>> Goals/Thought Process
>>>>>>> - Run mesos-dns on a non-standard port (such as 8053). This allows
>>>>>>> you to run it as a non-root user.
>>>>>>> - While most DNS clients may not understand this (a different port),
>>>>>>> in an enterprise, most DNS servers will respect a forward lookup zone with
>>>>>>> a server using a different port.
>>>>>>> - Setup below for BIND9 allows you to keep all your mesos servers
>>>>>>> AND clients in an enterprise pointing their requests at your enterprise DNS
>>>>>>> server, rather than mesos-dns.
>>>>>>>   - This is easier from an enterprise configuration standpoint. Make
>>>>>>> one change on your dns servers, rather than adding a resolver on all the
>>>>>>> clients.
>>>>>>>   - This is more secure in that you can run mesos-dns as non-root
>>>>>>> (53 is a privileged port, 8053 is not); no sudo required.
>>>>>>>   - For more security, you can limit connections to the mesos-dns
>>>>>>> server to only your enterprise dns servers. This could help mitigate any
>>>>>>> unknown vulnerabilities in mesos-dns.
>>>>>>>   - This allows you to HA mesos-dns in that you can specify multiple
>>>>>>> resolvers for your bind configuration.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Bind9 Config
>>>>>>> This was put into my named.conf.local. It sets up the .mesos zone and
>>>>>>> forwards to mesos dns. All my mesos servers already pointed at this server,
>>>>>>> therefore no client changes required.
>>>>>>>
>>>>>>>
>>>>>>> # 192.168.0.100 is my host running mesos DNS
>>>>>>> zone "mesos" {
>>>>>>>     type forward;
>>>>>>>     forward only;
>>>>>>>     forwarders { 192.168.0.100 port 8053; };
>>>>>>> };
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> config.json mesos-dns config file.
>>>>>>> I DID specify my internal DNS server in the resolvers (192.168.0.10);
>>>>>>> however, I am not sure if I need to do this, since only requests for
>>>>>>> .mesos will actually be sent to mesos-dns.
>>>>>>>
>>>>>>> {
>>>>>>>   "masters": ["192.168.0.98:5050"],
>>>>>>>   "refreshSeconds": 60,
>>>>>>>   "ttl": 60,
>>>>>>>   "domain": "mesos",
>>>>>>>   "port": 8053,
>>>>>>>   "resolvers": ["192.168.0.10"],
>>>>>>>   "timeout": 5,
>>>>>>>   "listener": "0.0.0.0",
>>>>>>>   "email": "root.mesos-dns.mesos"
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> marathon start json
>>>>>>> Note the lack of sudo here. I also constrained it to one host for
>>>>>>> now, but that could change if needed.
>>>>>>>
>>>>>>> {
>>>>>>>   "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>>>>>>>   "cpus": 1.0,
>>>>>>>   "mem": 1024,
>>>>>>>   "id": "mesos-dns",
>>>>>>>   "instances": 1,
>>>>>>>   "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
>>>>>>> }
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> --
> Sent from my iThing
>



-- 
Christos
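As an added example (not code from this thread or from the mesos-dns project), a small Python check that reads the mesos-dns config.json quoted above, flags settings that work against the goals John lists (privileged port, wide-open listener, malformed resolvers), and renders the BIND9 forward zone for several mesos-dns hosts, the HA form suggested later in the thread. The second host 192.168.0.101 is an assumed placeholder.

```python
import ipaddress
import json

# Constructed sample input: the mesos-dns config.json quoted in the thread.
MESOS_DNS_CONFIG = json.loads("""{
  "masters": ["192.168.0.98:5050"],
  "refreshSeconds": 60,
  "ttl": 60,
  "domain": "mesos",
  "port": 8053,
  "resolvers": ["192.168.0.10"],
  "timeout": 5,
  "listener": "0.0.0.0",
  "email": "root.mesos-dns.mesos"
}""")
# Constructed: the thread's host plus a hypothetical second mesos-dns host (HA).
MESOS_DNS_HOSTS = ["192.168.0.100", "192.168.0.101"]


def check_config(cfg):
    """Return findings against the hardening goals in the thread (empty = ok)."""
    findings = []
    port = int(cfg.get("port", 53))
    if port < 1024:
        findings.append(f"port {port} is privileged; mesos-dns would need root")
    if not cfg.get("domain"):
        findings.append("domain is empty; no BIND zone name can be derived")
    if cfg.get("listener") == "0.0.0.0":
        # Binding every interface is only acceptable when a firewall or ACL
        # limits inbound traffic on this port to the enterprise DNS servers.
        findings.append(f"listener 0.0.0.0 binds all interfaces; restrict "
                        f"inbound port {port} to the enterprise DNS servers")
    for r in cfg.get("resolvers", []):
        try:
            ipaddress.ip_address(r)
        except ValueError:
            findings.append(f"resolver {r!r} is not an IP address")
    return findings


def bind_forward_zone(cfg, hosts):
    """Render the named.conf.local forward-only zone for the mesos-dns hosts."""
    port = int(cfg["port"])
    # ip_address() rejects anything that is not a literal IP before it reaches named.conf.
    fwd = " ".join(f"{ipaddress.ip_address(h)} port {port};" for h in hosts)
    return (f'zone "{cfg["domain"]}" {{\n'
            "    type forward;\n"
            "    forward only;\n"
            f"    forwarders {{ {fwd} }};\n"
            "};")
```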
