Shulou(Shulou.com)05/31 Report--

This article mainly introduces "how to create container DNS". In daily operation, I believe many people have doubts about how to create container DNS. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts about "how to create container DNS". Next, please follow the editor to study!

Introduction to DNS

DNS service is the abbreviation of domain name system, and its full name is Domain Name System, which maps domain name and IP address to each other. In a container environment, DNS is very important. For example, in a Kubernetes cluster, a group of Pod is usually loaded by a Service, but the IP address of the Service may need to be changed, so you can let Pod access the Service,Pod through the domain name regardless of the change of the IP address.

Docker DNSDocker link

Docker link is a legacy feature that is generally not recommended in the new version of Docker. To put it simply, Docker link is to connect two containers. Containers can use container names to communicate without relying on ip addresses. (in fact, host records are added to the container's / etc/hosts file. The IP between containers is connected, but we added host records to access them without IP.)

Create a container centos-1:

[root@host1] # docker run-itd-- name centos-1 registry.cn-shanghai.aliyuncs.com/public-namespace/cr7-centos7-tool:v2

To create a container centos-2, use-- link name:alias,name is the target machine to access, and alias is the custom alias.

[root@host1] # docker run-itd-- name centos-2-- link centos-1:centos-1-alias registry.cn-shanghai.aliyuncs.com/public-namespace/cr7-centos7-tool:v2

Check the / etc/hosts file of the container centos-2:

[root@host1 ~] # docker exec centos-2 cat / etc/hosts127.0.0.1 localhost::1 localhost ip6-localhost ip6-loopbackfe00::0 ip6-localnetff00::0 ip6-mcastprefixff02::1 ip6-allnodesff02::2 ip6-allrouters172.18.0.2 centos-1-alias 9dde6339057a centos-1 # host record of container centos-1 172.18.0.3 f1a7e5fa3d96 # host record of container centos-2 itself

This means that centos-2 can use centos-1-alias,9dde6339057a,centos-1 to access previously created containers. Centos-1 cannot access centos-2 through hostname.

[root@host1] # docker exec centos-2 ping centos-1-aliasPING centos-1-alias (172.18.0.2) 56 (84) bytes of data.64 bytes from centos-1-alias (172.18.0.2): icmp_seq=1 ttl=64 time=0.174 Ms ^ C [root@host1] # docker exec centos-2 ping centos-1PING centos-1-alias (172.18.0.2) 56 (84) bytes of data.64 bytes from centos-1-alias (172.18.0.2) Icmp_seq=1 ttl=64 time=1.37 ms64 bytes from centos-1-alias (172.18.0.2): icmp_seq=2 ttl=64 time=0.523 Ms ^ C [root@host1 ~] # docker exec centos-2 ping 9dde6339057aPING centos-1-alias (172.18.0.2) 56 (84) bytes of data.64 bytes from centos-1-alias (172.18.0.2): icmp_seq=1 ttl=64 time=2.59 ms64 bytes from centos-1-alias (172.18.0.2): icmp_seq=2 ttl=64 time=3.75 msEmbedded DNS

Starting with Docker 1.10, Docker provides a built-in DNS server. When the created container belongs to a custom network, the container's / etc/resolv.conf uses the built-in DNS server (address is always 127.0.0.11) to resolve other containers within the same custom network.

For backward compatibility, the DNS configuration of the default bridge network has not changed, and the default docker network uses the host / etc/resolv.conf configuration.

Create a custom network:

[root@host1 ~] # docker network create my-network#bridge,host None is the network [root@host1 ~] # docker network lsNETWORK ID NAME DRIVER SCOPE2115f17cd9d0 bridge bridge local19accfa096cf host host locala23c8b371c7f my-network bridge local0a33edc20fae none null local created by default by docker

Creating two containers respectively belongs to the custom network my-network:

[root@host1] # docker run-itd-- name centos-3-- net my-network registry.cn-shanghai.aliyuncs.com/public-namespace/cr7-centos7-tool:v2 [root@host1] # docker run-itd-- name centos-4-- net my-network registry.cn-shanghai.aliyuncs.com/public-namespace/cr7-centos7-tool:v2

Looking at the / etc/hosts and / etc/resolv.conf of the container centos-4, you can see that nameserver added an Embedded DNS with an IP of 127.0.0.11:

# / etc/hosts does not configure the other party's host record [root@host1 ~] # docker exec centos-4 cat / etc/hosts127.0.0.1 localhost::1 localhost ip6-localhost ip6-loopbackfe00::0 ip6-localnetff00::0 ip6-mcastprefixff02::1 ip6-allnodesff02::2 ip6-allrouters172.19.0.3 555281f37ea3#/etc/resolv.conf configures the dns server 127.0.0.11 [root@host1 ~] # docker exec centos- 4 cat / etc/resolv.confnameserver 127.0.0.11options ndots:0

At this point, centos-3 and centos-4 can resolve each other:

[root@host1] # docker exec centos-4 ping centos-3PING centos-3 (172.19.0.2) 56 (84) bytes of data.64 bytes from centos-3.my-network (172.19.0.2): icmp_seq=1 ttl=64 time=0.128 ms64 bytes from centos-3.my-network (172.19.0.2): icmp_seq=2 ttl=64 time=0.078 ms64 bytes from centos-3.my-network (172.19.0.2): icmp_seq=3 ttl=64 time=0.103 Ms ^ C [root @ host1 ~] # docker exec centos-3 ping centos-4PING centos-4 (172.19.0.3) 56 (84) bytes of data.64 bytes from centos-4.my-network (172.19.0.3): icmp_seq=1 ttl=64 time=0.087 ms64 bytes from centos-4.my-network (172.19.0.3): icmp_seq=2 ttl=64 time=0.101 ms64 bytes from centos-4.my-network (172.19.0.3): icmp_seq=3 ttl=64 time=0.076 Ms ^ CDocker DNS configuration Type 1: docker run (for a single container) FlagDescription--dns specifies the DNS server address If the container cannot access all the specified ip addresses, 8.8.8.8 is used as the DNS server address (defined by Docker by default)-- dns-search when the container accesses a hostname that does not include a full domain name, add the domain name suffix specified by dns-search to the hostname. For example, container access centos-1,dns-search is configured with example.com. Will be resolved to centos-1.example.com--dns-optoptions ndots:5 means that when the number of dot characters in the queried domain string is greater than or equal to the ndots value (5), it is considered to be a complete domain name and will not be resolved directly, instead of following the search domain-hostname specified container hostname mode 2: daemon.json

Nameserver is only for docker default network all containers, and dns-search and dns-opts are for all network containers.

{"dns": ["114.114.114.114", "223.5.5.5"], "dns-opts": ["ndots:5"], "dns-search": ["example.com"]} Kubernetes DNS

In kubernetes, there are the following 4 DNS policies, which can be specified through dnsPolicy:

Default: Pod inherits the name resolution configuration from the node where it is running, that is, the DNS configuration of the Pod will be exactly the same as that of the host. Default is not the default DNS policy. If dnsPolicy is not explicitly specified, ClusterFirst is used.

ClusterFirst: it pre-writes the information of kube-dns (or CoreDNS) to the DNS configuration in that Pod as a preset parameter. However, ClusterFirst also has a conflict. If your Pod is set to HostNetwork=true, ClusterFirst will be forced to be converted to Default.

ClusterFirstWithHostNet: for Pod running with hostNetwork (the network interface uses a host), its DNS policy ClusterFirstWithHostNet should be explicitly set, and it will resolve the DNS parsing of both default and ClusterFirst. If dnsPolicy: ClusterFirstWithHostNet is not added, Pod defaults to the DNS used by the host host, which also results in no access to other Pod in the K8s cluster through service name in the container.

None: indicates that the default DNS configuration of Pod will be cleared. When dnsPolicy is set to this value, Kubernetes will not preload any DNS configuration determined by its own logic for Pod. So to set the value of dnsPolicy to None, in order to avoid no DNS parameter configured in Pod, at least set the parameter of nameservers in dnsConfig.

In Kubernetes 1.11 and later, CoreDNS is recommended, and kubeadm installs CoreDNS by default. When Pod initiates a DNS resolution request to CoreDNS, CoreDNS will first try to resolve the domain name. If the domain name cannot be resolved, the DNS request will be forwarded to the host where CoreDNS's Pod resides, and the host will try to resolve it.

In this experiment, the address of coredns service in the kubernetes cluster is 10.247.3.10.

❯ kubectl get svc-n kube-systemNAME TYPE CLUSTER-IP EXTERNAL-IP PORT (S) AGEcoredns ClusterIP 10.247.3.10 53 Universe

The / etc/resolv.conf file of the host is as follows:

[root@cr7-k8s-85091-ydy99 ~] # cat / etc/resolv.conf# Generated by NetworkManagersearch openstacklocalnameserver 100.125.1.250nameserver 100.125.64.250options single-request-reopenCluterFirst

CluterFirst is the default DNS policy in the kubernetes cluster. Here is a normal Pod yaml file with no dnsPolicy specified.

ApiVersion: v1kind: Podmetadata: name: busybox namespace: defaultspec: containers:-image: busybox:1.28 command:-sleep-"3600" imagePullPolicy: IfNotPresent name: busybox restartPolicy: Always

After creating the Pod, go to the Pod to view the / etc/resolv.conf configuration, and you can see the address of the service whose nameserver is CoreDNS.

/ # cat / etc/resolv.confnameserver 10.247.3.10search default.svc.cluster.local svc.cluster.local cluster.local openstacklocaloptions single-request-reopen timeout:2 ndots:5

If the DNS parameter is specified in the yaml file of Pod, it will be overlaid with the default configuration of ClusterFirst:

ApiVersion: v1kind: Podmetadata: name: busybox namespace: defaultspec: containers:-image: busybox:1.28 command:-sleep-"3600" imagePullPolicy: IfNotPresent name: busybox restartPolicy: Always dnsConfig: nameservers:-1.2.3.4 searches:-ns1.svc.cluster-domain.example-my.dns.search.suffix options:-name: ndots value: "2" -name: edns0/ # cat / etc/resolv.confnameserver 10.247.3.10nameserver 1.2.3.4search default.svc.cluster.local svc.cluster.local cluster.local openstacklocal ns1.svc.cluster-domain.example my.dns.search.suffixoptions timeout:2 ndots:2 edns0 single-request-reopenDefault

When dnsPolicy is in Default mode, Pod uses the DNS configuration of the host:

ApiVersion: v1kind: Podmetadata: name: busybox namespace: defaultspec: containers:-image: busybox:1.28 command:-sleep-"3600" imagePullPolicy: IfNotPresent name: busybox restartPolicy: Always dnsPolicy: Default/ # cat / etc/resolv.confnameserver 100.125.1.250nameserver 100.125.64.250search openstacklocaloptions single-request-reopen timeout:2ClusterFirstWithHostNet

When Pod uses hostNetwork mode, Pod uses the host's network card:

# View / # ifconfig.eth0 Link encap:Ethernet HWaddr FA:16:3E:6D:14:9B inet addr:192.168.0.8 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::f816:3eff:fe6d:149b/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:44239432 errors:0 dropped:0 overruns: after entering pod 0 frame:0 TX packets:47841007 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:19884749467 (18.5 GiB) TX bytes:34713001649 (32.3 GiB).

When Pod uses hostNetwork mode and dnsPolicy is not specified as ClusterFirstWithHostNet, the host DNS that Pod will use:

ApiVersion: v1kind: Podmetadata: name: busybox namespace: defaultspec: containers:-image: busybox:1.28 command:-sleep-"3600" imagePullPolicy: IfNotPresent name: busybox restartPolicy: Always hostNetwork: true

At this time, Pod cannot access the internal Kubernetes cluster through the domain name:

# hostNetwork mode if dnsPolicy is not specified, default mode is used. The DNS/ # cat / etc/resolv.confnameserver 100.125.1.250nameserver 100.125.64.250search openstacklocaloptions single-request-reopen timeout:2#pod of the host used can access the public network through the domain name However, the internal / # ping baidu.comPING baidu.com (39.156.69.79): 56 data bytes64 bytes from 39.156.69.79: seq=0 ttl=49 time=29.193 ms64 bytes from 39.156.69.79: seq=1 ttl=49 time=29.104 Ms ^ C-baidu.com ping statistics-2 packets transmitted, 2 packets received, 0% packet lossround-trip min/avg/max = 29.104 ms/ 29.148 ms/ # ping nginxping: bad address' nginx' cannot be accessed through the domain name.

If Pod wants to access services in the kubernetes cluster through domain name in hostNetwork mode, you need to specify dnsPolicy as ClusterFirstWithHostNet:

ApiVersion: v1kind: Podmetadata: name: busybox namespace: defaultspec: containers:-image: busybox:1.28 command:-sleep-"3600" imagePullPolicy: IfNotPresent name: busybox restartPolicy: Always hostNetwork: true dnsPolicy: ClusterFirstWithHostNet

When you look at the DNS configuration of Pod, you can see that nameserver uses CoreDNS:

# ClusterFirstWithHostNet mode DNS uses the address of coredns. / # cat / etc/resolv.confnameserver 10.247.3.10search default.svc.cluster.local svc.cluster.local cluster.local openstacklocaloptions single-request-reopen timeout:2 ndots:5# can access the public network through the domain name Also access the cluster internal / # nslookup baidu.comServer: 10.247.3.10Address 1: 10.247.3.10 coredns.kube-system.svc.cluster.localName: baidu.comAddress 1: 39.156.69.79Address 2: 220.181.38.148 / # / # nslookup nginxServer: 10.247.3.10Address 1: 10.247.3.10 coredns.kube-system.svc.cluster.localName: nginxAddress 1: 10. 247.60.222 nginx.default.svc.cluster.local/ # None

When dnsPolicy is set to None, the DNS policy of the Kubernetes cluster and host will not be used, but you must configure dnsConfig yourself.

ApiVersion: v1kind: Podmetadata: name: busybox namespace: defaultspec: containers:-image: busybox:1.28 command:-sleep-"3600" imagePullPolicy: IfNotPresent name: busybox restartPolicy: Always dnsPolicy: None dnsConfig: nameservers:-1.2.3.4 / # cat / etc/resolv.confnameserver 1.2.3.4options single-request-reopen timeout:2StatefulSet and Service

StatefulSet Pod has a unique identity, which includes sequential identification, stable network identification, and stable storage. The identity is bound to the Pod, no matter which node it is dispatched to.

Each Pod in StatefulSet derives its hostname from the name of the StatefulSet and the sequence number of the Pod. The format of the combined hostname is $(StatefulSet name)-$(serial number). The following example creates three Pod named web-0, web-1, and web-2. StatefulSet can use Headless Service (headless service) to control the network domain of its Pod. The format of this service for the administrative domain is: $(service name). $(namespace) .svc.cluster.local, where cluster.local is the cluster domain. Once each Pod is created, you will get a matching DNS subdomain in the format: $(pod name). $(the DNS domain name of the service to which it belongs), where the service is set by the serviceName domain of StatefulSet.

It is not iptables to access Headless Service-loaded Pod through domain name, and Iptables is used to access ClusterIP-loaded Pod through domain name.

Here are some examples of selecting the cluster domain, the service name, the StatefulSet name, and how it affects the DNS name on the Pod of StatefulSet:

Cluster DomainService (ns/name) StatefulSet (ns/name) StatefulSet DomainPod DNSPod Hostnamecluster.localdefault/nginxdefault/webnginx.default.svc.cluster.localweb- {0..N-1} .nginx.default.svc.cluster.loca lweb- {0..N-1} cluster.localfoo/nginxfoo/webnginx.foo.svc.cluster.localweb- {0..N-1} .nginx.foo.svc.cluster.localweb-{0..N-1} kube.localfoo/nginxfoo/webnginx.foo.svc.kube.localweb- {0 .. Nmur1} .nginx.foo.svc.kube.localweb-{0..N-1} Headless Service

First of all, we use StatefulSet in combination with Headless Service, which is what we usually do:

ApiVersion: v1kind: Servicemetadata: name: headless-nginx labels: app: nginxspec: ports:-port: 80 name: web clusterIP: None selector: app: nginx---apiVersion: apps/v1kind: StatefulSetmetadata: name: webspec: selector: matchLabels: app: nginx serviceName: headless-nginx replicas: 3 template: metadata: labels: app: nginxspec: containers:-name: nginx image: Nginx:1.7.9 ports:-containerPort: 80 name: web

Take a look at the Pod of the created StatefulSet, and the naming is regularly incremented in the order of 0meme1jin2.

Root@master01:~/yaml/service# kubectl get pod-o wideNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESweb-0 1 Running 0 6s 192.168.5.59 worker01 web-1 1 Running 0 5s 192.168.30.117 worker02 web-2 1/1 Running 0 3s 192.168.5.58 worker01

Looking at the created Headless Service, you can see that the ClusterIP is None:

Root@master01:~/yaml/service# kubectl get svcNAME TYPE CLUSTER-IP EXTERNAL-IP PORT (S) AGEheadless-nginx ClusterIP None 80/TCP 15m

Find a Pod with the same namespace to parse the Headless Service:

The ip address parsed by root@master01:~/yaml/service# kubectl exec busybox1-- nslookup headless-nginxServer: 10.96.0.10Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local# is ipName: headless-nginxAddress 1: 192.168.30.117 web-1.headless-nginx.default.svc.cluster.localAddress 2: 192.168.5.59 web-0.headless-nginx.default.svc for pod of 3 StatefulSet. Cluster.localAddress 3: 192.168.5.58 web-2.headless-nginx.default.svc.cluster.local

View the / etc/resolv.conf configuration of Pod under the default namespace:

Root@master01:~/yaml/service# kubectl exec busybox1-cat / etc/resolv.conf nameserver 10.96.0.10search default.svc.cluster.local svc.cluster.local cluster.localoptions ndots:5

When Pod under different namespace is accessed through Service, you need to add.. after Service name.

Root@master01:~/yaml/service# kubectl exec busybox2-n kube-system-- nslookup headless-nginx.default Server: 10.96.0.10Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.localName: headless-nginx.default.svc.cluster.localAddress 1: 192.168.5.58 web-2.headless-nginx.default.svc.cluster.localAddress 2: 192.168.5.59 web-0.headless-nginx.default.svc. Cluster.localAddress 3: 192.168.30.117 web-1.headless-nginx.default.svc.cluster.local

View the / etc/resolv.conf configuration of Pod under the kube-system namespace:

Root@master01:~/yaml/service# kubectl exec busybox2-n kube-system-- cat / etc/resolv.conf nameserver 10.96.0.10search kube-system.svc.cluster.local svc.cluster.local cluster.local options ndots:5ClusterIP Service

Now let's use StatefulSet in conjunction with ClusterIP Service:

If apiVersion: v1kind: Servicemetadata: name: clusterip-nginx labels: app: nginx#ClusterIP is not None, it means the Service has ClusterIP spec: ports:-port: 80 name: web selector: app: nginx

View the created Service:

Root@master01:~/yaml/service# kubectl get svcNAME TYPE CLUSTER-IP EXTERNAL-IP PORT (S) AGEclusterip-nginx ClusterIP 10.110.176.201 80/TCP 13s

At this point, you can only get the ClusterIP address by using Pod to resolve the domain name, but not the IP address of Pod:

Root@master01:~/yaml/service# kubectl exec busybox1-- hostname and subdomain of nslookup clusterip-nginxServer: 10.96.0.10Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.localName: clusterip-nginxAddress 1: 10.110.176.201 clusterip-nginx.default.svc.cluster.localPod

In Kubernetes, if you do not specify the hostname of Pod, it defaults to pod.metadata.name, which can be customized through the spec.hostname field; you can also set subdomain for Pod through the spec.subdomain field. For example, the following example:

Create a Nginx Pod and specify the hostname and subdomain of the Pod:

ApiVersion: v1kind: Podmetadata: name: nginx labels: name: nginxspec: hostname: domain-test subdomain: subdomain-test containers:-image: nginx name: nginx---apiVersion: v1kind: Servicemetadata: name: subdomain-testspec: selector: name: nginx ports:-port: 80 targetPort: 80 protocol: TCP

You can view the hostname and hosts files for this Pod:

[root@localhost] # kubectl get po-o wideNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESbusybox-5bbb5d7ff7-dh78j 1 Running 0 112m 10.244.1.246 172-16-105-2 nginx 1 Running 0 2m 10.244.1.253 172-16-105-2 [root@localhost] # kubectl exec-it nginx bashroot@domain-test:/# cat / etc/hosts# Kubernetes-managed hosts file.127.0.0.1 localhost::1 localhost ip6-localhost ip6-loopbackfe00::0 ip6-localnetfe00::0 ip6-mcastprefixfe00::1 ip6-allnodesfe00::2 ip6-allrouters10.244.1.253 domain-test.subdomain-test.default .svc.cluster.local domain-testroot@domain-test:/#

Access the Pod through the domain name in the busybox container:

[root@localhost ~] # kubectl exec-it busybox-5bbb5d7ff7-dh78j sh/ # wget domain-test.subdomain-testConnecting to domain-test.subdomain-test (10.244.1.253 wget domain-test.subdomain-testConnecting to domain-test.subdomain-test) saving to 'index.html'index.html 100% | * * | 612 0:00:00 ETA'index.html' saved will be here The study on "how to create a container DNS" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.