Bug 35478 - Set nameserver to localhost
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: DNS
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2014-07-28 06:20 CEST by Stefan Gohmann
Modified: 2021-03-26 10:23 CET (History)
CC List: 4 users

What kind of report is it?: Development Internal
Description Stefan Gohmann univentionstaff 2014-07-28 06:20:56 CEST
On a DC the nameserver could be set by default to localhost instead of the IP address.
Comment 1 Philipp Hahn univentionstaff 2017-02-02 16:00:29 CET
(In reply to Felix Botner from Bug #43217 comment #5)
> 127.0.0.1 is problematic for Docker containers.
> 
> appbox-based containers may work (see Bug #43458), but non-appbox containers
> have a real problem.
> 
> Docker seems to copy /etc/resolv.conf to the container during create/run. If
> something like 127.0* is set as nameserver, this line is removed. If nothing
> is left, a public DNS server is added (8.8.8.8). So if we have a UCS system
> with only nameserver1=127.0.0.1:
>  * Docker containers can't resolve the UCS server
>  * if the system has no access to the internet, no DNS

<https://github.com/docker/docker/issues/6388> and <https://github.com/docker/docker/issues/14627> and finally <https://github.com/docker/libnetwork/pull/841> → docker-1.14

> It is possible to set custom DNS servers and domains (--dns-search=, --dns=
> parameter for docker run/create) but this would require more changes in the
> appcenter docker code.
> 
> So the question is: is it really worth it?

Yes:
1. Today I had a system where the network failed to restart
2. /etc/ldap/ldap.conf uses the FQHN, which resolves to the IP (which was unreachable)
3. Thus univention-ldapsearch failed
4. Every postinst/.inst script failed
5. BIND9/slapd failed to configure
→ very broken system!
Comment 2 Stefan Gohmann univentionstaff 2017-02-02 16:43:51 CET
Thanks for moving the discussion to the right bug.

(In reply to Philipp Hahn from comment #1)
> <https://github.com/docker/docker/issues/6388> and
> <https://github.com/docker/docker/issues/14627> and finally
> <https://github.com/docker/libnetwork/pull/841> → docker-1.14

Currently, we have Docker 1.12 in UCS 4.2. 1.14 is not yet available.

> > It is possible to set custom DNS servers and domains (--dns-search=, --dns=
> > parameter for docker run/create) but this would require more changes in the
> > appcenter docker code.
> > 
> > So the question is: is it really worth it?
> 
> Yes:
> 1. Today I had a system where the network failed to restart

Was it a UCS 4.2 / UCS 4.1?

> 2. /etc/ldap/ldap.conf uses the FQHN, which resolves to the IP (which was
> unreachable)

OK

> 3. Thus univention-ldapsearch failed

OK

> 4. Every postinst/.inst script failed

Which postinst failed if the LDAP server is not available?

The join scripts will be executed later.

> 5. BIND9/slapd failed to configure
> → very broken system!

Can you provide log files?
Comment 3 Stefan Gohmann univentionstaff 2017-06-16 20:40:49 CEST
This issue has been filed against UCS 3. UCS 3 is out of normal maintenance and many UCS components have changed vastly in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 4 Ingo Steuwer univentionstaff 2020-07-03 20:55:44 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 5 Philipp Hahn univentionstaff 2021-03-26 06:45:36 CET
This is still a bug with 5.0: Local BIND9 becomes unused as soon as the IP address changes. This happens in EC2, where even the Primary Node gets its address from DHCP.

Using 127.0.0.1 in /etc/resolv.conf breaks Docker, as it copies the file into any container, where "localhost" is something else.
Actually, Docker checks for this and automatically falls back to 8.8.8.8 and 8.8.4.4 in that case, which does not work for resolving in-domain names.
<https://github.com/moby/moby/issues/6388>
<https://github.com/moby/moby/issues/14627>
<https://github.com/moby/moby/issues/23910>

Similar to what base/univention-server/univention-fix-ucr-dns implements since Bug #44462 we should do this:
1. Unjoined * -> use external DNS servers in resolv.conf
2. Joined Member -> ditto
3. Joined DC ->
   host: use "localhost" + other UCRV nameserver[123]
   container: "IP from docker0" + other UCRV nameserver[123]

My implementation for Bug #52959 does this.
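The following is an added example, not code from this bug, from UCS, from univention-fix-ucr-dns or from Docker. It models the two mechanisms the thread turns on: Docker's treatment of a copied /etc/resolv.conf (loopback nameservers dropped, public 8.8.8.8/8.8.4.4 fallback when nothing is left, as described in comment 1 and comment 5), and the per-role nameserver rule proposed in comment 5. The role names "member" and "dc", the join flag, the docker0 address 172.17.0.1 (Docker's default bridge gateway) and the UCR nameserver values are assumptions constructed for the example; "localhost" is written as 127.0.0.1 because resolv.conf accepts only literal addresses on nameserver lines.

```python
# Added example (not UCS, Docker or univention-fix-ucr-dns code). Models:
#  1. what Docker does with the host's /etc/resolv.conf when copying it into
#     a container: loopback nameservers are dropped and, if none remain, the
#     public fallback 8.8.8.8 / 8.8.4.4 is used;
#  2. the per-role rule proposed in comment 5 for which nameservers to write.
# Role names, the docker0 address and the UCR values are constructed here.
import ipaddress
from typing import List

DOCKER_FALLBACK = ["8.8.8.8", "8.8.4.4"]


def is_loopback(addr: str) -> bool:
    """True for 'localhost' and any 127.0.0.0/8 or ::1 address."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the addresses from 'nameserver' lines, in file order."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def docker_filter(servers: List[str]) -> List[str]:
    """Model of Docker's sanitising of a copied resolv.conf."""
    kept = [s for s in servers if not is_loopback(s)]
    return kept if kept else list(DOCKER_FALLBACK)


def choose_nameservers(joined: bool, role: str, ucr_nameservers: List[str],
                       in_container: bool = False,
                       docker0_ip: str = "172.17.0.1") -> List[str]:
    """Nameserver list for resolv.conf following the rule in comment 5.

    unjoined or joined member: external servers from UCR nameserver1..3
    joined DC on the host:     loopback first, then the other UCR servers
    joined DC in a container:  docker0 address first, then the other UCR servers
    """
    external = []
    for ns in ucr_nameservers:
        if ns and not is_loopback(ns) and ns not in external:
            external.append(ns)
    if not joined or role != "dc":
        return external
    local = docker0_ip if in_container else "127.0.0.1"
    return [local] + [ns for ns in external if ns != local]


def render_resolv_conf(servers: List[str], search: str = "example.test") -> str:
    """Build resolv.conf text; the search domain is a constructed placeholder."""
    lines = ["search " + search] + ["nameserver " + s for s in servers]
    return "\n".join(lines) + "\n"


def demo() -> dict:
    """Walk the joined-DC case through the host and container paths."""
    ucr = ["localhost", "10.0.0.2", "10.0.0.3"]  # constructed UCR nameserver1..3
    host = choose_nameservers(True, "dc", ucr)
    container = choose_nameservers(True, "dc", ucr, in_container=True)
    return {
        "host": host,
        "host_seen_by_docker": docker_filter(parse_nameservers(render_resolv_conf(host))),
        "container": container,
        "container_seen_by_docker": docker_filter(container),
        "only_loopback_seen_by_docker": docker_filter(["127.0.0.1"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the demo shows why the container variant matters: the host file beginning with 127.0.0.1 loses its first entry when Docker copies it, and a file containing only the loopback resolver ends up at 8.8.8.8/8.8.4.4, which cannot answer in-domain names; the docker0 address survives the copy and still reaches the host's BIND9.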