Based on my earlier emails about the state of service discovery, I did
some research and a little writeup on how to use mesos-dns as a forward
lookup zone in an enterprise BIND installation. I feel this is more secure,
and more comfortable for an enterprise DNS team, as opposed to changing the
first resolver on every client that may interact with Mesos to be the
mesos-dns server. Please feel free to modify/correct and include this in
the mesos-dns documentation if you feel it's valuable.
Goals/Thought Process
- Run mesos-dns on a non-standard port (such as 8053). This allows you to
run it as a non-root user.
- While most DNS clients may not understand a different port, in an
enterprise most DNS servers will respect a forward lookup zone whose
forwarder uses a different port.
- The setup below for BIND9 allows you to keep all your Mesos servers AND
clients in an enterprise pointing their requests at your enterprise DNS
server, rather than at mesos-dns.
  - This is easier from an enterprise configuration standpoint: make one
change on your DNS servers, rather than adding a resolver on all the
clients.
  - This is more secure in that you can run mesos-dns as non-root (53 is a
privileged port, 8053 is not); no sudo required.
  - For more security, you can limit connections to the mesos-dns server to
only your enterprise DNS servers. This could help mitigate any unknown
vulnerabilities in mesos-dns.
  - This allows you to run mesos-dns in HA, in that you can specify multiple
forwarders in your BIND configuration.
BIND9 Config
This was put into my named.conf.local. It sets up the .mesos zone and
forwards it to mesos-dns. All my Mesos servers already pointed at this server,
therefore no client changes were required.


# 192.168.0.100 is my host running mesos-dns
zone "mesos" {
    type forward;
    forward only;
    forwarders { 192.168.0.100 port 8053; };
};
config.json (mesos-dns config file)
I DID specify my internal DNS server in the resolvers (192.168.0.10);
however, I am not sure if I need to do this, since only requests for
.mesos will actually be sent to mesos-dns.

{
  "masters": ["192.168.0.98:5050"],
  "refreshSeconds": 60,
  "ttl": 60,
  "domain": "mesos",
  "port": 8053,
  "resolvers": ["192.168.0.10"],
  "timeout": 5,
  "listener": "0.0.0.0",
  "email": "root.mesos-dns.mesos"
}
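Once the forward zone is in place, the thing worth checking is that a .mesos
name answered directly by mesos-dns on 8053 is answered identically when the
query goes through the enterprise BIND server on 53. The script below is an
added example (not code from the post or from the mesos-dns project): it builds
a raw DNS A query with only the standard library, sends it to each server, and
compares the two answers, rejecting replies whose transaction id does not match.
The addresses are the ones from the post; the name leader.mesos is my
assumption of a record mesos-dns serves, so substitute any .mesos name you know
exists.

```python
import random
import socket
import struct

# Values taken from the post (constructed for this example): the enterprise
# BIND server that clients use, and the host/port where mesos-dns listens.
ENTERPRISE_DNS = ("192.168.0.10", 53)
MESOS_DNS = ("192.168.0.100", 8053)


def build_query(name, txid=None):
    """Build a minimal DNS A/IN query for `name` in RFC 1035 wire format."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100 = recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name occupies only the 2 pointer bytes
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg, txid):
    """Return (rcode, [A record IPs]) from a DNS response, checking the txid."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            ips.append(socket.inet_ntoa(rdata))
    return rcode, ips


def resolve(name, server, timeout=5.0):
    """Send one UDP query to server=(host, port); return (rcode, ips)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), server)
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def check_forwarding(name, enterprise=ENTERPRISE_DNS, mesos=MESOS_DNS):
    """Query mesos-dns directly and via BIND; report whether answers agree."""
    direct = resolve(name, mesos)
    via_bind = resolve(name, enterprise)
    consistent = direct[0] == via_bind[0] and sorted(direct[1]) == sorted(via_bind[1])
    return {"direct": direct, "via_bind": via_bind, "consistent": consistent}


if __name__ == "__main__":
    import sys
    print(check_forwarding(sys.argv[1] if len(sys.argv) > 1 else "leader.mesos"))
```

If the direct query answers but the BIND path returns rcode 5 (REFUSED) or
times out, the forward zone is not matching or BIND cannot reach port 8053;
if both agree, clients pointed at the enterprise resolver will see the same
records mesos-dns serves. Running the direct query from a host other than the
BIND server is also a quick way to confirm that any firewall restricting 8053
to the enterprise DNS servers is in effect.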


Marathon start JSON
Note the lack of sudo here. I also constrained it to one host for now, but
that could change if needed.

{
  "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
  "cpus": 1.0,
  "mem": 1024,
  "id": "mesos-dns",
  "instances": 1,
  "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
}
