I wonder, if you registered mesos-dns's port in Marathon like you do
with Docker containers, whether you could use the marathon-ha-proxy bridge in
conjunction to allow it to show up anywhere...

On Thu, Apr 2, 2015 at 11:08 AM, James DeFelice
<james.defel...@gmail.com> wrote:
> This is roughly how we've integrated consul dns at client sites. Bind config
> still needs updating if/when mesos dns relocates.
>
> --sent from my phone
>
> On Apr 2, 2015 10:30 AM, "John Omernik" <j...@omernik.com> wrote:
>>
>> Based on my earlier emails about the state of service discovery, I did
>> some research and a little writeup on how to use mesos-dns as a forward
>> lookup zone in an enterprise BIND installation. I feel this is more secure
>> and more comfortable for an enterprise DNS team, as opposed to changing the
>> first resolver on every client that may interact with Mesos to be the
>> mesos-dns server.  Please feel free to modify/correct and include this in
>> the mesos-dns documentation if you feel it's valuable.
>>
>>
>> Goals/Thought Process
>> - Run mesos-dns on a non-standard port (such as 8053).  This allows you
>> to run it as a non-root user.
>> - While most DNS clients may not understand this (a different port), in an
>> enterprise, most DNS servers will respect a forward lookup zone with a
>> server using a different port.
>> - Setup below for BIND9 allows you to keep all your mesos servers AND
>> clients in an enterprise pointing their requests at your enterprise DNS
>> server, rather than mesos-dns.
>>   - This is easier from an enterprise configuration standpoint. Make one
>> change on your dns servers, rather than adding a resolver on all the
>> clients.
>>   - This is more secure in that you can run mesos-dns as non-root (53 is a
>> privileged port, 8053 is not); no sudo required.
>>   - For more security, you can limit connections to the mesos-dns server
>> to only your enterprise dns servers. This could help mitigate any unknown
>> vulnerabilities in mesos-dns.
>>   - This allows you to HA mesos-dns in that you can specify multiple
>> resolvers for your bind configuration.
>>
>>
>>
>>
>> Bind9 Config
>> This was put into my named.conf.local. It sets up the .mesos zone and
>> forwards it to mesos-dns. All my Mesos servers already point at this server,
>> so no client changes are required.
>>
>>
>> #192.168.0.100 is my host running mesos DNS
>> zone "mesos" {
>> type forward;
>> forward only;
>> forwarders { 192.168.0.100 port 8053; };
>> };
>>
>>
>>
>>
>> config.json mesos-dns config file.
>> I DID specify my internal DNS server in the resolvers (192.168.0.10);
>> however, I am not sure if I need to do this, since only requests for .mesos
>> will actually be sent to mesos-dns.
>>
>> {
>>   "masters": ["192.168.0.98:5050"],
>>   "refreshSeconds": 60,
>>   "ttl": 60,
>>   "domain": "mesos",
>>   "port": 8053,
>>   "resolvers": ["192.168.0.10"],
>>   "timeout": 5,
>>   "listener": "0.0.0.0",
>>   "email": "root.mesos-dns.mesos"
>> }
>>
>>
>> marathon start json
>> Note the lack of sudo here. I also constrained it to one host for now, but
>> that could change if needed.
>>
>> {
>>   "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>>   "cpus": 1.0,
>>   "mem": 1024,
>>   "id": "mesos-dns",
>>   "instances": 1,
>>   "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
>> }

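The writeup quoted above covers two things in prose but shows only the single-forwarder case: the HA variant of the forward zone (several mesos-dns instances listed as forwarders) and the host-level restriction so that only the enterprise DNS servers can reach mesos-dns. The script below is an added example, not code from the thread or from the mesos-dns project. It renders both pieces of configuration from a host list and prints them for review rather than applying anything. The addresses are the thread's own values reused as stand-ins (192.168.0.100 plus an assumed second instance 192.168.0.101 for mesos-dns, 192.168.0.10 for the enterprise resolver), and the firewall rules are iptables commands that are assumed to be applied on the mesos-dns host. One caveat worth the extra lines: the quoted config.json sets "listener": "0.0.0.0", so mesos-dns answers on every interface and the firewall is what actually enforces the "only our DNS servers" property, and it has to cover TCP as well as UDP because BIND retries truncated answers over TCP.

```shell
#!/bin/sh
# Added example (not from the original thread): render a BIND9 forward zone
# that fans out to several mesos-dns instances, plus the host firewall rules
# that restrict the mesos-dns port to the enterprise resolvers. Addresses
# used in the demo below are assumptions based on the thread, not a real
# deployment. Output is printed for review, never applied by this script.

# render_forward_zone DOMAIN PORT HOST...
# Emits a named.conf.local zone stanza with one forwarder per mesos-dns
# host. With more than one host, BIND tries the forwarders in turn, which
# is what gives you mesos-dns HA without touching any client resolver list.
render_forward_zone() {
    domain="$1"; port="$2"; shift 2
    [ "$#" -ge 1 ] || { echo "render_forward_zone: need at least one host" >&2; return 1; }
    printf 'zone "%s" {\n' "$domain"
    printf '    type forward;\n'
    printf '    forward only;\n'
    printf '    forwarders {\n'
    for host in "$@"; do
        printf '        %s port %s;\n' "$host" "$port"
    done
    printf '    };\n'
    printf '};\n'
}

# render_mesos_dns_firewall PORT RESOLVER...
# Emits iptables commands (assumed to run on the mesos-dns host) that
# accept the mesos-dns port only from the listed enterprise DNS servers
# and drop everything else. Both UDP and TCP are covered: BIND falls back
# to TCP when a UDP answer comes back truncated.
render_mesos_dns_firewall() {
    port="$1"; shift
    [ "$#" -ge 1 ] || { echo "render_mesos_dns_firewall: need at least one resolver" >&2; return 1; }
    for proto in udp tcp; do
        for src in "$@"; do
            printf 'iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n' "$proto" "$port" "$src"
        done
        printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$port"
    done
}

# port_is_unprivileged PORT
# Returns 0 only for ports above 1023, i.e. ports a non-root mesos-dns
# process can bind without sudo or capabilities.
port_is_unprivileged() {
    [ "$1" -gt 1023 ] 2>/dev/null
}

# verify_lookup RESOLVER PORT NAME
# Query one resolver:port directly with dig. Needs network access, so it is
# not exercised by the self-test. Run it twice after deploying: against
# mesos-dns on 8053 to prove the service answers, then against the
# enterprise DNS on 53 to prove the forward zone is wired up.
verify_lookup() {
    dig +short "@$1" -p "$2" "$3"
}

# Demo with constructed addresses: two mesos-dns hosts, one enterprise
# resolver. Enabled only when MESOS_DNS_DEMO=1 so sourcing stays silent.
if [ "${MESOS_DNS_DEMO:-}" = "1" ]; then
    port_is_unprivileged 8053 || echo "warning: port 8053 would need root" >&2
    render_forward_zone mesos 8053 192.168.0.100 192.168.0.101
    render_mesos_dns_firewall 8053 192.168.0.10
fi
```

Run it with `MESOS_DNS_DEMO=1 sh mesos-dns-forward.sh` and paste the zone stanza into named.conf.local on the enterprise resolver; the iptables lines belong on each mesos-dns host, after the usual loopback and established-connection rules. Adding a third mesos-dns host is one more argument to render_forward_zone, and adding a second enterprise resolver is one more argument to render_mesos_dns_firewall; the clients never change.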