We're using a BGP based solution currently to solve the problem of highly 
available DNS resolvers.

That might be a route worth taking, and one that could still work via marathon
on top of Mesos.

--


Tom Arnfeld

Developer // DueDil


(+44) 7525940046

25 Christopher Street, London, EC2A 2BS

On Thu, Apr 2, 2015 at 10:07 PM, John Omernik <j...@omernik.com> wrote:

> True :)
> On Thu, Apr 2, 2015 at 3:37 PM, Tom Arnfeld <t...@duedil.com> wrote:
>> Last time I checked haproxy didn't support UDP, which would be key for
>> mesos-dns.
>>
>> --
>>
>> Tom Arnfeld
>> Developer // DueDil
>>
>> (+44) 7525940046
>> 25 Christopher Street, London, EC2A 2BS
>>
>>
>> On Thu, Apr 2, 2015 at 3:53 PM, John Omernik <j...@omernik.com> wrote:
>>
>>> That was my first response as well... I work at a bank, and the thought
>>> of changing dns servers on the clients everywhere made me roll my eyes :)
>>>
>>> John
>>>
>>>
>>> On Thu, Apr 2, 2015 at 9:39 AM, Tom Arnfeld <t...@duedil.com> wrote:
>>>
>>>> This is great, thanks for sharing!
>>>>
>>>> It's nice to see other members of the community sharing more realistic
>>>> implementations of DNS rather than just "update your resolv conf" and it
>>>> works :-)
>>>>
>>>> --
>>>>
>>>> Tom Arnfeld
>>>> Developer // DueDil
>>>>
>>>> (+44) 7525940046
>>>> 25 Christopher Street, London, EC2A 2BS
>>>>
>>>>
>>>> On Thu, Apr 2, 2015 at 3:30 PM, John Omernik <j...@omernik.com> wrote:
>>>>
>>>>> Based on my earlier emails about the state of service discovery, I did
>>>>> some research and a little writeup on how to use mesos-dns as a forward
>>>>> lookup zone in an enterprise bind installation. I feel this is more secure,
>>>>> and more comfortable for an enterprise DNS team as opposed to changing the
>>>>> first resolver on every client that may interact with mesos to be the
>>>>> mesos-dns server.  Please feel free to modify/correct and include this in
>>>>> the mesos-dns documentation if you feel it's valuable.
>>>>>
>>>>>
>>>>> Goals/Thought Process
>>>>> - Run mesos-dns on a non-standard port. (such as 8053).  This allows
>>>>> you to run it as a non-root user.
>>>>> - While most DNS clients may not understand this (a different port), in
>>>>> an enterprise, most DNS servers will respect a forward lookup zone with a
>>>>> server using a different port.
>>>>> - The setup below for BIND9 allows you to keep all your mesos servers AND
>>>>> clients in an enterprise pointing their requests at your enterprise DNS
>>>>> server, rather than mesos-dns.
>>>>>   - This is easier from an enterprise configuration standpoint. Make
>>>>> one change on your dns servers, rather than adding a resolver on all the
>>>>> clients.
>>>>>   - This is more secure in that you can run mesos-dns as non-root (53
>>>>> is a privileged port, 8053 is not); no sudo required.
>>>>>   - For more security, you can limit connections to the mesos-dns
>>>>> server to only your enterprise dns servers. This could help mitigate any
>>>>> unknown vulnerabilities in mesos-dns.
>>>>>   - This allows you to HA mesos-dns in that you can specify multiple
>>>>> resolvers for your bind configuration.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Bind9 Config
>>>>> This was put into my named.conf.local. It sets up the .mesos zone and
>>>>> forwards to mesos-dns. All my mesos servers already pointed at this server,
>>>>> therefore no client changes were required.
>>>>>
>>>>>
>>>>> #192.168.0.100 is my host running mesos DNS
>>>>> zone "mesos" {
>>>>> type forward;
>>>>> forward only;
>>>>> forwarders { 192.168.0.100 port 8053; };
>>>>> };
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> config.json mesos-dns config file.
>>>>> I DID specify my internal DNS server in the resolvers (192.168.0.10);
>>>>> however, I am not sure if I need to do this, since only requests for
>>>>> .mesos will actually be sent to mesos-dns.
>>>>>
>>>>> {
>>>>>   "masters": ["192.168.0.98:5050"],
>>>>>   "refreshSeconds": 60,
>>>>>   "ttl": 60,
>>>>>   "domain": "mesos",
>>>>>   "port": 8053,
>>>>>   "resolvers": ["192.168.0.10"],
>>>>>   "timeout": 5,
>>>>>   "listener": "0.0.0.0",
>>>>>   "email": "root.mesos-dns.mesos"
>>>>> }
>>>>>
>>>>>
>>>>> marathon start json
>>>>> Note the lack of sudo here. I also constrained it to one host for now,
>>>>> but that could change if needed.
>>>>>
>>>>> {
>>>>> "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>>>>> "cpus": 1.0,
>>>>> "mem": 1024,
>>>>> "id": "mesos-dns",
>>>>> "instances": 1,
>>>>> "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
>>>>> }
>>>>>
>>>>
>>>>
>>>
>>

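One way to sanity-check the pairing John describes above (the named.conf.local forward zone against the mesos-dns config.json it hands off to), as an added example that is not from the thread. The sample inputs are constructed from the posted configs, and the BIND server address 192.168.0.10 is taken from the thread's resolvers entry; it also flags the 0.0.0.0 listener, since the thread's hardening point is that only the enterprise DNS servers should be able to reach mesos-dns:

```python
"""Cross-check a BIND forward zone against the mesos-dns config.json it forwards to.
Added example, not from the thread; sample inputs are constructed from the configs above."""
import json
import re

NAMED_CONF_LOCAL = """
zone "mesos" {
type forward;
forward only;
forwarders { 192.168.0.100 port 8053; };
};
"""
MESOS_DNS_CONFIG = '{"domain": "mesos", "port": 8053, "resolvers": ["192.168.0.10"], "listener": "0.0.0.0"}'

# zone "<name>" { ... } allowing one nested brace level (the forwarders list).
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}')
FORWARDER_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})(?:\s+port\s+(\d+))?')


def parse_forward_zones(named_conf):
    """Return {zone: [(ip, port), ...]} for each 'type forward' zone; port defaults to 53."""
    zones = {}
    for name, body in ZONE_RE.findall(named_conf):
        if not re.search(r"type\s+forward\s*;", body):
            continue
        m = re.search(r"forwarders\s*\{([^}]*)\}", body)
        fwds = FORWARDER_RE.findall(m.group(1)) if m else []
        zones[name] = [(ip, int(port) if port else 53) for ip, port in fwds]
    return zones


def check_forwarding(named_conf, config_json, bind_servers):
    """Return findings as strings; an empty list means the configs agree and exposure is narrow."""
    cfg = json.loads(config_json)
    domain, port = cfg["domain"], int(cfg.get("port", 53))
    findings = []
    forwarders = parse_forward_zones(named_conf).get(domain)
    if forwarders is None:
        findings.append(f'no forward zone "{domain}" matches the mesos-dns domain')
    for ip, fwd_port in forwarders or []:
        if fwd_port != port:
            findings.append(f"forwarder {ip} uses port {fwd_port} but mesos-dns listens on {port}")
    # Hardening point from the thread: only the enterprise DNS servers should reach mesos-dns.
    if cfg.get("listener", "0.0.0.0") == "0.0.0.0":
        findings.append(f"listener is 0.0.0.0; limit port {port} to {', '.join(bind_servers)}")
    return findings
```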