Skip to content

Refactor aro-dnsmasq-pre.sh #4501

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ventifus wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Refactor aro-dnsmasq-pre.sh #4501

ventifus wants to merge 1 commit into from
+16 −6

Conversation

@ventifus
Copy link
Collaborator

@ventifus ventifus commented Dec 5, 2025
edited
Loading

Derive all information from NetworkManager directly to avoid setting dnsmasq's name server to the node IP in some circumstances

Which issue this PR addresses:

Fixes ARO-23104

What this PR does / why we need it:

In some circumstances where dnsmasq.service's ExecStopPost fails to fire, we end up consuming our own NetworkManager configuration resulting in resolv.conf.dnsmasq containing the node's IP not the upstream DNS servers' IPs. To avoid that, we now look directly at NetworkManager's configuration as obtained by DHCP. As a result, we no longer need to delete the NetworkManager drop-in with dnsmasq's ExecStopPost, and re-executing aro-dnsmasq-pre.sh is idempotent.

Test plan for issue:

  • Install cluster with local RP
  • Scale up worker nodes
  • Canary install of cluster with UDR / invalid DNS

Is there any documentation that needs to be updated for this PR?

How do you know this will function as expected in production?

@ventifus ventifus force-pushed the ventifus/ARO-23104-dnsmasq-pre-robustness branch from 71c8abd to c3fc857 Compare December 5, 2025 01:15
@ventifus
Refactor aro-dnsmasq-pre.sh
c3fc857 
Derive all information from NetworkManager directly to avoid setting dnsmasq's name server to the node IP in some circumstances
@ventifus
Copy link
Collaborator Author

ventifus commented Dec 5, 2025

/azp run ci

@azure-pipelines
Copy link

azure-pipelines bot commented Dec 5, 2025

Azure Pipelines successfully started running 1 pipeline(s).

mociarain
mociarain approved these changes Dec 8, 2025
View reviewed changes
Copy link
Member

@mociarain mociarain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks a good change and based on the context in the JIRA I think it's good to merge as is but I wonder if it's worth testing the operator change for "real". AFAIK @ehvs wrote this process up recently. I tried to find it in the wiki but gave up. Do you have the link?

I'll approve anyway but wdyt?

@ventifus
Copy link
Collaborator Author

ventifus commented Dec 8, 2025

Test best test for this is to perform an install of a UDR cluster with invalid DNS on it's VNET. This requires a working gateway so will likely need Canary.

kimorris27
kimorris27 approved these changes Dec 9, 2025
View reviewed changes
Copy link
Contributor

@kimorris27 kimorris27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to Maitiu. I think it could merge as-is, but testing definitely won't hurt.

hlipsig
hlipsig approved these changes Dec 12, 2025
View reviewed changes
Copy link
Collaborator

@hlipsig hlipsig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, is a test in canary the only way, or can we install a dev cluster into production and validate that way? Can do a hive-less cluster install via local RP, and I know we can do it with a local build ARO operator as well. Amber's done that in the past.

@ventifus
Copy link
Collaborator Author

ventifus commented Dec 12, 2025

We need to test with egress lockdown enabled and a working gateway, I don't think we can do that in an environment less than canary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hlipsig hlipsig hlipsig approved these changes

@mociarain mociarain mociarain approved these changes

@kimorris27 kimorris27 kimorris27 approved these changes

@bennerv bennerv Awaiting requested review from bennerv bennerv is a code owner

@hawkowl hawkowl Awaiting requested review from hawkowl hawkowl is a code owner

@rogbas rogbas Awaiting requested review from rogbas rogbas is a code owner

@mrWinston mrWinston Awaiting requested review from mrWinston mrWinston is a code owner

@jharrington22 jharrington22 Awaiting requested review from jharrington22 jharrington22 is a code owner

@cadenmarchese cadenmarchese Awaiting requested review from cadenmarchese cadenmarchese is a code owner

@yjst2012 yjst2012 Awaiting requested review from yjst2012 yjst2012 is a code owner

@tiguelu tiguelu Awaiting requested review from tiguelu tiguelu is a code owner

@tsatam tsatam Awaiting requested review from tsatam tsatam is a code owner

@fahlmant fahlmant Awaiting requested review from fahlmant

@sankur-codes sankur-codes Awaiting requested review from sankur-codes sankur-codes is a code owner

@wanghaoran1988 wanghaoran1988 Awaiting requested review from wanghaoran1988 wanghaoran1988 is a code owner

@pepedocs pepedocs Awaiting requested review from pepedocs pepedocs is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ventifus @hlipsig @mociarain @kimorris27