Closed Bug 870792 Opened 12 years ago Closed 12 years ago

DNS search path for datacenter VPN

Categories: Infrastructure & Operations :: Infrastructure: Other (task)
Platform: x86, macOS
Type: task
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: Reporter: arich, Assigned: jabba
Attachments: 1 file

The datacenter VPN doesn't currently have a DNS search path, so the only domain that you don't need an FQDN for is mozilla.com. It would be handy to have a per group config to tune this. Releng, for example, uses the following: domain => ["build.mozilla.org", "mozilla.com", "mozilla.org"]; Take a look at the node definition (in manifests/nodes/releng.pp) for vpn1.dmz.releng.scl3.mozilla.com for an example.
Here's a patch to add mozilla.org and build.mozilla.org to the search list. I'm not 100% clear on whether this does the intended behavior, i.e. with just mozilla.com in there, my /etc/resolv.conf has a line "domain mozilla.com", but I *think* we want it to say "search mozilla.com build.mozilla.org mozilla.org", and I'm not sure if this will do that automatically. Asking :digi for review to verify that this will do the right thing and :kang to ack whether this is ok to add to the global datacenter VPN.
Attachment #748203 - Flags: review?(gdestuynder)
Attachment #748203 - Flags: review?(bhourigan)
Comment on attachment 748203 [details] [diff] [review] patch to add domains: The patch is fine; however, machine names could be the same with different domains, like blah.mozilla.com, blah.build.mozilla.org, blah.mozilla.org. If that happens, this may cause confusion. Personally, when I connect I just always use the FQDN. Hopefully nobody hits "yes" when the SSH fingerprint check fails the domain check anyway :)
Attachment #748203 - Flags: review?(gdestuynder) → review+
That's one of the reasons I was hoping that the domain search path could be set on a per-group basis. People in releng almost exclusively use foo.build.mozilla.org and never the A record in mozilla.com.
Comment on attachment 748203 [details] [diff] [review] patch to add domains: It will alter the search path as intended. Looking in openvpn/templates/server.conf.erb, we're limited to a maximum of 6 search domains, so we should choose those domains carefully. I'm not sure if adding build.mozilla.org to the search path is appropriate for all users. I'm in the habit of using fully qualified names in conjunction with things like tab completion from my known_hosts. I'd lean towards no special search paths and let the end user manage hostname completion.
Attachment #748203 - Flags: review?(bhourigan) → review+
Note that the Linux resolver has a limit of 256 characters for the search list, as well as the 6 item limit.
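The two review points above, that the same short name can exist under several of the pushed domains and that the resolver only honours 6 search entries / 256 characters, are easy to see by modelling the search-list expansion directly. The following is an added example, not part of the bug or of Mozilla's VPN or Puppet configuration: a small Python model of how a glibc-style stub resolver applies resolv.conf, run against a constructed zone. The only data taken from the bug is the resolv.conf pasted after the change was pushed; the releng search order and the zone records are assumptions for illustration.

```python
"""Model of how a glibc-style stub resolver applies the resolv.conf search list.
Added example; ZONE and RELENG_RESOLV are constructed, not real Mozilla data."""
from dataclasses import dataclass, field

MAX_SEARCH_DOMAINS = 6    # limit cited in the bug (server template and glibc)
MAX_SEARCH_CHARS = 256    # glibc search-list length limit cited in the bug


@dataclass
class ResolvConf:
    search: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)
    ndots: int = 1        # glibc default


def parse_resolv_conf(text):
    """'domain X' is a one-entry search list; the last domain/search line wins."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "domain" and args:
            conf.search = [args[0]]
        elif key == "search":
            conf.search = list(args)
        elif key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf.ndots = int(opt.split(":", 1)[1])
    return conf


def check_search_list(search):
    """Problems against the two limits quoted in the bug (empty list if OK)."""
    problems = []
    if len(search) > MAX_SEARCH_DOMAINS:
        problems.append(f"{len(search)} domains exceeds the limit of {MAX_SEARCH_DOMAINS}")
    length = len(" ".join(search))
    if length > MAX_SEARCH_CHARS:
        problems.append(f"search list is {length} chars, limit is {MAX_SEARCH_CHARS}")
    return problems


def candidates(name, conf):
    """Lookup order: trailing dot = absolute only; a name with >= ndots dots is
    tried as-is first, then with each suffix; shorter names get suffixes first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixed = [f"{name}.{d}" for d in conf.search]
    if name.count(".") >= conf.ndots:
        return [name] + suffixed
    return suffixed + [name]


def resolve(name, conf, zone):
    """First candidate present in the constructed zone, or None."""
    for fqdn in candidates(name, conf):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


def ambiguous_names(search, zone):
    """Short names that map to more than one FQDN under this search list; which
    one wins depends only on list order, the collision the reviewer warned about."""
    hits = {}
    for fqdn in zone:
        for domain in search:
            if fqdn.endswith("." + domain):
                hits.setdefault(fqdn[: -len(domain) - 1], set()).add(fqdn)
    return {s: sorted(f) for s, f in hits.items() if len(f) > 1}


# Constructed zone data (addresses are not real).
ZONE = {
    "blah.mozilla.com": "10.0.0.10",
    "blah.build.mozilla.org": "10.0.1.10",
    "blah.mozilla.org": "10.0.2.10",
    "slavealloc.build.mozilla.org": "10.0.1.20",
}

# resolv.conf as pasted in the bug after the change was pushed.
DC_VPN_RESOLV = """search mozilla.com build.mozilla.org mozilla.org
nameserver 10.22.75.40
nameserver 10.22.75.41
"""

# Assumed order releng's own VPN would prefer: build.mozilla.org first.
RELENG_RESOLV = "search build.mozilla.org mozilla.com mozilla.org\n"

if __name__ == "__main__":
    dc, releng = parse_resolv_conf(DC_VPN_RESOLV), parse_resolv_conf(RELENG_RESOLV)
    print("dc vpn : blah ->", resolve("blah", dc, ZONE))
    print("releng : blah ->", resolve("blah", releng, ZONE))
    print("collisions:", ambiguous_names(dc.search, ZONE))
    print("too many  :", check_search_list([f"d{i}.example" for i in range(7)]))
```

Run as a script it shows the point of both reviewers: "blah" resolves to blah.mozilla.com under the datacenter VPN order and to blah.build.mozilla.org under the releng order, so a user who types short names gets a different host depending on which VPN they are on, while an FQDN with a trailing dot is never expanded at all.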
(In reply to Brian Hourigan [:digi] from comment #4)

If releng users don't get bmo in their search path, I think you're going to have a very difficult time convincing them to use the dc vpn.
It is technically possible to have a specific search path for specific groups only, albeit one should be careful not to collide too much between groups. The settings are pushed to the VPN at client connection time in a dynamic fashion (via a connect script); thus, this script can send different settings depending on the LDAP vpn_ group membership, for example. It's also possible for users to just set their search path too.
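The per-group mechanism described in the comment above (option (b) in the discussion that follows, which the bug ultimately did not take) looks like this in practice. This is an added example, not the datacenter VPN's real connect script: an OpenVPN client-connect script in Python that chooses a search list from the client's group membership and writes client-specific push lines. OpenVPN passes the path of a temporary client-config file as the script's last argument and exports the client's certificate CN as $common_name; the group lookup, the group-to-domain table and the CN-to-group directory are stand-ins for the LDAP vpn_ groups and are assumptions, not Mozilla's data.

```python
#!/usr/bin/env python3
"""Added example: per-group DNS search list pushed from an OpenVPN client-connect
script. GROUP_DOMAINS and FAKE_DIRECTORY are constructed stand-ins for LDAP."""
import os
import sys

MAX_SEARCH_DOMAINS = 6     # cap cited in the bug (server template and glibc)
MAX_SEARCH_CHARS = 256     # glibc search-list length limit cited in the bug
BASE_DOMAINS = ["mozilla.com"]   # assumed: what every client got before this change

# Hypothetical mapping from LDAP vpn_ group to extra search domains.
GROUP_DOMAINS = {
    "vpn_releng": ["build.mozilla.org", "mozilla.org"],
    "vpn_webops": ["mozilla.org"],
}

# Constructed stand-in for the LDAP directory: certificate CN -> vpn_ groups.
FAKE_DIRECTORY = {
    "alice": {"vpn_releng"},
    "bob": {"vpn_webops", "vpn_releng"},
}


def lookup_groups(common_name):
    """Return the vpn_ groups for a CN (stub replacing an LDAP query)."""
    return FAKE_DIRECTORY.get(common_name, set())


def search_domains_for(groups, group_domains=GROUP_DOMAINS, base=BASE_DOMAINS):
    """Merge the global list with each group's extras in a deterministic order
    (base first, then groups sorted by name), de-duplicate, and trim so the result
    never exceeds the 6-entry or 256-character limits. Trimming on the server is
    the answer to the 'member of 6 different groups' problem: the client never
    receives a list it would have to truncate on its own."""
    merged = list(base)
    for group in sorted(groups):
        for domain in group_domains.get(group, []):
            if domain not in merged:
                merged.append(domain)
    while len(merged) > MAX_SEARCH_DOMAINS or len(" ".join(merged)) > MAX_SEARCH_CHARS:
        merged.pop()
    return merged


def push_lines(domains):
    """One 'dhcp-option DOMAIN' push per search domain. How a client folds several
    of these into one search list is client-specific (see the NetworkManager
    problem reported later in this bug)."""
    return [f'push "dhcp-option DOMAIN {d}"' for d in domains]


def main(argv):
    out_path = argv[-1]                       # temp client-config file from OpenVPN
    cn = os.environ.get("common_name", "")
    try:
        groups = lookup_groups(cn)
    except Exception:                         # directory unavailable: fall back to
        groups = set()                        # the global list instead of rejecting
    with open(out_path, "w") as fh:           # the client with a non-zero exit
        fh.write("\n".join(push_lines(search_domains_for(groups))) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script is wired in with `client-connect /path/to/script` on the server; a non-zero exit from a client-connect script makes OpenVPN reject the connection, which is why a failed directory lookup degrades to the global search list here rather than failing closed, since the worst case is that the user has to type FQDNs.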
I think we should either: a) add build.mozilla.org and be done with it or b) add an LDAP attribute for search path and have the VPN push that to clients in that group, but this option might open up a can of worms and unexpected weirdness for someone that might be in 6 different groups that all have different search path settings. So, I'm leaning towards a).
(In reply to Justin Dow [:jabba] from comment #8)
> I think we should either:
>
> a) add build.mozilla.org and be done with it
> or
> b) add an LDAP attribute for search path and have the VPN push that to
> clients in that group, but this option might open up a can of worms and
> unexpected weirdness for someone that might be in 6 different groups that
> all have different search path settings.
>
> So, I'm leaning towards a).

WFM. This is what we do on the existing RelEng VPN, AFAICT.
This is pushed. I connected and get in my /etc/resolv.conf:

    search mozilla.com build.mozilla.org mozilla.org
    nameserver 10.22.75.40
    nameserver 10.22.75.41
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Hmm, this doesn't seem to be working for me:

    > cat /etc/resolv.conf
    # Generated by NetworkManager
    domain mozilla.com
    search mozilla.com
    nameserver 127.0.1.1
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Ben Hearsum [:bhearsum] from comment #11)
> Hmm, this doesn't seem to be working for me:
> > cat /etc/resolv.conf
> # Generated by NetworkManager
> domain mozilla.com
> search mozilla.com
> nameserver 127.0.1.1

It seems that I can't resolve build.mozilla.org hosts at all, actually:

    > host slavealloc.build.mozilla.org
    Host slavealloc.build.mozilla.org not found: 3(NXDOMAIN)
    > host buildbot-master36.build.mozilla.org
    Host buildbot-master36.build.mozilla.org not found: 3(NXDOMAIN)
Worked through this on IRC. The bug is in NetworkManager, and our Mana page now has instructions on how to patch NetworkManager to support multiple domains.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
See Also: → 1515259