Config knob to enable/disable dns packet redirection #164
base: main
Conversation
This PR provides an option to explicitly enable/disable DNS redirection related eBPF programs.
Signed-off-by: Anil Kumar Vishnoi <vishnoianil@gmail.com>
Welcome to the Merbridge OpenSource Community!👏 We're delighted to have you onboard 💘
Right now we are actually automatically recognizing when and only when the DNS_CAPTURE_PORT port is being listened to, and doing the redirect.
Of course, there's nothing wrong with what you've added, but I think we may need an "auto-detect" mode.
Instead, we will use DNS_CAPTURE_PORT detection only when working in "auto-detect" mode, other modes may not need this step.
@kebe7jun If I understood your comment correctly, you are suggesting that users should not have to set --dns-redir=true if they want to enable the DNS redirection, and that merbridge should determine it at load time and then internally just set it to --dns-redir=true/false (or just define the macros)?
I think there are three possible scenarios.
What do you think? /cc @dddddai
I'm not sure if it's worth removing the detection completely for performance, which is a little bit risky I think. We should use auto-detection by default; users who don't use DNS proxying and want the best performance could turn it off.
I think the only concern I see with the auto-detect mode is that mb_sendmsg4 will make two lookup calls (for OUT_REDIRECT_PORT & DNS_CAPTURE_PORT) for every DNS request message it receives, and in a large-scale cluster the number of DNS requests can be significant. Even in my small setup of 3 master / 3 worker nodes with only fortio pods, I see that the sendmsg/recvmsg counters keep increasing.
Yes, I think this makes sense. We can keep the auto-detection on by default and, if users don't want to use it, disable it at the time of merbridge deployment. And if it's disabled, DNS redirection will still work anyway because of the iptables rules. The only concern with keeping auto-detection on by default is that in a large-scale cluster, where you can have a significant number of DNS requests, it might cause performance issues for the redirection of other traffic.
In this scenario, merbridge will auto-discover if istio's dns redirection is enabled by doing lookup for the istio dns port. User can disable dns redirection by setting --dns-redir to false.
Signed-off-by: Anil Kumar Vishnoi <vishnoianil@gmail.com>
@kebe7jun @dddddai Apart from that, I am wondering if we can use cni-mode to filter the packets in sendmsg/recvmsg coming from Istio-injected pods, rather than doing a lookup for OUT_REDIRECT_PORT. I am hoping that will reduce a significant number of lookups, and probably give us better performance. Just guessing at this point, but I would like your suggestions on it. I will test some of these scenarios locally to see if it helps.
I don't see solutions without lookup for now, feel free to comment if you have any ideas :) BTW
Sounds like a good idea, it means that we use the CNI to determine if the current Pod needs to have DNS forwarding enabled. In fact, I think we could put the need for DNS forwarding into
@vishnoianil is very concerned about the performance of lookup_sock.
That sounds like a good option. Although in upstream Istio DNS redirection is a global configuration, there are some Istio-based service mesh distributions that support DNS redirection per namespace. So having this configuration in pod_info can cover those scenarios as well. I will look into it and push a patch.
Istio does not enable dns redirection by default.
This PR provides an option to explicitly enable/disable
DNS redirection related eBPF programs. Users need to
edit the merbridge daemonset and modify --dns-redir
to true to enable the dns redirection.
Signed-off-by: Anil Kumar Vishnoi <vishnoianil@gmail.com>