Fix Runner DNS resolution
by adding public nameservers to the CNI secure bridge configuration.
This commit is contained in:
Maximilian Paß
@ -65,6 +65,14 @@ nomad:
|
||||
# namespace: poseidon
|
||||
# Prefer local Docker images over pulling them from a registry. Images with the `latest` tag will always be force pulled by Nomad regardless of this configuration.
|
||||
disableforcepull: true
|
||||
# Network configuration for network-enabled runners. See https://developer.hashicorp.com/nomad/docs/job-specification/network.
|
||||
network:
|
||||
# Available Modes: "none", "bridge", "host", "cni/*".
|
||||
# "none": Even the network-enabled runners will be isolated.
|
||||
# "bridge": Isolated network namespace with bridged interface. Linux-only.
|
||||
# "host": Using the host network namespace. Less-secure.
|
||||
# "cni/*": Configure an isolated network namespace using CNI. For example, this can be a more secured bridge network.
|
||||
mode: "cni/secure-bridge"
|
||||
|
||||
aws:
|
||||
# Specifies whether AWS should be used as executor.
|
||||
|
||||
@ -8,6 +8,7 @@ import (
|
||||
"flag"
|
||||
"fmt"
|
||||
"github.com/getsentry/sentry-go"
|
||||
nomadApi "github.com/hashicorp/nomad/api"
|
||||
"github.com/openHPI/poseidon/pkg/dto"
|
||||
"github.com/openHPI/poseidon/pkg/logging"
|
||||
"github.com/sirupsen/logrus"
|
||||
@ -54,6 +55,10 @@ var (
|
||||
},
|
||||
Namespace: "default",
|
||||
DisableForcePull: false,
|
||||
Network: nomadApi.NetworkResource{
|
||||
Mode: "bridge",
|
||||
DNS: nil,
|
||||
},
|
||||
},
|
||||
AWS: AWS{
|
||||
Enabled: false,
|
||||
@ -120,6 +125,7 @@ type Nomad struct {
|
||||
TLS TLS
|
||||
Namespace string
|
||||
DisableForcePull bool
|
||||
Network nomadApi.NetworkResource
|
||||
}
|
||||
|
||||
// URL returns the URL for the configured Nomad cluster.
|
||||
|
||||
@ -8,6 +8,7 @@ import (
|
||||
"github.com/google/uuid"
|
||||
nomadApi "github.com/hashicorp/nomad/api"
|
||||
"github.com/hashicorp/nomad/jobspec2"
|
||||
"github.com/openHPI/poseidon/internal/config"
|
||||
"github.com/openHPI/poseidon/internal/nomad"
|
||||
"github.com/openHPI/poseidon/internal/runner"
|
||||
"github.com/openHPI/poseidon/pkg/dto"
|
||||
@ -170,16 +171,7 @@ func (n *NomadEnvironment) SetNetworkAccess(allow bool, exposedPorts []uint16) {
|
||||
}
|
||||
|
||||
if allow {
|
||||
var networkResource *nomadApi.NetworkResource
|
||||
if len(defaultTaskGroup.Networks) == 0 {
|
||||
networkResource = &nomadApi.NetworkResource{}
|
||||
defaultTaskGroup.Networks = []*nomadApi.NetworkResource{networkResource}
|
||||
} else {
|
||||
networkResource = defaultTaskGroup.Networks[0]
|
||||
}
|
||||
// Prefer "bridge" network over "host" to have an isolated network namespace with bridged interface
|
||||
// instead of joining the host network namespace.
|
||||
networkResource.Mode = "cni/secure-bridge"
|
||||
networkResource := config.Config.Nomad.Network
|
||||
for _, portNumber := range exposedPorts {
|
||||
port := nomadApi.Port{
|
||||
Label: strconv.FormatUint(uint64(portNumber), portNumberBase),
|
||||
@ -187,6 +179,11 @@ func (n *NomadEnvironment) SetNetworkAccess(allow bool, exposedPorts []uint16) {
|
||||
}
|
||||
networkResource.DynamicPorts = append(networkResource.DynamicPorts, port)
|
||||
}
|
||||
if len(defaultTaskGroup.Networks) == 0 {
|
||||
defaultTaskGroup.Networks = []*nomadApi.NetworkResource{&networkResource}
|
||||
} else {
|
||||
defaultTaskGroup.Networks[0] = &networkResource
|
||||
}
|
||||
|
||||
// Explicitly set mode to override existing settings when updating job from without to with network.
|
||||
// Don't use bridge as it collides with the bridge mode above. This results in Docker using 'bridge'
|
||||
@ -332,12 +329,12 @@ func (n *NomadEnvironment) SetConfigFrom(environment runner.ExecutionEnvironment
|
||||
}
|
||||
|
||||
func parseJob(jobHCL string) (*nomadApi.Job, error) {
|
||||
config := jobspec2.ParseConfig{
|
||||
jobConfig := jobspec2.ParseConfig{
|
||||
Body: []byte(jobHCL),
|
||||
AllowFS: false,
|
||||
Strict: true,
|
||||
}
|
||||
job, err := jobspec2.ParseWithConfig(&config)
|
||||
job, err := jobspec2.ParseWithConfig(&jobConfig)
|
||||
if err != nil {
|
||||
return job, fmt.Errorf("couldn't parse job HCL: %w", err)
|
||||
}
|
||||
|
||||
@ -4,6 +4,7 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
nomadApi "github.com/hashicorp/nomad/api"
|
||||
"github.com/openHPI/poseidon/internal/config"
|
||||
"github.com/openHPI/poseidon/internal/nomad"
|
||||
"github.com/openHPI/poseidon/internal/runner"
|
||||
"github.com/openHPI/poseidon/pkg/storage"
|
||||
@ -32,14 +33,14 @@ func (s *MainTestSuite) TestConfigureNetworkDoesNotCreateNewNetworkWhenNetworkEx
|
||||
defaultTaskGroup := nomad.FindAndValidateDefaultTaskGroup(job)
|
||||
environment := &NomadEnvironment{nil, "", job, nil, context.Background(), nil}
|
||||
|
||||
networkResource := &nomadApi.NetworkResource{Mode: "cni/secure-bridge"}
|
||||
defaultTaskGroup.Networks = []*nomadApi.NetworkResource{networkResource}
|
||||
networkResource := config.Config.Nomad.Network
|
||||
defaultTaskGroup.Networks = []*nomadApi.NetworkResource{&networkResource}
|
||||
|
||||
if s.Equal(1, len(defaultTaskGroup.Networks)) {
|
||||
environment.SetNetworkAccess(true, []uint16{})
|
||||
|
||||
s.Equal(1, len(defaultTaskGroup.Networks))
|
||||
s.Equal(networkResource, defaultTaskGroup.Networks[0])
|
||||
s.Equal(&networkResource, defaultTaskGroup.Networks[0])
|
||||
}
|
||||
}
|
||||
|
||||
@ -80,7 +81,7 @@ func (s *MainTestSuite) TestConfigureNetworkSetsCorrectValues() {
|
||||
s.Require().Equal(1, len(testTaskGroup.Networks))
|
||||
|
||||
networkResource := testTaskGroup.Networks[0]
|
||||
s.Equal("cni/secure-bridge", networkResource.Mode)
|
||||
s.Equal(config.Config.Nomad.Network.Mode, networkResource.Mode)
|
||||
s.Require().Equal(len(ports), len(networkResource.DynamicPorts))
|
||||
|
||||
assertExpectedPorts(s.T(), ports, networkResource)
|
||||
|
||||
Reference in New Issue
Block a user