Forward DNS service query to Consul inside container - dns

I am trying to craft some setup to be able to resolve *.service.consul type of queries by the Consul DNS service running inside the container. I followed systemd-resolved section in official documentation for systemd < 245, and added iptables rules as described. I got one service running consul.service.consul that was registered and visible in UI. After querying it either via host or via dig on ports 53/8600 I got NXDOMAIN. Am I missing something ? Any suggestions are welcome
root#a:~# host consul.service.consul
Host consul.service.consul not found: 3(NXDOMAIN)
EDIT: What I also want to avoid is adding --network=host parameter to minimize impact on current configuration and scripts
SOLVED: It took me a while, but I found the solution. The problem was Consul ACL that needs read service capability. If somebody is interested, this is what needs to be done:
cat > sread.hcl <<EOF
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
EOF
consul acl policy create -name service-read -rules #sread.hcl
consul acl token update -id anonymous -policy-name=service-read
Just check before if any policy is already attached to token id (which must exist, obviously). If so add -merge-policies to the last command. Hope that helps.

Related

dial tcp: lookup: device or resource busy

There is an intermittent issue while downloading docker images in a Linux VM. As per docker service journalctl logs I can see below error-
level=error msg="Handler for POST /images/create returned error: Get
"https://<containerregistry>": dial tcp: lookup
https://<containerregistry>: device or resource busy".
Initialy I thought it could be intermittent connectivity issue with container registry (Azure Container Registry) but that is not the case since even with retries at different time periods I got the same error.
I have checked the docker daemon.json config and don't see any issue with that. I also verified DNS servers in systemd-resolve and can see the expected IPs as required. Interestingly, another VM with same configs works fine.
I am using .Net Client for Docker Remote API (https://github.com/dotnet/Docker.DotNet) to trigger docker image updates. The client is hosted in a Linux VM which is triggered by via socket as an RPC call. It reaches the client and executes the API ImageOperation.CreateImageAsync.
Can someone help with this? Please let me know if I can add more details.
• Regarding the error that you are encountering, I would suggest you to please check the azure container registry health first by executing the below command: -
az acr check-health --name registryname --vnet virtualnetworkname
Then, check the internet upload and download speed through ‘AzureSpeed’ tool to the container registry which hosts the images layers. Also, it may be that the image size may not be supported for the registry service tier due to which it is not available.
• Ensure that both your ‘docker client’ and ‘docker daemon’ are configured for proxy behavior behind HTTPS proxy. If you have changed or updated any proxy settings, kindly ensure to restart the daemon service.
• Check the ‘Registry resource logs in the ContainerRegistryLoginEvents table’ for further diagnosis of an attempted connection. Also, check whether the registry is accessible over the internet and allow access to the public registry endpoints from all networks. If the container registry is configured for selected virtual network with a service endpoint, then disabling public network access also disables access over the service endpoint.
• If a private endpoint is configured for the container registry, confirm that the DNS resolves the registry's public FQDN such as myregistry.azurecr.io to the registry's private IP address. Use a network utility such as ‘dig’ or ‘nslookup’ for DNS lookup. Ensure that DNS records are configured for the registry FQDN and for each of the data endpoint FQDNs as per the below documentation link: -
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link#dns-configuration-options
• If a service endpoint to the registry is configured, confirm that a network rule is added to the registry that allows access from that network subnet. Also, ensure that the resource provider for Azure Container Registry is registered.
For more details regarding the further steps to take to perform regarding the error that you have encountered, kindly refer to the documentation link below: -
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-troubleshoot-access#configure-service-access

Connection Refused in-cluster but Port Forwarding works in Kubernetes

I currently have the Hashicorp Vault helm chart deployed, v0.8.0. It works as intended, I can run port-forward svc/vault 8200:8200 -n vault and log in with vault login -tls-skip-verify, the pod isn't crashing, there are no problems.
I've been verifying configs in the cluster, so I wanted to test access to Vault from another namespace in the same cluster. dig vault.vault.svc.cluster.local resolves to the proper service construct. However, when I run curl -v -k https://vault.vault.svc.cluster.local:8200/v1/sys/health, I get connection refused.
I'm running an AKS Cluster on Kubernetes v1.18 with Azure Policy defaults and the Azure CNI. What would cause this connection refused problem?
The comment #mdaniel left was what led me to solving the problem effectively. I had removed the address and cluster_address fields in the TCP listener config blocks as I forgot Vault only listens on 127.0.0.1. I put those back in and it solved the problem.

Azure devops allow IP's rules of Azure VM

I have a VM on Azure that runs SQL Server and I want to update my databases in a build pipeline of Azure devops. But the port of SQL Server is allowed to just some IP's and I don't want to expose for everyone... It is possible to update the allowed IP's in the build?
I found this link that could help to get the IP's of the hosted : https://learn.microsoft.com/pt-br/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#agent-ip-range
Microsoft update every week a json with the pipeline host IP''s but in the json are the services and the ips, but I don't know which the name of the service that I should get the IP's. I didn't find anything like "devops" or "pipeline".
Besides that, would be possible to auto update the allowed ip's in the build pipeline? I found this post: https://blog.simontimms.com/2020/01/10/2020-01-10-Allow-hosted-agents-through-firewall/ but I don't know how to edit my pipeline to do that.
Thank you
To confirm the ip adress of the Microsoft-hosted agent in Json file, you need to check the region of the Organizaiton.
You could navigate to Organization Settings -> Overview and check the region of the organization.
Then you could search the AzureCloud.<region> in Json file to get the Ipaddress Prefixes.
To run the Blog's script, you could add the Azure Powershell task in the pipeline.
By the way, you need to create a Azure Service connection before using this task.
In addition you may encounter this issue.
##[error]No MSFT_NetFirewallRule objects found with property 'DisplayName' equal to ' Remote Event Monitor'. Verify the value of
the property and retry.
The cause of this issue is that a firewall rule with this name that does not exist.
You need to use New-NetFirewallRule script to create a new firewall with the target name.
For example:
New-NetFirewallRule -DisplayName "Test" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
Then you could set the firewall rule with the Set-NetFirewallRule script.
I’m on my phone so I can’t test this, but you can probably find the Public IP of the hosted agent you are on in a task using a command like ‘ nslookup myip.opendns.com. resolver1.opendns.com’ and then add it to your NSG and then remove it when you are done.
Tested from cloud shell in the Azure app
https://imgur.com/a/lau2ZDs

Kubernetes DNS / Endpoint

So I am fairly new to Kubernetes. I am a Windows user (sorry) and have installed Minikube. I am trying to learn Kubenetes using MiniKube. I have created very simple REST API that should work with port 5000 exposed where there is a simple route /Hello/{somestring}
I have created a POD/Deployment and Service for this successfully in MiniKube like this
minikube.exe start --kubernetes-version="v1.9.0" --vm-driver="hyperv" --memory=1024 --hyperv-virtual-switch="Minikube Switch" --v=7 --alsologtostderr
kubectl run simple-sswebapi-pod-v1 --replicas=1 --labels="run=sswebapi-pod-v1" --image=sachabarber/sswebapp:v1 --port=5000
kubectl expose deployment simple-sswebapi-pod-v1 --type=NodePort --name=simple-sswebapi-service
kubectl get services simple-sswebapi-service
Which I can then grab the url from and paste into my browser like so
minikube service simple-sswebapi-service --url
Which gives me this URL
http://192.168.0.29:32246
Which I then try in the browser on my host, all is good my REST API is running as expected
But from what I have read, I believe I should be able to ALSO use a DNS name for the service rather than this url returned above.
In fact I am not sure what this IP address returned as part of the --url command is trying to tell me above. It is not one of the ones listed for the service endpoints for is it for the POD from what I can tell from the Dashboard.
This is the service
This is the POD
Shouldn't there be a DNS name available for the service that I should be able to use instead of this fairly hacky way of grabbing the url from the service I just created. Someone please let me know what this --url even represents. I am lost here
I have checked that the DNS add on is enabled in MiniKube it is, see kube-dns in list below
As I say this is also what I see for the service inside of the MiniKube Dashboard
This confused me even more as I cant seem to tie any of that back to the ONLY IP address that seems to actually work for me, which is the one I grabbed using this line from the service
.\minikube.exe service simple-sswebapi-service --url
This Ip Address is not shown in the dashboard at all.
I thought the service should be available at DNS name something like:
simple-sswebapi-service.default.svc.cluster.local
Which is the
The name of the service
The namespace
svc to tell its a service
Just for completeness this is me describing the service in command line
What am I missing?
Is my mental mode wrong. I should be able to see this service using a DNS in the host too? Or is the DNS name ONLY available inside the PODS?
kube-dns is internal DNS. You can only use the DNS name for a service from inside the cluster.
Since your service type is Nodeport, you can connect to the service using the IP of the machine (minikube) on that port.

No endpoint settings in azure console for ubuntu server

i've trouble getting proper access to my servers services.
It's an "new" ubuntu vm so that i can't access it via the old "manage" portal.
I cannot change the endpoint settings for this vm because the entry "endpoints" is missing, what can i do to fix this? Or am i supposed to use iptables / ufw? Because that's doesn't seem to be the case since i can access my server via ssh and either iptables nor ufw have entries for ssh.
Thanks in advise for helping informations.
Azure Resource Manager (ARM) is quite new addition to the Azure, so some things are only doable via Powershell at this time.
Please consider the following explanation on how to attach a Load Balancer to your Resource Group and then configure what we called "endpoints":
http://blog.itaysk.com/2015/08/03/azure-load-balancer-in-resource-manager-arm/

Resources