/ok-to-test

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: VannTen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Thanks @VannTen
Look Good to me.
If there are more eyes to help with the review the PR, it would be better

I'm just wondering if this could cause breakage when systemd-resolved is running but /etc/resolv.conf does not point to its managed files and has other settings

If systemd-resolved is not enabled, use /etc/resolv.conf (which is fine in this case)
If systemd-resolved is enabled, check if /etc/resolv.conf is a file or a soft link.

If it is a soft link, look at /etc/resolv.conf to see which file it points to. (EDIT: I'm not sure why kube_resolv_conf needs to be set to /run/systemd/resolve/resolv.conf instead of /run/systemd/resolve/stub-resolv.conf?)

I think that should solve your situation.
WDYT?

stub-resolv.conf use systemd-resolved stub resolver in nameserver (which listen on 127.0.0.53), while resolv.conf point use the upstream dns servers specified the systemd-resolved configuration

# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 192.168.1.1
search .

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .

Pods don't have access to localhost network, so stub-resolv.conf wouldn't work.

We encountered this issue recently on Ubuntu. But initially, the cluster ran smoothly and coredns can work well to forward to local nameservers in /run/systemd/resolve/resolv.conf.

• IIUC, at first, when coredns pod started, the /run/systemd/resolve/resolv.conf had not yet been modified.
• Later, systemd-resolved service updated the /run/systemd/resolve/resolv.conf to point to the cluster DNS (coredns cluster IP)
• After that, coredns pod restarted for some reasons(like oom kill or drain) and the new CoreDNS pod(with the default DNSPolicy) is using the new /run/systemd/resolve/resolv.conf which is coredns cluster ip. Then the new pod can not handle forwarding properly. It will forward to itself and ultimately responding with REFUSED. The log shows AAAA: concurrent queries exceeded maximum 1000.
• To address this, we increased max_concurrent from default 1000 to 10000, and the error log still indicated AAAA: concurrent queries exceeded maximum 10000. Finally, we found the /run/systemd/resolve/resolv.conf is not as expected.

This will only happen if there is no external DNS in /etc/systemd/resolved.conf and there are nameservers in /etc/resolv.conf. Service systemd-resolved.service will edit /run/systemd/resolve/resolv.conf according to /etc/systemd/resolved.conf and coredns cluster ip.

[ERROR] plugin/errors: 5 console.d.run. AAAA: concurrent queries exceeded maximum 1000
[ERROR] plugin/errors: 5 console.d.run. A: concurrent queries exceeded maximum 1000

This issue is quite subtle and is likely to occur when CoreDNS restarts, posing a significant threat to many users' production environments.

HI @cyclinder
would you please help to review it ?

About with #11813 (comment). It looks like a lack of upstream dns, or changed the /etc/resolv.conf directly when systemd-resolved is running.

FYI, when /etc/resolv.conf is managed by systemd-resolved, any changes to /etc/resolv.conf will not take effect continuously.

So maybe we could add a checking to check if at least one configured nameserver is fixed when these conditions are met:

• the Kubespray option kube_resolv_conf point to /run/systemd/resolve/resolv.conf
• the systemd-resolved service is present and running

or

• the Kubespray option kube_resolv_conf set to /etc/resolv.conf
• the systemd-resolved service is present and running
• /etc/resolv.conf is a symlink to /run/systemd/resolv.conf or /run/systemd/stub-resolv.conf or /usr/lib/systemd/resolv.conf (i.e. /etc/resolv.conf is being managed by systemd-resolved).

The configured nameserver may be set by resolved.conf(5) or network interface configuration (netplan in Ubuntu), we could easily use resolvectl dns to get per-interface DNS configuration.

We ever accepted a pr #9502 which make the similar thing as I mentioned above, but that's a small range. Taking systemd-resolved into account will make Kubespray more robust.