OpenStack Designate-Bind Charm

Bind cache is not updated when an unit change IP

Bug #1850182 reported by Giuseppe Petralia
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Designate-Bind Charm
Expired
Medium
Unassigned

Bug Description

Description
===========
After removing and adding a designate bind, this changed IP.
In the other two units in /var/cache/bind/
we could still find reference to the old unit.

Expected behaviour
===========
Cache is flushed and the configuration is reloaded when a new unit is added

Workaround
===========
We manually run:

rndc flush + reconfig + reload

Tags: scaleback
Alex Kavanagh (ajkavanagh)
Changed in charm-designate-bind:
status: New → Triaged
importance: Undecided → Medium
Alex Kavanagh (ajkavanagh)
tags: added: scaleback
Revision history for this message
Drew Freiberger (afreiberger) wrote :

I've reproduced this with the following:

Deployed the bundle from charm-designate-bind/src/tests/bundles/focal-ussuri.yaml
Created zone with:
openstack zone create --debug --email <email address hidden> mysite.com.
Added A record in the zone:
openstack recordset create --type A --record 10.5.0.1 mysite.com. gw.mysite.com.
Looked up the record in designate-bind:
dig gw.mysite.com @10.5.0.7
    gw.mysite.com. 3600 IN A 10.5.0.1
Add a new unit with:
juju add-unit designate-bind
looked up the record on the new server after the model settles:
dig gw.mysite.com @10.5.0.12
    ;; WARNING: recursion requested but not available

When I look at the new unit, the slave.zone file has been created but is blank due to rndc RBAC failures.

I'm pulling a juju-crashdump now to attach to the bug.

Revision history for this message
Drew Freiberger (afreiberger) wrote :
Drew Freiberger (afreiberger)
Changed in charm-designate-bind:
assignee: nobody → Drew Freiberger (afreiberger)
Drew Freiberger (afreiberger)
tags: added: scaleout
Revision history for this message
Drew Freiberger (afreiberger) wrote :

My reproducer ran into issues on focal related to bug 1881532 which has a fix in-flight from Liam. I'll work to reproduce on bionic.

https://review.opendev.org/#/c/733600/

Revision history for this message
Drew Freiberger (afreiberger) wrote :

I am not able to reproduce my focal dns resolution on scaled-out units issue on bionic.

For clarity, the issue noted in bug is not a functional issue, but rather a lingering security issue that leaves old members of the bind cluster in the rndc allowed transfer cache. Worthy of cleanup, but not causing lack of DNS resolution or designate functionality.

Drew Freiberger (afreiberger)
tags: removed: scaleout
Revision history for this message
Drew Freiberger (afreiberger) wrote :

When trying to re-create this, I cannot find any references in /var/cache/bind directory on any nodes to the removed unit. Was this specifically in reference to stale recordsets such as "ns1.admin.cloud-dns-name.com" within the zone files on non-new units?

@peppepetra86: Can you describe the entire workflow of both juju and openstack zone/recordset commands around the issue you've identified?

I'm wondering if your remaining units were non-leaders and thus "slaves" for purposes of requesting sync, and thus were subject to the refresh TTL on the zone files rather than the charm auto-refreshing all units' zone caches.

Changed in charm-designate-bind:
status: Triaged → Incomplete
Drew Freiberger (afreiberger)
Changed in charm-designate-bind:
assignee: Drew Freiberger (afreiberger) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Designate-Bind Charm because there has been no activity for 60 days.]

Changed in charm-designate-bind:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.