
Add support for network zone DNS NOTIFY

Open gbilic opened this issue 1 year ago • 6 comments

Hi all, it would be cool to have resolution available as soon as possible after the creation of new instances via DNS server notification. Also, currently, AXFR requests provide the zone with a serial number equal to the current timestamp, which triggers a systematic update on the slave servers.

gbilic avatar Oct 11 '24 15:10 gbilic

We may be able to have some events trigger a notify event for affected zones, though that may be a bit tricky to figure out in some cases.

For the serial, we don't have a way to change that as Incus generates the zone on demand and so has no way to actually version it.

stgraber avatar Oct 11 '24 18:10 stgraber

Another good way would be to send dynamic DNS updates to authoritative servers.

gbilic avatar Oct 16 '24 17:10 gbilic

I've looked at the code for this a bit and I think for all static IPs we should be able to easily trigger notify events, since we just need to observe changes to the config values.

For dynamic addresses, dnsmasq has a --dhcp-script option which causes it to run the specified script (presumably it could be any executable?) whenever there are changes to the DHCP leases. Could we use that?

gwenya avatar Mar 01 '25 10:03 gwenya

For monitoring dnsmasq, I think using inotify would probably be cheaper than having commands get spawned all the time.

I think one bigger issue here is cluster handling as we'd want all servers to know when something affecting the DNS zone has changed on any of the other servers, so that may make things a fair bit more complex.

Then on top of that, I think we'd want to have some kind of limits as we definitely don't want an unprivileged user (user restricted to a single project) to be able to hammer things and cause all the Incus servers in the cluster to hammer the DNS servers with NOTIFY.

stgraber avatar Mar 01 '25 17:03 stgraber
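To make the NOTIFY side and the limiting discussed in this thread concrete, here is an added Go example. It is not Incus code and not something any participant posted; it builds an RFC 1996 NOTIFY message by hand (no third-party DNS library), accepts a reply only if it carries the request's ID, and keeps a per-zone minimum interval that remembers a suppressed change rather than dropping it. The zone name `example.test.`, the message ID and the one-minute interval are assumptions chosen for illustration; how Incus would learn about zone changes (config observation for static IPs, watching dnsmasq's lease file, cluster fan-out) is left to the caller.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Opcode 4 is NOTIFY (RFC 1996); the request sets AA and asks for the zone SOA.
const opcodeNotify, flagQR, flagAA, typeSOA, classIN = 4, 1 << 15, 1 << 10, 6, 1

func appendU16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// encodeName converts "example.test." into DNS wire-format labels.
func encodeName(name string) ([]byte, error) {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("invalid label %q in %q", label, name)
		}
		out = append(append(out, byte(len(label))), label...)
	}
	if out = append(out, 0); len(out) > 255 {
		return nil, errors.New("name exceeds 255 octets")
	}
	return out, nil
}

// BuildNotify returns a NOTIFY request: header (ID, opcode NOTIFY, AA, QDCOUNT=1)
// plus one SOA/IN question; the secondary then queries the SOA itself and
// decides whether to transfer, so no answer section is included.
func BuildNotify(id uint16, zone string) ([]byte, error) {
	qname, err := encodeName(zone)
	if err != nil {
		return nil, err
	}
	msg := appendU16(appendU16(nil, id), opcodeNotify<<11|flagAA)
	msg = appendU16(msg, 1)             // QDCOUNT
	msg = append(msg, 0, 0, 0, 0, 0, 0) // ANCOUNT, NSCOUNT, ARCOUNT
	msg = append(msg, qname...)
	return appendU16(appendU16(msg, typeSOA), classIN), nil
}

// CheckNotifyResponse accepts only a reply with our ID, QR set and opcode NOTIFY,
// so a stray or spoofed datagram is not taken as an acknowledgement. Returns RCODE.
func CheckNotifyResponse(id uint16, resp []byte) (int, error) {
	if len(resp) < 12 {
		return -1, errors.New("response shorter than a DNS header")
	}
	if binary.BigEndian.Uint16(resp[0:2]) != id {
		return -1, errors.New("response ID does not match request")
	}
	flags := binary.BigEndian.Uint16(resp[2:4])
	if flags&flagQR == 0 || (flags>>11)&0xF != opcodeNotify {
		return -1, errors.New("not a NOTIFY response")
	}
	return int(flags & 0xF), nil
}

// NotifyLimiter enforces a minimum interval per zone. A change that arrives too
// soon is kept as pending and released by Due, so a burst of instance churn
// collapses into one NOTIFY instead of either a flood or a lost update.
type NotifyLimiter struct {
	MinInterval time.Duration
	mu          sync.Mutex
	last        map[string]time.Time
	pending     map[string]bool
}

// Allow reports whether a NOTIFY for zone may be sent at time now.
func (l *NotifyLimiter) Allow(zone string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.last == nil {
		l.last, l.pending = map[string]time.Time{}, map[string]bool{}
	}
	if t, ok := l.last[zone]; ok && now.Sub(t) < l.MinInterval {
		l.pending[zone] = true
		return false
	}
	l.last[zone], l.pending[zone] = now, false
	return true
}

// Due returns zones whose pending NOTIFY may be sent at time now and marks them sent.
func (l *NotifyLimiter) Due(now time.Time) (out []string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	for zone, p := range l.pending {
		if p && now.Sub(l.last[zone]) >= l.MinInterval {
			l.last[zone], l.pending[zone] = now, false
			out = append(out, zone)
		}
	}
	return out
}

// Prints the wire bytes for an assumed zone name; a real sender would write
// them to the secondary's UDP port 53 and pass the reply to CheckNotifyResponse.
func main() { fmt.Println(BuildNotify(0x1234, "example.test.")) }
```

A caller would run `Allow` on every event that touches a zone and send a NOTIFY only when it returns true, then poll `Due` from a timer so a change suppressed during a burst still goes out once the interval has elapsed. In a cluster the interval has to be enforced once per zone, not once per server, or the limit multiplies by the number of members.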

Oh yeah, I didn't even think about clustering. I haven't looked at the code around that at all yet. Regarding the limits, I think a first implementation could just have it disabled by default and documented with an appropriate warning, and more generally enabling it per zone.

gwenya avatar Mar 02 '25 20:03 gwenya

Unrelated to clustering. Another thought: a way of doing things that would serve the same purpose would be to use dynamic DNS updates instead. (This is in fact what I do at the moment when launching a new container, via an Ansible script invoked by cloud-init.)

gbilic avatar Mar 06 '25 10:03 gbilic