Support for DNS names in egress routes

Introduced dns-proxy egress router mode that allows specifying DNS name for EGRESS_DESTINATION.
Currently, dns-proxy egress mode implementation is based on HAProxy.
HAProxy 1.6+ version is used to leverage DNS resolution at runtime.

Author: Ravi Sankar Penta

hack/build-images.sh

@@ -54,6 +54,7 @@ os::build::image "${tag_prefix}-keepalived-ipfailover" images/ipfailover/keepali
 os::build::image "${tag_prefix}-docker-registry"       images/dockerregistry
 os::build::image "${tag_prefix}-egress-router"         images/egress/router
 os::build::image "${tag_prefix}-egress-http-proxy"     images/egress/http-proxy
+os::build::image "${tag_prefix}-egress-dns-proxy"      images/egress/dns-proxy
 os::build::image "${tag_prefix}-federation"            images/federation
 # images that depend on "${tag_prefix}
 os::build::image "${tag_prefix}-gitserver"             examples/gitserver
@@ -67,4 +68,4 @@ os::build::image "openshift/node"                      images/node
 os::build::image "openshift/openvswitch"               images/openvswitch
 
 # extra images (not part of infrastructure)
-os::build::image "openshift/hello-openshift"           examples/hello-openshift
+os::build::image "openshift/hello-openshift"           examples/hello-openshift

images/egress/dns-proxy/.cccp.yml

@@ -0,0 +1 @@
+job-id: origin-egress-dns-proxy

images/egress/dns-proxy/Dockerfile

@@ -0,0 +1,28 @@
+#
+# This is the egress router L4 DNS proxy for OpenShift Origin
+#
+# The standard name for this image is openshift/origin-egress-dns-proxy
+
+FROM openshift/origin-base
+
+# HAProxy 1.6+ version is needed to leverage DNS resolution at runtime.
+RUN INSTALL_PKGS="rsyslog gcc make openssl-devel pcre-devel tar wget socat" && \
+    yum install -y $INSTALL_PKGS && \
+    rpm -V $INSTALL_PKGS && \
+    wget http://www.haproxy.org/download/1.7/src/haproxy-1.7.5.tar.gz && \
+    tar xvzf haproxy-1.7.5.tar.gz && \
+    groupadd haproxy && \
+    useradd -g haproxy haproxy && \
+    cd haproxy-* && make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 && make install && \
+    cd .. && rm -rf haproxy-* && \
+    setcap 'cap_net_bind_service=ep' /usr/local/sbin/haproxy && \
+    mkdir -p /var/lib/haproxy && \
+    mkdir -p /etc/haproxy && \
+    touch /etc/haproxy/haproxy.cfg && \
+    yum -y remove gcc && \
+    yum clean all
+
+ADD egress-dns-proxy.sh /bin/egress-dns-proxy.sh
+
+ENTRYPOINT /bin/egress-dns-proxy.sh
+

images/egress/dns-proxy/egress-dns-proxy.sh

@@ -0,0 +1,183 @@
+#!/bin/bash
+
+# OpenShift egress DNS proxy setup script
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Default DNS nameserver port
+NS_PORT=53
+CONF=/etc/haproxy/haproxy.cfg
+
+BLANK_LINE_OR_COMMENT_REGEX="([[:space:]]*$|#.*)"
+IPADDR_REGEX="[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+"
+PORT_REGEX="[[:digit:]]+"
+DOMAINNAME_REGEX="[[:alnum:]][[:alnum:]-]+?\.[[:alnum:].-]+"
+
+function die() {
+    echo "$*" 1>&2
+    exit 1
+}
+
+function check_prereqs() {
+    if [[ -z "${EGRESS_SOURCE}" ]]; then
+        die "Must specify EGRESS_SOURCE"
+    fi
+    if ! [[ "${EGRESS_SOURCE}" =~ ^${IPADDR_REGEX} ]]; then
+        die "EGRESS_SOURCE must be IPv4 address"
+    fi
+
+    if [[ -z "${EGRESS_DESTINATION}" ]]; then
+        die "Must specify EGRESS_DESTINATION"
+    fi
+}
+
+function validate_port() {
+    local port=$1
+    if [[ "${port}" -lt "1" || "${port}" -gt "65535" ]]; then
+        die "Invalid port: ${port}, must be in the range 1 to 65535"
+    fi
+}
+
+function generate_haproxy_defaults() {
+    echo "
+global
+    log         127.0.0.1 local2
+
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+
+defaults
+    log                     global
+    mode                    tcp
+    option                  dontlognull
+    option                  tcplog
+    option                  redispatch
+    retries                 3
+    timeout http-request    100s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 100s
+    timeout check           10s
+"
+}
+
+function generate_dns_resolvers() {
+    echo "resolvers dns-resolver"
+    # Fetch nameservers from /etc/resolv.conf
+    declare -a nameservers=$(cat /etc/resolv.conf |grep nameserver|awk -F" " '{print $2}')
+    n=0
+    for ns in ${nameservers[@]}; do
+        n=$(($n + 1))
+        echo "    nameserver ns$n ${ns}:${NS_PORT}"
+    done
+
+    # Add google DNS servers as fallback
+    echo "    nameserver nsfallback1 8.8.8.8:${NS_PORT}"
+    echo "    nameserver nsfallback2 8.8.4.4:${NS_PORT}"
+
+    # Set default optional params
+    echo "    resolve_retries      3"
+    echo "    timeout retry        1s"
+    echo "    hold valid           10s"
+    echo ""
+}
+
+function generate_haproxy_frontends_backends() {
+    local n=0
+    declare -A used_ports=()
+
+    while read dest; do
+        local port target targetport resolvers 
+
+        if [[ "${dest}" =~ ^${BLANK_LINE_OR_COMMENT_REGEX}$ ]]; then
+            continue
+        fi
+        n=$(($n + 1))
+        resolvers=""
+
+        if [[ "${dest}" =~ ^${PORT_REGEX}\ +${IPADDR_REGEX}$ ]]; then
+            read port target <<< "${dest}"
+            targetport="${port}"
+        elif [[ "${dest}" =~ ^${PORT_REGEX}\ +${IPADDR_REGEX}\ +${PORT_REGEX}$ ]]; then
+            read port target targetport <<< "${dest}"
+        elif [[ "${dest}" =~ ^${PORT_REGEX}\ +${DOMAINNAME_REGEX}$ ]]; then
+            read port target <<< "${dest}"
+            targetport="${port}"
+            resolvers="resolvers dns-resolver"
+        elif [[ "${dest}" =~ ^${PORT_REGEX}\ +${DOMAINNAME_REGEX}\ +${PORT_REGEX}$ ]]; then
+            read port target targetport <<< "${dest}"
+            resolvers="resolvers dns-resolver"
+        else
+            die "Bad destination '${dest}'"
+        fi
+
+        validate_port ${port}
+        validate_port ${targetport}
+
+        if [[ "${used_ports[${port}]:-x}" == "x" ]]; then
+            used_ports[${port}]=1
+        else
+            die "Proxy port $port already used, must be unique for each destination"
+        fi
+
+        echo "
+frontend fe$n
+    bind ${EGRESS_SOURCE}:${port}
+    default_backend be$n
+
+backend be$n
+    server dest$n ${target}:${targetport} check $resolvers
+"
+    done <<< "${EGRESS_DESTINATION}"
+}
+
+function setup_haproxy_config() {
+    generate_haproxy_defaults
+    generate_dns_resolvers
+    generate_haproxy_frontends_backends
+}
+
+function setup_haproxy_syslog() {
+    cat >> /etc/rsyslog.conf <<EOF
+module(load="imudp")
+input(type="imudp" port="514")
+EOF
+
+    echo "local2.*  /var/log/haproxy.log" >> /etc/rsyslog.d/haproxy.conf
+
+    /usr/sbin/rsyslogd
+    touch /var/log/haproxy.log
+    tail -f /var/log/haproxy.log &
+}
+
+function run() {
+
+    check_prereqs
+
+    rm -f ${CONF}
+    setup_haproxy_config > ${CONF}
+
+    setup_haproxy_syslog
+
+    echo "Running haproxy with config:"
+    sed -e 's/^/  /' ${CONF}
+    echo ""
+    echo ""
+
+    exec haproxy -f ${CONF}
+ }
+
+if [[ "${EGRESS_DNS_PROXY_MODE:-}" == "unit-test" ]]; then
+    check_prereqs
+    setup_haproxy_config
+    exit 0
+fi
+
+run

images/egress/router/egress-router.sh

@@ -131,6 +131,26 @@ function wait_until_killed() {
     wait
 }
 
+function gen_dnsproxy_iptables_rules() {
+    pod_ip=$(ip addr show dev eth0 | grep -Po 'inet \K[\d.]+')
+    if [[ -z "${pod_ip}" ]]; then
+        die "Failed to fetch Pod IP"
+    fi
+      
+    echo -A PREROUTING -p tcp -d "${pod_ip}" -j DNAT --to-destination "${EGRESS_SOURCE}"
+}
+
+function setup_dnsproxy_iptables() {
+    gen_dnsproxy_iptables_rules
+
+    iptables -t nat -F
+    ( echo "*nat";
+      echo ":PREROUTING ACCEPT [0:0]";
+      echo ":POSTROUTING ACCEPT [0:0]";
+      gen_dnsproxy_iptables_rules;
+      echo "COMMIT" ) | iptables-restore --noflush --table nat
+}
+
 case "${EGRESS_ROUTER_MODE:=legacy}" in
     init)
         setup_network
@@ -147,6 +167,11 @@ case "${EGRESS_ROUTER_MODE:=legacy}" in
         setup_network
         ;;
 
+    dns-proxy)
+	    setup_network
+    	setup_dnsproxy_iptables
+	    ;;
+
     unit-test)
         gen_iptables_rules
         ;;