Query: Add servername to grpc dial options for DNS stores (Fixes #1507) #2407
Conversation
pkg/query/storeset.go
Outdated
| // New store or was unactive and was removed in the past - create new one. | ||
| conn, err := grpc.DialContext(ctx, addr, s.dialOpts...) | ||
| tlsCfg, err := tls.NewClientConfig(s.logger, s.cert, s.key, s.caCert, spec.ServerName()) | ||
| if err != nil { | ||
| level.Warn(s.logger).Log("msg", "update of store node failed", "err", errors.Wrap(err, "setting TLS"), "address", addr) | ||
| return | ||
| } | ||
| dialOpts := append(s.dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg))) | ||
| conn, err := grpc.DialContext(ctx, addr, dialOpts...) |
There was a problem hiding this comment.
I believe this makes an assumption that store is listening with TLS & won't work in insecure mode. Could you please verify that?
There was a problem hiding this comment.
Yes, That would be absolutely true. I need to conditionally do this based on the combination of the secure flag and the new grpc-client-dns-server-name flag.
To avoid needing a query per remote cluster, get the name to add to the dial options from the dns provider when making the grpc connection. Signed-off-by: JP Sullivan <jonpsull@cisco.com>
The grpc-client-dns-server-name needs to propogate to the storeset so that TLS is conditionally added to the grpc dialOpts based on whether it is set. Test that the grpc-client-tls-secure flag is also set when the grpc-client-dns-server-name flag is set to make it clear that a secure store connection is required when using the latter flag. Signed-off-by: JP Sullivan <jonpsull@cisco.com>
Signed-off-by: JP Sullivan <jonpsull@cisco.com>
Signed-off-by: JP Sullivan <jonpsull@cisco.com>
|
looks legit, can we have this approved and released? |
| conn, err := grpc.DialContext(ctx, addr, s.dialOpts...) | ||
| dialOpts := s.dialOpts | ||
| // Update the dialOpts if we are asked to add dnsServerName. | ||
| if s.dnsServerName { |
There was a problem hiding this comment.
Hmm this seems a bit odd. The NewStoreSet func already accepts a slice of dialopts. I think we should expect that the dialopts has the correct WithTransportCredentials already set, no? ie correctly configure this option in cmd/Thanos/query rather than leaking configuration into this struct. Also, it looks to me like the server name is already set in the dialopts generated with extgrpc https://github.com/j3p0uk/thanos/blob/40526f52f54d4501737e5246c0e71e56dd7e0b2d/pkg/extgrpc/client.go#L56
There was a problem hiding this comment.
Also, taking out this new dial opt and server name bool from this struct would eliminate the need for extending the StoreSpec interface and adding the extra field to the grpcStoreSpec struct
There was a problem hiding this comment.
The bug, as it stands, is that the arguments provided to the query at start time do not allow for individual server names per configured store. The store set gets populated with the resolved addresses of the stores in the store spec and not the original server name, as far as I could tell. Given this, I attempted to pass minimal data through to generate the TLS portion of the dialOpts on demand at connection time by retrieving the server name from the dns provider.
There was a problem hiding this comment.
Indeed this is a bit weird because with this we not only have two places where these options are set but also this newly introduced option overrides the other one. It should probably be refactored so that query.NewGRPCStoreSpec* would hook into some function which would give it a list of opts to use. We could discuss it on #thanos-dev.
Also, I wonder if there any downsides to enabling this kind of feature by default for everyone, and then only allow overriding the server name via the option that exists already? That would probably simplify things too.
There was a problem hiding this comment.
Sure, happy to discuss further.
My thoughts are that this looks odd because a StoreSet is a set of Stores, and the code assumes that each of the stores shares a particular set of characteristics, which may not be true (and is the basis for this bug fix). The StoreSet currently holds attributes that can differ on a per-store basis. The ServerName is one such attribute.
There was a problem hiding this comment.
Yes, but I think we need to refactor this because the current approach causes the StoreSet to have duplicate WithTransportCredentials dialopts, one of which overrides the other. This makes it hard to reason about the code IMO
There was a problem hiding this comment.
Chat in slack...
Sounds like implementation of this would be something like removing dialOpts from the StoreSet, and adding it to the StoreSpec.
We should be able to generate the dialOpts at creation of the StoreSpec array in the StoreSet, so would only be once at startup.
Need to decide on what flags should exist, and how would they interact and how to handle address-specified stores and DNS SRV records.
For the SRV case, I think the correct behaviour would be to enable lookup of the A record resolved from the SRV lookup. This data is currently lost during resolution, as only the IPs are returned to the provider from resolver, and stored under the key of the original store spec.
To improve the DNS Provider lookup of address to server name, we could pass back the data to stash in the provider as a reverse lookup cache. This would allow SRV to do addr -> A lookup, and others to do addr -> host lookup, simplifying the Provider.ServerName() function.
I can drop the “--grpc-client-dns-server-name” flag and then use “dns” in the “--grpc-client-server-name” to trigger addition of server name from DNS in the dialOpts, as “dns” is likely an illegal server name anyway.
* Comment formatting * Changelog formatting * Remove nginx references Signed-off-by: JP Sullivan <jonpsull@cisco.com>
| @@ -240,7 +247,11 @@ func runQuery( | |||
| func() (specs []query.StoreSpec) { | |||
| // Add DNS resolved addresses. | |||
| for _, addr := range dnsProvider.Addresses() { | |||
| specs = append(specs, query.NewGRPCStoreSpec(addr, false)) | |||
| if dnsServerName { | |||
| specs = append(specs, query.NewGRPCStoreSpecServerName(addr, false, dnsProvider.ServerName(addr))) | |||
There was a problem hiding this comment.
| specs = append(specs, query.NewGRPCStoreSpecServerName(addr, false, dnsProvider.ServerName(addr))) | |
| specs = append(specs, query.NewGRPCStoreSpecServerName(addr, false, serverName) |
can we just use serverName provided from --grpc-client-server-name instead of relying on dns?
There was a problem hiding this comment.
Currently, the code as-is will use a provided server-name (--grpc-client-server-name). This works when using a single store from the querier. But adding multiple store options to collect data from many stores will not be able to use individual server names as the code currently stands.
The change intended here is to allow for multiple stores to each use different server names.
|
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
|
Needs updating with new design as detailed in #2407 (comment) and |
|
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
@j3p0uk Friendly ping. Are you still planning to work on this? |
I want to, but I haven't yet found the time to do so, and don't see myself getting to it in the short term :( |
|
All good. I just asked so that we can keep this open. |
|
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Closes #1507
Changes
To avoid needing a query per remote cluster, get the name to add to
the dial options from the dns provider when making the grpc connection.
Verification
Building via make docker and running a query against multiple remote query services through nginx proxies.