kube-dns: dnsmasq intermittent connection refused

[someword]

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.):

What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.):

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one):

Kubernetes version (use kubectl version):

kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.7", GitCommit:"8eb75a5810cba92ccad845ca360cf924f2385881", GitTreeState:"clean", BuildDate:"2017-04-27T10:00:30Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.7", GitCommit:"8eb75a5810cba92ccad845ca360cf924f2385881", GitTreeState:"clean", BuildDate:"2017-04-27T09:42:05Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}

Environment:

• Cloud provider or hardware configuration: AWS
• OS (e.g. from /etc/os-release): PRETTY_NAME="Container Linux by CoreOS 1339.0.0 (Ladybug)"
• Kernel (e.g. uname -a): 4.10.1-coreos
• Install tools: custom ansible
• Others: kube dns related images. gcr.io/google_containers/kubedns-amd64:1.9 and gcr.io/google_containers/kube-dnsmasq-amd64:1.4.1

What happened:
java.net.UnknownHostException: dynamodb.us-east-1.amazonaws.com

What you expected to happen:
Receive a response to the name lookup request.

How to reproduce it (as minimally and precisely as possible):
This is the kicker. We are not able to reproduce this issue on purpose. However we experience this in our production cluster 1 - 500 times a week.

Anything else we need to know:
In the past 2 months or so we had experienced a handful of events where DNS was failing for most/all of our production pods and the event would last for 5 - 10 minutes. During this time the kube-dns service was healthy with 3 - 6 available endpoints at all times. We increased our kube-dns pod count to 20 in 20 node production clusters. This level of provisioning alleviated the DNS issues that were taking down our production services. However we still experience at least weekly smaller events ranging from 1 second to 30 seconds which affect a small subset of pods. During these events 1 - 5 pods on different nodes across the cluster experience a burst of DNS failures which have a much smaller end user impact. We enabled query logging in dnsmasq as we were not sure whether the queries made it from the client pod to one of the kube-dns pods or not. What was interesting is that during the DNS events where query logging was enabled none of the name lookup requests that resulted in an exception were received by dnsmasq. At this point my colleague noticed these errors coming from dnsmasq-metrics

ERROR: logging before flag.Parse: W0517 03:19:50.139060 1 server.go:53] Error getting metrics from dnsmasq: read udp 127.0.0.1:36181->127.0.0.1:53: i/o timeout

That error as near as I can tell is basically a name resolution error from dnsmasq-metrics as it's trying to query the dnsmasq container in the same pod to get dnsmasq's internal metrics similar to running dig +short chaos txt cachesize.bind.

All of our DNS events are happening at the exact same time that 1 or more dnsmasq-metrics container is throwing those errors. We thought we might be possibly exceeding the default 150 connection limit that dnsmasq has but we do not see any logs indicating that. IF we did we would expect to see these log messages

dnsmasq: Maximum number of concurrent DNS queries reached (max: 150)

Based off of conversations with other cluster operators and users in slack I know that other users are experiencing these same problems. I'm hoping that this issue can be used to centralize our efforts and determine if dnsmasq refusing connections is the problem or a symptom of something else.

[ravilr]

cc @bowei

we are also seeing this intermittently in our clusters, specifically from java based containers. the lookups that fail are for non-cluster domains.

@someword what version of kube-dns manifest are you running with. specifically, does it have this #41212 change ? we are running a older version without that change. Just wondering if the above change helps.

[someword]

@ravilr
We are mostly seeing it from java apps but that's because they are the ones that are the best at logging what happens. It mostly seems for external names as well but 90% of our the DNS lookups done by our java apps are off cluster names. Our nodejs apps see it as well but they are not instrumented very well so we don't know the exposure.

So we have been running an internal experimental version of the manifest while trying to unravel all of this. The dnsmasq flags that we are currently running are here. I think that's what you were wanting right? The combination of the below flags AND over provisioning has helped but obviously we are still having issues.

- args:
    - --cache-size=1000
    - --no-resolv
    - --server=/cluster.local/ec2.internal/127.0.0.1#10053
    - --server=169.254.169.253
    - --server=8.8.8.8
    - --log-facility=-
    - --log-async
    - --address=/com.cluster.local/com.svc.cluster.local/com.kube-system.svc.cluster.local/OUR_DOMAIN.com.cluster.local/OUR_DOMAIN.com.svc.cluster.local/OUR_DOMAIN.com.kube-system.svc.cluster.local/com.ec2.internal/ec2.internal.kube-system.svc.cluster.local/ec2.internal.svc.cluster.local/ec2.internal.cluster.local/

[ravilr]

ok. good to know. i was just trying to see if there are any patterns.

Another thing that is related for sure in our case is, kube-proxy being up and available all the times. During kubernetes version upgrades (in place upgrade without drain) on the nodes, we've observed this happening when kube-proxy gets restarted.

reminds me of this #32749 which helps in removing dependency on some of the kube components for pod dns resolutions of non-cluster-local queries.

[cmluciano]

It's interesting that you both noted this problem was present in a Java app. Can you note if you are using a specific TTL setting w/i your library or the JVM?

[bowei]

There is a limit on dnsmasq for # of concurrent forwarded queries, -0, --dns-forward-max=<queries>, I'm wondering if you may be hitting this limit (and we should increase it)

[someword]

@bowei - We pondered about that as well. We do not have any log messages from dnsmasq like this
dnsmasq: Maximum number of concurrent DNS queries reached (max: 150)

We tested on a kube-dns pod and set the max to a very low number and verified that log messages would get written when we hit the max. We have been tempted to set it to 300 as a test but from what i've seen dnsmasq will log if this is the reason.

[someword]

@cmluciano - We do not pass any of these flags to the jvm networkaddress.cache.ttl or networkaddress.cache.negative.ttl. I am going to investigate what networkaddress.cache.ttl is set to and see if maybe the java based apps are not doing any caching. However the issue we are seeing where dnsmasq-metrics in the same pod as dnsmasq is getting connection refused when trying to do a dns lookup against dnsmasq makes me think the issue is in the kube-dns pod itself. Whether that is dnsmasq just being locked up or possibly some resource shortfall (ephemeral ports, file descriptors, etc) that is causing the attempted UDP connection from dnsmasq-metrics to the dnsmasq container to fail at some layer lower than dnsmasq.

[someword]

@cmluciano we use the openjdk and the default for networkaddress.cache.ttl is 30 seconds according to https://github.com/openjdk-mirror/jdk7u-jdk/blob/master/src/share/classes/sun/net/InetAddressCachePolicy.java#L48. I verified by capturing traffic from a java app that is just doing a dns lookup in a loop for kinesis.us-east-1.amazonaws.com. I see requests hit the wire about every 30 seconds even though the loops are at 10 second intervals. Increasing this to 60 seconds may lighten the load on the name servers but dnsmasq is still refusing queries occasionally.

[bowei]

@someword do you know what is the dns QPS hitting dnsmasq? (this can be obtained from measuring the delta hits/misses # from the dns pod http://127.0.0.01/metrics)

[someword]

@bowei When I look at the available metrics I don't see a cache hit metric. I have a cachemiss counter
skydns_skydns_dns_cachemiss_count_total{cache="response"} 4.565907e+06

And request totals
skydns_skydns_dns_request_count_total{system="recursive"} 98618
skydns_skydns_dns_request_count_total{system="reverse"} 40638

What's strange is that for this particular pod i have 4 million cache misses but only 98618 requests? I would assume that cache miss has to be a smaller number than total requests. So we are just in the process in getting these metrics into datadog for visualization across our cluster. Something doesn't seem to be accurate. In this screenshot we are looking at all of our kube-dns pods in a specific production cluster. The request counter is converted to a QPS datapoint for each pod. This is showing on average 1/2 to 1 qps which seems low.

This screen shot shows the cache miss broken down by second (MPS?). We are averaging 1.3K MPS but only 13 QPS.

The query count seems low and the miss seems very high. Does the above make any sense or am I missing something. I'll capture some traffic and see what sort of DNS query rate I see.

[someword]

I looked at a 30 second snapshot of traffic going to a single dnsmasq container and my numbers don't line up with the dnsmasq-metrics QPS.

sysdig -w output.scap -M 30
sysdig -r output.scap "proc.name=dnsmasq and fd.sport=53 and evt.type=recvmsg and evt.dir=>" |wc -l
5120

I did this a few times on a couple nodes but the count was in the high 4K and low 5K each time so the above seems like a decent representation. Also we are at a low time in our usage so I would expect those numbers to be even 20% higher during higher load time.

[bowei]

The dnsmasq metrics are available in dnsmasq_cache_hits, dnsmasq_cache_misses from the prometheus metrics.

Given ~4k - 5k QPS at dnsmasq and given the CPU request that dnsmasq has, you may need another replica to handle the load. Or I would try increasing the CPU request for dnsmasq.

[someword]

@bowei - i was hitting port 10055 (skydns) for metrics and it looks like i want the different metrics on port 10054 for dnsmasq. Doh!

core@ip-10-40-6-21 ~ $ curl -s 172.20.102.3:10054/metrics |grep -E '(misses|hits)' |grep -v ^#
dnsmasq_cache_hits 8.012014e+06
dnsmasq_cache_misses 5.355583e+06

So for cache hits 7,992,626 to miss is 0.000005342244 which seems like a pretty healthy caching name server.

We do have 16 kube-dns replicas and have tried running with 30 but still experience dnsmasq refusing connections. When I look at cpu stats for dnsmasq I don't see anything that makes me think it's underpowered. With a 100m cpu limit we have 0 docker.cpu.throttled with a max of 20m for kubernetes.cpu.usage.total.