puppet: Read resolver from /etc/resolv.conf.

04cf68b45e make nginx responsible for downloading (and caching) files from S3. As noted in that commit, nginx implements its own non-blocking DNS resolver, since the base syscall is blocking, so requires an explicit nameserver configuration. That commit used 127.0.0.53, which is provided by systemd-resolved, as the resolver. However, that service may not always be enabled and running, and may in fact not even be installed (e.g. on Docker). Switch to parsing `/etc/resolv.conf` and using the first-provided nameserver. In many deployments, this will still be `127.0.0.53`, but for others it will provide a working DNS server which is external to the host. In the event that a server is misconfigured and has no resolvers in `/etc/resolv.conf`, it will error out: ```console Error: Evaluation Error: Error while evaluating a Function Call, No nameservers found in /etc/resolv.conf! Configure one by setting application_server.nameserver in /etc/zulip/zulip.conf (file: /home/zulip/deployments/current/puppet/zulip/manifests/app_frontend_base.pp, line: 76, column: 70) on node example.zulipdev.org ```
2023-06-08 19:30:41 +00:00 · 2023-06-08 19:30:41 +00:00 · bd217ad31b
parent 6ca5130cd8
commit bd217ad31b
6 changed files with 50 additions and 8 deletions
--- a/docs/production/deployment.md
+++ b/docs/production/deployment.md
@ -824,6 +824,14 @@ immutable, this serves only as a potential additional limit on the
 size of the contents on disk; `s3_disk_cache_size` is expected to be
 the primary control for cache sizing.
 #### `nameserver`
 When the [S3 storage backend][s3-backend] is in use, downloads from S3 are
 proxied from nginx, whose configuration requires an explicit value of a DNS
 nameserver to resolve the S3 server's hostname. Zulip defaults to using the
 resolver found in `/etc/resolv.conf`; this setting overrides any value found
 there.
 [s3-backend]: upload-backends.md
 #### `uwsgi_listen_backlog_limit`
--- a/docs/production/upload-backends.md
+++ b/docs/production/upload-backends.md
@ -85,6 +85,18 @@ You may also wish to increase the cache sizes if the S3 storage (or
 S3-compatible equivalent) is not closely located to your Zulip server,
 as cache misses will be more expensive.
 ## nginx DNS nameserver configuration
 The S3 cache described above is maintained by nginx. nginx's configuration
 requires an explicitly-set DNS nameserver to resolve the hostname of the S3
 servers; Zulip defaults this value to the first nameserver found in
 `/etc/resolv.conf`, but this resolver can be [adjusted in
 `/etc/zulip/zulip.conf`][s3-resolver] if needed. If you adjust this value, you
 will need to run `/home/zulip/deployments/current/scripts/zulip-puppet-apply` to
 update the nginx configuration for the new value.
 [s3-resolver]: deployment.md#nameserver
 ## S3 bucket policy
 The best way to do the S3 integration with Amazon is to create a new IAM user
--- a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
@ -23,13 +23,6 @@ location ~ ^/internal/s3/(?<s3_hostname>[^/]+)/(?<s3_path>.*) {
    # the first response.  Django explicitly unsets the first, and
    # does not set the latter two.
    # nginx does its own DNS resolution, which is necessary here to
    # resolve the IP of the S3 server.  Point it at the local caching
    # systemd resolved service.  The validity duration is set to match
    # S3's DNS validity.
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 10s;
    proxy_pass $download_url$is_args$args;
    proxy_cache uploads;
    # If the S3 response doesn't contain Cache-Control headers (which
--- a/puppet/zulip/lib/puppet/functions/resolver_ip.rb
+++ b/puppet/zulip/lib/puppet/functions/resolver_ip.rb
@ -0,0 +1,11 @@
 require "resolv"
 Puppet::Functions.create_function(:resolver_ip) do
  def resolver_ip()
    parsed = Resolv::DNS::Config.default_config_hash()
    if parsed[:nameserver].empty?
      raise 'No nameservers found in /etc/resolv.conf!  Configure one by setting application_server.nameserver in /etc/zulip/zulip.conf'
    end
    parsed[:nameserver][0]
  end
 end
--- a/puppet/zulip/manifests/app_frontend_base.pp
+++ b/puppet/zulip/manifests/app_frontend_base.pp
@ -73,8 +73,19 @@ class zulip::app_frontend_base {
  $s3_memory_cache_size = zulipconf('application_server', 's3_memory_cache_size', '1M')
  $s3_disk_cache_size = zulipconf('application_server', 's3_disk_cache_size', '200M')
  $s3_cache_inactive_time = zulipconf('application_server', 's3_cache_inactive_time', '30d')
  $configured_nginx_resolver = zulipconf('application_server', 'nameserver', '')
  if $configured_nginx_resolver == '' {
    # This may fail in the unlikely change that there is no configured
    # resolver in /etc/resolv.conf, so only call it is unset in zulip.conf
    $nginx_resolver_ip = resolver_ip()
  } else {
    $nginx_resolver_ip = $configured_nginx_resolver
  }
  file { '/etc/nginx/zulip-include/s3-cache':
-    require => [Package[$zulip::common::nginx], File['/srv/zulip-uploaded-files-cache']],
+    require => [
      Package[$zulip::common::nginx],
      File['/srv/zulip-uploaded-files-cache'],
    ],
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
--- a/puppet/zulip/templates/nginx/s3-cache.template.erb
+++ b/puppet/zulip/templates/nginx/s3-cache.template.erb
@ -1,3 +1,10 @@
 # nginx does its own DNS resolution, which is necessary here to
 # resolve the IP of the S3 server.  Point it at whatever is configured
 # first in /etc/resolv.conf.  The validity duration is set to match
 # S3's DNS validity.
 resolver <%= @nginx_resolver_ip %> valid=300s;
 resolver_timeout 10s;
 # This cache is only used if S3 file storage is configured.
 proxy_cache_path /srv/zulip-uploaded-files-cache
    levels=1:2