Thanks to visit codestin.com
Credit goes to github.com

Skip to content
This repository was archived by the owner on Jul 9, 2025. It is now read-only.

Rework dns server and transparent endpoint injection #941

Merged
merged 12 commits into from
Nov 30, 2023
Merged

Rework dns server and transparent endpoint injection #941

merged 12 commits into from
Nov 30, 2023

Conversation

joe4dev
Copy link
Member

@joe4dev joe4dev commented Nov 28, 2023
edited
Loading

Motivation

The current DNS server page is badly outdated, misleading, and incomplete. With the increasing importance of DNS-based resolution in LocalStack networking, the DNS server page needs to be reworked.

Changes

  • Document missing config DISABLE_TRANSPARENT_ENDPOINT_INJECTION
  • Restructure the DNS server page
    • Add more subheaders
    • Adjust order by de-emphasizing the system configuration because that is more of a special case. Information that is relevant for LocalStack container users is more important and should come first.
  • Refine and extend the general introduction to this page
  • Re-write system DNS config section with a general start and OS-specific subsections. macOS is done and tested.
  • Generally clarify writing and warnings
  • UPDATE: Move the DNS server page to a top-level tool and describe transparent endpoint injection more self-contained
  • Ignore problematic URLs in link checker:
    • CloudFlare using bot detection returning 403 forbidden
    • GithHub boto3 link with line reference frequently flakes. Unfortunately, retries only happen on 429 (too many requests) according to the link checker tool.
  • UPDATE: Consistently use "Transparent Endpoint Injection" instead of transparent execution mode

Preview

Discussion

  • The explanations around "transparent execution mode" / "transparent endpoint injection" could be improved. We used to have multiple implementations (legacy SDK replacement + DNS-based) and with the introduction of AWS_ENDPOINT_URL, this could be considered another implementation because it does transparently inject the endpoint. However, the configuration DISABLE_TRANSPARENT_ENDPOINT_INJECTION could be confusing if we do not clarify that this specific implementation refers to the DNS-based implementation.
  • It is not 100% clear where transparent endpoint injection is explained. The page Transparent Endpoint Injection (preview) gives a short 1-sentence intro and then refers to the DNS server page for more details. Not yet ideal (but much better than before ;).
  • The default for DNS_SERVER mentioned to be 8.8.8.8 can be confusing because, in the current implementation, the upstream DNS will be used as default (i.e., typically the system DNS). That is also the reason why we need to explicitly set an external DNS server when configuring LocalStack as system DNS because otherwise, we would create an infinite loop ;)

TODO

  • Clarify default DNS server behavior
  • Fix CloudFlare link yielding 403 (probably checking user agent).
    • CloudFlare doesn't like link checkers an blocks them using some advanced fingerprinting (user-agent worked on my machine). Ignoring the URL for now.

Follow Up

@joe4dev joe4dev requested review from simonrw and dfangl November 28, 2023 09:05
@joe4dev joe4dev self-assigned this Nov 28, 2023
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 28, 2023
edited
Loading

🎊 PR Preview has been successfully built and deployed to https://localstack-docs-preview-pr-941.surge.sh 🎊

@simonrw
Copy link
Contributor

simonrw commented Nov 29, 2023
edited
Loading

The DNS server page is still under the "transparent endpoint injection" section, is this a conscious decision? I think it would be better either at the top level in the user guide, or at least elevated to the "LocalStack tools" section, though it's not an external tool like the section naming suggests.

@joe4dev
Copy link
Member Author

joe4dev commented Nov 29, 2023

The DNS server page is still under the "transparent endpoint injection" section, is this a conscious decision? I think it would be better either at the top level in the user guide, or at least elevated to the "LocalStack tools" section, though it's not an external tool like the section naming suggests.

@HarshCasper suggested the same in #866 and that makes sense if it would remain the only subsection

I foresee that we are going to have 3 scenarios on how to connect to LocalStack:

  1. [Community] Manual endpoint configuration: Specify the endpoint_url using AWS_ENDPOINT_URL for AWS clients that do not yet support it natively (all default Lambda runtimes ATM: https://docs.aws.amazon.com/sdkref/latest/guide/feature-ss-endpoints.html). This is not really a tool but rather something we should document for each (major) runtime (currently missing). Maybe in the Lambda docs?
  2. [Community] Auto AWS_ENDPOINT_URL detection: Newer SDKs automatically detect AWS_ENDPOINT_URL and no code changes are necessary. This is likely going to be the default option in the future. This is also not really a tool and does not fit here nicely.
  3. [Pro] LocalStack Transparent Endpoint injection: The current way of DNS-based seamless connectivity to LocalStack for Pro users is enabled by default in Lambda (i.e., opt-out). This is a LocalStack tool and fits here.

Given that only the LS transparent endpoint injection is a real (internal) "tool", it might best to only cover that one here (including DISABLE_TRANSPARENT_ENDPOINT_INJECTION) and move the "DNS server" somewhere else.

I think it would be better either at the top level in the user guide, or at least elevated to the "LocalStack tools" section, though it's not an external tool like the section naming suggests.

Transparent endpoint injection and Lambda are also not really "external" tools (I think the term is used broadly for extra features beyond AWS emulation). I agree/suggest moving the "DNS server" to the top-level Tools section for now. What do you think?

simonrw
simonrw suggested changes Nov 29, 2023
View reviewed changes
Copy link
Contributor

@simonrw simonrw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a huge improvement thanks, and most of my comments are suggestions I'll let you decide how to proceed, but the DNS_LOCAL_NAME_PATTERNS section needs updating.

content/en/user-guide/tools/transparent-endpoint-injection/dns-server.md Outdated
{{< alert title="Warning" color="warning">}}
Use this configuration with caution because we generally do not recommend connecting to real AWS from within LocalStack.
{{< /alert >}}


## Self-signed certificates
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this step could remain with the TEI docs, since it is not specific to the DNS server but rather TEI.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this option does indeed refer to DNS_LOCAL_NAME_PATTERNS because skipping LocalStack resolution enables connecting to real AWS 🤔 (at least in it's original use)

I agree that it also fits for disabling transparent endpoint injection.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But that is disabling transparent endpoint injection, right?!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, disabling transparent endpoint injection deserves a bigger warning than partially disabling it through ...

Maybe the thought was that people use alternative ways (custom DNS or manual endpoint injection) if they disable it completely.

👉 I added to both places for now because the effect is ultimately the same

@joe4dev joe4dev requested a review from giograno as a code owner November 29, 2023 16:24
joe4dev
joe4dev commented Nov 29, 2023
View reviewed changes
content/en/user-guide/tools/transparent-endpoint-injection/_index.md
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
```

If you are using the Java AWS SDK v2 in Lambda, you can opt in to automatically disable SSL validation using the configuration `LAMBDA_DISABLE_JAVA_SDK_V2_CERTIFICATE_VALIDATION=1`.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dfangl @dominikschubert sadly, we missed making this breaking change upon v3 announced at the 2.3.0 release:

Transparent endpoint injection for Lambdas running AWS Java SDK v2 is now available with the feature flag LAMBDA_DISABLE_JAVA_SDK_V2_CERTIFICATE_VALIDATION=1 . This will be default behaviour by 3.0.
https://discuss.localstack.cloud/t/localstack-release-v2-3-0/533#other-changes-and-enhancements-14

Should we add it to the Lambda configurations (so we won't miss it at v4)?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

general config discussion: do we strive to have all defaults 0 for configurations?

If we ever change the default for a single config, it gets inconsistent. Hence avoiding double negations might be clearer in most cases 💭

simonrw
simonrw approved these changes Nov 30, 2023
View reviewed changes
Copy link
Contributor

@simonrw simonrw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great stuff, thanks for making this sooo much clearer!

content/en/user-guide/tools/transparent-endpoint-injection/dns-server.md Outdated
{{< alert title="Warning" color="warning">}}
Use this configuration with caution because we generally do not recommend connecting to real AWS from within LocalStack.
{{< /alert >}}


## Self-signed certificates
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But that is disabling transparent endpoint injection, right?!

@joe4dev joe4dev changed the title Rework dns server Rework dns server and transparent endpoint injection Nov 30, 2023
@joe4dev joe4dev merged commit 2b08cdc into main Nov 30, 2023
@joe4dev joe4dev deleted the rework-dns-server branch November 30, 2023 16:43
@joe4dev joe4dev mentioned this pull request Nov 30, 2023
Merged
@simonrw simonrw mentioned this pull request Nov 30, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@simonrw simonrw simonrw approved these changes

@dfangl dfangl Awaiting requested review from dfangl dfangl is a code owner

@giograno giograno Awaiting requested review from giograno giograno is a code owner

Assignees

@joe4dev joe4dev

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@joe4dev @simonrw