Telepresence change in 2.13.0 GPO setGlobalSearchList fallback handling #3152

Closed
peter-galcik opened this issue Apr 27, 2023 · 2 comments · Fixed by #3154

@peter-galcik

Describe the bug
We are using Telepresence on Windows with group policies enforced on our Windows machines. We also have admin accounts, and the daemon is leveraged to run in an elevated prompt. We are facing an issue in the new release of Telepresence, 2.13.0, where handling of Windows GlobalSearchList injection for DNS resolution to the cluster namespace is added.
After starting the daemon, we are getting errors like this when the SearchLists are updated.

```
2023-04-26 08:03:02.2857 error   daemon/session/dns : goroutine "/daemon/session/dns" exited with error: failed to set DNS: Set-DnsClientGlobalSetting : Access to a CIM resource was not available to the client.
At line:1 char:1
+ Set-DnsClientGlobalSetting -SuffixSearchList @("xxx.net","xyz ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (MSFT_DNSClientG...nstanceID = ""):ROOT/StandardCi...ntGlobalSetting)  
   [Set-DnsClientGlobalSetting], CimException
    + FullyQualifiedErrorId : MI RESULT 2,Set-DnsClientGlobalSetting: exit status 1
```

This seems to be caused by the enforced GPO policy (please see: https://serverfault.com/questions/988876/set-dnsclientglobalsetting-throwing-access-to-a-cim-resource-was-not-availabl).

Before version 2.13.0, we were bypassing it by manually altering the respective entry in the registry hive: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList

It seems that setting it via the PowerShell command respects the enforced group policy...

```
cmd := proc.CommandContext(ctx, "powershell.exe", "-NoProfile", "-NonInteractive", "Set-DnsClientGlobalSetting", "-SuffixSearchList", psList(gss))
```

I want to ask whether this couldn't be updated, as a fallback option, via a direct update/write in the registry.
For example, retrieval is done via registry.OpenKey, but setting is done via PowerShell.

Also, if the update of the SearchList is not done, the outcome shall not block the daemon from routing DNS requests to the Kubernetes DNS resolver if we adapt the entries by hand (which seems not to be working right now).

To Reproduce
Group policy with enforced SearchList from Organizational Unit or Site.
Connect with telepresence and intercept service.

Expected behavior
Try all possible options to update Windows DNSClient Searchlist

Versions (please complete the following information):
Host on 2.13.0
Cluster side 2.12.0

** Commit involved **
@thallgren
Use powershell Resolve-DnsName -Name to verify DNS on Windows.
Thomas Hallgren 3. 4. 2023 11:47
CommitID: ddd86cf

@thallgren thallgren self-assigned this Apr 28, 2023
@thallgren
Member

> I want to ask whether this couldn't be updated, as a fallback option, via a direct update/write in the registry.
> For example, retrieval is done via registry.OpenKey, but setting is done via PowerShell.
>
> Also, if the update of the SearchList is not done, the outcome shall not block the daemon from routing DNS requests to the Kubernetes DNS resolver if we adapt the entries by hand (which seems not to be working right now).

Seems reasonable. I'll look into this. I don't have access to a Windows box with enforced group policies though, so I'd appreciate if you can test the fix.

@peter-galcik
Author

peter-galcik commented Apr 28, 2023

Very gladly. Just ping me if a test needs to be conducted. I would have tried to make the change and open a merge request, but I am not feeling confident enough in the Go language to make changes on my own. Thank you very much in advance.
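
The fallback discussed in this thread, as an added example (not Telepresence's code and not the change in #3154): try the PowerShell cmdlet first, then write the policy registry value, and hand back the collected errors instead of aborting. `setSearchList`, `viaPowerShell`, `viaPolicyKey`, the use of `reg.exe`, the comma-separated value format and the suffix validation are assumptions of this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"slices"
	"strings"
)

// Policy key named in the issue; its SearchList value is assumed comma-separated.
const policyKey = `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient`

// Plain DNS names only, so no suffix can break out of the quoted PowerShell array.
var dnsName = regexp.MustCompile(`^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$`)

// viaPowerShell runs the command quoted in the issue, building the array inline.
func viaPowerShell(ctx context.Context, s []string) error {
	return exec.CommandContext(ctx, "powershell.exe", "-NoProfile", "-NonInteractive",
		"Set-DnsClientGlobalSetting", "-SuffixSearchList", `@("`+strings.Join(s, `","`)+`")`).Run()
}

// viaPolicyKey is the requested fallback, done here with reg.exe (an assumption).
func viaPolicyKey(ctx context.Context, s []string) error {
	return exec.CommandContext(ctx, "reg.exe", "add", policyKey, "/v", "SearchList",
		"/t", "REG_SZ", "/d", strings.Join(s, ","), "/f").Run()
}

// setSearchList returns the index of the first setter that succeeds, or -1 and all errors.
func setSearchList(ctx context.Context, suffixes []string, setters ...func(context.Context, []string) error) (int, error) {
	bad := func(s string) bool { return !dnsName.MatchString(s) }
	if len(suffixes) == 0 || slices.ContainsFunc(suffixes, bad) {
		return -1, fmt.Errorf("invalid DNS search list %q", suffixes)
	}
	var errs []error // collected so the caller can log them and keep serving DNS
	for i, set := range setters {
		err := set(ctx, suffixes)
		if err == nil {
			return i, nil
		}
		errs = append(errs, fmt.Errorf("setter %d: %w", i, err))
	}
	return -1, errors.Join(errs...)
}

func main() { fmt.Println(setSearchList(context.Background(), os.Args[1:], viaPowerShell, viaPolicyKey)) }
```

Run from an elevated prompt on Windows with the suffixes as arguments, it prints the index of the setter that succeeded (0 for the cmdlet, 1 for the registry write) or -1 with every error.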
