Run-time reconfiguration¶
Knot Resolver offers several ways to modify its configuration at run-time:
- Using control socket driven by an external system
- Using Lua program embeded in Resolver’s configuration file
Both ways can also be combined: For example the configuration file can containa little Lua function which gathers statistics and returns them in JSON string.This can be used by an external system which uses control socket to call thisuser-defined function and to retrieve its results.
Control sockets¶
Control socket acts like “an interactive configuration file” so all actionsavailable in configuration file can be executed interactively using the controlsocket. One possible use-case is reconfiguring Resolver instances from anotherprogram, e.g. a maintenance script.
Note
Each instance of Knot Resolver exposes its own control socket. Takethat into account when scripting deployments withMultiple instances.
When Knot Resolver is started using Systemd (see sectionStartup) it creates a control socket in path/run/knot-resolver/control/$ID. Connection to the socket canbe made from command line using e.g.netcat orsocat:
$ nc -U /run/knot-resolver/control/1or$ socat - UNIX-CONNECT:/run/knot-resolver/control/1
When successfully connected to a socket, the command line should change tosomething like>. Then you can interact with kresd to see configuration orset a new one. There are some basic commands to start with.
>help()-- shows help>net.interfaces()-- lists available interfaces>net.list()-- lists running network services
Thedirect output of commands sent over socket is captured and sent back,while also printed to the daemon standard outputs (inverbose() mode).This gives you an immediate response on the outcome of your command. Error ordebug logs aren’t captured, but you can find them in the daemon standardoutputs.
Control sockets are also a way to enumerate and test running instances, thelist of sockets corresponds to the list of processes, and you can test theprocess for liveliness by connecting to the UNIX socket.
Lua scripts¶
As it was mentioned in sectionSyntax, Resolver’s configurationfile contains program in Lua programming language. This allows you to writedynamic rules and helps you to avoid repetitive templating that is unavoidablewith static configuration. For example parts of configuration can depend onhostname() of the machine:
ifhostname()=='hidden'thennet.listen(net.eth0,5353)elsenet.listen('127.0.0.1')net.listen(net.eth1.addr[1])end
Another example would show how it is possible to bind to all interfaces, usingiteration.
forname,addr_listinpairs(net.interfaces())donet.listen(addr_list)end
Tip
Some users observed a considerable, close to 100%, performance gain inDocker containers when they bound the daemon to a single interface:ipaddress pair. One may expand the aforementioned example with browsingavailable addresses as:
addrpref=env.EXPECTED_ADDR_PREFIXfork,vinpairs(addr_list["addr"])doifstring.sub(v,1,string.len(addrpref))==addrprefthennet.listen(v)...
You can also use third-party Lua libraries (available for example throughLuaRocks) as on this example to download cache from parent,to avoid cold-cache start.
localhttp=require('socket.http')localltn12=require('ltn12')localcache_size=100*MBlocalcache_path='/var/cache/knot-resolver'cache.open(cache_size,'lmdb://'..cache_path)ifcache.count()==0thencache.close()-- download cache from parenthttp.request{url='http://parent/data.mdb',sink=ltn12.sink.file(io.open(cache_path..'/data.mdb','w'))}-- reopen cache with 100M limitcache.open(cache_size,'lmdb://'..cache_path)end
Helper functions¶
Following built-in functions are useful for scripting:
env (table)¶Retrieve environment variables.
Example:
env.USER-- equivalent to $USER in shell
fromjson(JSONstring)¶Returns: Lua representation of data in JSON string. Example:
>fromjson('{"key1": "value1", "key2": {"subkey1": 1, "subkey2": 2}}')[key1]=>value1[key2]=>{[subkey1]=>1[subkey2]=>2}
hostname([fqdn])¶Returns: Machine hostname. If called with a parameter, it will set kresd’s internalhostname. If called without a parameter, it will return kresd’sinternal hostname, or the system’s POSIX hostname (seegethostname(2)) if kresd’s internal hostname is unset.
This also affects ephemeral (self-signed) certificates generated by kresdfor DNS over TLS.
package_version()¶Returns: Current package version as string. Example:
>package_version()2.1.1
resolve(name, type[, class = kres.class.IN, options = {}, finish = nil, init = nil])¶Parameters: - name (string) – Query name (e.g. ‘com.’)
- type (number) – Query type (e.g.
kres.type.NS) - class (number) – Query class(optional) (e.g.
kres.class.IN) - options (strings) – Resolution options (see
kr_qflags) - finish (function) – Callback to be executed when resolution completes (e.g.function cb (pkt, req) end). The callback gets a packet containing the final answer and doesn’t have to return anything.
- init (function) – Callback to be executed with the
kr_requestbefore resolution starts.
Returns: boolean,
trueif resolution was startedThe function can also be executed with a table of arguments instead. This isuseful if you’d like to skip some arguments, for example:
resolve{name='example.com',type=kres.type.AAAA,init=function(req)end,}
Example:
-- Send query for root DNSKEY, ignore cacheresolve('.',kres.type.DNSKEY,kres.class.IN,'NO_CACHE')-- Query for AAAA recordresolve('example.com',kres.type.AAAA,kres.class.IN,0,function(pkt,req)-- Check answer RCODEifpkt:rcode()==kres.rcode.NOERRORthen-- Print matching recordslocalrecords=pkt:section(kres.section.ANSWER)fori=1,#recordsdolocalrr=records[i]ifrr.type==kres.type.AAAAthenprint('record:',kres.rr2str(rr))endendelseprint('rcode: ',pkt:rcode())endend)
tojson(object)¶Returns: JSON text representation ofobject. Example:
>testtable={key1="value1","key2"={subkey1=1,subkey2=2}}>tojson(testtable){"key1":"value1","key2":{"subkey1":1,"subkey2":2}}
Asynchronous events¶
Lua language used in configuration file allows you to script actions uponvarious events, for example publish statistics each minute. Following exampleuses built-in functionevent.recurrent() which calls user-suppliedanonymous function:
modules.load('stats')-- log statistics every secondlocalstat_id=event.recurrent(1*second,function(evid)log(table_print(stats.list()))end)-- stop printing statistics after first minuteevent.after(1*minute,function(evid)event.cancel(stat_id)end)
Note that each scheduled event is identified by a number valid for the durationof the event, you may use it to cancel the event at any time.
To persist state between two invocations of a fuction Lua uses concept calledclosures. In the following example functionspeed_monitor() is a closurefunction, which provides persistent variable calledprevious.
modules.load('stats')-- make a closure, encapsulating counterfunctionspeed_monitor()localprevious=stats.list()-- monitoring functionreturnfunction(evid)localnow=stats.list()localtotal_increment=now['answer.total']-previous['answer.total']localslow_increment=now['answer.slow']-previous['answer.slow']ifslow_increment/total_increment>0.05thenlog('WARNING! More than 5 %% of queries was slow!')endprevious=now-- store current value in closureendend-- monitor every minutelocalmonitor_id=event.recurrent(1*minute,speed_monitor())
Another type of actionable event is activity on a file descriptor. This allowsyou to embed other event loops or monitor open files and then fire a callbackwhen an activity is detected. This allows you to build persistent serviceslike monitoring probes that cooperate well with the daemon internal operations.Seeevent.socket().
Filesystem watchers are possible withworker.coroutine() andcqueues,see the cqueues documentation for more information. Here is an simple example:
localnotify=require('cqueues.notify')localwatcher=notify.opendir('/etc')watcher:add('hosts')-- Watch changes to /etc/hostsworker.coroutine(function()forflags,nameinwatcher:changes()doforflaginnotify.flags(flags)do-- print information about the modified fileprint(name,notify[flag])endendend)
Timers and events reference¶
The timer represents exactly the thing described in the examples - it allows you to executeclosuresafter specified time, or event recurrent events. Time is always described in milliseconds,but there are convenient variables that you can use -sec,minute,hour.For example,5*hour represents five hours, or 5*60*60*100 milliseconds.
event.after(time, function)¶Returns: event id Execute function after the specified time has passed.The first parameter of the callback is the event itself.
Example:
event.after(1*minute,function()print('Hi!')end)
event.recurrent(interval, function)¶Returns: event id Similar to
event.after(), periodically execute function afterintervalpasses.Example:
msg_count=0event.recurrent(5*sec,function(e)msg_count=msg_count+1print('Hi #'..msg_count)end)
event.reschedule(event_id, timeout)¶Reschedule a running event, it has no effect on canceled events.New events may reuse the event_id, so the behaviour is undefined if the functionis called after another event is started.
Example:
localinterval=1*minuteevent.after(1*minute,function(ev)print('Good morning!')-- Halven the interval for each iterationinterval=interval/2event.reschedule(ev,interval)end)
event.cancel(event_id)¶Cancel running event, it has no effect on already canceled events.New events may reuse the event_id, so the behaviour is undefined if the functionis called after another event is started.
Example:
e=event.after(1*minute,function()print('Hi!')end)event.cancel(e)
Watch for file descriptor activity. This allows embedding other event loops or simplyfiring events when a pipe endpoint becomes active. In another words, asynchronousnotifications for daemon.
event.socket(fd, cb)¶Parameters: - fd (number) – file descriptor to watch
- cb – closure or callback to execute when fd becomes active
Returns: event id
Execute function when there is activity on the file descriptor and calls a closurewith event id as the first parameter, status as second and number of events as third.
Example:
e=event.socket(0,function(e,status,nevents)print('activity detected')end)e.cancel(e)
Asynchronous function execution¶
Theevent package provides a very basic mean for non-blocking execution - it allows running code when activity on a file descriptor is detected, and when a certain amount of time passes. It doesn’t however provide an easy to use abstraction for non-blocking I/O. This is instead exposed through theworker package (ifcqueues Lua package is installed in the system).
worker.coroutine(function)¶Start a new coroutine with given function (closure). The function can do I/O or run timers without blocking the main thread. Seecqueues for documentation of possible operations and synchronization primitives. The main limitation is that you can’t wait for a finish of a coroutine from processing layers, because it’s not currently possible to suspend and resume execution of processing layers.
Example:
worker.coroutine(function()fori=0,10doprint('executing',i)worker.sleep(1)endend)
worker.sleep(seconds)¶Pause execution of current function (asynchronously if running inside a worker coroutine).
Example:
functionasync_print(testname,sleep)log(testname..': system time before sleep'..tostring(os.time())worker.sleep(sleep)-- other corroutines continue execution nowlog(testname..': system time AFTER sleep'..tostring(os.time())endworker.coroutine(function()async_print('call #1',5)end)worker.coroutine(function()async_print('call #2',3)end)
Output from this example demonstrates that both calls to functionasync_print were executed asynchronously:
call #2: system time before sleep 1578065073call #1: system time before sleep 1578065073call #2: system time AFTER sleep 1578065076call #1: system time AFTER sleep 1578065078
Etcd support¶
Theetcd module connects toetcd peers and watchesfor configuration changes. By default, the module watches the subtree under/knot-resolver directory, but you can change this in theetcd library configuration.
The subtree structure corresponds to the configuration variables in the declarative style.
$ etcdctlset /knot-resolvevr/net/127.0.0.153$ etcdctlset /knot-resolver/cache/size10000000
Configures all listening nodes to following configuration:
net={'127.0.0.1'}cache.size=10000000
Example configuration¶
modules.load('etcd')etcd.config({prefix='/knot-resolver',peer='http://127.0.0.1:7001'})
Warning
Work in progress!