Closed rocketraman closed 8 years ago
thanks for the tip, an excellent suggestion!
For the record, failed resolutions will not get cached (for too long):

```properties
# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
networkaddress.cache.negative.ttl=10
```

and the default at the moment is the following:

```properties
#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
```
Yup! BTW, as a workaround until this is fixed, I have in my Dockerfile:

```dockerfile
RUN echo "networkaddress.cache.ttl=5" >> /opt/jdk/jre/lib/security/java.security
```
Thanks!
I'm going to set it to 30, as the default with no security manager.. any objections?
done
> I'm going to set it to 30, as the default with no security manager.. any objections?

30 seems a little long -- I'd recommend 5, or 10 at max. In the case of a service IP change, a 30s delay for switchover is a long time.
Maybe you can parameterize this via an env variable?
`RUN echo "networkaddress.cache.ttl=5" >> /opt/jdk/jre/lib/security/java.security` Will it cause any adverse issue, like slowing the response from the cluster?
@titechnologies DNS lookups happen more often: if your program is active, generally every 5s. This implies a slightly higher latency for requests approximately every 5s, slightly higher network traffic, and greater load on your DNS server. The tradeoff is that service DNS changes (for example, if a service pod is recycled in Kubernetes) are picked up by your java program within 5s instead of 30s or more.
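An added example (not from this thread or the image's own Dockerfile) of applying the TTL the way the env-variable suggestion above asks for: the `>>` workaround appends a second `networkaddress.cache.ttl=` line on every rebuild, so this script rewrites the existing commented or active line instead and refuses non-integer values. It assumes POSIX sh, grep and sed, and reads the TTL from an env var named `JAVA_DNS_TTL` (a name chosen here), defaulting to 5.

```shell
#!/bin/sh
# Added example, not the project's own code: set networkaddress.cache.ttl in a
# java.security file idempotently. Replaces "#KEY=..." or "KEY=..." in place
# instead of appending a duplicate with ">>". Assumes POSIX sh, grep, sed;
# the TTL is taken from the JAVA_DNS_TTL env var (name chosen here), default 5.
set -eu

# Escape regex metacharacters in a property key (the dots, in this case).
_key_re() { printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'; }

# set_java_security_prop FILE KEY VALUE
# Rejects anything that is not an integer (the TTL is whole seconds, -1 = forever),
# rewrites an existing "KEY=..." or "#KEY=..." line, otherwise appends KEY=VALUE.
set_java_security_prop() {
    file=$1 key=$2 value=$3
    digits=${value#-}
    case $digits in
        ''|*[!0-9]*) echo "refusing non-integer value '$value' for $key" >&2; return 1 ;;
    esac
    re=$(_key_re "$key")
    if grep -q "^#*$re=" "$file"; then
        sed "s|^#*$re=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_java_security_prop FILE KEY: print the active (uncommented) value, if any.
get_java_security_prop() {
    sed -n "s|^$(_key_re "$2")=||p" "$1" | tail -n 1
}

# Demo on a constructed stand-in for java.security (not a real JDK file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# NOTE: setting this to anything other than the default value can have
#networkaddress.cache.ttl=-1
networkaddress.cache.negative.ttl=10
EOF
    set_java_security_prop "$tmp" networkaddress.cache.ttl "${JAVA_DNS_TTL:-5}"
    set_java_security_prop "$tmp" networkaddress.cache.ttl "${JAVA_DNS_TTL:-5}"  # second run: no duplicate
    printf 'effective networkaddress.cache.ttl: %s\n' "$(get_java_security_prop "$tmp" networkaddress.cache.ttl)"
    rm -f "$tmp"
}
demo
```

In a Dockerfile this would be `COPY`'d in and called as `RUN JAVA_DNS_TTL=5 ./set-dns-ttl.sh /opt/jdk/jre/lib/security/java.security` (path taken from the workaround above).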
The JRE/JDK default for the system property `networkaddress.cache.ttl` should be set to something like 5 or 10s, or possibly even 0 (for never) -- IP addresses pointing to services in docker containers can often change, and caching the value forever (the default) causes issues when the target service moves. See:

http://stackoverflow.com/questions/34730542/eureka-on-docker-container-unknown-host-exception
Here are examples of some other java images: