Docker resolver: hostmachine 127.0.0.1 usage broken #38512

Closed
CharlieR-o-o-t opened this issue Jan 8, 2019 · 3 comments

CharlieR-o-o-t commented Jan 8, 2019

Description
The host machine's 127.0.0.1 cannot be used as a resolver if DnsSearch/DnsOpts are in use: the container tries to reach the host machine's 127.0.0.1 within its own namespace.
Need workaround on RP

Container resolv.conf looks like this:

search foo.com
nameserver 127.0.0.11
options timeout:2 ndots:0

Hostmachine resolv.conf

nameserver 127.0.0.1
nameserver <my_dns_server_ip>
nameserver <my_dns_server_ip2>

Here extConnect should be called, but HostLoopback is an empty field

components/engine/vendor/github.com/docker/libnetwork/resolver.go:442

            if extDNS.HostLoopback {
                extConnect()
            } else {
                execErr := r.backend.ExecFunc(extConnect)
                if execErr != nil {
                    logrus.Warn(execErr)
                    continue
                }
            }

Steps to reproduce the issue:

  1. Set 127.0.0.1 at host level in resolv.conf
  2. Start container with macvlan driver, use --dns-search/--dns-opt options
  3. Try to nslookup/ping etc. any host
  4. Review docker debug log / tcpdump (in container namespace)

Jan 04 15:32:25 <hostname_here> dockerd[22275]: time="2019-01-04T15:32:25.161072587Z" level=debug msg="[resolver] query google.com. (A) from 127.0.0.1:49612, forwarding to udp:127.0.0.1"
Jan 04 15:32:25 <hostname_here> dockerd[22275]: time="2019-01-04T15:32:25.161290288Z" level=debug msg="[resolver] read from DNS server failed, read udp 127.0.0.1:49612->127.0.0.1:53: read: connection refused"

11:45:52.631743 IP 127.0.0.1.40462 > 127.0.0.11.41413: UDP, length 38
11:45:52.632090 IP 127.0.0.1.48099 > 127.0.0.1.53: 3328+ A? google.com. (38)
11:45:52.632108 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 udp port 53 unreachable, length 71

Describe the results you received:
Docker attempts to reach the host machine's 127.0.0.1 in the container namespace

Describe the results you expected:
Docker will use the global net namespace to reach HostLoopback

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

 docker version
Client:
 Version:      18.05.0-ce
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   f150324
 Built:        Wed May  9 22:14:54 2018
 OS/Arch:      linux/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.03.1-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.5
  Git commit:   9ee9f402cd
  Built:        Fri Jan  4 16:48:31 2019
  OS/Arch:      linux/amd64
  Experimental: false

Output of docker info:

Containers: 2
 Running: 2
 Paused: 0
 Stopped: 0
Images: 3
Server Version: 18.03.1-ce
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 773c489c9c1b21a6d78b5c538cd395416ec50f88
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.4.145-1.el7.elrepo.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 29.45GiB
Name: hostname
ID: RRVZ:OLHK:CDXP:3TCG:4T22:A57R:QZJC:PD22:YU6G:W4PF:CWD3:GSQF
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 38
 Goroutines: 48
 System Time: 2019-01-08T09:42:17.696050379Z
 EventsListeners: 1
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

affects any version

Additional environment details (AWS, VirtualBox, physical, etc.):

CharlieR-o-o-t pushed a commit to CharlieR-o-o-t/libnetwork that referenced this issue Jan 8, 2019
Control param checkLoopback depending on sb.config.dnsList
* If dnsList contains 127.0.0.1, HostLoopback will be set to false. The container net namespace will be used to access loopback DNS.

Fix to moby/moby#38512
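
Added example, not code from this issue or from libnetwork: a Go model of the namespace decision that the report and the commit message above describe. A loopback nameserver inherited from the host's resolv.conf is dialled from the host namespace, while servers passed to the container are dialled from the container namespace. The `upstream` type, `parseNameservers`, `planUpstreams` and the 192.0.2.x addresses are assumptions made for illustration; only the `HostLoopback` name comes from the issue.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// upstream is a hypothetical forwarder target; only the field name HostLoopback is from the issue.
type upstream struct {
	IP           string
	HostLoopback bool // true: dial from the host network namespace
}

// parseNameservers returns valid nameserver addresses from resolv.conf text.
func parseNameservers(conf string) []string {
	var out []string
	for _, line := range strings.Split(conf, "\n") {
		f := strings.Fields(line)
		// Skip comments, search/options directives and malformed addresses.
		if len(f) >= 2 && f[0] == "nameserver" && net.ParseIP(f[1]) != nil {
			out = append(out, f[1])
		}
	}
	return out
}

// planUpstreams picks the namespace per upstream. Servers configured on the
// container stay in its namespace; host loopback exists only on the host.
func planUpstreams(containerDNS []string, hostConf string) []upstream {
	var plan []upstream
	for _, ip := range containerDNS {
		plan = append(plan, upstream{IP: ip}) // container namespace
	}
	if len(plan) > 0 {
		return plan
	}
	for _, ip := range parseNameservers(hostConf) {
		plan = append(plan, upstream{IP: ip, HostLoopback: net.ParseIP(ip).IsLoopback()})
	}
	return plan
}

// Constructed sample shaped like the host resolv.conf in the report.
const sampleHostConf = "# constructed\nnameserver 127.0.0.1\nnameserver 192.0.2.53\nnameserver 192.0.2.54\n"

func main() {
	fmt.Println(planUpstreams(nil, sampleHostConf))
}
```
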
@CharlieR-o-o-t
Author

Proposed solution :
moby/libnetwork@master...CharlieR-o-o-t:fix_38512

CharlieR-o-o-t pushed a commit to CharlieR-o-o-t/libnetwork that referenced this issue Feb 13, 2019
Control param checkLoopback depending on sb.config.dnsList
* If dnsList contains 127.0.0.1, HostLoopback will be set to false. The container net namespace will be used to access loopback DNS.

Fix to moby/moby#38512

Signed-off-by: Siarhei Rasiukevich <raskintech@gmail.com>
@CharlieR-o-o-t
Author

PR : moby/libnetwork#2338

@corhere
Contributor

corhere commented Jan 19, 2024

@corhere corhere closed this as completed Jan 19, 2024