I try create docker container with custom network and dos settings.
docker network create --driver=bridge --opt "com.docker.network.bridge.enable_ip_masquerade"="true" --opt "com.docker.network.bridge.enable_icc"="true" --opt="com.docker.network.driver.mtu"="1500" --opt="com.docker.network.bridge.host_binding_ipv4"="0.0.0.0" net
--
docker run --dns 10.0.0.2 --network=net busybox cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
Else if I use standard network all work fine
docker run --dns 10.0.0.2 --network=bridge busybox cat /etc/resolv.conf
nameserver 10.0.0.2
As of Docker 1.10, DNS is managed differently for user-defined networks. DNS for the default bridge network is unchanged for backwards compatibility. In a user-defined network, docker daemon uses the embedded DNS server. According to the documentation found here:
https://docs.docker.com/engine/userguide/networking/configure-dns/
--dns=[IP_ADDRESS...] The IP addresses passed via the --dns option is used by the embedded
DNS server to forward the DNS query if embedded DNS server is unable
to resolve a name resolution request from the containers. These
--dns IP addresses are managed by the embedded DNS server and will not
be updated in the container’s /etc/resolv.conf file.
So, the DNS nameserver will be used, it just is not visible in the container's /etc/resolv.conf.
Related
When I connect to a VPN using open connect, the docker containers that run afterwards have the ability to use DNS but the host machine itself does not.
If I look at the contents of /etc/resolv.conf in the containers, the file has the DNS servers in them, but the file on the host machine does not.
From Containers:
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 10.x.x.x
nameserver 10.x.x.x
search university.liberty.edu liberty.edu
(I have replaced the actual addresses)
From the host:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53
search university.liberty.edu liberty.edu
When I use anyconnect instead of openconnect, the containers do not have dns but the host machine does. Everyone on my development team has had identical results. We're on Linux Mint 19.
I added the DNS addresses in the IPv4 tab of the Network Manager in network settings.
Does anyone have any suggestions as to what I need to do to have DNS available to the host machine and the containers at the same time?
Update:
When I connect to VPN using Cisco AnyConnect, the link from /etc/resolv.conf to /run/resolvconf/resolv.conf is maintained. The result of this is that docker containers run afterward DO NOT have access to DNS. When I connect to VPN using Cisco's openconnect, the link from /etc/resolv.conf is broken and replaced, presumably by open connect. The result of this is that the docker containers are happy using DNS, but my host machine cannot.
How can i restrict a docker container to run inside an existing iproute2-style network namespace?
ip netns exec mynetns docker-compose up
does not work (unsurprisingly).
EDIT on comment:
$ docker network create --opt com.docker.network.bridge.name=dockerbridge dockernet
$ ip link set dockerbridge netns mynetns
RTNETLINK answers: Invalid argument
trying to assign the interface of my docker network to the namespace would not work.
i do want to make sure no traffic leaks - so i want to make sure everything is set up before the containers are started. so waiting for the containers to start and then injecting a veth into their netns to link to mynetns seems fragile.
am trying to route the traffic from dockerbridge to/from mynetns's external veth, maybe that's a way.
EDIT 2:
a solution for me was to create an external network using
docker network create --opt com.docker.network.bridge.name=dockerbridge dockernet
and using iproute2 tools to route all traffic from dockerbridge through mynetns's outer veth.
i had to adjust my docker-compose.yml to include
somecontainer:
dns: 8.8.8.8
networks:
default:
external:
name: dockernet
ip route's table option helped, so i could set a second default gateway just for the docker-bridges i want to connect to mynetns.
I'm trying to get dnsmasq to operate as a DHCP server inside a Docker container, issuing DHCP addresses to machines on the host's physical network. I'm using the Alpine Linux 6MB container from https://hub.docker.com/r/andyshinn/dnsmasq/.
It works fine as a DNS server on port 53 on the host machine, however there is nothing listening on port 67/udp, which is where I'm expecting DHCP to be. I use
dhcping 192.168.2.2, but get "no answer". telnet 192.168.2.2 67 returns "Connection refused".
My dnsmasq.conf file in the container looks like this:
interface=eth0
user=root
domain-needed
bogus-priv
no-resolv
local=/mydomain.io/
no-poll
server=8.8.8.8
server=8.8.4.4
no-hosts
addn-hosts=/etc/dnsmasq_static_hosts.conf
expand-hosts
domain=mydomain.io
dhcp-range=192.168.2.10,192.168.2.250,255.255.255.0,192.168.2.255,5m
# Have windows machine release on shutdown
dhcp-option=vendor:MSFT,2,1i
# No default route
dhcp-option=3
The host machine has a static address of 192.168.2.2.
I start the container like this:
docker run -d --name dns -p 192.168.2.2:67:67/udp -p 192.168.2.2:53:53/udp sitapati/dns
There is no firewall on this machine, which is running Ubuntu 16.04.
Things I've thought of/tried:
is it because eth0 in the container has an address on a completely different subnet? (docker inspect tells me it's 172.17.0.2 on the bridged interface)
does it need to use --net host? I tried that, and it still didn't work.
Yes, the container will have its own interfaces on a virtual subnet (the docker0 bridge network). So it will be trying to offer addresses on that subnet.
Using --net host worked for me, I got the DHCP server working using something like the following command:
docker run --name dnsmasq2 -t -v /vagrant/dnsmasq.conf:/opt/dnsmasq.conf -p 67:67/udp --net host centos
--net host ensures that the container appears to using the host's networking stack rather than its own.
dnsmasq -q -d --conf-file=/opt/dnsmasq.conf --dhcp-broadcast
I also needed to add the --dhcp-broadcast flag to dnsmasq within the container to get it to actually broadcast DHCPOFFER messages on the network. For some reason, dnsmasq was trying to unicast the DHCPOFFER messages, and it was using ARP to try to get an address that had not yet been assigned.
I am trying to force the docker daemon to use my DNS server which is binded to bridge0 interface.
I have added --dns 172.17.42.1 in my docker_opts but no success
DNS server reply ok with dig command:
dig #172.17.42.1 registry.service.consul SRV +short
1 1 5000 registry2.node.staging.consul.
But pull with this domain fails:
docker pull registry.service.consul:5000/test
FATA[0000] Error: issecure: could not resolve "registry.service.consul": lookup registry.service.consul: no such host
PS: By adding nameserver 172.17.42.1 in my /etc/resolv.conf solve the issue but the DNS has to be exclusively for docker commands.
Any idea ?
You passed --dns 172.17.42.1 to docker_opts, so since that you should be able to resolve the container hostnames from inside other containers. But obviously you're doing docker pull from the host, not from the container, isn't it? Therefore it's not surprising that you cannot resolve container's hostname from your host, because it is not configured to use 172.17.42.1 for resolving.
I see two possible solutions here:
Force your host to use 172.17.42.1 as DNS (/etc/resolv.conf etc).
Create a special container with Docker client inside and mount docker.sock inside it. This will make you able to use all client commands including pull:
docker run -d -v /var/run/docker.sock:/var/run/docker.sock:rw --name=client ...
docker exec -it client docker pull registry.service.consul:5000/test
I'm trying to configure my docker container to see my local private rpm repository through http. It cannot resolve the dns name and I'm probably not setting up DNS correctly on the host CENTOS 6.5 VM.
http://
172.17.42.1
/repository/CENTOS/6/nginx/x86_64/repodata/repomd.xml:
[Errno 14] PYCURL ERROR 7 - > "couldn't connect to host"
bash-4.1# more /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://
172.17.42.1/repository/CENTOS/$releasever/nginx/$basearch/
(can't connect to host)
gpgcheck=0
enabled=1
The container /etc/resolv.conf contains this
bash-4.1# cat /etc/resolv.conf
nameserver 192.168.64.2
nameserver 192.168.64.129
nameserver 127.0.0.1
search localdomain eadis.local
When I try to add the domainname to the IP address it does not
resolve.
Docker container IP address
eth0 Link encap:Ethernet HWaddr 7E:EB:4C:25:F4:DA
inet addr:172.17.0.7 Bcast:0.0.0.0 Mask:255.255.0.0
Host VM Docker server
docker0 Link encap:Ethernet HWaddr FE:EF:63:A8:65:5C
inet addr:
172.17.42.1
Bcast:0.0.0.0 Mask:255.255.0.0
eth3 Link encap:Ethernet HWaddr 00:0C:29:10:0A:77
inet addr:192.168.64.129 Bcast:192.168.64.255 Mask:255.255.255.0
[root#centos named]# cat /etc/resolv.conf
domain localdomain
search localdomain eadis.local
nameserver 192.168.64.129
nameserver 192.168.64.2
When you run your container with --net or --network, docker will use a self DNS server to discover services that runs with it. All DNS queries are sent to the docker engine.
In normal times (when using default network) you can use the --dns option on your run command. But when you run your images with a self-defined network, you must add your customize resolv.conf file to the container. You make one on your system and name it custom-resolv.conf.
In this file you can add your custom dns address and add it to your container.
nameserver 1.0.0.1
nameserver 4.2.2.4
Then you must add this small part to your run command:
-v /path/to/file/custom-resolv.conf:/etc/resolv.conf:ro
Use ro for read-only volume mapping. When your container is started, you can exec to your container and check the /etc/resolv.conf file which must be the same as custom-resolv.conf.
Now all of your DNS requests are sent to your DNS server.