-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
1.10 breaks containerized DNS #20019
Comments
For completeness, here's a gist that should allow the issue to be reproduced: https://gist.github.com/huguesb/ce2c88f144dce518e4ce Create a fresh boot2docker VM and run rawdns.sh |
@huguesb the new DNS model in 1.10 should not impact your use-case since all your containers are connected to the default bridge network (docker0). The new embedded DNS in 1.10 is applicable only to user-defined networks. |
@mavenugo the script expects a docker-machine environment. raw docker on linux is not fully supported because updating the daemon dns config requires a manual step (cf tangents above about NB: as it is, the script requires jq 1.5 and on linux it needs a recent version of curl to use unix sockets but that could easily be removed to make a minimal reproducer. |
@huguesb okay. I think i got the setup in place and reproduce your use-case. I dont know much about the |
@huguesb also, I tried a simple |
@huguesb btw, I tried the scenario in an ubuntu 14.04 system with the following result
It does seem to work as expected. can you please find out the difference with your setup ? |
@huguesb The problem seems to happen when using the bridge IP for --dns and with userland_proxy set to false. I tried two things just to narrow down the issue..
This is with boot2docker. We have to look into this some more to identify the change in 1.10 that is causing this. Looks like its specific to boot2docker environment. |
@mavenugo @sanimej I tried passing the rawdns container ip instead of the bridge ip. It works but it's not acceptable for our use case. Remember: this is about passing a dns option to Unfortunately, removing userland_proxy=false is also not an option. The memory and cpu overhead is just too high. |
Sorry I mixed it with another issue, this one is not a p0. |
I made this a P3; we have some urgent issues that we want solved asap for the 1.10.1 release; I think it's ok to let this slip to 1.10.2 if we're unable to resolve before 1.10.1. enabling userland-proxy (the default setting) can work as a workaround in the meantime |
- Fixes moby#20132 moby#20140 moby#20019 Signed-off-by: Madhu Venugopal <madhu@docker.com>
- Fixes moby#20132 moby#20140 moby#20019 Signed-off-by: Madhu Venugopal <madhu@docker.com> (cherry picked from commit 84705f1) From PR moby#20181
server: docker 1.10 (boot2docker 1.10 / docker-machine 0.6)
client: docker 1.9.1 (OSX El Capitan)
In our dev environment we're using a containerized instance of rawdns to transparently proxy apt and apk downloads through appropriate caching proxy, themselves in containers on the same host. For python packages, unfortunately we cannot do transparent proxying but we can rely on rawdns to resolve the the name of the caching container to its ip.
Because
docker build
doesn't accept a--dns
argument (which blows my mind but I digress) we have to change the docker daemon configuration to point all containers to that DNS server. The most reliable way to do this we've found is to have the rawdns container bind to the bridge ip directly and use that ip for the daemon--dns
argument (tangent: it'd be nice if DNS settings could be changed at runtime with the new SIGHUP config reload).The upgrade to 1.10 completely breaks our setup: for some reason the rawdns container doesn't get any requests, which means that resolving the pypy caching containers fails (with a annoyingly long delay as well), transparent apt caching doesn't work and, more importantly, our sanity checks fail so the build doesn't even start.
Is this a known limitation of the new networking model? If not, how can I debug this? The daemon logs don't show anything suspicious afaict. If yes, is there an alternate approach to achieve the desired behavior?
The text was updated successfully, but these errors were encountered: