New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Embedded DNS not resolving hostname #179
Comments
Put the docker daemon on the affected host into debug mode then watch the daemon logs while running the failing ping. Healthy output looks something like this:
If there's no activity in the daemon logs while name resolution fails, then check on the plumbing for service discovery. container's
container iptables should have a DNAT rule to dest port 53 on udp and tcp. Output should look something like this (natted-to port will be different):
Then check if
Diagram of DNS programming here: https://www.slideshare.net/MadhuVenugopal2/dcus17-docker-networking-deep-dive/18?src=clipshare If the "plumbing" for DNS is incorrect or missing, then please reply with attachments:
|
Closing because this issue went stale; also docker 17.09.1 and 17.12 have been released, and may have fixes in this area |
I'm seeing the same issue, this is the second time. I tried to do everything you asked, but the stack pull isn't working... docker version Server: Issuing docker exec ping resulted in no journald entries for docker. docker exec rfrla0212454dc cat /etc/resolv.conf sudo nsenter -n -p -t $(docker inspect --format {{.State.Pid}} rfrla0212454dc) ss -utnlp sudo nsenter -n -t $(docker inspect --format {{.State.Pid}} rfrla0212454dc) iptables -t nat -nvL Chain INPUT (policy ACCEPT 1474 packets, 299K bytes) Chain OUTPUT (policy ACCEPT 467 packets, 33554 bytes) Chain POSTROUTING (policy ACCEPT 467 packets, 33554 bytes) Stack trace call doesn't seem to work. No log output results from 'sudo kill -SIGUSR1 '. |
@jamesdboone you’re running the Red Hat fork of Docker, which is an unofficial package, that has a large number of modifications that are not in the official packages, and is not maintained here. Also note that the 1.12 version reached end of life in March last year. I’d recommend upgrading to a current version of Docker. If you cannot upgrade, at least make sure to install the latest patch release of docker 1.12 (version 1.12.6), because docker 1.12.5 uses a version of the runc runtime that has a critical vulnerability that enables container processes to escape the container and get root access on the host |
Okay. Thanks for the response/feedback!
…On Fri, Feb 2, 2018 at 12:14 AM, Sebastiaan van Stijn < ***@***.***> wrote:
@jamesdboone <https://github.com/jamesdboone> you’re running the Red Hat
fork of Docker, which is an unofficial package, that has a large number of
modifications that are not in the official packages, and is not maintained
here.
Also note that the 1.12 version reached end of life in March last year.
I’d recommend upgrading to a current version of Docker.
If you cannot upgrade, at least make sure to install the latest patch
release of docker 1.12 (version 1.12.6), because docker 1.12.5 uses a
version of the runc runtime that has a critical vulnerability that enables
container processes to escape the container and get root access on the host
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#179 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ASndtzwHLLrdKw0wBwdz5P0FByR4Shzrks5tQqetgaJpZM4Q0b7C>
.
|
FYI, we just ran into an issue with the embedded DNS server behaving differently from the Linux resolver. We had 2 DNS servers listed in SERVFAIL (or RCODE 2) is defined in RFC 1035 as "Server failure - The name server was unable to process this query due to a problem with the name server." This is distinct from NXDOMAIN (RCODE 3), which stands for Non-Existent Domain or Name error. The former is a server error, the latter is a categorical "domain does not exist" answer. In our case, the Linux resolver correctly (in my view) moved on on to the second configured DNS server and resolved the host name. The Docker embedded DNS server appears to interpret SERVFAIL same as NXDOMAIN (unfortunately I wasn't fast enough to see which error it actually returned) and fail the name resolution. What this meant in practice was that any container not started on a bridge network was able to do DNS resolution without problems (maybe with some added latency) when faced with a misconfigured first DNS server, whereas any container using a bridge network would consistently fail to resolve any host names. This was especially confusing as (without direct access to the Docker server) all I could see was different |
Just wanted to chime in to say thanks for saving me time tracking down the same issue @alin-amana. Saw that behavior on Docker 18.09.5 on CentOS 7. Container was using bridged networking, and could not resolve hostnames. Checked |
@thaJeztah I'm running the official |
What error is returned by the first DNS? |
moby/libnetwork#2171 should've changed the behavior to continue with the next DNS (depending on the error) |
@thaJeztah In my case the first server wasn't available at all (networking outage - no route to host or connection timeout). |
in that case it should continue with the next DNS; https://github.com/docker/libnetwork/blob/a86d2765b829fb122c70eea7a914d59a8fb1df4a/resolver.go#L452 (did you see that message in the daemon logs?) Could you open a new ticket with details, and if possible with steps to reproduce the situation? |
Unfortunately I didn't have debug mode on for the daemon at the time but I've found these entries in the logs from around the time it was failing. I didn't find the one you mentioned above.
Worth noting that it was only failing when using I've tried to reproduce the problem now by setting an unreachable IP as the first DNS server but was unable to reproduce it, docker reported slightly different error to what you expected:
It properly went on to use the second DNS server which resolved the domain. If I manage to reproduce it I'll create a new ticket. |
Thanks! This one is interesting as well; haven't looked at the code yet to see in what situation that error would be produced though;
|
i am facing similar issue on RHEL docker info Security Options: |
Just in case anybody has the same problem than me, that could save you some time:
|
Expected behavior
# docker exec -it busybox01 ping -c 2 busybox02 PING busybox02 (172.18.0.3): 56 data bytes 64 bytes from 172.18.0.3: seq=0 ttl=64 time=0.037 ms 64 bytes from 172.18.0.3: seq=1 ttl=64 time=0.060 ms
Actual behavior
Steps to reproduce the behavior
Output of
docker version
:Output of
docker info
:Additional environment details (AWS, VirtualBox, physical, etc.)
Works perfectly fine in another VM in Azure with the same OS.
The text was updated successfully, but these errors were encountered: