Resolving down Swarm service from service with dns: "127.0.0.11" results in hundreds of errors per second in syslog
#47716
Comments
It seems like @robmry has experience with this part of the Docker codebase

I have no idea what manuals you're talking about but if that's one of our docs pages we need to fix it. The There are a couple of different ways to ensure DNS queries don't get forwarded to upstream resolvers:
For the record, we're waiting for the ICANN report Proposed Top-Level Domain String for Private Use to decide whether we want to make the daemon an authoritative NS for the DNS zone I'll check if we can slightly improve our config validation to make sure we don't accept

@akerouanton Thank you so much for the clarifications! I've asked the HAProxy team to update the blog post so it doesn't mislead people like me.

@akerouanton Unfortunately Swarm stack doesn't support dns_opt:
- "ndots:0"

Ah, right -- that's not available on Swarm. Well, in that case unfortunately you have no way to disable upstream forwarding.

docker service create supports --dns-option though, right? dns_opt seems to be missing in plumbing for docker stack deploy. I guess it's worth creating a separate issue for this.

What is this supposed to mean? Asking because regularly seeing this same kind of log flood with no DNS set in

It looks like part of a docker compose service definition, equivalent to
If you're seeing something similar, without configuring

@elyulka Did you remove the upstream DNS server of
TL;DR: I do not have any useful data except I note the two similarities to the OP: Swarm & I would love to open an issue but I have nothing tangible on this problem. Just the symptoms that seem to manifest randomly with average maybe 1 to 6 times a month. Probably I'll continue monitoring and try to figure out something/anything of use before opening an issue. All I know is that in various Swarms once in a while machine(s) suddenly start to spam this, triggering The log lines are identical except of course things like port numbers, query etc.; and the A record query does have our search domain appended. No DNS settings whatsoever are defined in Interesting that our "flooding query" also starts with This issue did give some great ideas but since Swarm we also cannot use

@bluikko I removed setting from the Swarm Stack file and I don't have log flood anymore when Swarm internal DNS can't resolve request. I also noticed that inside container there is

You are right, the Swarm I am looking at had the same problem with There must be some bad advice being given in some documentation or "howto" somewhere: it's too much of a coincidence otherwise. @elyulka I'll add my comment in the relevant HAProxy issue, hopefully this will get removed from the "howto". Oh how I despise howtos.

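A way to catch the two pitfalls from this thread before deploying, as an added example (not code from the issue or from the Docker project): it audits a stack definition, already parsed into a dict, for services whose `dns` is set to 127.0.0.11 and for `dns_opt` entries, which the thread says Swarm stacks do not support. The sample stack, service names, image names and finding labels are constructed for illustration.

```python
import json

# Address of Docker's embedded resolver, as discussed in this thread.
EMBEDDED_RESOLVER = "127.0.0.11"

# Constructed sample stack in JSON form (not the reporter's compose file).
SAMPLE_STACK = json.loads("""
{
  "services": {
    "haproxy": {"image": "example/proxy:1", "dns": "127.0.0.11"},
    "proxy2":  {"image": "example/proxy:1",
                "dns": ["127.0.0.11", "10.0.0.2"],
                "dns_opt": ["ndots:0"]},
    "backend": {"image": "example/app:1"}
  }
}
""")


def as_list(value):
    """Compose accepts `dns` and `dns_opt` as one string or as a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_stack(stack):
    """Return sorted (service, finding) tuples for the pitfalls in this thread."""
    findings = []
    for name, svc in (stack.get("services") or {}).items():
        svc = svc or {}
        servers = [str(s).strip() for s in as_list(svc.get("dns"))]
        # Pitfall 1: the service's resolver list names the embedded resolver.
        if EMBEDDED_RESOLVER in servers:
            findings.append((name, "dns-points-at-embedded-resolver"))
        # Pitfall 2: per the thread, dns_opt is not available in a Swarm stack.
        if as_list(svc.get("dns_opt")):
            findings.append((name, "dns_opt-not-applied-by-stack-deploy"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit_stack(SAMPLE_STACK):
        print(f"{service}: {finding}")
```
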
Description
I've set up haproxy to load balance services (following manuals, set dns: "127.0.0.11" to not forward requests to the external DNS servers) and noticed hundreds of errors per second in syslog when any backend service gets down:
How can I avoid log pollution without putting load on the external DNS service with queries for a down service?
Reproduce
docker-compose.yml:
docker stack deploy -c docker-compose.yml dnstest
tail -n10 -f /var/log/syslog
Expected behavior
Logs should not be filled with hundreds of errors querying a down service when limiting DNS resolvers to the single 127.0.0.11
docker version
Client: Docker Engine - Community
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:17:48 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:17:48 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
docker info
Additional Info
Initially I was on v25, upgrade to v26 did not help.
I've opened haproxy issue but it seems like it's some docker edge case.
Here is output of tcpdump -v -i lo udp: tcpdump-any-port.txt
I tried to run nslookup without overriding dns and got
OS: Digitalocean image "Docker 25.0.3 on Ubuntu 22.04"