[19.03 backport] Better selection of DNS server#41374
Closed
thaJeztah wants to merge 2 commits into moby:19.03 from
Conversation
Commit e353e7e updated selection of the `resolv.conf` file to use in situations where systemd-resolved is used as a resolver. If a host uses `systemd-resolved`, the system's `/etc/resolv.conf` file is updated to set `127.0.0.53` as DNS, which is the local IP address for systemd-resolved. The DNS servers that are configured by the user will now be stored in `/run/systemd/resolve/resolv.conf`, and systemd-resolved acts as a forwarding DNS for those.

Originally, Docker copied the DNS servers as configured in `/etc/resolv.conf` as default DNS servers in containers, which failed to work if systemd-resolved is used (as `127.0.0.53` is not available inside the container's networking namespace). To resolve this, e353e7e instead detected if systemd-resolved is in use, and in that case copied the "upstream" DNS servers from the `/run/systemd/resolve/resolv.conf` configuration.

While this worked for most situations, it had some downsides, among which:

- we're skipping systemd-resolved altogether, which means that we cannot take advantage of additional functionality provided by it (such as per-interface DNS servers)
- when updating DNS servers in the system's configuration, those changes were not reflected in the container configuration, which could be problematic in "developer" scenarios, when switching between networks.

This patch changes the way we select which resolv.conf to use as template for the container's resolv.conf:

- in situations where a custom network is attached to the container, and the embedded DNS is available, we use `/etc/resolv.conf` unconditionally. If systemd-resolved is used, the embedded DNS forwards external DNS lookups to systemd-resolved, which in turn is responsible for forwarding requests to the external DNS servers configured by the user.
- if the container is running in "host mode" networking, we also use the DNS server that's configured in `/etc/resolv.conf`. In this situation, no embedded DNS server is available, but the container runs in the host's networking namespace, and can use the same DNS servers as the host (which could be systemd-resolved or DNSMasq).
- if the container uses the default (bridge) network, no embedded DNS is available, and the container has its own networking namespace. In this situation we check if systemd-resolved is used, in which case we skip systemd-resolved, and configure the upstream DNS servers as DNS for the container. This situation is the same as is used currently, which means that dynamically switching DNS servers won't be supported for these containers.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a5324d6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This came up in a review of a5324d6, but for some reason that comment didn't find its way to GitHub, and/or I forgot to push the change.

These files are "copied" by reading their content with `ioutil.ReadFile()`; resolving the symlinks should therefore not be needed, and paths can be passed as-is:

```go
import "io/ioutil"

// filePerm is defined elsewhere in the daemon package; 0644 is assumed here.
const filePerm = 0644

// copyFile reads src in full (the read itself follows a symlink) and writes
// the bytes to dst, so no separate symlink resolution is needed.
func copyFile(src, dst string) error {
	sBytes, err := ioutil.ReadFile(src)
	if err != nil {
		return err
	}
	return ioutil.WriteFile(dst, sBytes, filePerm)
}
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cf169b4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
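The three selection rules in the a5324d6 commit message above, worked through as an added example in Go. This is not moby's code: the `NetworkMode` type, the function names, the in-memory host filesystem and the sample `resolv.conf` contents are constructed here for illustration, and the stub-detection rule (the only nameserver in `/etc/resolv.conf` is `127.0.0.53`) is this example's assumption about what "systemd-resolved is used" looks like on disk. It goes one step beyond the commit message by listing loopback nameservers explicitly, which is the concrete reason the stub file cannot be copied into a container that has its own network namespace.

```go
// Added example, not moby's code; sampleHost below is constructed input.
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

const (
	defaultResolvConf   = "/etc/resolv.conf"
	systemdResolvConf   = "/run/systemd/resolve/resolv.conf"
	systemdStubListener = "127.0.0.53" // systemd-resolved's stub resolver
)

// NetworkMode mirrors the three cases the commit message distinguishes.
type NetworkMode int

const (
	ModeBridge      NetworkMode = iota // default bridge: own netns, no embedded DNS
	ModeHost                           // shares the host's netns
	ModeUserDefined                    // custom network: embedded DNS forwards upstream
)

// Nameservers extracts "nameserver" entries; comments, blank lines and other
// keywords fail the first test because their first field is not "nameserver".
func Nameservers(content string) []string {
	var out []string
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "nameserver" {
			continue
		}
		if ip := net.ParseIP(f[1]); ip != nil {
			out = append(out, ip.String())
		}
	}
	return out
}

// UsesSystemdResolved: the file is the stub when 127.0.0.53 is its only nameserver (assumed rule).
func UsesSystemdResolved(content string) bool {
	ns := Nameservers(content)
	return len(ns) == 1 && ns[0] == systemdStubListener
}

// LoopbackNameservers returns nameservers a container with its own network
// namespace cannot reach; non-empty means the file is unusable as a template there.
func LoopbackNameservers(content string) []string {
	var bad []string
	for _, s := range Nameservers(content) {
		if net.ParseIP(s).IsLoopback() {
			bad = append(bad, s)
		}
	}
	return bad
}

// SelectResolvConf applies the rules; readFile stands in for the host filesystem.
func SelectResolvConf(mode NetworkMode, readFile func(string) ([]byte, error)) (string, error) {
	if mode == ModeHost || mode == ModeUserDefined {
		// Host mode shares the host's resolvers; a custom network has the embedded DNS.
		return defaultResolvConf, nil
	}
	etc, err := readFile(defaultResolvConf)
	if err != nil {
		return "", err
	}
	if !UsesSystemdResolved(string(etc)) {
		return defaultResolvConf, nil
	}
	// Bridge mode behind the stub listener: fall back to the upstream servers.
	if _, err := readFile(systemdResolvConf); err != nil {
		return "", fmt.Errorf("stub resolver in use but %s is unreadable: %w", systemdResolvConf, err)
	}
	return systemdResolvConf, nil
}

// sampleHost is a constructed host: the stub file and the upstream file.
var sampleHost = map[string]string{
	defaultResolvConf: "# managed by systemd-resolved\nnameserver 127.0.0.53\noptions edns0\nsearch corp.example\n",
	systemdResolvConf: "nameserver 10.0.0.2\nnameserver 10.0.0.3\nsearch corp.example\n",
}

func sampleRead(path string) ([]byte, error) {
	if c, ok := sampleHost[path]; ok {
		return []byte(c), nil
	}
	return nil, errors.New("no such file: " + path)
}

func main() {
	for _, m := range []NetworkMode{ModeBridge, ModeHost, ModeUserDefined} {
		p, err := SelectResolvConf(m, sampleRead)
		fmt.Printf("mode %d -> %s (err=%v)\n", m, p, err)
	}
	fmt.Println("unreachable from a bridge container:", LoopbackNameservers(sampleHost[defaultResolvConf]))
}
```

Running it shows the bridge case falling back to the upstream file while host and user-defined modes keep `/etc/resolv.conf`; the loopback check is the "not available inside the container's networking namespace" condition from the commit message made testable, and the error path covers a host that advertises the stub but has no readable upstream file.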
thaJeztah (Member, Author):
Opening as draft, so that we can discuss/consider this as a backport
Hi @thaJeztah. Any update on this backport? I'm trying to use Docker in a split DNS environment using

Any hope this can land shortly in upcoming release?

Any news?
planthaber added a commit to dfki-ric/docker_image_development that referenced this pull request on Jun 8, 2021

planthaber added a commit to dfki-ric/docker_image_development that referenced this pull request on Jun 8, 2021:
* remove manual DNS settings moby/moby#41374 * add DNS section to docker setup * fix bullet point indentation in DNS doc * fix bold text

planthaber added a commit to dfki-ric/docker_image_development that referenced this pull request on Jun 8, 2021:
* remove manual DNS settings moby/moby#41374 * add DNS section to docker setup * fix bullet point indentation in DNS doc * fix bold text * add more metadata to images (git versions, parent image names)
The backports would be great :)

thaJeztah (Member, Author):
I'm closing this PR, as 19.03 has not been maintained for 2 years, and there are no plans for more 19.03.x patch releases.
backport of:
- Better selection of DNS server #41022
- daemon.setupPathsAndSandboxOptions() skip resolving symlinks #41335

fixes / addresses:
- 18.09 breaks containers name resolution for non default networks on systems with systemd-resolved #38243
- Wrong resolv.conf used on Ubuntu 19 (systemd-resolved enabled) #39978
- Container /etc/resolv.conf does not update when /run/systemd/resolve/resolv.conf changes docker/for-linux#889
- dockerd should use 127.0.0.53 when requested docker/for-linux#979

relates to:
- resolvconf: use /run/systemd/resolve/resolv.conf if systemd-resolved manages DNS libnetwork#2385 (comment)
- Private DNS Fails on 0.8 with systemd-resolved kubernetes-sigs/kind#1594 (comment)
Commit e353e7e (#37485) updated selection of the `resolv.conf` file to use in situations where systemd-resolved is used as a resolver. (The remainder of the description is the message of commit a5324d6, reproduced in full above.)