DNS not working in Docker Compose #115
Comments
boostpaal
changed the title
boostpaal
changed the title
|
Can you post strace logs? |
|
It appears that you are trying to connect to a DNS server on 127.0.0.11:53, but that there isn't a DNS server in the sandbox running on that port. When it comes to networking, the sandbox behaves like a VM. localhost is the sandbox's localhost. You might be able to talk to the DNS server on the host by using the host's IP address. Another thing you can try is enabling network passthrough. This makes networking behave more like a normal container at the cost of security. I am not sure if this will help as I think the sandbox runs in a network namespace with its own loopback on the host. |
boostpaal
changed the title
|
Network passthrough works but it's not a viable option for security reasons. I seems like Compose's native DNS server is the root of the problem. There might be a missing DNS feature that gVisor requires. I think submitting an issue to Compose would be the right way to go from here. |
|
The issue can be resolved with a workaround. Changing the DNS server in Compose is not enough: version: '2.3'
services:
apiconbug:
restart: always
image: apiconbug
tty: true
working_dir: /home/alpine/apiconbug
runtime: runsc
dns:
- 8.8.8.8However, which would render the same problem. When running Compose with runsc, you get two networks: $ docker network ls
NETWORK ID NAME DRIVER SCOPE
c9fcf0c8d7dc bridge bridge local
29cf0bbb8e49 nodebug_default bridge localThe $ docker network inspect 29cf0bbb8e49
[
{
"Name": "apiconbug_default",
"Id": "a3fcbc8dbf8c8500ff9eee3f4ca7328f7b1dd181ad601168ccbe48be4fee99ac",
"Created": "2018-11-30T09:50:39.643998227+01:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.18.0.0/16",
"Gateway": "172.18.0.1"
}
]
},
"Internal": false,
"Attachable": true,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {}, // <--- EMPTY
"Labels": {
"com.docker.compose.network": "default",
"com.docker.compose.project": "apiconbug",
"com.docker.compose.version": "1.22.0"
}
}
]The bridge network has these Options: We then switched to using the bridge network: version: '2.3'
services:
apiconbug:
restart: always
image: apiconbug
tty: true
working_dir: /home/alpine/apiconbug
runtime: runsc
dns:
- 8.8.8.8
network_mode: "bridge"and voila, DNS lookups are now OK. Would be nice to know which of these options resolve the problem, what the problem actually is, and how to configure these options in Compose. We could possibly have changed This opens access to the hosts' local network, so be sure you know what you are exposing there. |
ianlewis
added
area: networking
|
I am getting error in apt update inside the ubuntu image when I run it with gvisor, with runc it work fine. Can someone tell me how to fix it? root@d846d6c54be4:/# cat /etc/resolv.conf error: |
|
I am having the same issue. DNS look up does not work with gVisor and netstack in the Docker container. But without gVisor it works.
|
|
I don't think that there is anything we can do to fix this on the gVisor side. Docker Compose seems to be assuming a shared loopback, which I don't think is conceptually compatible with network isolation. I think your only options are to not use network isolation (e.g. enable network passthrough in gVisor) or to fix, not use, or otherwise work around Docker Compose. |
I am not using Docker Compose. Just Docker Run. It only has default |
|
That looks like a different problem. Can you file a new issue and attach an strace log? |
|
@iangudger Opened #334 |
|
I confirm that DNS name is not working on docker-compose. |
|
Still not working with compose. Up! |
|
Same issue here |
|
Same issue |
|
You shouldnt edit /etc/resolv.conf in container directly. Leave it 127.0.0.11 in docker-compose.yml or *override.yml |
It's not working for me... |
|
Its not right when inside container you have external DNS. When you put other address than "127.0.0.11" docker lose self intercommunication between hosts if you are in stack or something. Don't put any change in containers resolv.conf. It break functionality. Edit your DNS by other method like dns settings in docker-compose.yml |
|
@sloslo4 you right, but anyway dns settings is ignored by docker-compose. |
|
Still not working, any predictions? |
|
Hopefully someone on the project can look at Docker compose soon, but there's no timeline right now. The problem is fundamentally what Ian notes above. The DNS server appears to be binding to localhost inside the container's network namespace. But the isolated container does not have direct access to the host network namespace unless network=host (passthrough mode) is enabled. For now the workaround suggested above seems reasonable, but I'm sure if there are any consequences wrt to service discovery, etc. (I don't know much about how Docker compose is using DNS and why it is doing what it is doing, which is why we need someone to dig in and understand that first.) |
|
I'm seeing the same behaviour since I changed from I have a container that runs VPN, so not being able to specify my VPN provider's DNS servers with |
|
I don't think this is an issue we can solve for good in gVisor as it has to do with how Docker binds to localhost for the DNS server. We can maybe document this better as it seems to be a fairly common issue. |
|
I added a tutorial to the website that will be available at https://gvisor.dev/docs/tutorials/docker-compose/ so I'm going to close this issue. If there are further issues you have with DNS and docker compose feel free to open up another issue with the details. |
Adds a Docker Compose tutorial to the website that shows how to start a Wordpress site and includes information about how to get DNS working. Fixes google#115 PiperOrigin-RevId: 330652842
Adds a Docker Compose tutorial to the website that shows how to start a Wordpress site and includes information about how to get DNS working. Fixes #115 PiperOrigin-RevId: 330652842
|
docker-compose using user defined networks no internal service names or host names resolved
docker-compose version 1.27.4, build 40524192 |
|
@mindon This issue is closed. Could you open a new issue with a bit more details about how to reproduce your problem? |
my mistake, it should be a docker-compose issue |
|
Did anyone file a bug with docker-compose or docker about this? If, so would you provide a link to the issue? |
DNS lookups fail in Docker Compose 2.3.
docker-compose.yml
test.js
Error:
$ uname -a Linux ubuntu-2 4.15.0-36-generic #39~16.04.1-Ubuntu SMP Tue Sep 25 08:59:23 UTC 2018 x86_64 x86_64 x86_64 GNU/LinuxI've tried using the
use-vcand other resolve options in Compose (http://man7.org/linux/man-pages/man5/resolv.conf.5.html) to force TCP over UDP, with no luck:The text was updated successfully, but these errors were encountered: