DNS resolution does not work on non-default docker networks.
richardstephens opened this issue
Description
When starting a container with runsc and a non-default --network, the container cannot resolve DNS, either for other containers or for the internet.
The gVisor docs suggest use of --link; however, the docker docs say this is deprecated and that custom networks should be set up instead.
Steps to reproduce
- create a new network
$ docker network create apps
- create postgres container
$ docker run -d \
--network apps \
--runtime runsc \
--name pgsql \
--restart unless-stopped \
-e PGDATA=/var/lib/postgresql/data/pgdata \
-e POSTGRES_PASSWORD=xxx \
-v /data/docker/postgres:/var/lib/postgresql/data \
postgres:14.2-bullseye
- create a debug container and try to reach the pgsql pod (or the internet)
$ docker run --rm \
--network apps \
--runtime runsc \
-it alpine \
sh
/ # ping pgsql
ping: bad address 'pgsql'
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.15/main: temporary error (try again later)
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.15/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.15/community: temporary error (try again later)
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.15/community: No such file or directory
2 errors; 14 distinct packages available
/ #
The network is working: if I look up the IP address from the host, I can ping and connect to it just fine.
$ docker network inspect apps
...snip...
            "0c16ea2a79e9e2d44072baa0192b5a42de99435dd0d9e122756061ae174d7cc7": {
                "Name": "pgsql",
                "EndpointID": "0632eb4937fbf9406c95926e2fcba6ef7d35fbb26b09cf650409f6022b4f6939",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
/ # ping 172.18.0.2
PING 172.18.0.2 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=42 time=1.532 ms
64 bytes from 172.18.0.2: seq=1 ttl=42 time=1.364 ms
If I remove the --runtime runsc flag from the debug container, everything works as expected.
runsc version
runsc version release-20220425.0
spec: 1.0.2-dev
docker version (if using docker)
Client:
 Context: default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.1-docker)
  compose: Docker Compose (Docker Inc., v2.3.3)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 7
  Running: 2
  Paused: 0
  Stopped: 5
 Images: 13
 Server Version: 20.10.14
 Storage Driver: zfs
  Zpool: rpool
  Zpool Health: ONLINE
  Parent Dataset: rpool/var
  Space Used By Parent: 2157556128
  Space Available: 11002439795919
  Parent Quota: no
  Compression: lz4
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc runsc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc version: v1.0.3-0-gf46b6ba
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.0-14-amd64
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: x86_64
 CPUs: 48
 Total Memory: 188.8GiB
 Name: debian-2098da7c
 ID: EHR6:EENE:W6XL:VKQE:WSNN:EVCJ:5YYZ:WUU2:A4CG:NFNH:22P7:RHMP
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
uname
Linux debian-2098da7c 5.10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) x86_64 GNU/Linux
kubectl (if using Kubernetes)
No response
repo state (if built from source)
No response
runsc debug logs (if available)
No response
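The runc-versus-runsc comparison the report describes, as an added diagnostic script that is not part of the issue or of the gVisor project: it reads the addresses Docker assigned on the user-defined network, asks a throwaway container under each runtime to resolve each name with getent, and classifies the outcome. The network name "apps", the "alpine" image and the sample inspect JSON are assumptions modelled on the report.

```python
"""Added diagnostic (not from the issue or gVisor): compare Docker embedded-DNS
resolution on a user-defined network across container runtimes."""
import json
import subprocess
from typing import Dict, Optional

def endpoints_from_inspect(inspect_json: str) -> Dict[str, str]:
    """Map container name -> IPv4 address (prefix length dropped) from the
    JSON that `docker network inspect <net>` prints."""
    data = json.loads(inspect_json)
    expected = {}
    for net in (data if isinstance(data, list) else [data]):
        for endpoint in net.get("Containers", {}).values():
            expected[endpoint["Name"]] = endpoint["IPv4Address"].split("/")[0]
    return expected

def resolve_in_container(runtime: str, network: str, name: str,
                         image: str = "alpine") -> Optional[str]:
    """Run `getent hosts NAME` in a throwaway container on NETWORK under
    RUNTIME; return the first address, or None if resolution failed."""
    cmd = ["docker", "run", "--rm", "--network", network, "--runtime", runtime,
           image, "getent", "hosts", name]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    fields = proc.stdout.split()
    return fields[0] if proc.returncode == 0 and fields else None

def classify(expected: Dict[str, str],
             observed: Dict[str, Optional[str]]) -> str:
    """'ok' if every name resolved to the address Docker assigned,
    'no-resolution' if any lookup failed (the symptom in this issue),
    'wrong-address' if a name resolved to something else."""
    for name, ip in expected.items():
        got = observed.get(name)
        if got is None:
            return "no-resolution"
        if got != ip:
            return "wrong-address"
    return "ok"

# Constructed sample modelled on the `docker network inspect apps` output above.
SAMPLE_INSPECT = json.dumps([{"Name": "apps", "Containers": {
    "constructed-container-id": {"Name": "pgsql", "IPv4Address": "172.18.0.2/16",
                                 "IPv6Address": ""}}}])

if __name__ == "__main__":  # live run: needs docker and the "apps" network
    expected = endpoints_from_inspect(
        subprocess.run(["docker", "network", "inspect", "apps"],
                       capture_output=True, text=True, check=True).stdout)
    for runtime in ("runc", "runsc"):
        observed = {n: resolve_in_container(runtime, "apps", n) for n in expected}
        print(runtime, classify(expected, observed), observed)
```

With the behaviour reported above, the live run prints "ok" for runc and "no-resolution" for runsc while the direct-IP path still works.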
Most likely this is a dupe of #7469. But I will update after I run the instructions and look at the ipfilter rules.
Okay, confirmed. This is a dupe of #7469. Closing as duplicate.