google / gvisor

Application Kernel for Containers

Home Page:https://gvisor.dev

DNS resolution does not work on non-default docker networks.

richardstephens opened this issue · comments

Description

When starting a container with runsc and a non-default --network, the container cannot resolve DNS, either to other containers or the internet.

The gVisor docs suggest use of --link however the docker docs suggest this is deprecated and to set up custom networks instead.

Steps to reproduce

  1. create a new network
$ docker network create apps
  2. create postgres container
$ docker run -d  \
   --network apps \
   --runtime runsc \
   --name pgsql \
   --restart unless-stopped \
   -e PGDATA=/var/lib/postgresql/data/pgdata  \
   -e POSTGRES_PASSWORD=xxx \
   -v /data/docker/postgres:/var/lib/postgresql/data \
   postgres:14.2-bullseye
  3. create debug container and try to reach pgsql pod (or internet)
$ docker run --rm \
   --network apps \
   --runtime runsc \
   -it alpine \
   sh
/ # ping pgsql
ping: bad address 'pgsql'
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.15/main: temporary error (try again later)
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.15/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.15/community: temporary error (try again later)
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.15/community: No such file or directory
2 errors; 14 distinct packages available
/ # 

The network is working - if I look up the IP address from the host, I can ping and connect to it just fine.

$ docker network inspect apps
...snip...
            "0c16ea2a79e9e2d44072baa0192b5a42de99435dd0d9e122756061ae174d7cc7": {
                "Name": "pgsql",
                "EndpointID": "0632eb4937fbf9406c95926e2fcba6ef7d35fbb26b09cf650409f6022b4f6939",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
/ # ping 172.18.0.2
PING 172.18.0.2 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=42 time=1.532 ms
64 bytes from 172.18.0.2: seq=1 ttl=42 time=1.364 ms

If I remove the --runtime runsc flag from the debug container, everything works as expected.

runsc version

runsc version release-20220425.0
spec: 1.0.2-dev

docker version (if using docker)

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.1-docker)
  compose: Docker Compose (Docker Inc., v2.3.3)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 Containers: 7
  Running: 2
  Paused: 0
  Stopped: 5
 Images: 13
 Server Version: 20.10.14
 Storage Driver: zfs
  Zpool: rpool
  Zpool Health: ONLINE
  Parent Dataset: rpool/var
  Space Used By Parent: 2157556128
  Space Available: 11002439795919
  Parent Quota: no
  Compression: lz4
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc runsc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc version: v1.0.3-0-gf46b6ba
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.0-14-amd64
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: x86_64
 CPUs: 48
 Total Memory: 188.8GiB
 Name: debian-2098da7c
 ID: EHR6:EENE:W6XL:VKQE:WSNN:EVCJ:5YYZ:WUU2:A4CG:NFNH:22P7:RHMP
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

uname

Linux debian-2098da7c 5.10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) x86_64 GNU/Linux

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response
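An added diagnostic (not part of this issue or of the gVisor project) that runs the name lookup from the reproduction steps above under both runtimes in one go, so a runsc-only failure stands out next to a working runc run. It assumes docker is on PATH and that the apps network and the pgsql container from the steps exist; the two helper functions only inspect text and need no docker. The resolver classification rests on documented Docker behaviour: user-defined networks point /etc/resolv.conf at the embedded resolver 127.0.0.11, while the default bridge copies the host's nameservers.

```shell
#!/bin/sh
# Added diagnostic: compare container-name resolution on a user-defined
# Docker network under runc and runsc. Assumes docker on PATH and the
# "apps" network / "pgsql" container from the reproduction steps.

NETWORK="${NETWORK:-apps}"
TARGET="${TARGET:-pgsql}"

# Classify a resolv.conf body: "embedded" when it names Docker's embedded
# resolver (127.0.0.11, used on user-defined networks), else "host".
classify_resolver() {
    if printf '%s\n' "$1" | grep -Eq '^nameserver[[:space:]]+127\.0\.0\.11([[:space:]]|$)'; then
        echo embedded
    else
        echo host
    fi
}

# Summarise a `getent hosts` result: "ok" when the target name came back
# with an address, "fail" when getent printed nothing.
summarise_lookup() {
    case "$1" in
        *"$TARGET"*) echo ok ;;
        *) echo fail ;;
    esac
}

# Run the lookup in a throwaway alpine container under the given runtime
# and print one line: runtime, resolver type seen, lookup outcome.
check_runtime() {
    runtime="$1"
    out=$(docker run --rm --network "$NETWORK" --runtime "$runtime" alpine \
        sh -c "cat /etc/resolv.conf; echo ---; getent hosts $TARGET" 2>/dev/null)
    resolv=${out%%---*}
    lookup=${out##*---}
    printf '%-6s resolver=%-8s lookup=%s\n' "$runtime" \
        "$(classify_resolver "$resolv")" "$(summarise_lookup "$lookup")"
}

main() {
    for rt in runc runsc; do
        check_runtime "$rt"
    done
}

# Only talk to docker when invoked explicitly: ./dnscheck.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A healthy setup prints `lookup=ok` for both runtimes; the symptom in this issue shows as `resolver=embedded` with `lookup=fail` on the runsc line only.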

Most likely this is a dupe of #7469. But I will update after I run the instructions and look at the ipfilter rules.

Okay confirmed. This is a dupe of #7469. Closing as duplicate.