TransWikia.com

Docker container not using host /etc/resolv.conf

Super User Asked by Etienne Miret on December 7, 2021

Per Configure container DNS, docker containers should have a copy of the host /etc/resolv.conf and use it. For some reason I can’t find out, this isn’t working on my machine.

$ cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 172.18.0.xxx
nameserver 172.18.0.yyy
nameserver 8.8.8.8

$ docker run -it --rm alpine cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 8.8.8.8
nameserver 8.8.4.4
search home

I’m running Docker version 18.09.7, build 2d0083d, on Ubuntu 18.04.3 LTS.

I tried to restart the docker daemon after changes were made to my /etc/resolv.conf by openvpn, but I get the same result: resolv.conf in containers point to Google DNS.

dnsdockernetworking

2 Answers

I think what you are hitting here is a subnet conflict between OpenVPN's subnet, and local subnets that docker uses for containers internally. If you do ip addr and look for the bridge adapter that docker has created for your network, you will find a subnet range it has allocated to that bridge. Commonly it is 172.20.0.1/16 which will overlap your OpenVPN subnet. As that makes the OpenVPN DNS IP addresses "local to docker", it is removing them from the container's /etc/resolv.conf.

If you have multiple docker networks and don't know which bridge you should be looking at, you can do docker network list and take the network ID and prefix it with br0. For example a docker network with ID 28881c0a72ad is serviced by bridge adapter br0-28881c0a72ad.

There are a few solutions to this issue. One option is to change the default pool of addresses docker will use, by setting it in daemon.json:

vi /etc/docker/daemon.json
{
  "default-address-pools" : [
    {
      "base" : "172.240.0.0/16",
      "size" : 24
    }
  ]
}

Once done, restart your docker daemon to reconfigure the default network. Other networks will need to be deleted and recreated. Another solution is to create placeholder network that covers the range:

docker network create --driver=bridge --subnet 172.18.0.0/24 openvpn

Future networks created by docker-compose or similar tools will then not allocate to that subnet.

Answered by Stephen Badger on December 7, 2021

The resolv.conf file appears to be getting updated by multiple daemons, systemd and resolvconf. You may need to restart the docker daemon to pickup changes to the resolv.conf file after the latest change.

Once that's done, the second sentence (and following paragraph) explain the difference in the nameserver lines for anyone with a 127.0.0.1 nameserver:

Docker makes each container’s /etc/resolv.conf look like the /etc/resolv.conf of the host machine (where the docker daemon runs). When creating the container’s /etc/resolv.conf, the daemon filters out all localhost IP address nameserver entries from the host’s original file.

With your scenario, the docker engine may be configured with different name servers. There are various locations this value can be injected. If it's done in the systemd config files, then systemctl show docker | grep ExecStart should show an argument. Or it can be set with the /etc/docker/daemon.json file.

For other's that experience this issue, docker runs a DNS server internally that relays to servers (with the exception of localhost) for containers in user created networks. So a resolv.conf file with 127.0.0.53 will be expected when you don't use the default bridge. This allows containers to resolve each other using DNS.

Answered by BMitch on December 7, 2021

Add your own answers!

Ask a Question

Get help from others!

Recent Answers

Recent Questions

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP