I have docker container (lets say A) running on a host (lets say X). I would like the container to be able to have outbound connectivity to a DNS (ie ELB) that host X already has access to.
ie
container A ---> want to be able to curl an external ELB DNS endpoint...problem is container unable to resolve it!
host X ---> is able to curl the external ELB DNS endpoint already
Do either of these work for you?
$ docker run --dns 10.0.0.2 busybox nslookup google.com
Or edit your /etc/docker/daemon.json similar to:
{
"dns": ["10.0.0.2", "8.8.8.8"]
}
and restart the docker service
$ sudo systemctl docker restart
For more information, please see Fix Docker's networking DNS config and Container networking.
Related
I have a Docker container that uses the host network and when I run the container it takes the same resolv.conf of the host machine.
docker run -ti --network host ubuntu:18.04 /bin/bash
I have configured a VPN interface in my host that use an additional DNS server 10.10.0.5 and one search domain using the DNS server myvpndomain.com.
But the problem is when I start the container without being connected to the VPN it takes my usual /etc/resolv.conf. But once the container is started if I turn on my VPN interface I can see all machines on the VPN network including the VPN's DNS server: 10.10.0.5 (I can ping to it), but the DNS resolution configuration doesn't get updated automatically from host, I need to restart the container to get the new DNS configuration.
DNS configuration in the host machine after connected to VPN:
cat /etc/resolv.conf
search myvpndomain.com
nameserver 10.10.0.5
nameserver 80.58.61.250
nameserver 80.58.61.254
DNS configuration inside the container the container after connected to VPN:
cat /etc/resolv.conf
nameserver 80.58.61.250
nameserver 80.58.61.254
To update the DNS configuration after connecting my VPN I tried two solutions so far:
1) Adding a bind mount to host /etc/resolv.conf file into the container -v /etc/resolv.conf:/etc/resolv.conf to run command, but it does not work, I don't know why even updating host resolv.conf, the mounted resolv.conf in container does not update.
2) Adding --dns 127.0.0.53 --dns-search myvpndomain.com to run command, this works well as it uses the systemd-resolver and also adds the required search domain. But I would want to not rely on systemd-resolver to accomplish this.
Do you know a more clean solution that does not involve to use the systemd-resolver?
Maybe use Docker internal DNS 127.0.0.11 + dnsmasq?
PD: It's mandatory to use the host network the container --network host
I am setting up a microservices architecture using docker for each service. I am also using kong API gateway running in its own docker container. The docker host is Centos 7 running in a VM with an IP 192.168.222.76.
On the host command line, I can access the starter service on port 7000 fine. However, within the kong VM, I ping the IP address but cannot access the service. As you can see from the output below, it says "Host is unreachable".
I am starting docker with --icc=true and --iptables=true and I have made several suggested changes to the firewalld and rich rules, etc. but I continue to not be able to reach the other container from within the kong container.
I am starting the kong container with a named network "kong-net" and the kong database is instance is in the same docker network and THEY seem to be able to communicate. I have added my starter service container to the same network on start up and still no joy. The kong container CAN access the outside world, just not other docker containers on the same host.
Output is below:
[root#docker ~]# clear
[root#docker ~]# curl 192.168.222.76:7000/starter/hello
Hello Anonymous Person!!
[root#docker ~]# docker exec -it kong /bin/ash
# curl 192.168.222.76:7000/starter/hello
curl: (7) Failed to connect to 192.168.222.76 port 7000: Host is unreachable
# curl www.google.com
HTML returned properly...
Any help on this appreciated!
You must have to reach the other container with his container name.
Try this:
docker exec -t kong curl servicename:7000/starter/hello
Kong container and service containers must share the same network
I was able to get ICC working by disabling firewalld all together (stop, disable, mask with systemctl) and opening up everything in iptables. Now its just a matter of setting up rules to block inbound access except on the API gateway and SSH.
Thanks!
I have come across this problem before. If disabling the firewall fixes the problem, DO NOT leave the firewall disabled, this is a very big security concern. The proper way to go about it is firstly, reactivate the firewall and then add a network masquerade.
firewall-cmd --zone=public --add-masquerade --permanent
I'm trying to resolve a docker container address from the host. Windows host. Windows container. I've reviewed number of similar questions:
How do I resolve hostnames to Docker containers from the host?
Docker 1.10 access a container by it's hostname from a host machine
Docker - Windows Container Not Resolving Hosts
None of these questions address this specific question. Seems like a trivial operation and I simply don't understand why it doesn't work.
So for example
$ docker network create -d nat --subnet 172.25.0.0/16 test-net
$ docker container run --network test-net --name example-1 test/example1
Where test/example1 is simply an asp.net core web server.
So it seems to me I should be able to resolve the container name from the host based on the various clues I see in the above referenced answers. For example
$ nslookup example-1 172.25.0.1
$ nslookup example-1 127.0.0.11
$ nslookup example-1.test-net.docker 127.0.0.11
However nothing works.
Naturally I don't need this capability for production, but it would be very helpful for testing. I simply don't understand why I can't get this to work. What am I missing?
I am trying to run Ubuntu inside of Docker, but my network has several restrictions:
must use network's DNS, when I set it, I do not get a response, I suspect it is because the return address is the docker IP 172 ...
must use network's Proxy, I can set an env, but it is useless without DNS working
I am trying this:
docker run --dns=10.69.114.61 -it ubuntu
docker run --dns=172.17.0.1 -it ubuntu (docker0 interface IP)
Docker containers will use docker host's dns settings by default.
In order to specify DNS server:
docker run --dns=10.69.114.61 -it debian:jessie /bin/bash
root#299849f13f21:/# cat /etc/resolv.conf
nameserver 10.69.114.61
Needless to say you must supply your network's DNS server IP address to the --dns flag.
docker run --dns=<your DNS server IP> -it debian:jessie /bin/bash
As you pointed out you should specify HTTP_PROXY variable to use your proxy server.
I have started to use docker and liking it mostly because Docker containers are kind of light-weight VMs. But I am unable to figure out, how docker containers may be able resolve each-other's hostnames. They can connect to each other using there IPs, but not using their hostnames, I cannot even edit /etc/hosts in the containers to make up for that somehow. When I restart the containers, they get different IPs and hence I want to use the hostnames in place of IPs to communicate with each other. Let us say, I want to run Zookeeper instances of a Zookeeper cluster in the containers and I want to put the hostnames of the Zookeeper servers in the config (zoo.cfg) files.
As of Docker 1.10, if you create a distinct docker network, Docker will resolve hostnames intra-container-wise using an internal DNS server [1][2][3].
You can change the network hostname by specifying one with --name within the docker run. Otherwise the hostname will refer to the container id (12 char long hash, shown by docker container ls ).
See also:
Docker doesn't resolve hostname
When to use --hostname in docker?
Sources:
[1] = docker docs - Embedded DNS server in user-defined networks
[2] = Docker Engine release notes
- 1.10.0 (2016-02-04) - Networking
[3] = Docker pull requests - Vendoring libnetwork
It may be worth checking out Docker links (https://docs.docker.com/userguide/dockerlinks/). When you link to a running container, a host entry is added for the container you wish to connect to.
In their example they show
$ sudo docker run -t -i --rm --link db:db training/webapp /bin/bash
root#aed84ee21bde:/opt/webapp# cat /etc/hosts
172.17.0.7 aed84ee21bde
. . .
172.17.0.5 db
As you see here, they link the application they're in bash with to the container named db, and subsequently a host entry is added for db with the IP address of that container.
So in the instance of having zookeeper running, you could simply make the containers you start just link to zookeeper. I hope this helps!
Can depend on OS of container, but supposing that container runs Linux
you can check your DNS configuration this way:
cat /etc/resolv.conf
It can return something like:
nameserver 127.0.0.11
options ndots:0
/etc/resolv.conf is standard configuration file for DNS in UNIX-like OS-es.
In this particular case container is configured to use 127.0.0.11 as DNS server.
So container can query it to determine IP address of another container using it's host name.
You can check whether that host actually works by using nslookup command, e.g.:
nslookup redis 127.0.0.11
, which will contact DNS server 127.0.0.11 and ask to resolve host name "redis".
It can return something like:
Server: 127.0.0.11
Address 1: 127.0.0.11
Name: redis
Address 1: 172.21.0.3 counter-app_redis_1.counter-app_counter-net
, which would mean that host name resolved to ip 172.21.0.3.
In this specific case nameserver entry was added by using the following entry in the docker-compose.yml configuration file:
...
networks:
counter-net:
This root entry configured common bridge network shared by several docker containers.