DoH issues when running inside Docker, works fine from a native build (Ubuntu 20.04 LTS)

[TerryOtt]

Get the following when I run Flamethrower from inside Docker on Ubuntu 20.04 LTS:

$ docker run -it --network=host ns1labs/flame -c 1 -d 250 -q 1 -l 3 -r www.example.com -T AAAA -P doh -M POST 1.1.1.1/dns-query
binding to 0.0.0.0
flaming target(s) [1.1.1.1] on port 443 with 1 concurrent generators, each sending 1 queries every 250ms on protocol doh
query generator [static] contains 1 record(s)
0.998839s: send: 1, avg send: 1, recv: 1, avg recv: 1, min/avg/max resp: 0/0/0ms, in flight: 1, timeouts: 0
1.9991s: send: 0, avg send: 1, recv: 0, avg recv: 1, min/avg/max resp: 0/-nan/0ms, in flight: 1, timeouts: 0
2.99925s: send: 0, avg send: 1, recv: 0, avg recv: 1, min/avg/max resp: 0/-nan/0ms, in flight: 1, timeouts: 0
stopping, waiting up to 3s for in flight to finish...

------
run id      : 7fff46e52030
run start   : 2022-05-25T19:28:55Z
runtime     : 5.99976 s
total sent  : 1
total rcvd  : 1
min resp    : 0 ms
avg resp    : -nan ms
max resp    : 0 ms
avg r qps   : 1
avg s qps   : 1
avg pkt     : 44 bytes
tcp conn.   : 1
timeouts    : 1 (100%)
bad recv    : 0
net errors  : 0

$ 

When I build a brand new Ubuntu 20.04 LTS VM and install with:

$ sudo apt-get -y install g++ cmake libuv1-dev libldns-dev libgnutls28-dev libnghttp2-dev
$ git clone https://github.com/DNS-OARC/flamethrower.git
$ cd flamethrower
$ git checkout v0.11.0
$ mkdir build
$ cd build
$ cmake -DDOH_ENABLE=ON -DCMAKE_BUILD_TYPE=RelWithDebInfo ..
$ make

Suddenly, the same command works:

$ ./flame -c 1 -d 250 -q 1 -l 3 -r www.example.com -T AAAA -P doh -M POST 1.1.1.1/dns-query
binding to 0.0.0.0
flaming target(s) [1.1.1.1] on port 443 with 1 concurrent generators, each sending 1 queries every 250ms on protocol doh
query generator [static] contains 1 record(s)
0.989642s: send: 4, avg send: 4, recv: 4, avg recv: 4, min/avg/max resp: 3.42364/5.12165/9.67314ms, in flight: 1, timeouts: 0
1.99028s: send: 4, avg send: 4, recv: 4, avg recv: 4, min/avg/max resp: 2.46321/3.11916/3.69559ms, in flight: 1, timeouts: 0
2.99026s: send: 4, avg send: 4, recv: 4, avg recv: 4, min/avg/max resp: 6.76499/14.2015/29.0805ms, in flight: 1, timeouts: 0

------
run id      : 7ffd0b5ec660
run start   : 2022-05-25T19:04:52Z
runtime     : 2.99232 s
total sent  : 12
total rcvd  : 12
min resp    : 2.46321 ms
avg resp    : 7.48076 ms
max resp    : 29.0805 ms
avg r qps   : 4
avg s qps   : 4
avg pkt     : 44 bytes
tcp conn.   : 12
timeouts    : 0 (0%)
bad recv    : 0
net errors  : 0
responses   :
  NOERROR: 12

$

[weyrick]

Hi @TerryOtt can you please try again with docker tag 0.12.0-master?

[zephyia]

I am seeing the same issue, however if I use the tag suggested in the comment above it still doesnt work - did you ever identify the source of this issue?

[yagikota]

@zephyia cc.@weyrick

I'm in the same situation. Have you solved this issue since then? If so, , I'd like to know the solution.

[zephyia]

Nope, no fix I am aware of.On 1 Oct 2023, at 06:49, Kota @.***> wrote: ↑ @TerryOtt

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: @.***>

[yagikota]

I gave up to use docker... I manually installed dependancies and built, then worked on Ubuntu.

[yagikota]

I don't know why but after removing -DCMAKE_BUILD_TYPE=RelWithDebInfo from Dockerfile, I could build and send query using DoH.

FROM debian:bullseye-slim AS build

ENV BUILD_DEPS "g++ cmake make libldns-dev libnghttp2-dev libuv1-dev libgnutls28-dev pkgconf"
ENV DEBIAN_FRONTEND=noninteractive

RUN \
    apt-get update && \
    apt-get install --yes --no-install-recommends ${BUILD_DEPS}

COPY . /src

RUN \
    mkdir /tmp/build && \
    cd /tmp/build && \
-     cmake -DDOH_ENABLE=ON -DCMAKE_BUILD_TYPE=RelWithDebInfo /src && \
+     cmake -DDOH_ENABLE=ON  /src && \
    make all

FROM debian:bullseye-slim AS runtime

ENV RUNTIME_DEPS "libldns3 libuv1 nghttp2"

RUN \
    apt-get update && \
    apt-get install --yes --no-install-recommends ${RUNTIME_DEPS} && \
    rm -rf /var/lib/apt

COPY --from=build /tmp/build/flame /usr/local/bin/flame

ENTRYPOINT [ "/usr/local/bin/flame" ]

execute this command on M1 Mac.

docker run -it --network=host ns1labs/flame -c 1 -d 250 -q 1 -l 3 -r www.example.com -T AAAA -P doh -M POST 1.1.1.1/dns-query
binding traffic generators to 0.0.0.0
flaming target(s) [1.1.1.1] on port 443 with 1 concurrent generators, each sending 1 queries every 250ms on protocol doh
query generator [static] contains 1 record(s)
0.996346s: send: 3, avg send: 3, recv: 3, avg recv: 3, min/avg/max resp: 18.197/73.0057/177.524ms, in flight: 1, timeouts: 0
1.99703s: send: 2, avg send: 2, recv: 1, avg recv: 2, min/avg/max resp: 28.3297/28.3297/28.3297ms, in flight: 1, timeouts: 0
2.9964s: send: 0, avg send: 2, recv: 0, avg recv: 2, min/avg/max resp: 0/nan/0ms, in flight: 1, timeouts: 0
stopping, waiting up to 3s for in flight to finish...

------
run id      : ffffdd553ae8
run start   : 2023-10-03T11:39:17Z
runtime     : 5.9967 s
total sent  : 5
total rcvd  : 4
min resp    : 18.197 ms
avg resp    : nan ms
max resp    : 177.524 ms
avg r qps   : 2
avg s qps   : 2
avg pkt     : 44 bytes
tcp conn.   : 5
timeouts    : 1 (20%)
bad recv    : 0
net errors  : 0
responses   :
  NOERROR: 4

Reference

• https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html
• https://stackoverflow.com/questions/48754619/what-are-cmake-build-type-debug-release-relwithdebinfo-and-minsizerel

[yagikota]

I tried the following build pattern

1. CMAKE_BUILD_TYPE=Release
2. CMAKE_BUILD_TYPE=Debug
3. CMAKE_BUILD_TYPE=RelWithDebInfo
4. CMAKE_BUILD_TYPE=MinSizeRel

but when I used CMAKE_BUILD_TYPE=Debug or no build pattern like the above post, I could only build.

According to this, the meaning of these build types are like this:

1. Release: high optimization level, no debug info, code or asserts.
2. Debug: No optimization, asserts enabled, [custom debug (output) code enabled], debug info included in executable (so you can step through the code with a debugger and have address to source-file:line-number translation).
3. RelWithDebInfo: optimized, with debug info, but no debug (output) code or asserts.
4. MinSizeRel: same as Release but optimizing for size rather than speed.

So optimization maybe the reason why we can't send DoH query using Docker.

[yagikota]

@weyrick If you like, I'll make a PR about this issue.

[weyrick]

Thanks @yagikota. We wouldn't want the default build to be Debug though - it will greatly slow down traffic generation. I wonder if moving to bookworm-slim instead of bullseye-slim base image would help?

[yagikota]

OK! I'll try it and share the result.

Do you have any reason to use bookworm-slim?

[weyrick]

No, just that if optimization is making it fail (which is never supposed to happen) then perhaps mutating the versions of the compiler and/or dependencies will fix the mystery.

[yagikota]

I'll deal with this problem this weekend.