
unexpected behavior when a container is attached to more than one network

Open abalage opened this issue 4 years ago • 4 comments

Hi,

I experienced the following situation. There are at least two CNI networks specified (CNI 1, CNI 2). Each has dnsname enabled. These networks are not overlapping.

If you join a container to both of these networks then:

  1. The container will have interfaces and IPs from both networks as expected.
  2. The container's resolv.conf will contain both networks' name servers, like this:
nameserver 1.2.3.4
nameserver 5.6.7.8

Where 1.2.3.4 is authoritative to the domain of CNI 1, while 5.6.7.8 is authoritative to domain of CNI 2.

The problem with this approach is that host names on network 5.6.7.8 will never be resolved by the container, as the first DNS server will always respond with NXDOMAIN: it is only authoritative for its own domain and does not forward requests to 5.6.7.8 (it is not even supposed to). The resolver will only fall back to 5.6.7.8 when 1.2.3.4 does not respond at all.

See an explanation example here: https://unix.stackexchange.com/questions/150703/can-subsequent-nameservers-defined-in-etc-resolv-conf-be-used-if-the-previous-n

I am not sure whether this effect is intended, though I thought it may be a good idea to report it.

abalage avatar Feb 04 '20 21:02 abalage

Seeing this after opening #21 I'm wondering if it would not be a better design to have one config file per cni network and one dnsmasq process per container. Such a container specific dnsmasq would just include the config files of the networks it is bound to, solving this problem. Additionally the life cycle of the dnsmasq process and container would match, which would also solve #21.

AlbanBedel avatar May 19 '20 11:05 AlbanBedel

Confirmed again 20/12/2021.

docker network create sqlnet
docker network create nginxnet
docker run --name web --network sqlnet webimage
docker run --name sql --network sqlnet sqlimage
docker network connect nginxnet web
docker run --name nginx --network nginxnet nginx

in sqlnet:

container web got IP address 10.89.0.2
container sql got IP address 10.89.0.3

in nginxnet:

container web got IP address 10.89.1.2

  1. After connecting container web to nginxnet and doing docker restart web, the web container won't be able to resolve "sql" to an IP; got

unknown name or service Error

  2. Tried to modify domainName, doesn't work
>docker network inspect sqlnet
{
                "capabilities": {
                    "aliases": true
                },
                "domainName": "sql.net",
                "type": "dnsname"
            }
>docker network inspect nginx.net
{
                "capabilities": {
                    "aliases": true
                },
                "domainName": "nginx.net",
                "type": "dnsname"
            }


Arryboom avatar Dec 20 '21 07:12 Arryboom

Hi, it is possible to forward queries to another network's dnsmasq using the server= option in dnsmasq.conf.

At least my POC seems to work: https://github.com/panumjp/dnsname/commit/885f47e7f96ed49e45683ea585453d73b639e1cf

panumjp avatar Jan 22 '22 19:01 panumjp

That won't work, as it will allow all containers to see all other containers via DNS - even those in networks they are not present in.

We have abandoned dnsname due to this issue and are working on a new, custom server implementation that will resolve this, to be released with Podman 4.0.

mheon avatar Jan 24 '22 14:01 mheon
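As an added example (not code from the dnsname project, Podman, or any of the participants above), the following Python model ties the three technical points of this thread together: the resolver behaviour the first post describes (one authoritative dnsmasq per network, a glibc-style stub that stops at the first answer, NXDOMAIN included), the server= forwarding from the POC above, and the per-container dnsmasq proposed earlier in the thread. Network names, domains and the 10.89.x addresses follow the reproduction above; the nginx container's address 10.89.1.3 is constructed (the thread gives none), fully qualified names are used and search-list expansion is left out, and the forwarding is modelled as a domain-to-server map standing in for a dnsmasq server=/<domain>/<ip> line rather than as real dnsmasq configuration.

```python
"""Model of the multi-network resolver problem discussed in this thread.

Added example, not dnsname project code. One dnsmasq per CNI network is
authoritative for that network's domain only. The stub resolver tries
nameservers in order and stops at the first answer; NXDOMAIN is an
answer, so only a timeout moves it to the next server. Names, domains
and addresses are constructed to mirror the reproduction in the thread.
"""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
TIMEOUT = "TIMEOUT"


def split(fqdn):
    """'sql.sql.net' -> ('sql', 'sql.net'); the domain part selects the zone."""
    host, _, domain = fqdn.partition(".")
    return host, domain


@dataclass
class NetworkDnsmasq:
    """The per-network dnsmasq that dnsname runs: one domain, its hosts, nothing else."""
    domain: str
    hosts: dict                                   # short name -> IP on this network
    forwards: dict = field(default_factory=dict)  # stands in for 'server=/<domain>/<ip>'
    up: bool = True

    def query(self, fqdn):
        if not self.up:
            return TIMEOUT            # unreachable server: the stub resolver moves on
        host, domain = split(fqdn)
        if domain == self.domain:
            return self.hosts.get(host, NXDOMAIN)
        if domain in self.forwards:   # forwarding POC: hand foreign domains to the other dnsmasq
            return self.forwards[domain].query(fqdn)
        return NXDOMAIN               # foreign domain, no forwarder: authoritative "no such name"


@dataclass
class ContainerDnsmasq:
    """Per-container dnsmasq proposal: serves only the zones of the attached networks."""
    zones: list                       # NetworkDnsmasq instances of the attached networks

    def query(self, fqdn):
        host, domain = split(fqdn)
        for zone in self.zones:
            if zone.domain == domain:
                return zone.hosts.get(host, NXDOMAIN)
        return NXDOMAIN


def resolve(nameservers, fqdn):
    """glibc stub behaviour: the first server that answers decides, NXDOMAIN included."""
    for ns in nameservers:
        answer = ns.query(fqdn)
        if answer != TIMEOUT:
            return answer
    return TIMEOUT


def build_networks():
    # Addresses from the reproduction above; 10.89.1.3 for nginx is constructed.
    sqlnet = NetworkDnsmasq("sql.net", {"web": "10.89.0.2", "sql": "10.89.0.3"})
    nginxnet = NetworkDnsmasq("nginx.net", {"web": "10.89.1.2", "nginx": "10.89.1.3"})
    return sqlnet, nginxnet


def as_reported():
    """web is in both networks; its resolv.conf lists nginxnet's server first."""
    sqlnet, nginxnet = build_networks()
    web_resolv = [nginxnet, sqlnet]
    results = {
        "sql.sql.net": resolve(web_resolv, "sql.sql.net"),          # NXDOMAIN, sqlnet never asked
        "nginx.nginx.net": resolve(web_resolv, "nginx.nginx.net"),  # 10.89.1.3
    }
    nginxnet.up = False                                             # only a dead first server helps
    results["sql.sql.net, nginxnet down"] = resolve(web_resolv, "sql.sql.net")  # 10.89.0.3
    return results


def with_forwarding():
    """server= style forwarding between the two dnsmasq instances."""
    sqlnet, nginxnet = build_networks()
    sqlnet.forwards["nginx.net"] = nginxnet
    nginxnet.forwards["sql.net"] = sqlnet
    web_resolv = [nginxnet, sqlnet]
    nginx_resolv = [nginxnet]         # the nginx container is only in nginxnet
    return {
        "web -> sql.sql.net": resolve(web_resolv, "sql.sql.net"),      # 10.89.0.3, fixed
        "nginx -> sql.sql.net": resolve(nginx_resolv, "sql.sql.net"),  # 10.89.0.3 too: the leak
    }


def per_container():
    """One resolver per container that includes only its own networks' zones."""
    sqlnet, nginxnet = build_networks()
    web_resolv = [ContainerDnsmasq([sqlnet, nginxnet])]
    nginx_resolv = [ContainerDnsmasq([nginxnet])]
    return {
        "web -> sql.sql.net": resolve(web_resolv, "sql.sql.net"),          # 10.89.0.3
        "web -> nginx.nginx.net": resolve(web_resolv, "nginx.nginx.net"),  # 10.89.1.3
        "nginx -> sql.sql.net": resolve(nginx_resolv, "sql.sql.net"),      # NXDOMAIN, no leak
    }


if __name__ == "__main__":
    for fn in (as_reported, with_forwarding, per_container):
        print(fn.__name__, fn())
```

Running it prints the three result dictionaries: in the reported setup web gets NXDOMAIN for sql.sql.net unless nginxnet's dnsmasq is down; with forwarding the lookup works, but a container that is only in nginxnet can now resolve sql.sql.net as well, which is the visibility problem raised against that approach; with a per-container resolver web resolves both domains and the nginx container still gets NXDOMAIN for sqlnet's names.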