https://bugzilla.redhat.com/show_bug.cgi?id=1128208
--- Comment #11 from Bill C. Riemers <briem...@redhat.com> ---
Alright, workaround in place. I just needed to add accept rules to iptables for port 53, e.g.

  # iptables -I INPUT -p udp --dport 53 -j ACCEPT
  # iptables -I INPUT -p tcp --dport 53 -j ACCEPT

Now that I understand the bug, let me give fresh reproduce instructions.

Preparation:

  # echo "nameserver 127.0.0.1" > /etc/resolv.conf.loopback
  # chattr +i /etc/resolv.conf.loopback
  # echo "nameserver 208.67.222.222" > /etc/resolv.conf.opendns
  # echo "nameserver 208.67.220.220" >> /etc/resolv.conf.opendns
  # chattr +i /etc/resolv.conf.opendns
  # (cat /etc/resolv.conf.loopback /etc/resolv.conf.opendns) > /etc/resolv.conf.mixed
  # chattr +i /etc/resolv.conf.mixed

Tests:

1. Opendns:

  # mount --bind /etc/resolv.conf.opendns /etc/resolv.conf
  # service docker restart
  # docker run fedora grep nameserver /etc/resolv.conf
  # umount /etc/resolv.conf

  Result:
    nameserver 208.67.222.222
    nameserver 208.67.220.220
  Expected:
    nameserver 208.67.222.222
    nameserver 208.67.220.220
  Desired:
    nameserver 208.67.222.222
    nameserver 208.67.220.220

2. Localhost:

  # mount --bind /etc/resolv.conf.localhost /etc/resolv.conf
  # service docker restart
  # docker run fedora grep nameserver /etc/resolv.conf
  # umount /etc/resolv.conf

  Result:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Expected:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Desired:
    nameserver 172.17.42.1
    nameserver 8.8.8.8
    nameserver 8.8.4.4

3. Mixed:

  # mount --bind /etc/resolv.conf.mixed /etc/resolv.conf
  # service docker restart
  # docker run fedora grep nameserver /etc/resolv.conf
  # umount /etc/resolv.conf

  Result:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Expected:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Desired:
    nameserver 172.17.42.1
    nameserver 208.67.222.222
    nameserver 208.67.220.220

4. Localhost then opendns:

  # mount --bind /etc/resolv.conf.localhost /etc/resolv.conf
  # service docker restart
  # umount /etc/resolv.conf
  # mount --bind /etc/resolv.conf.opendns /etc/resolv.conf
  # docker run fedora grep nameserver /etc/resolv.conf
  # umount /etc/resolv.conf

  Result:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Expected:
    nameserver 208.67.222.222
    nameserver 208.67.220.220
  Desired:
    nameserver 208.67.222.222
    nameserver 208.67.220.220

5. Localhost then mixed:

  # mount --bind /etc/resolv.conf.localhost /etc/resolv.conf
  # service docker restart
  # umount /etc/resolv.conf
  # mount --bind /etc/resolv.conf.mixed /etc/resolv.conf
  # docker run fedora grep nameserver /etc/resolv.conf
  # umount /etc/resolv.conf

  Result:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Expected:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Desired:
    nameserver 172.17.42.1
    nameserver 208.67.222.222
    nameserver 208.67.220.220

6. Opendns then localhost:

  # mount --bind /etc/resolv.conf.opendns /etc/resolv.conf
  # service docker restart
  # umount /etc/resolv.conf
  # mount --bind /etc/resolv.conf.localhost /etc/resolv.conf
  # docker run fedora grep nameserver /etc/resolv.conf
  # umount /etc/resolv.conf

  Result:
    nameserver 127.0.0.1
  Expected:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Desired:
    nameserver 172.17.42.1
    nameserver 8.8.8.8
    nameserver 8.8.4.4

7. Opendns then mixed:

  # mount --bind /etc/resolv.conf.opendns /etc/resolv.conf
  # service docker restart
  # umount /etc/resolv.conf
  # mount --bind /etc/resolv.conf.mixed /etc/resolv.conf
  # docker run fedora grep nameserver /etc/resolv.conf
  # umount /etc/resolv.conf

  Result:
    nameserver 127.0.0.1
    nameserver 208.67.222.222
    nameserver 208.67.220.220
  Expected:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  Desired:
    nameserver 172.17.42.1
    nameserver 208.67.222.222
    nameserver 208.67.220.220

In a nutshell, the current rules fail to work in that they depend on what is in /etc/resolv.conf at the time the docker daemon is started, not at the time the file is referenced. That is why the tests fail to produce the expected results. In many cases, the expected results are not the desired results. The desired result is that docker containers just work. In practice that simply won't happen by substituting public DNS for the whole content of the resolv.conf file. Something that might work is if 127.0.0.1 is substituted with 172.17.42.1, and possibly appending public DNS values if that is the only entry. The only reason to append the public DNS values is that the user needs to configure their local DNS server to accept requests from the docker. (Although presumably this could be done with a set of firewall rules automatically.) While the public DNS behavior is broken, it is sufficient for some dockers to work. So in a worst case scenario it is reasonable to append those values.
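The substitution policy proposed in the last paragraph, written out as an added example (not Docker's own code and not from the comment); the bridge address 172.17.42.1 and the fallback list 8.8.8.8/8.8.4.4 are taken from the test output above, and the rule that the fallbacks are appended only when loopback was the sole entry is the comment's suggestion, treated here as an assumption:

```go
package main

import "strings"

// Fallback resolvers Docker substitutes today on seeing a loopback nameserver
// (the values in the "Result" blocks of the comment above).
var publicDNS = []string{"8.8.8.8", "8.8.4.4"}

// RewriteResolvConf applies the policy proposed in the comment: each loopback
// nameserver becomes bridgeIP (the host side of docker0, 172.17.42.1 in the
// tests above), and publicDNS is appended only when loopback was the sole
// resolver. Other directives (search, options) are kept, emitted before the
// nameserver lines. Callers must pass the file as read at container start;
// caching it at daemon start is exactly the bug the tests expose.
func RewriteResolvConf(content, bridgeIP string) string {
	var out, servers []string
	sawReachable := false
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || f[0] != "nameserver" {
			if strings.TrimSpace(line) != "" {
				out = append(out, line) // non-nameserver directive: keep verbatim
			}
			continue
		}
		addr := f[1]
		// 127.0.0.0/8 and ::1 are the host's loopback; a container cannot reach them.
		if strings.HasPrefix(addr, "127.") || addr == "::1" {
			addr = bridgeIP
		} else {
			sawReachable = true
		}
		servers = append(servers, addr)
	}
	if len(servers) > 0 && !sawReachable {
		servers = append(servers, publicDNS...) // loopback was the only entry
	}
	seen := map[string]bool{}
	for _, s := range servers {
		if !seen[s] { // two loopback entries would otherwise yield two bridge lines
			seen[s] = true
			out = append(out, "nameserver "+s)
		}
	}
	return strings.Join(out, "\n") + "\n"
}

// Sample run on the constructed "localhost" file from the tests above.
func main() { println(RewriteResolvConf("nameserver 127.0.0.1\n", "172.17.42.1")) }
```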