How does Docker's embedded DNS resolver work?
Question
I know Docker has an embedded DNS resolver.
When I run a container in my own bridge network:
$ docker run -it --rm --privileged --network=mybridge xxx bash
root@18243bfe6b50:/# cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
root@18243bfe6b50:/# netstat -anop
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 127.0.0.11:45997 0.0.0.0:* LISTEN - off (0.00/0/0)
udp 0 0 127.0.0.11:49614 0.0.0.0:*
It shows there is a DNS resolver, and iptables helps do the port translation.
root@18243bfe6b50:/# iptables -nvL -t nat
.....
Chain DOCKER_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 127.0.0.11 tcp dpt:53 to:127.0.0.11:45997
0 0 DNAT udp -- * * 0.0.0.0/0 127.0.0.11 udp dpt:53 to:127.0.0.11:49614
Chain DOCKER_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- * * 127.0.0.11 0.0.0.0/0 tcp spt:45997 to::53
0 0 SNAT udp -- * * 127.0.0.11 0.0.0.0/0 udp spt:49614 to::53
But which process is the DNS resolver? I guess it is dockerd? But dockerd is running in the host network namespace, which is obviously different from the container network namespace. Also, I cannot find dockerd listening on a DNS port on the host:
root@test:~# netstat -tnop |grep dockerd
tcp 0 0 10.5.79.50:59540 10.5.79.50:2377 ESTABLISHED 3332/dockerd off (0.00/0/0)
tcp 0 0 127.0.0.1:35792 127.0.0.1:2377 ESTABLISHED 3332/dockerd off (0.00/0/0)
tcp6 0 0 10.5.79.50:2377 10.5.79.70:45934 ESTABLISHED 3332/dockerd off (0.00/0/0)
tcp6 0 0 127.0.0.1:2377 127.0.0.1:35792 ESTABLISHED 3332/dockerd off (0.00/0/0)
tcp6 0 0 10.5.79.50:2377 10.5.79.50:59540 ESTABLISHED 3332/dockerd off (0.00/0/0)
How does one process (dockerd) expose some ports in the host namespace and some ports in another namespace (the container)? I read some code, but still cannot figure it out. Could anyone help answer?
Thanks.
Answer
Maybe you have already found that Docker (aka Moby) internally uses libnetwork
to configure and enable the embedded DNS resolver. Libnetwork binds the resolver to the container's loopback interface, so that DNS queries at 127.0.0.11
can be routed (via iptables) to the "backend DNS resolver" in the Docker Engine. See the libnetwork type and the actual ResolveName() code. The Sandbox for each container allows routing DNS queries through the network namespaces.
Regarding your question how one process can expose ports on the host and inside a container: in this case binding a handler thread to an interface would be a more appropriate expression. The Docker engine creates a container and configures its network namespace, so it can also configure the container's network interfaces and packet routing via iptables. Binding the resolver to the container's internal interface is the reason why you haven't found any process on the host listening on port 53.
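The transcript in the question shows three pieces that have to agree for name resolution inside the container to work: the nameserver in /etc/resolv.conf (127.0.0.11), the resolver's sockets bound on loopback inside the container's namespace, and the DNAT/SNAT pairs in the DOCKER_OUTPUT and DOCKER_POSTROUTING chains that translate port 53 to and from those ephemeral ports. The following script is an added example, not code from the question, the answer, or the Docker/libnetwork project: it parses those three outputs and cross-checks them, which is a useful sanity check when DNS inside a container stops working or when you want to confirm that nothing has rewritten the nat rules to send queries somewhere other than the container's loopback. The sample text it embeds is constructed to mirror the question's transcript; the function names and the rule-column layout it assumes are mine.

```python
# Added example: cross-check resolv.conf, bound sockets and nat rules for
# Docker's embedded DNS. Sample inputs below are constructed to match the
# transcript in the question; replace them with real output from inside a
# container (`cat /etc/resolv.conf`, `netstat -anop`, `iptables -nvL -t nat`).

RESOLV_CONF = """nameserver 127.0.0.11
options ndots:0
"""

NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 127.0.0.11:45997 0.0.0.0:* LISTEN - off (0.00/0/0)
udp 0 0 127.0.0.11:49614 0.0.0.0:*
"""

NAT_TABLE = """Chain DOCKER_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 127.0.0.11 tcp dpt:53 to:127.0.0.11:45997
0 0 DNAT udp -- * * 0.0.0.0/0 127.0.0.11 udp dpt:53 to:127.0.0.11:49614
Chain DOCKER_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- * * 127.0.0.11 0.0.0.0/0 tcp spt:45997 to::53
0 0 SNAT udp -- * * 127.0.0.11 0.0.0.0/0 udp spt:49614 to::53
"""


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Nameserver addresses from an /etc/resolv.conf body."""
    return [ln.split()[1] for ln in resolv_conf.splitlines()
            if ln.startswith("nameserver") and len(ln.split()) > 1]


def parse_listeners(netstat_out: str) -> set[tuple[str, str, int]]:
    """(proto, ip, port) sockets that can receive: LISTEN for tcp, any bound udp."""
    found = set()
    for ln in netstat_out.splitlines():
        f = ln.split()
        if len(f) < 4 or f[0] not in ("tcp", "udp"):
            continue
        if f[0] == "tcp" and "LISTEN" not in f:
            continue
        ip, port = f[3].rsplit(":", 1)  # "Local Address" column
        found.add((f[0], ip, int(port)))
    return found


def parse_nat_rules(nat_out: str) -> dict[str, list[dict]]:
    """DNAT/SNAT rules per chain from `iptables -nvL -t nat` output.

    Assumed column layout (verbose listing):
    pkts bytes target prot opt in out source destination <proto> <dpt|spt:N> to:<ip>:<port>
    """
    chains, current = {}, None
    for ln in nat_out.splitlines():
        f = ln.split()
        if not f:
            continue
        if f[0] == "Chain":
            current = f[1]
            chains[current] = []
            continue
        if current is None or len(f) < 12 or f[2] not in ("DNAT", "SNAT"):
            continue
        to_ip, to_port = f[11][len("to:"):].rsplit(":", 1)  # "to::53" -> ("", "53")
        chains[current].append({
            "target": f[2], "proto": f[3], "src": f[7], "dst": f[8],
            "port": int(f[10].split(":")[1]),
            "to_ip": to_ip, "to_port": int(to_port),
        })
    return chains


def audit_embedded_dns(resolv_conf: str, netstat_out: str, nat_out: str) -> list[str]:
    """Return a list of inconsistencies; an empty list means the plumbing is coherent."""
    findings = []
    listeners = parse_listeners(netstat_out)
    chains = parse_nat_rules(nat_out)
    dnat = {(r["proto"], r["dst"], r["port"]): r
            for r in chains.get("DOCKER_OUTPUT", []) if r["target"] == "DNAT"}
    snat = {(r["proto"], r["src"], r["port"]): r
            for r in chains.get("DOCKER_POSTROUTING", []) if r["target"] == "SNAT"}
    for ns in parse_nameservers(resolv_conf):
        for proto in ("tcp", "udp"):
            rule = dnat.get((proto, ns, 53))
            if rule is None:
                findings.append(f"{proto}: no DNAT rule for {ns}:53 in DOCKER_OUTPUT")
                continue
            # Queries to 127.0.0.11 should stay on the container's loopback.
            if not rule["to_ip"].startswith("127."):
                findings.append(f"{proto}: DNAT sends {ns}:53 off loopback to "
                                f"{rule['to_ip']}:{rule['to_port']}")
            if (proto, rule["to_ip"], rule["to_port"]) not in listeners:
                findings.append(f"{proto}: DNAT target {rule['to_ip']}:{rule['to_port']} "
                                f"has no bound socket")
            back = snat.get((proto, rule["to_ip"], rule["to_port"]))
            if back is None or back["to_port"] != 53:
                findings.append(f"{proto}: no SNAT rule rewriting replies from "
                                f"{rule['to_ip']}:{rule['to_port']} back to port 53")
    return findings


if __name__ == "__main__":
    problems = audit_embedded_dns(RESOLV_CONF, NETSTAT, NAT_TABLE)
    print("\n".join(problems) if problems else "embedded DNS plumbing is consistent")
```

Run it inside a container whose network is a user-defined bridge, after pasting in the real output of the three commands; on the transcript above it reports nothing. If the DNAT target is changed so that queries leave loopback, the audit flags the rewritten rule, the missing socket at the new target, and the missing reverse SNAT in one pass, which is the set of symptoms you would expect to see when the nat table has been altered.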