Docker:容器无法在专用网络上找到域 [英] Docker: container can't find domain on private network
问题描述
我试图找出在不同主机上运行的相同docker容器的问题,其中一个容器可以在专用网络上查找/ping/nslookup域,而另一个不能.一台主机是OSX 10.11,另一台是Ubuntu 16.04.两者都在运行docker 1.12.我正在使用 docker-compose 来启动我的应用程序,并且希望弄清楚正在发生的事情以及如何解决它,或者我可以在不诉诸于硬编码域的情况下进行一些配置更改或使容器在两个主机上的行为都相同的ip地址.
在OSX框中,我的域自动设置了以下dns名称服务器:
osx:$ cat/etc/resolv.conf域redact.lan名称服务器172.16.20.19域名服务器10.43.0.11 我知道大多数OSX工具未使用 resolv.conf ,但是系统偏好设置">网络"显示相同的设置.
我在Ubuntu 16机器上也有类似的设置(来自解决方案
更新后的答案(2017-06-20)
较新版本的Ubuntu(17.04+)不使用dnsmasq(现在使用systemd-resolved).您将在主机解析方面遇到类似的问题,但是此处的原始解决方案不再起作用.实际上,Docker容器甚至无法与systemd-resolvd通信,因为它在容器内部无法访问的位置中运行自己的DNS.
在较新版本的Ubuntu上,一个好的解决方案是将以下配置放在/etc/docker/daemon.json 中(如果不存在则创建此文件):
{"dns":["172.16.20.19","10.43.0.11"],"dns-search":["redacted.lan"]} 这使您可以配置DNS服务器和搜索域.上面的DNS IP来自原始问题,但是您也可以使用自己的自定义IP.您可能要匹配主机上的DNS配置.搜索域是可选的,您可以完全省略该行(请注意逗号!).同样,您可能想匹配您的主机.
本质上,这些daemon.json选项的作用是自动将DNS配置和搜索域注入到容器内的配置文件中,以查找在该守护程序上启动的任何容器.这是必要的,因为由于systemd-resolved的工作方式的限制,您不能使用主机上的systemd-resolved来解析容器内的DNS.该文档是此处./p>
原始答案
问题在于主机正在使用dnsmasq来解析私有IP,而Docker不在主机上使用dnsmasq.
简单的解决方法是关闭主机上的dnsmasq .
- 运行
sudo vi/etc/NetworkManager/NetworkManager.conf - 注释此行:
#dns = dnsmasq - 运行
sudo服务网络管理器重启
现在,您应该能够使用docker容器,它将正确解析您的私有DNS.
I'm trying to figure out a problem with identical docker containers being run on different hosts, where one container can find/ping/nslookup a domain on a private network, and another can't. One host is OSX 10.11, the other is Ubuntu 16.04. Both are running docker 1.12. I'm using docker-compose to bring up my application, and I'm hoping to figure out what is going on and how to fix it, or some configuration changes I could make without resorting to hardcoding domains or ip addresses that would make the container behave the same on both hosts.
On my OSX box, I have the following dns nameservers set automatically by my domain:
osx:$ cat /etc/resolv.conf
domain redacted.lan
nameserver 172.16.20.19
nameserver 10.43.0.11
I'm aware that resolv.conf isn't used by most OSX tools, but System Preferences > Network shows the same settings.
I have similar settings on my Ubuntu 16 box as well (command from https://askubuntu.com/questions/152593/command-line-to-list-dns-servers-used-by-my-system):
ubu:$ cat /etc/resolv.conf
nameserver 127.0.1.1
search redacted.lan
ubu:$ nmcli device show eno1 | grep IP4.DNS
IP4.DNS[1]: 172.16.20.19
IP4.DNS[2]: 10.43.0.11
Then, on both OSX and Ubuntu, I start my container with this:
$ docker run -it redacted_web bash
And then I run these commands to diagnose my problem:
$ apt-get update
$ apt-get install -y dnsutils
$ cat /etc/resolv.conf
$ nslookup redacted.lan
On OSX, the output from the last 2 commands is:
root@d19f49322fda:/app# cat /etc/resolv.conf
search local
nameserver 192.168.65.1
root@d19f49322fda:/app# nslookup redacted.lan
Server: 192.168.65.1
Address: 192.168.65.1#53
Name: redacted.lan
Address: 172.18.0.23
On Ubuntu, the output is:
root@91e82d652e07:/app# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
search redacted.lan
nameserver 8.8.8.8
nameserver 8.8.4.4
root@91e82d652e07:/app# nslookup redacted.lan
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find redacted.lan: NXDOMAIN
Possible differences I can think of:
- On OSX there is a vm running docker, where as on ubuntu it's native
- On Ubuntu, docker is run with
sudo, possibly picking up different configuration settings
Updated Answer (2017-06-20)
Newer versions of Ubuntu (17.04+) don't use dnsmasq (it now uses systemd-resolved). You'll run into a similar problem with host resolution, but the original solution here no longer works. In fact, Docker containers can't even communicate with systemd-resolvd because it's running its own DNS in a location that's unreachable from within a container.
A good solution on newer versions of Ubuntu is to put the following configuration in /etc/docker/daemon.json (create this file if it doesn't exist):
{
"dns": ["172.16.20.19", "10.43.0.11"],
"dns-search": ["redacted.lan"]
}
This allows you to configure the DNS servers and search domains. The DNS IPs above are from the original question, but you can use your own custom ones too. You probably want to match the DNS config on your host machine. Search domain is optional, and you could entirely omit that line (careful with your commas!). Again, you probably want to match your host machine.
Essentially, what these daemon.json options do, is automatically inject the DNS config and search domain into the config files inside the container for any container that is started on that daemon. This is necessary because you cannot use systemd-resolved from the host to resolve DNS within the container due to limitations of the way systemd-resolved works. The docs are here and here.
Original Answer
The problem is that the host is using dnsmasq to resolve the private IP and Docker is not using dnsmasq on the host.
The simple fix is to turn off dnsmasq on the host machine.
- Run
sudo vi /etc/NetworkManager/NetworkManager.conf - Comment out this line:
#dns=dnsmasq - Run
sudo service network-manager restart
Now, you should be able to use the docker container and it will resolve your private DNS correctly.
这篇关于Docker:容器无法在专用网络上找到域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
