How does the Docker embedded DNS resolver work?


Problem description

I know Docker has an embedded DNS resolver.
When I run a container in my own bridge:

$ docker run -it --rm --privileged --network=mybridge xxx bash

root@18243bfe6b50:/# cat /etc/resolv.conf  
nameserver 127.0.0.11  
options ndots:0  

root@18243bfe6b50:/# netstat -anop  
Active Internet connections (servers and established)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name Timer  
tcp        0      0 127.0.0.11:45997        0.0.0.0:*               LISTEN      -                off (0.00/0/0)  
udp        0      0 127.0.0.11:49614        0.0.0.0:*        

It shows there is a DNS resolver, and iptables helps do a port transfer.

root@18243bfe6b50:/# iptables -nvL -t nat  
.....  
Chain DOCKER_OUTPUT (1 references)  
 pkts bytes target     prot opt in     out     source               destination  
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.11           tcp dpt:53 to:127.0.0.11:45997  
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            127.0.0.11           udp dpt:53 to:127.0.0.11:49614  

Chain DOCKER_POSTROUTING (1 references)  
 pkts bytes target     prot opt in     out     source               destination  
    0     0 SNAT       tcp  --  *      *       127.0.0.11           0.0.0.0/0            tcp spt:45997 to::53  
    0     0 SNAT       udp  --  *      *       127.0.0.11           0.0.0.0/0            udp spt:49614 to::53  

But which process is the DNS resolver? I guess it is dockerd? But dockerd is running in the host network namespace, which is obviously different from the container network namespace; also, I cannot find dockerd listening on a DNS port in the host:

root@test:~# netstat -tnop |grep dockerd  
tcp        0      0 10.5.79.50:59540        10.5.79.50:2377         ESTABLISHED 3332/dockerd     off (0.00/0/0)  
tcp        0      0 127.0.0.1:35792         127.0.0.1:2377          ESTABLISHED 3332/dockerd     off (0.00/0/0)  
tcp6       0      0 10.5.79.50:2377         10.5.79.70:45934        ESTABLISHED 3332/dockerd     off (0.00/0/0)  
tcp6       0      0 127.0.0.1:2377          127.0.0.1:35792         ESTABLISHED 3332/dockerd     off (0.00/0/0)  
tcp6       0      0 10.5.79.50:2377         10.5.79.50:59540        ESTABLISHED 3332/dockerd     off (0.00/0/0)  

How does one process (dockerd) expose some ports in the host namespace and some ports in another namespace (the container)? I read some code, but still cannot figure it out; could anyone help answer?

Thanks.

Recommended answer

Maybe you have already found that Docker (aka Moby) internally uses libnetwork to configure and enable the embedded DNS resolver. Libnetwork binds the resolver to the container's loopback interface, so that DNS queries at 127.0.0.11 can be routed (via iptables) to the "backend DNS resolver" in the Docker Engine. See the libnetwork type and the actual ResolveName() code. The Sandbox for each container allows routing DNS queries through the network namespaces.

Regarding your question how one process can expose ports on the host and inside a container: in this case binding a handler thread to an interface would be a more appropriate expression. The Docker engine creates a container and configures its network namespace, so it can also configure the container's network interfaces and packet routing via iptables. Binding the resolver to the container's internal interface is the reason why you haven't found any process on the host listening on port 53.
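As an added illustration (not code from the question, the answer or libnetwork itself): the mechanism that lets one daemon hold sockets in several network namespaces is setns(2), which moves only the calling thread. This hypothetical C program opens a container's namespace through /proc/<pid>/ns/net, switches the thread into it, binds a UDP socket on 127.0.0.11 with a kernel-chosen ephemeral port (like the 49614 in the netstat output above), and switches back; the socket stays in the container's namespace while the thread is back on the host. It assumes Linux, glibc and root on the host, and the PID is the container's init as seen from the host.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
/* Handle to the network namespace of process pid, e.g. the container's PID 1 as seen from the host. */
int open_netns(pid_t pid) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/net", (int)pid);
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Move only the calling thread into the namespace behind ns_fd (needs CAP_SYS_ADMIN). */
int enter_netns(int ns_fd) {
    return setns(ns_fd, CLONE_NEWNET);
}

/* Bind a UDP socket to ip:0 in the thread's *current* netns; the kernel picks the
 * ephemeral port (like 49614 in the question) and we report it. Returns fd or -1. */
int bind_udp_ephemeral(const char *ip, uint16_t *port_out) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 };
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -1;
    int fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <container-pid>\n", argv[0]); return 2; }
    int host_ns = open_netns(getpid());          /* remember where we came from */
    int ctr_ns = open_netns((pid_t)atoi(argv[1]));
    if (host_ns < 0 || ctr_ns < 0 || enter_netns(ctr_ns) < 0) { perror("netns"); return 1; }
    uint16_t port = 0;
    int fd = bind_udp_ephemeral("127.0.0.11", &port); /* socket is created in the container netns */
    if (enter_netns(host_ns) < 0) { perror("setns back"); return 1; } /* thread returns to the host */
    if (fd < 0) { perror("bind"); return 1; }
    printf("UDP socket bound to 127.0.0.11:%u inside the container's namespace\n", port);
    pause(); /* keep the socket open so `nsenter -t <pid> -n ss -lunp` can list it from the host */
    return 0;
}
```

While it is paused, `nsenter -t <container-pid> -n ss -lunp` run on the host shows the socket inside the container's namespace owned by a host-namespace process, which is exactly what the question observed for dockerd; a DNAT rule like the `udp dpt:53 to:127.0.0.11:<port>` one in the DOCKER_OUTPUT chain is what makes port 53 reach it.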

