Reverse hostname lookup fails in user-defined networks with embedded DNS server

[dimaspivak]

Output of docker version:

Client:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:37:01 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.2
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   c3959b1
 Built:        Mon Feb 22 21:37:01 2016
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 10
 Running: 8
 Paused: 0
 Stopped: 2
Images: 40
Server Version: 1.10.2
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 60
 Dirperm1 Supported: false
Execution Driver: native-0.2
Logging Driver: json-file
Plugins: 
 Volume: local
 Network: null host bridge
Kernel Version: 3.13.0-24-generic
Operating System: Ubuntu 14.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 29.4 GiB
Name: myhostname.myemployer.com
ID: PO2A:QS2L:UA3R:FCYP:W452:DCSQ:OTGJ:EJSX:XYNI:RUTR:KAHK:NU35
WARNING: No swap limit support

Provide additional environment details (AWS, VirtualBox, physical, etc.):
Have reproduced this on physical systems and AWS.

List the steps to reproduce the issue:

1. Create a user-defined bridge network with docker network create .... For this example, I called mine "blahnetwork."
2. Start a Docker container in daemon mode, attaching it to the network, with /sbin/init. As an example:

docker run docker run -d --net=blahnetwork --net-alias=blah --hostname=blah centos:6.6 /sbin/init

This creates a container reachable within blahnetwork with the alias blah.
3. Use docker inspect to find out the IP address of this daemon container within blahnetwork. I got 192.168.124.6.
4. Test forward name resolution of containers in this network using the host utility:

docker run --net=blahnetwork centos:6.6 host blah
blah has address 192.168.124.6
Host blah not found: 3(NXDOMAIN)
Host blah not found: 3(NXDOMAIN)

1. That worked. Now test reverse resolution:

docker run --net=blahnetwork centos:6.6 host 192.168.124.6
Host 6.124.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

Describe the results you received:
Using just the embedded Docker daemon's DNS in 1.10, forward name resolution works great. Reverse name resolution fails, though.

Describe the results you expected:
I'd expect reverse resolution to work. A simple workaround of specifying each container's DNS server by passing the IP address of a separate daemon container running dnsmasq gives the expected behavior.

[dimaspivak]

Looks like the trouble here comes from the fact that I'm not specifying a --name when running the container and relying on --net-alias instead (so that I can have multiple containers with the same hostname on the same host, as long as they're in different networks). With --name specified, reverse lookup works. So bug seems to be with --net-alias?

[thaJeztah]

Not sure this is a bug, what would you expect the result to be if the container has multiple aliases set, but no name? e.g.

docker run -d --net=foo --net-alias=one --net-alias=two nginx

[dimaspivak]

Yeah, I recognized that possibility. Perhaps a good compromise would see
reverse lookup working if only one alias is set? I imagine my use case of
having multiple duplicate topologies on a host isolated by networks could
be a popular one.

On Thursday, March 3, 2016, Sebastiaan van Stijn notifications@github.com
wrote:

Not sure this is a bug, what would you expect the result to be if the
container has multiple aliases set, but no name? e.g.

docker run -d --net=foo --net-alias=one --net-alias=two nginx

—
Reply to this email directly or view it on GitHub
#20847 (comment).

[thaJeztah]

I think you'd want to have a canonical name for reverse lookup; not sure net-alias would be the best candidate for that, given that a container can join other networks or be disconnected, in which case the alias would no longer be there

[dimaspivak]

What if there were a way to use the hostname if specified? In our case, we
set hostname via -h to have tools using the result of hostname happy and
had tried --net-alias to get the DNS working while leaving container name
unset. Having this lookup off of container name just seems a strange choice
for networks since they can't be duplicated on a machine.

On Thursday, March 3, 2016, Sebastiaan van Stijn notifications@github.com
wrote:

I think you'd want to have a canonical name for reverse lookup; not sure
net-alias would be the best candidate for that, given that a container can
join other networks or be disconnected, in which case the alias would no
longer be there

—
Reply to this email directly or view it on GitHub
#20847 (comment).

[thaJeztah]

We've had discussions about that (using hostname), not sure if there's still plans to change this, but happily defer that question to @mavenugo who may know

[mavenugo]

This isnt related to hostname. It is related to the PTR handling by the embedded DNS for reverse lookup. It is by design that reverse-lookup is done only on the container name and not alias or links.
Especially because a container can have multiple aliases (via name, --net-alias and --link). And though DNS supports multiple PTR record, it is generally advised not to respond with multiple PTR records.

@sanimej is currently working on moby/libnetwork#974 to reply multiple A-records. But we have no plans for multiple reverse lookup records. I will let @sanimej decide on the best course forward.

[dimaspivak]

Any chance you can point me to where the PTR handling is done to return the
container name? I imagine since this is in the daemon's DNS, it might be
hard to change short of me running my own fork?

On Thursday, March 3, 2016, Madhu Venugopal notifications@github.com
wrote:

This isnt related to hostname. It is related to the PTR handling by the
embedded DNS for reverse lookup. It is by design that reverse-lookup is
done only on the container name and not alias or links.
Especially because a container can have multiple aliases (via name,
--net-alias and --link). And though DNS supports multiple PTR record, it is
generally advised not to respond with multiple PTR records.

@sanimej https://github.com/sanimej is currently working on
moby/libnetwork#974 moby/libnetwork#974 to
reply multiple A-records. But we have no plans for multiple reverse lookup
records. I will let @sanimej https://github.com/sanimej decide on the
best course forward.

—
Reply to this email directly or view it on GitHub
#20847 (comment).

[mavenugo]

@dimaspivak https://github.com/docker/libnetwork/blob/master/resolver.go#L173

[sanimej]

@dimaspivak
Looks like the trouble here comes from the fact that I'm not specifying a --name when running the container and relying on --net-alias instead

Your observation is correct. To give you the context, docker's service discovery has always been based on container name passed via --name. That is the reason why reverse mapping of IP points to --name.

The --net-alias option is relatively new, introduced in 1.10. If you have both --name and --net-alias you can see the reverse mapping of the IP points to the container name and not the alias. Since its a valid use case to pass --net-alias without --name it is indeed useful to have some reverse mapping available, may be to the one of the container's aliases if --name is not available. We can make this change after confirming that it won't cause any other issues.

Just curious, are you using the reverse mapping just for debugging or have some other use for it ?

[thaJeztah]

@sanimej what would be the behavior if multiple --net-alias is provided, and what if I docker network disconnect ..? (per my earlier comment #20847 (comment))

[dimaspivak]

Hi Santhosh,

I actually run Hadoop services in Docker in production, and they require
reverse name lookup to function properly. Was hoping this cool embedded DNS
would let me stop having to run my own dnsmasq :).

I definitely see why --net-alias doesn't get returned (since aliases are so
fluid on a network and multiple can be specified), but I still think
returning hostname if it's specified and name isn't at runtime would be a
pretty clean solution here.

On Friday, March 4, 2016, Sebastiaan van Stijn notifications@github.com
wrote:

@sanimej https://github.com/sanimej what would be the behavior if
multiple --net-alias is provided, and what if I docker network disconnect
..? (per my earlier comment #20847 (comment)
#20847 (comment))

—
Reply to this email directly or view it on GitHub
#20847 (comment).