18.09 breaks containers name resolution for non default networks on systems with systemd-resolved

[superseed]

Description

Briefly:

After upgrading to 18.09 from 18.06, on a system with systemd-resolved, containers attached to a bridge network that is not the default docker bridge can't resolve some names. Those names are the ones that can only resolved through a nameserver that is not "the first one".

More details from investigating:

Some background first: I've been using non-default bridge networks almost exclusively because of the known bad interaction between systemd-resolved's /etc/resolv.conf and the default docker network. In my case, I have a 192.168.* nameserver accessible through an interface, and another nameserver accessible through a vpn interface, resolving names internal to the vpn. With the default bridge, I would invariably end up with 8.8.8.8 in my container's /etc/resolv.conf which meant no internal name resolution. Using bridges other than the default, however, this was fixed perfectly thanks to docker's amazing internal DNS feature, which delegated to my host's resolver, systemd-resolved on 127.0.0.53 as instructed per my host's /etc/resolv.conf.

Now, as an aside, I see that the bad interaction between systemd-resolved and the default network has been "fixed" in 18.09 by copying systemd-resolved's stub resolv.conf instead of the one in /etc/ with 127.0.0.53 and stripping the local resolver. This is nice but it won't solve my problem (two interfaces with one nameserver each) though, because the stub resolv.conf is incomplete due to limitations of this config format: it ends up containing the first nameserver (192.168.*) and not the vpn interface one. I get half of the cookies, basically. But it's an improvement anyway, and I know it's impossible to fix completely without changing the default network's behavior (using the internal DNS).

To get to the point: I don't know if docker's internal DNS behavior was borked during the process of implementing the aforementioned fix, but I notice that now, name resolution requests emitted by the internal DNS (so, coming from a container on a non-default bridge network) are not addressed to 127.0.0.53 as they should (as per my host's /etc/resolv.conf) but rather to the 192.168.* nameserver, as per the stub resolv.conf which is incomplete. This means name resolution for names accessible only through the second nameserver is broken. In essence: the internal DNS uses the wrong nameserver, it should use the one in /etc/resolv.conf.

Final remark

Could we please have a daemon.json option to activate the same behavior on the default bridge as non-default bridges? I understand that breakage needs to be avoided and hence this behavior can't be had by default, but it would be nice to be able to ask the daemon for it. In my case, it would make building images much smoother :)

Steps to reproduce the issue:

1. Upgrade 18.06 to 18.09 on a systemd-resolved based system with multiple nameservers (on different interfaces?)
2. Start a container on a non-default bridge network
3. Try resolving names accessible only from one or the other nameserver

Describe the results you received:

In my case, it notably breaks pip install because internal pypi on vpn.

Describe the results you expected:

Not having a name resolution error!

Output of docker version:

Client:
 Version:           18.09.0-ce
 API version:       1.39
 Go version:        go1.11.2
 Git commit:        4d60db472b
 Built:             Fri Nov  9 00:05:34 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.09.0-ce
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.2
  Git commit:       4d60db472b
  Built:            Fri Nov  9 00:05:11 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

Containers: 30
 Running: 1
 Paused: 0
 Stopped: 29
Images: 462
Server Version: 18.09.0-ce
Storage Driver: btrfs
 Build Version: Btrfs v4.19 
 Library Version: 102
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9f2e07b1fc1342d1c48fe4d7bbb94cb6d1bf278b.m
runc version: 079817cc26ec5292ac375bb9f47f373d33574949
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.19.2-arch1-1-ARCH
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.43GiB
Name: tomfoolery
ID: 5OC7:CGAE:42HJ:OE2W:Y5HG:GFUR:4QBD:XKF3:5V5S:OXDQ:PEUR:5PP6
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

[olljanat]

@superseed sorry but I was not able to fully understand problem from your description.

Afaik, default behaviour on Linux and Docker is that first reachable nameserver on /etc/resolv.conf will be used for all request and secondary one will be used only if that goes down but it sounds like that you are assuming some other like behaviour?

[superseed]

Sorry, it's a pretty complicated mix of factors that make this problem appear. I'll try to rephrase it a bit more clearly.

Containers attached to networks that are not the default one (i.e. every network created by docker-compose, and every network created with docker network create) use Docker's internal DNS resolver, i.e. those containers have 127.0.0.11 in their /etc/resolv.conf. This internal DNS resolver just (afaict) delegates the actual work to the host's configured resolver, which really means that it queries whatever was in the host's /etc/resolv.conf.

In the case of a Linux box running systemd-resolved, this meant that a DNS query from a container would end up being resolved by systemd-resolved, as the host's /etc/resolv.conf is (in most cases) a symlink to /run/systemd/resolve/stub-resolv.conf which contains 127.0.0.53 (systemd-resolved's listening address).

However, after upgrading to 18.09, I noticed that some (explained later) DNS queries coming from those containers are not resolved anymore, when they did before. This seems to come from the fact that Docker's internal DNS does not query 127.0.0.53 anymore after the update. To be more precise, instead of just reading /etc/resolv.conf and querying the resolver configured there (nameserver 127.0.0.53) which has some amount of intelligence, it seems to read what's in /run/systemd/resolve/resolv.conf, which only lists a subset of the knowledge of systemd-resolved. Hence, information is missing and some DNS queries can not be resolved. In my case, the missing information is the notion of "per-interface DNS servers" (see below).

To cite systemd-resolved's manpage:

/ETC/RESOLV.CONF
       Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are supported:

       ·   systemd-resolved maintains the /run/systemd/resolve/stub-resolv.conf file for compatibility with
           traditional Linux programs. This file may be symlinked from /etc/resolv.conf. This file lists the
           127.0.0.53 DNS stub (see above) as the only DNS server. It also contains a list of search domains that
           are in use by systemd-resolved. The list of search domains is always kept up-to-date. Note that
           /run/systemd/resolve/stub-resolv.conf should not be used directly by applications, but only through a
           symlink from /etc/resolv.conf. This file may be symlinked from /etc/resolv.conf in order to connect all
           local clients that bypass local DNS APIs to systemd-resolved with correct search domains settings. This
           mode of operation is recommended.

       ·   A static file /usr/lib/systemd/resolv.conf is provided that lists the 127.0.0.53 DNS stub (see above)
           as only DNS server. This file may be symlinked from /etc/resolv.conf in order to connect all local
           clients that bypass local DNS APIs to systemd-resolved. This file does not contain any search domains.

       ·   systemd-resolved maintains the /run/systemd/resolve/resolv.conf file for compatibility with traditional
           Linux programs. This file may be symlinked from /etc/resolv.conf and is always kept up-to-date,
           containing information about all known DNS servers. Note the file format's limitations: it does not
           know a concept of per-interface DNS servers and hence only contains system-wide DNS server definitions.
           Note that /run/systemd/resolve/resolv.conf should not be used directly by applications, but only
           through a symlink from /etc/resolv.conf. If this mode of operation is used local clients that bypass
           any local DNS API will also bypass systemd-resolved and will talk directly to the known DNS servers.

       ·   Alternatively, /etc/resolv.conf may be managed by other packages, in which case systemd-resolved will
           read it for DNS configuration data. In this mode of operation systemd-resolved is consumer rather than
           provider of this configuration file.

       Note that the selected mode of operation for this file is detected fully automatically, depending on
       whether /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf or lists 127.0.0.53 as DNS
       server.

There are a few important parts:

• Information is missing from /run/systemd/resolve/resolv.conf: "Note the file format's limitations: it does not know a concept of per-interface DNS servers and hence only contains system-wide DNS server definitions."
• In any case, applications should use /etc/resolve.conf (or glibc's functions or the D-Bus API) and not try to be too smart (= don't try to read systemd-resolved's own /run files).

[mattcarrier]

Just got stung by this

GCE metadata server is configured on a separate interface which means all internal project instances are unresolvable without going through systemd-resolved. I also had to revert back to 18.06 to get the previous behavior that kept the old /etc/resolv.conf file.

@superseed Did you end up finding a method to circumnavigate this so that you weren't stuck on 18.06?

[pirate]

You can try disabling systemd-resolvd entirely, not sure if it'll help in this instance but it's helped me resolve similar issues in the past with seeminly no adverse effects.

systemctl disable systemd-resolved
systemctl stop systemd-resolved
rm /etc/resolv.conf
echo "nameserver 1.1.1.1" > /etc/resolv.conf

# then verify it worked
dig example.com
# output should show the query was answered by 1.1.1.1 instead of 127.0.0.x

# and check to see if it affected DNS resolution behavior inside docker
systemctl restart docker
docker-compose up
docker-compose exec examplecontainer dig example.com

[mattcarrier]

@pirate Thanks for the response.

I think the main problem with circumnavigating systemd-resolved is that you don't get the extra features it provides like the concept of _ per-interface DNS servers_. This per-interface design allows them to get around the fact that the end-user may have primary DNS servers they require (which is the case in my scenario):

An example resolv.conf that shows my situation:

nameserver 1.1.1.1
nameserver 169.254.169.254
search ... google.internal

The problem is that if nameserver 1.1.1.1 fails to find something only in the google metadata server a simplistic resolv.conf resolution fails after the primary nameserver fails to come back with a resolution. systemd-resolved is able to deal with this issue by having per-interface DNS servers.

In my case it is a corporate nameserver I require for company internal resources and then obviously google's internal DNS via the metadata server that is required for inter-project internal resources.

[diogogmt]

Hitting the same problem here.

On GCE the interface ens8 is configured with the metadata nameserver 169.254.169.254, which is being set by systemd-resolved at /run/systemd/resolve/resolv.conf

The stub resolver at /run/systemd/resolve/stub-resolv.conf sets the nameserver to 127.0.0.53. That causes the hosts /etc/resolv.conf to have the nameserver set to 127.0.0.53 since it is using the stub.

If I create a container using the default bridge network, it uses the nameserver from /run/systemd/resolve/resolv.conf, not the stub(127.0.0.53). However, if I create a custom network using the bridge driver, it uses the stub nameserver, which breaks resolving internal records.

My question is; why does the default bridge network use the nameserver set on the interface, and custom bridge networks use the stub 127.0.0.53 nameserver?
Is there an option to make a custom bridge network bypass the stub resolver?