DNS resolution failure in compose stack with docker engine 19.03.9

[DevInsanity]

Description

Updating to docker-ce 19.03.9 breaks DNS resolution inside compose managed stack.

Steps to reproduce the issue:

Test docker-compose.yml file:

version: "3.7"
services:

  centos:
    image: "centos:7"
    init: true
    tty: true
    networks:
      test:

networks:
  test:

Start with docker-compose up -d
Run docker-compose exec centos ping -c 4 bbc.co.uk

Describe the results you received:

ping: bbc.co.uk: Name or service not known

Describe the results you expected:

PING bbc.co.uk (151.101.192.81) 56(84) bytes of data.
64 bytes from 151.101.192.81 (151.101.192.81): icmp_seq=1 ttl=58 time=10.8 ms
64 bytes from 151.101.192.81 (151.101.192.81): icmp_seq=2 ttl=58 time=29.7 ms
64 bytes from 151.101.192.81 (151.101.192.81): icmp_seq=3 ttl=58 time=12.2 ms
64 bytes from 151.101.192.81 (151.101.192.81): icmp_seq=4 ttl=58 time=11.0 ms

--- bbc.co.uk ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 6045ms
rtt min/avg/max/mdev = 10.887/15.981/29.704/7.941 ms

(The above output was obtained after rolling back docker engine to 19.03.8. No other packages were modified).

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.9
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        9d988398e7
 Built:             Fri May 15 00:25:18 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.9
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       9d988398e7
  Built:            Fri May 15 00:23:50 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 13
  Running: 9
  Paused: 0
  Stopped: 4
 Images: 149
 Server Version: 19.03.9
 Storage Driver: aufs
  Root Dir: /var/lib/docker/aufs
  Backing Filesystem: extfs
  Dirs: 173
  Dirperm1 Supported: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-101-generic
 Operating System: Ubuntu 18.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.667GiB
 Name: diablos
 ID: VTPB:4JKM:NQFD:5PGF:J5LJ:CLSR:ZWBL:M4MN:BLJL:3APJ:XGAZ:FMYA
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support
WARNING: the aufs storage-driver is deprecated, and will be removed in a future release.

Output of docker version in working state (ie, rolled back):

Client: Docker Engine - Community
 Version:           19.03.9
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        9d988398e7
 Built:             Fri May 15 00:25:18 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.8
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       afacb8b7f0
  Built:            Wed Mar 11 01:24:19 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info in working state (ie, rolled back):

Client:
 Debug Mode: false

Server:
 Containers: 13
  Running: 9
  Paused: 0
  Stopped: 4
 Images: 149
 Server Version: 19.03.8
 Storage Driver: aufs
  Root Dir: /var/lib/docker/aufs
  Backing Filesystem: extfs
  Dirs: 173
  Dirperm1 Supported: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-101-generic
 Operating System: Ubuntu 18.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.667GiB
 Name: diablos
 ID: VTPB:4JKM:NQFD:5PGF:J5LJ:CLSR:ZWBL:M4MN:BLJL:3APJ:XGAZ:FMYA
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support
WARNING: the aufs storage-driver is deprecated, and will be removed in a future release.

Additional info

My /etc/resolv.conf file on host contains two nameserver entries. 192.168.5.1 (which is the host machine's own ip address, and is where a dnsmasq server is running) and 127.0.0.1.

daemon.json contains "dns": ["192.168.5.1","8.8.8.8"].

Running without docker-compose works fine. Ie:

$ docker run centos:7 ping -c 4 bbc.co.uk
PING bbc.co.uk (151.101.128.81) 56(84) bytes of data.
64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=1 ttl=58 time=11.1 ms
64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=2 ttl=58 time=13.0 ms
64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=3 ttl=58 time=13.8 ms
64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=4 ttl=58 time=11.8 ms

--- bbc.co.uk ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 11.170/12.489/13.829/1.044 ms

works in both versions.

Using docker-compose 1.25.5 in all cases.

[thaJeztah]

Thanks for reporting; the difference between running through docker-compose and your docker run, is that docker compose implicitly creates a network for the stack, and containers started will use that network by default.

When running a container using the default "bridge" network (docker run without specifying a network), docker's embedded DNS is not used (the container gets the DNS servers configured in its /etc/resolv.conf, and uses those DNS servers for resolution).
On the other hand, when running on a custom network, the container gets 127.0.0.11 configured as DNS, which is docker's embedded DNS; the embedded DNS facilitates resolution of other containers on the same network, and will act as a DNS forwarder for other DNS lookups; you can check the DNS server(s) that are configured inside the container;

# on the default "bridge" network
docker run --rm centos:7 cat /etc/resolv.conf
nameserver 8.8.8.8

# using a custom network
docker network create testnet
docker run --rm --network=testnet centos:7 cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0

To reproduce the "compose" situation, you can create a custom network, and use that when running the container with docker run;

# create a custom "testnet" network
docker network create testnet

# run a container using that network, and try if DNS resolution works
docker run --rm --network=testnet centos:7 ping -c 4 bbc.co.uk
PING bbc.co.uk (151.101.128.81) 56(84) bytes of data.
64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=1 ttl=59 time=0.841 ms
64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=2 ttl=59 time=0.870 ms
64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=3 ttl=59 time=0.895 ms
64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=4 ttl=59 time=0.897 ms

--- bbc.co.uk ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3025ms
rtt min/avg/max/mdev = 0.841/0.875/0.897/0.042 ms

Could you try if the issue reproduces in that situation as well (to determine if it's an issue in docker-compose or in the dockerd daemon itself (or the embedded DNS)?

If you're able to reproduce with the docker run (using a custom network); if you're able to run the daemon with "debug" mode enabled, and could check if the daemon logs provide information about the DNS lookups, that would be useful.

• To enable debug mode, add "debug": true in your daemon.json configuration file: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file. Make sure the file is well-formed JSON, otherwise the daemon would refuse to start
• Reload the docker daemon to reload the configuration and enable debug mode (sudo systemctl reload docker.service)
• Start the container with the custom network (and do the "ping")
• Check the daemon logs (either with journald (something like journalctl -xu docker.service), or checking the system logs; tail -n 500 /var/log/syslog

In the logs, look for messages containing [resolver] (but it's worth checking other messages around that).

In my case, the debug logs show;

May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.793004893Z" level=debug msg="Name To resolve: bbc.co.uk."
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.793205135Z" level=debug msg="[resolver] query bbc.co.uk. (A) from 172.18.0.2:36092, forwarding to udp:8.8.8.8"
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.794944162Z" level=debug msg=event module=libcontainerd namespace=moby topic=/tasks/start
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.798451403Z" level=debug msg="[resolver] received A record \"151.101.64.81\" for \"bbc.co.uk.\" from udp:8.8.8.8"
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.798486305Z" level=debug msg="[resolver] received A record \"151.101.0.81\" for \"bbc.co.uk.\" from udp:8.8.8.8"
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.798500086Z" level=debug msg="[resolver] received A record \"151.101.192.81\" for \"bbc.co.uk.\" from udp:8.8.8.8"
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.798513149Z" level=debug msg="[resolver] received A record \"151.101.128.81\" for \"bbc.co.uk.\" from udp:8.8.8.8"
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.800389205Z" level=debug msg="IP To resolve 81.64.101.151"
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.800514202Z" level=debug msg="[resolver] query 81.64.101.151.in-addr.arpa. (PTR) from 172.18.0.2:45492, forwarding to udp:8.8.8.8"
May 20 11:44:05 ubuntu-s-1vcpu-2gb-ams3-01 dockerd[16804]: time="2020-05-20T11:44:05.804734531Z" level=debug msg="[resolver] external DNS udp:8.8.8.8 responded with NXDOMAIN for \"81.64.101.151.in-addr.arpa.\""

[DevInsanity]

I've confirmed that the population of /etc/resolve.conf is working in the correct manner:

$ docker run --rm centos:7 cat /etc/resolv.conf
search private
nameserver 192.168.5.1
nameserver 8.8.8.8

$ docker network create testnet
014274b96d5fe8967b1b80ecadccfdc309fbcce143e651c81de0e4fbea476a63
$ docker run --rm --network=testnet centos:7 cat /etc/resolv.conf
search private
nameserver 127.0.0.11
options ndots:0

But attempting to ping still results in the name or service not known error.

$ docker run --rm --network=testnet centos:7 ping bbc.co.uk
ping: bbc.co.uk: Name or service not known

After enabling debugging, I get the following entries

May 20 12:57:21 diablos dockerd[15143]: time="2020-05-20T12:57:21.475192541+01:00" level=debug msg="Name To resolve: bbc.co.uk."
May 20 12:57:21 diablos dockerd[15143]: time="2020-05-20T12:57:21.476065777+01:00" level=debug msg="[resolver] query bbc.co.uk. (A) from 172.21.0.2:59870, forwarding to udp:192.168.5.1"
May 20 12:57:25 diablos dockerd[15143]: time="2020-05-20T12:57:25.476214624+01:00" level=debug msg="[resolver] external DNS udp:192.168.5.1 returned empty response for \"bbc.co.uk.\""
May 20 12:57:26 diablos dockerd[15143]: time="2020-05-20T12:57:26.478347824+01:00" level=debug msg="Name To resolve: bbc.co.uk.private."
May 20 12:57:26 diablos dockerd[15143]: time="2020-05-20T12:57:26.478614733+01:00" level=debug msg="[resolver] query bbc.co.uk.private. (A) from 172.21.0.2:36108, forwarding to udp:192.168.5.1"
May 20 12:57:30 diablos dockerd[15143]: time="2020-05-20T12:57:30.478754337+01:00" level=debug msg="[resolver] external DNS udp:192.168.5.1 returned empty response for \"bbc.co.uk.private.\""

Indicating that the dns server is returning an empty response. However, both nslookup and dig run on the same host machine targetting the same DNS server do get a valid response:

$ nslookup bbc.co.uk 192.168.5.1
Server:         192.168.5.1
Address:        192.168.5.1#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 151.101.192.81
Name:   bbc.co.uk
Address: 151.101.64.81
Name:   bbc.co.uk
Address: 151.101.0.81
Name:   bbc.co.uk
Address: 151.101.128.81
Name:   bbc.co.uk
Address: 2a04:4e42::81
Name:   bbc.co.uk
Address: 2a04:4e42:600::81
Name:   bbc.co.uk
Address: 2a04:4e42:200::81
Name:   bbc.co.uk
Address: 2a04:4e42:400::81

$ dig bbc.co.uk

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16609
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bbc.co.uk.                     IN      A

;; ANSWER SECTION:
bbc.co.uk.              216     IN      A       151.101.0.81
bbc.co.uk.              216     IN      A       151.101.64.81
bbc.co.uk.              216     IN      A       151.101.128.81
bbc.co.uk.              216     IN      A       151.101.192.81

;; Query time: 31 msec
;; SERVER: 192.168.5.1#53(192.168.5.1)
;; WHEN: Wed May 20 13:03:03 BST 2020
;; MSG SIZE  rcvd: 102

[thaJeztah]

Interesting; thanks for that additional info, that's useful

@arkodg any ideas from the top of your head?

My primary suspect would be moby/libnetwork#2520, but have not investigated yet (also looking if there have been fixes in newer versions of that dependency; miekg/dns@v1.1.27...v1.1.29)
/cc @SamWhited

[DevInsanity]

After rolling back again, I checked the debug logs when doing the ping test on 19.03.8:

May 20 13:23:02 diablos dockerd[23349]: time="2020-05-20T13:23:02.350442160+01:00" level=debug msg="Name To resolve: bbc.co.uk."
May 20 13:23:02 diablos dockerd[23349]: time="2020-05-20T13:23:02.350709624+01:00" level=debug msg="[resolver] query bbc.co.uk. (A) from 172.21.0.2:36181, forwarding to udp:192.168.5.1"
May 20 13:23:06 diablos dockerd[23349]: time="2020-05-20T13:23:06.350922869+01:00" level=debug msg="[resolver] read from DNS server failed, read udp 172.21.0.2:36181->192.168.5.1:53: i/o timeout"
May 20 13:23:06 diablos dockerd[23349]: time="2020-05-20T13:23:06.351148485+01:00" level=debug msg="[resolver] query bbc.co.uk. (A) from 172.21.0.2:38582, forwarding to udp:8.8.8.8"
May 20 13:23:06 diablos dockerd[23349]: time="2020-05-20T13:23:06.369854834+01:00" level=debug msg="[resolver] received A record \"151.101.0.81\" for \"bbc.co.uk.\" from udp:8.8.8.8"
May 20 13:23:06 diablos dockerd[23349]: time="2020-05-20T13:23:06.369961748+01:00" level=debug msg="[resolver] received A record \"151.101.192.81\" for \"bbc.co.uk.\" from udp:8.8.8.8"
May 20 13:23:06 diablos dockerd[23349]: time="2020-05-20T13:23:06.369988222+01:00" level=debug msg="[resolver] received A record \"151.101.64.81\" for \"bbc.co.uk.\" from udp:8.8.8.8"
May 20 13:23:06 diablos dockerd[23349]: time="2020-05-20T13:23:06.370008320+01:00" level=debug msg="[resolver] received A record \"151.101.128.81\" for \"bbc.co.uk.\" from udp:8.8.8.8"

So, it looks like even then it was failing to use my internal DNS server, but it was falling back to the 8.8.8.8 DNS server. So, it looks like this fallback is what's stopped working.

The fact that it's failing to use my internal DNS hasn't caused issues for me, since everything that the containers normally to resolve is also within the same stack and so managed by Docker's internal DNS.

[DevInsanity]

Good news (for me at least). I've dug into my firewall rules and found the part that was incorrectly blocking docker from talking to my internal DNS (I'd only allowed 172.17.0.0/16, rather than 172.16.0.0/12), which makes things work for me at least.

What I've then confirmed is that if I stop my internal DNS server, running the ping test on the default network works correctly, but using the custom network fails in the same manner. So, it looks like the issue is that Docker's internal DNS resolver is no longer falling back to secondary DNS servers, which would cause problems whenever the first DNS server in /etc/resolv.conf on the host is unavailable.

[thaJeztah]

So, it looks like even then it was failing to use my internal DNS server, but it was falling back to the 8.8.8.8 DNS server. So, it looks like this fallback is what's stopped working.

Interesting; let me check if I can find code changes in that area. Looking for code changes in the dependency itself to check if there have been fixes in newer versions (miekg/dns@v1.1.27...v1.1.29), I did see miekg/dns#1087 around error handling. (previously it looks like we received an error, and in the current version we don't receive an error, but only an empty response)

Also found some changes in the client that made modifications to how timeouts are handled (which could be related); miekg/dns#691

[thaJeztah]

This touched code when reading information as well; not sure if relevant; miekg/dns#957

[thaJeztah]

Hm, I think I see the issue (it's in how the error is handled); working on a fix.

[thaJeztah]

Pull request is up; moby/libnetwork#2551