DNS lookup error in containers in rootless DIND (VPNkit) #47628

@vvoland

Description

If the upstream DNS server strips out IPv6 addresses, DNS lookups inside containers started in dind-rootless fail with NXDOMAIN even though the response seems to contain valid IP addresses.

This is easily visible when trying to apk add in alpine containers:

$ docker run -d --privileged --rm --name dind-rootless -it docker:dind-rootless
$ docker exec -it ddt docker -H unix://run/user/1000/docker.sock  run --rm alpine apk add curl
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
bca4290a9639: Pull complete
Digest: sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
Status: Downloaded newer image for alpine:latest
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/aarch64/APKINDEX.tar.gz
WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.19/main: DNS lookup error
WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.19/community: DNS lookup error
ERROR: unable to select packages:
  curl (no such package):
    required by: world[curl]

The same works correctly when running under regular rootful dind.

I was also able to reproduce the same behavior with 25 and 24 dind images.

Reproduce

EDIT: This only happens when the DNS server strips the IPv6 responses, so you need a setup like: #47628 (comment)

$ docker run -d --privileged --rm --name dind-rootless -it docker:dind-rootless
$ docker run -d --privileged --rm --name dind -it docker:dind

$ docker exec -it dind-rootless docker -H unix://run/user/1000/docker.sock  run --rm alpine nslookup alpinelinux.org
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
bca4290a9639: Pull complete
Digest: sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
Status: Downloaded newer image for alpine:latest
Server:         192.168.65.1
Address:        192.168.65.1:53

Non-authoritative answer:
Name:   alpinelinux.org
Address: 213.219.36.190
Name:   alpinelinux.org
Address: 213.219.36.190

** server can't find alpinelinux.org: NXDOMAIN


$ docker exec -it dind docker run --rm alpine nslookup alpinelinux.org
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
bca4290a9639: Pull complete
Digest: sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
Status: Downloaded newer image for alpine:latest
Server:         192.168.65.7
Address:        192.168.65.7:53

Non-authoritative answer:
Name:   alpinelinux.org
Address: 213.219.36.190

Non-authoritative answer:

Expected behavior

DNS lookups should work

docker version

Client:
 Cloud integration: v1.0.35+desktop.12
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:14:46 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.29.0 (143575)
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:18:02 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    26.0.0
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.13.1-desktop.1
    Path:     /Users/pawel/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.25.0-desktop.1
    Path:     /Users/pawel/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.27
    Path:     /Users/pawel/.docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/pawel/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.23
    Path:     /Users/pawel/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /Users/pawel/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.1.0
    Path:     /Users/pawel/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/pawel/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.6.3
    Path:     /Users/pawel/.docker/cli-plugins/docker-scout

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: 26.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: pusk8nj7ic0o8sshcfrcwzad0
  Is Manager: true
  ClusterID: fydwewr8u5g3ndgqbakh967r4
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.65.3
  Manager Addresses:
   192.168.65.3:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
 Kernel Version: 6.6.22-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 6
 Total Memory: 7.755GiB
 Name: docker-desktop
 ID: b00f1447-fb88-4bd8-aa26-ed40f28ed7ed
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 101
  Goroutines: 261
  System Time: 2024-03-25T12:24:53.214549167Z
  EventsListeners: 30
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/pawel/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Additional Info

No response
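
A small diagnostic for the symptom shown in the nslookup output above, added here as an example (it is not code from this issue, Docker or VPNkit): it sends separate A and AAAA queries for a name and flags the inconsistent case where the A query is answered but the AAAA query comes back NXDOMAIN, as opposed to the correct "no IPv6" signal, which is NOERROR with an empty answer section. The helper names (build_query, parse_header, classify, probe) are assumed, and the sample packets are constructed, not captured.

```python
import socket
import struct

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in wire format: header with RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN

def parse_header(pkt: bytes) -> dict:
    """Return txid, RCODE and answer count from the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"txid": txid, "rcode": flags & 0xF, "answers": an}

def classify(a_resp: bytes, aaaa_resp: bytes) -> str:
    """Compare the A and AAAA replies for one name."""
    a, aaaa = parse_header(a_resp), parse_header(aaaa_resp)
    if a["rcode"] == 0 and a["answers"] > 0 and aaaa["rcode"] == 3:
        return "inconsistent"  # A resolves but AAAA claims the name does not exist
    if a["rcode"] == 0 and aaaa["rcode"] == 0:
        return "consistent"    # AAAA may be empty (NODATA): the correct "no IPv6"
    if a["rcode"] == 3 and aaaa["rcode"] == 3:
        return "nxdomain"      # name really does not exist
    return "other"

def probe(name: str, server: str, port: int = 53, timeout: float = 3.0) -> str:
    """Live check: query A (1) and AAAA (28) over UDP and classify the pair."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for qtype in (1, 28):
            s.sendto(build_query(name, qtype), (server, port))
            replies.append(s.recv(4096))
    return classify(*replies)

# Constructed sample replies (assumed format, not captured from the issue).
QUESTION = b"\x0balpinelinux\x03org\x00"
A_OK = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # NOERROR, 1 answer
        + QUESTION + struct.pack("!HH", 1, 1)
        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([213, 219, 36, 190]))
AAAA_NXDOMAIN = (struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)  # RCODE 3
                 + QUESTION + struct.pack("!HH", 28, 1))
AAAA_EMPTY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)     # NOERROR, 0 answers
              + QUESTION + struct.pack("!HH", 28, 1))

if __name__ == "__main__":
    import sys  # usage: python probe.py <name> <resolver-ip>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it from inside the affected container against the resolver shown by nslookup to confirm whether the A/AAAA pair is the inconsistent one before looking at the rootless networking layer.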
