docker 27.0.0~rc.1 does not use host dns

[trivialkettle]

Description

On debian arm64 the new docker-ce version 27 rc1 is already published, after an update my buildx node on this host could not build a docker image that pull from an internal git server.

on arm64:

#13 [linux/arm64 build 4/5] RUN nslookup <my-url>
#13 0.264 Server:		8.8.8.8
#13 0.264 Address:	8.8.8.8#53
#13 0.264 
#13 0.264 Non-authoritative answer:
#13 0.264 Name:	<my_url>
#13 0.264 Address: <some ip>
#13 0.264 

on amd64 node:

#15 [linux/amd64 build 4/5] RUN nslookup <my-url>
#15 0.468 Server:		<internal dns server>
#15 0.468 Address:	<internal dns server>#53
#15 0.468 
#15 0.468 Name:	<my-url>
#15 0.468 Address: <my-ip>
#15 0.468 

I compared /etc/resolv.conf of the buildkit container:
arm64 on v27:

cat /etc/resolv.conf 
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
options ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: <some ip>
# Overrides: []
# Option ndots from: internal 

arm64 on v26

/ # cat /etc/resolv.conf 
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver <some ip>

# Based on host file: '/etc/resolv.conf' (legacy)
# Overrides: []

amd64 on v26

cat /etc/resolv.conf 
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver <my dns server>
search <my dns search>

# Based on host file: '/etc/resolv.conf' (legacy)
# Overrides: []

I noticed on arm64 that the nameserver on v26 was moved to the line # ExtServers: [<ip>] on v27.
I could also manage to build successfully using docker buildx build --network=host

I know that v27 is not yet released, but maybe someone else runs into this too. Also how can I migrate to v27 and have workin DNS?

Reproduce

1. update docker to version 27.0.0-rc1
2. try nslookup for some internal dns name

Expected behavior

The correct IP should be resolved

docker version

docker --version
Docker version 27.0.0-rc.1, build 9dabf16

docker info

unfortunately I already downgraded and can not break the system to check `docker info`

Additional Info

No response

[robmry]

Hi @trivialkettle - thank you for reporting the issue.

Our understanding is that build containers started by a containerised buildkit don't get access to the local/site DNS.

resolv.conf in the build container started by buildkit will be based on the resolv.conf in the buildkit container which, since #47602 in 27.0-rc1, will always have nameserver 127.0.0.11.

But, buildkit doesn't run a resolver on 127.0.0.11 - which means the build container it starts has no access to the resolver on 127.0.0.11 (unless it's using host networking). Because of that, the build container uses the Google DNS fallback servers - and Google's DNS doesn't know about the local network's hosts, including the git server.

(For Docker-in-Docker, the nested Docker has its own internal resolver. So, it catches and forwards requests sent to 127.0.0.11 in containers it's created.)

It looks like we'll have to revert the changes in #47602, until buildkit runs its own resolver.

[corhere]

Use docker buildx build --network=host. See moby/buildkit#4524 (comment)

When network mode is unset then user should not make expectations about host DNS or interfaces being accessible by the container. Only thing they can expect is access to internet.

cc @tonistiigi for confirmation

[trivialkettle]

Hi @robmry

My setup is a gitlab-runner with the docker executer. I run a docker image and create a custom buildx builder to run the arm64 build on a remote node:

- >
      docker buildx
      create 
      --name local_remote_builder 
      --node local_builder 
      --platform linux/amd64,linux/386 
- >
      docker buildx
      create
      --name local_remote_builder
      --append
      --node arm64_builder
      --platform linux/arm64,linux/arm/v8,linux/armv7,linux/arm/v6
      ssh://user@remote

- docker buildx use local_remote_builder
- >
      docker buildx build
      --progress plain
      --platform "linux/amd64,linux/arm64/v8"
      --tag foo
      --push
      --provenance=false
      .

So yes, I have a containerized buildkit running on the remote node and someone starts another container to build the image. After downgrading to docker 26, the remote node has again access to the local DNS.

I also would be fine to specify --network host to the buildx build command as @corhere mentioned, I just need to know.

[robmry]

That makes sense - thank you.

The change that caused the issue is reverted for the 27.0 release, so you shouldn't need to do anything. We'll make sure buildkit's on board before trying again.