Warn when no external DNS nameservers are found

[robmry]

- What I did

• related to DNS Resolve issue after computer restart with restart unless stopped policy and a bridged network #49647
• related to IPv6 only: DNS changes #48290

Since commit 925b484 ("No fallback nameservers for internal resolver"), if the host's resolv.conf has no nameservers and no servers are supplied via config, the internal resolver will not use Google's DNS - so the container will not be able to resolve external DNS requests.

That can happen when containers are "restart always/unless-stopped" and the docker daemon starts before the host's DNS is configured.

So, highlight the issue (which may not be an error, but probably is).

- How I did it

Include a warning in the container's resolv.conf file.

Also, log a warning - logs currently say "No non-localhost DNS nameservers are left in resolv.conf. Using default external servers". But, that's misleading because it's from an initial resolv.conf setup, before the internal resolver configured without those fallbacks - we'll drop the fallbacks completely once the default bridge has an internal resolver).

- How to verify it

Updated unit test.

With an empty /etc/resolv.conf on the host ...

$ docker run --rm -ti --network b4 busybox cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
options ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# NO EXTERNAL NAMESERVERS DEFINED
# Overrides: []
# Option ndots from: internal

INFO[2025-04-17T09:49:54.159880089Z] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers
WARN[2025-04-17T09:49:54.161602381Z] DNS resolver has no external nameservers      cid=1ee4ac99aac0bba02692dedbb8168e11f2300f2bba82d6126eb461c8a6c9305a

- Human readable description for the release notes

- Add a warning to a container's `/etc/resolv.conf` when no upstream DNS servers were found.

[thaJeztah]

LGTM

[thaJeztah]

@robmry quick question (could be for a follow-up); would we be able to log a warning when loading the config?

I'm considering dockerd --validate to print a warning;

dockerd --validate
WARNING: yada yada yada
configuration OK

I should also dust-off my PR that prints the external resolvers in docker info, but I wasn't 100% sure at the time if it printed the correct info (for the systemd-resolvd case), but it's been a long time since I looked at it!

• [RFC] Add DNS configuration to /info endpoint #35506

[robmry]

@robmry quick question (could be for a follow-up); would we be able to log a warning when loading the config?

I'm considering dockerd --validate to print a warning;

In normal running, a network-connected Linux host with no external resolvers would be very unusual - it wouldn't be able to resolve DNS requests, so I don't think it would be surprising that its containers wouldn't resolve DNS either (at least, without a --dns option).

That's why the original change didn't worry about that case too much ... but the issue that's been raised seems to be caused by dockerd starting before the host's DNS is configured, and containers that start immediately because they're configured with a "restart" option.

So, by the time dockerd --validate gets run - the issue is very likely to have been resolved for the host, but not for those containers that started early ... I don't think the warning would help (and would most-likely never be seen anyway).

Without containers starting early, no DNS when the daemon starts isn't an issue. If the containers do start early, there will now be warnings in the logs - so I don't think it's worth adding extra warnings during startup either.

I should also dust-off my PR that prints the external resolvers in docker info, but I wasn't 100% sure at the time if it printed the correct info (for the systemd-resolvd case), but it's been a long time since I looked at it!

• [RFC] Add DNS configuration to /info endpoint #35506

That could be useful sometimes - but perhaps also misleading, because containers only snapshot the server's state when they start and the daemon-level DNS related options can be overridden per-container. Since you worked on that PR, I think we've dealt with the issues around localhost nameservers - mostly by making DNS lookups from the host's netns when a nameserver address is learnt from the host. (The default bridge network still uses Google's fallback servers in that case but, hopefully, we'll be able to hook it up to the internal resolver again soon - just need to sort out the buildkit issue.)

So, DNS config is per-container not per-daemon - and the config is now visible in comments in the container's /etc/resolv.conf ... perhaps adding DNS info to a running container's inspect output might be worthwhile though?