Ubuntu, NetworkManager and Docker DNS workaround

Docker issues are frequently logged for DNS resolution in containers because Docker doesn't inherit or get values for DNS from NetworkManager, which leverages a built-in dnsmasq to intelligently manage DNS.

Permanent workaround

sudo bash -c "echo listen-address=$(ip -4 addr show dev docker0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') > /etc/NetworkManager/dnsmasq.d/docker-bridge"
sudo systemctl reload NetworkManager
sudo bash -c 'echo -e "{\n\t\"dns\": [\"$(ip -4 addr show dev docker0 | grep -oP "(?<=inet\s)\d+(\.\d+){3}")\"]\n}" > /etc/docker/daemon.json'
sudo systemctl restart docker

Note:

  • makes the dnsmasq plugin for NetworkManager listen on the host's docker bridge interface
  • adds (clobbers!) the daemon.json - take care, could overwrite other customisations you already have there...
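
One way to avoid the clobbering noted above, as an added example that is not part of the original gist: it extracts the bridge address with the same pattern the commands above use and replaces only the `dns` key of an existing daemon.json, keeping every other key. It is written in Python because a safe merge needs a JSON parser; the function names and both sample inputs are constructed for illustration.

```python
#!/usr/bin/env python3
"""Set daemon.json's "dns" key to the docker0 address without dropping other keys."""
import json
import re

# Constructed sample of `ip -4 addr show dev docker0` output (not from the gist).
SAMPLE_IP_OUTPUT = """\
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
"""

# Constructed sample of an existing daemon.json that already has customisations.
SAMPLE_DAEMON_JSON = '{"log-driver": "journald", "dns": ["8.8.8.8"]}'


def bridge_ipv4(ip_output):
    """Return the first IPv4 address following 'inet ', like the gist's grep -oP."""
    match = re.search(r"(?<=inet\s)\d+(?:\.\d+){3}", ip_output)
    if match is None:
        # docker0 missing or without an address: refuse to write an empty value.
        raise ValueError("no IPv4 address found in ip output")
    return match.group(0)


def merge_dns(existing_text, address):
    """Return daemon.json text with "dns" set to [address], other keys preserved."""
    # An absent or empty file is treated as an empty configuration.
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    config["dns"] = [address]  # same end state for "dns" as the gist's command
    return json.dumps(config, indent=2) + "\n"


if __name__ == "__main__":
    # Prints the merged configuration; writing it to /etc/docker/daemon.json
    # (and restarting docker) is left to the operator.
    print(merge_dns(SAMPLE_DAEMON_JSON, bridge_ipv4(SAMPLE_IP_OUTPUT)), end="")
```

Malformed JSON in the existing file raises an error instead of being silently replaced, so a broken daemon.json is noticed before Docker is restarted.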

Per-run workaround

The bash one-liner below generates the DNS attributes needed for docker

nm_dns=$(for d in $(nmcli device show | grep -E "^IP4.DNS" | grep -oP '(\d{1,3}\.){3}\d{1,3}'); do echo -n " --dns $d"; done)
sudo -E docker run -it --rm -e http_proxy -e https_proxy -e no_proxy $nm_dns ubuntu

Ain't pretty, but works... (until they change the nmcli output format or something)

Related Issues

Related issues with docker DNS:

@nicoulaj nicoulaj commented Nov 21, 2018

The permanent fix works for me, but not at boot:

Nov 21 18:28:13 NetworkManager[283]: dnsmasq: failed to create listening socket for 172.17.0.1: Cannot assign requested address
Nov 21 18:28:13 dnsmasq[530]: failed to create listening socket for 172.17.0.1: Cannot assign requested address
Nov 21 18:28:13 dnsmasq[530]: FAILED to start up
Nov 21 18:28:13 NetworkManager[283]: <warn>  [1542821293.1743] dnsmasq[0x55cab5d25c50]: dnsmasq exited with error: Network access problem (address in use, permissions) (2)

If I restart NetworkManager after the boot, it works. Did you have this issue as well?

@metal3d metal3d commented Dec 5, 2018

Great! But that's not sufficient for Fedora with firewalld.

What we need to do is to apply rules to let docker0 be able to accept dns requests. I'm using "internal" zone:

sudo firewall-cmd --add-interface=docker0 --zone=internal
sudo firewall-cmd --add-service=dns --zone=internal

# To make that permanent
sudo firewall-cmd --add-interface=docker0 --zone=internal --permanent
sudo firewall-cmd --add-service=dns --zone=internal --permanent
sudo firewall-cmd --reload

@metal3d metal3d commented Dec 5, 2018

If you're interested, I did a little service that adds DNS entries in dnsmasq from docker hostnames, and documentation to configure the system:
https://github.com/metal3d/docker-auto-dnsmasq

@zioalex zioalex commented Mar 22, 2019

This works! Many thanks. I do not get how dnsmasq works locally at the host level at the IP address 127.0.0.1 if I specify to listen only at 172.17.0.1!
...
Just found in the doc that dnsmasq adds the loopback interface by default. Great!
