Closed kaysond closed 4 months ago
Interestingly, same behavior on Ubuntu 22.04.2 (Docker 24.0.5, libseccomp 2.5.3) and Debian 12 (Docker 24.0.7, libseccomp 2.5.4).
OK, I think I've tracked down the issue. For some reason ping (and I'm guessing the image DNS resolution) are trying to resolve ipv6 addresses by default. For domains where requesting an AAAA record returns NXDOMAIN, it causes the 'bad address' response. If the AAAA request returns what appears to be a blank response, I guess it goes on to an A record request.
Now the interesting thing is that I don't use ipv6 anywhere in my network, so I'm not sure why ipv6 is being used for dns resolution.
Looks like this isn't container related: https://unix.stackexchange.com/questions/654660/how-to-resolve-ipv4-first-on-alpine-linux
If I run `docker run --rm -it alpine:latest ping -c3 <domains>`, some domains work, and others fail with 'ping bad address'. It seems completely random which work and which fail, but everything works fine with nslookup. It's not just `ping`, though, as the application I'm putting in the alpine base (meshcentral) is also unable to resolve those domains.

This seems related to https://github.com/alpinelinux/docker-alpine/issues/155 and the libseccomp/docker/time64 issues except that all my dependency versions should be new enough to avoid these issues.
and `scmp_sys_resolver -a x86 clock_gettime64` = 403.

No issues whatsoever if I run debian or ubuntu containers.
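
An added example, not part of the original thread: the comment above separates an AAAA query answered with NXDOMAIN from one answered with an empty response. In DNS, NXDOMAIN says the name has no records of any type, while NOERROR with zero answers (NODATA) says only the requested type is missing, so a server that answers NXDOMAIN for AAAA while A records exist is giving contradictory answers. The sketch below parses raw responses and flags that case; the function names and the sample messages are constructed for illustration.

```python
import struct

NOERROR, NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA = 1, 28

def encode_name(name):
    """Encode a dotted name as DNS length-prefixed labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def make_response(name, qtype, rcode, rdatas=()):
    """Build a constructed DNS response: header, question, answer RRs."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, low 4 bits carry RCODE
    msg = struct.pack("!6H", 0x1234, flags, 1, len(rdatas), 0, 0)
    msg += encode_name(name) + struct.pack("!2H", qtype, 1)
    for rd in rdatas:
        # 0xC00C is a compression pointer back to the question name
        msg += struct.pack("!HHHIH", 0xC00C, qtype, 1, 60, len(rd)) + rd
    return msg

def parse_header(msg):
    """Return (rcode, answer_count) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, an

def classify(a_msg, aaaa_msg):
    """Compare the A and AAAA responses for one name."""
    a_rcode, a_count = parse_header(a_msg)
    q_rcode, q_count = parse_header(aaaa_msg)
    if a_rcode == NXDOMAIN and q_rcode == NXDOMAIN:
        return "name does not exist"
    if a_rcode == NOERROR and a_count and q_rcode == NXDOMAIN:
        return "inconsistent: AAAA is NXDOMAIN but A has records"
    if a_rcode == NOERROR and a_count and q_rcode == NOERROR:
        return "dual-stack" if q_count else "ipv4-only: AAAA is NODATA"
    return "other"

if __name__ == "__main__":
    # Constructed sample: A answers 192.0.2.10, AAAA answers NXDOMAIN
    a = make_response("host.example", TYPE_A, NOERROR, [bytes([192, 0, 2, 10])])
    bad = make_response("host.example", TYPE_AAAA, NXDOMAIN)
    print(classify(a, bad))
```

Feeding it the raw A and AAAA responses captured for a failing name shows whether the upstream DNS server is the one returning the contradictory NXDOMAIN.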