cohoe / workstation

Ansible scripts to configure desktop workstations.

Docker and systemd-resolved do not play nice #105

Closed cohoe closed 2 years ago

cohoe commented 3 years ago

https://github.com/docker/for-linux/issues/979

cohoe commented 3 years ago

https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback

Base systemd-resolved sockets:

gcohoe@caprica ~ » sudo netstat -lepunt | grep systemd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      193        19225      1332/systemd-resolv 
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      193        19219      1332/systemd-resolv 
tcp6       0      0 :::5355                 :::*                    LISTEN      193        19222      1332/systemd-resolv 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           193        19224      1332/systemd-resolv 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           193        19218      1332/systemd-resolv 
udp6       0      0 :::5355                 :::*                                193        19221      1332/systemd-resolv

After applying DNSStubListenerExtra=172.17.0.1 to /etc/systemd/resolved.conf and restarting:

gcohoe@caprica ~ » sudo netstat -lepunt | grep systemd
tcp        0      0 172.17.0.1:53           0.0.0.0:*               LISTEN      193        206243     20645/systemd-resol 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      193        206241     20645/systemd-resol 
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      193        206235     20645/systemd-resol 
tcp6       0      0 :::5355                 :::*                    LISTEN      193        206238     20645/systemd-resol 
udp        0      0 172.17.0.1:53           0.0.0.0:*                           193        206242     20645/systemd-resol 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           193        206240     20645/systemd-resol 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           193        206234     20645/systemd-resol 
udp6       0      0 :::5355                 :::*                                193        206237     20645/systemd-resol

Per https://robinwinslow.uk/fix-docker-networking-dns I added this to /etc/docker/daemon.json (new):

{
  "dns": ["172.17.0.1"]
}

Then restarted docker.

A container now has:

[root@022f63b768c2 /]# cat /etc/resolv.conf 
search [REDACTED]
nameserver 172.17.0.1

And can ping things both inside and outside the VPN!
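The steps in the comment above, scripted end to end as an added example (this is not code from the cohoe/workstation repo or from the issue's authors): a resolved drop-in with DNSStubListenerExtra=, a daemon.json pointing containers at that address, a version gate, a listener check against netstat output, and an idempotent version of the docker0 firewall rules mentioned further down the thread. Names and paths that are assumptions rather than things stated on the page: the drop-in path /etc/systemd/resolved.conf.d/docker.conf, the minimum systemd version 247 for DNSStubListenerExtra=, the busybox image used for the in-container lookup, and the NETSTAT_BEFORE / NETSTAT_AFTER samples, which are constructed from the netstat output shown in the issue.

```bash
#!/usr/bin/env bash
# Added example, not the repo's or the issue authors' code. Scripts the fix from
# the issue and adds the checks a practitioner wants before and after.
# Assumptions (not on the page): drop-in path below, systemd >= 247 for
# DNSStubListenerExtra=, busybox for the in-container lookup.
set -eu

BRIDGE_IP="${BRIDGE_IP:-172.17.0.1}"
DROPIN=/etc/systemd/resolved.conf.d/docker.conf   # assumed path
DAEMON_JSON=/etc/docker/daemon.json

# Major version from `systemctl --version`, e.g. "systemd 245 (245.4-4ubuntu3)" -> 245.
systemd_major() {
  printf '%s\n' "$1" | awk 'NR==1 && $1=="systemd" {print $2+0; exit}'
}

# DNSStubListenerExtra= needs systemd >= 247 (assumption; Ubuntu 20.04 ships 245).
stub_listener_supported() {
  [ "$(systemd_major "$1")" -ge 247 ] 2>/dev/null
}

# File contents: the resolved drop-in and Docker's daemon.json from the issue.
resolved_dropin()   { printf '[Resolve]\nDNSStubListenerExtra=%s\n' "$1"; }
docker_daemon_json() { printf '{\n  "dns": ["%s"]\n}\n' "$1"; }

# Given `netstat -lepunt` output, succeed only when systemd-resolved owns both
# the UDP and the TCP socket on <ip>:53 (the "after" state shown in the issue).
stub_listener_bound() {
  local ip="$1" listing="$2"
  printf '%s\n' "$listing" | awk -v addr="$ip:53" '
    $1=="udp" && $4==addr && $NF ~ /systemd-resol/ {u=1}
    $1=="tcp" && $4==addr && $6=="LISTEN" && $NF ~ /systemd-resol/ {t=1}
    END {exit !(u && t)}'
}

# Accept DNS from containers on docker0 only; -C first so reruns do not stack
# duplicate rules. Not persistent across reboots without iptables-persistent etc.
allow_docker0_dns() {
  local proto
  for proto in udp tcp; do
    iptables -C INPUT -i docker0 -p "$proto" --dport 53 -j ACCEPT 2>/dev/null ||
      iptables -I INPUT -i docker0 -p "$proto" --dport 53 -j ACCEPT
  done
}

apply() {
  stub_listener_supported "$(systemctl --version)" ||
    { echo "systemd too old for DNSStubListenerExtra=" >&2; exit 1; }
  # The issue created daemon.json fresh; refuse to clobber an existing one.
  if [ -e "$DAEMON_JSON" ]; then
    echo "$DAEMON_JSON exists; merge \"dns\" into it instead of overwriting" >&2; exit 1
  fi
  install -d -m 0755 "$(dirname "$DROPIN")"
  resolved_dropin "$BRIDGE_IP" > "$DROPIN"
  docker_daemon_json "$BRIDGE_IP" > "$DAEMON_JSON"
  systemctl restart systemd-resolved
  systemctl restart docker
  stub_listener_bound "$BRIDGE_IP" "$(netstat -lepunt)" ||
    { echo "stub listener not bound on $BRIDGE_IP:53" >&2; exit 1; }
  allow_docker0_dns
  # End-to-end check from a container; a timeout here points at the host firewall.
  docker run --rm busybox nslookup example.com "$BRIDGE_IP"
}

# Constructed samples mirroring the netstat listings in the issue (before/after).
NETSTAT_BEFORE='tcp   0 0 127.0.0.53:53  0.0.0.0:*  LISTEN  193  19225  1332/systemd-resolv
udp   0 0 127.0.0.53:53  0.0.0.0:*          193  19224  1332/systemd-resolv'
NETSTAT_AFTER='tcp   0 0 172.17.0.1:53  0.0.0.0:*  LISTEN  193  206243  20645/systemd-resol
tcp   0 0 127.0.0.53:53  0.0.0.0:*  LISTEN  193  206241  20645/systemd-resol
udp   0 0 172.17.0.1:53  0.0.0.0:*          193  206242  20645/systemd-resol
udp   0 0 127.0.0.53:53  0.0.0.0:*          193  206240  20645/systemd-resol'

# Only touch the system when asked; sourcing the file for its functions is safe.
if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run it as root with `--apply`. Binding the extra stub listener to 172.17.0.1 rather than 0.0.0.0 keeps the host resolver off every interface except the Docker bridge, and the INPUT rules are likewise scoped to `-i docker0`; keep it that way, since any container on that bridge can then query the host's resolver, including whatever the VPN's split DNS makes visible, which is exactly what the issue wanted but is worth knowing before running untrusted images.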

stromnet commented 2 years ago

Thanks for linking #979! That made me find this solution which works perfect!

MartinN3 commented 2 years ago

Would love this solution for my Ubuntu LTS server, but unfortunately Ubuntu 20 doesn't have systemd-resolved in the version required - bummer.

hypervtechnics commented 2 weeks ago

@cohoe For me there are connection timeouts when trying the lookup from a docker container. Do you know if any other firewall shenanigans have to be done to allow access to this IP?

For anyone else:

Yes, iptables blocked the access. I had to do:

sudo iptables -I INPUT -i docker0 -p udp --dport 53 -j ACCEPT
sudo iptables -I INPUT -i docker0 -p tcp --dport 53 -j ACCEPT

cohoe commented 2 weeks ago

No idea. I didn't have to, but glad that worked.