docker / buildx

Docker CLI plugin for extended build capabilities with BuildKit
Apache License 2.0

Unable to Resolve host.docker.internal from Custom Network #2070

Open sbrajchuk opened 1 year ago

sbrajchuk commented 1 year ago

Description

You cannot resolve host.docker.internal while building with a custom builder that has been created with --driver-opt network=custom-net.

Expected behaviour

The host.docker.internal can be successfully resolved.

Actual behaviour

The resolution of host.docker.internal is not successful.

Buildx version

github.com/docker/buildx v0.11.2-desktop.4 b9955a86a20bf0112ebb4f14424bf59fc46ee179

Docker info

Client:
 Version:    24.0.6
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2-desktop.4
    Path:     C:\Program Files\Docker\cli-plugins\docker-buildx.exe
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0-desktop.1
    Path:     C:\Program Files\Docker\cli-plugins\docker-compose.exe
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-dev.exe
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.20
    Path:     C:\Program Files\Docker\cli-plugins\docker-extension.exe
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.7
    Path:     C:\Program Files\Docker\cli-plugins\docker-init.exe
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-sbom.exe
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-scan.exe
  scout: Command line tool for Docker Scout (Docker Inc.)
    Version:  0.24.1
    Path:     C:\Program Files\Docker\cli-plugins\docker-scout.exe

Server:
 Containers: 9
  Running: 9
  Paused: 0
  Stopped: 0
 Images: 76
 Server Version: 24.0.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
 Kernel Version: 5.15.90.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 7.698GiB
 Name: docker-desktop
 ID: 085a0b16-6bb1-4d62-b3b2-d966429648ee
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile

Builders list

NAME/NODE       DRIVER/ENDPOINT                STATUS  BUILDKIT             PLATFORMS
builder *       docker-container
  builder0      npipe:////./pipe/docker_engine running v0.12.2              linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6
test-builder    docker-container
  test-builder0 npipe:////./pipe/docker_engine running v0.12.2              linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6
default         docker
  default       default                        running v0.11.6+616c3f613b54 linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6
desktop-linux   docker
  desktop-linux desktop-linux                  running v0.11.6+616c3f613b54 linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6

Configuration

FROM alpine
RUN cat /etc/resolv.conf
RUN nslookup host.docker.internal

docker network create test-net
docker buildx create --name test-builder --driver-opt network=test-net
docker build --builder=test-builder .

Build logs

[internal] load build definition from Dockerfile
    transferring 109/0 0.038
[internal] load metadata for docker.io/library/alpine:latest
[internal] load .dockerignore
    transferring 2/0 0.004
[1/3] FROM docker.io/library/alpine:latest@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
    resolve docker.io/library/alpine:latest@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978 0/0 0.027
    sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa 3401967/3401967 0.552
    extracting 0/0 0.1
[2/3] RUN cat /etc/resolv.conf
    options ndots:0

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 2001:4860:4860::8888
    nameserver 2001:4860:4860::8844
[3/3] RUN nslookup host.docker.internal
    Server:     8.8.8.8
    Address:    8.8.8.8:53

    ** server can't find host.docker.internal: NXDOMAIN

    ** server can't find host.docker.internal: NXDOMAIN

Additional info

When DOCKER_BUILDKIT is set to 0, running docker build --network=test-net . performs as expected, although a deprecation warning is displayed.

crazy-max commented 1 year ago

> You cannot resolve host.docker.internal while building with a custom builder

Not sure what's your use case here. Do you want to connect to a service on the host?

sbrajchuk commented 1 year ago

Yes, I need to connect to a service on the host, and it is possible, but only by using its IP address. Additionally, if I need to connect to another container that was started in the test network, it is also only possible by using its IP address.

sbrajchuk commented 1 year ago

I'm using Testcontainers. Application tests are initiated during the Dockerfile build process, and they require access to both the host and the container inside the build network, which I'm using to interact with Docker on the host. I relocated this container to a separate network to restrict access to Docker on the host from other containers.

krafel commented 1 year ago

Same here. When I try to access a custom docker network from a container started within docker:24.0.6-dind, I have to export DOCKER_BUILDKIT=0 to use the deprecated builder, otherwise the (host-)names of the containers in the custom docker network would not be resolved. I have a setup similar to @sbrajchuk wanting to fetch software from a repository provided by a container in the custom network.

The build command inside the dind container is:

docker build . -t my_fancy_new_container -f Containerfile --network=host

lpaolini commented 2 months ago

Same here, using Docker version 25.0.3 and BuildKit version 0.15.2.

If I'm understanding correctly, any Docker container belonging to a network forwards DNS requests to the Docker daemon. To do that, Docker replaces the default /etc/resolv.conf with custom configuration.

$ docker run -it --rm alpine cat /etc/resolv.conf
# DNS requests are forwarded to the host. DHCP DNS options are ignored.
nameserver 192.168.65.7

$ docker network create test-network
$ docker run -it --rm --network test-network alpine cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0

Instead, builder containers, even when created with the option --driver-opt network=<network>, don't seem to be forwarding DNS requests to the Docker daemon, apparently relying on hardcoded configuration only (Google DNS).

options ndots:0
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

For this reason, builder containers are unable to resolve any Docker host name, like host.docker.internal, or any other container host name in the same network.
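
The resolver difference described in the comment above can be checked mechanically. The following is an added example, not part of the thread or of buildx: a POSIX shell check that classifies the nameservers in a resolv.conf, fed with the three configurations quoted in the thread. The function and verdict names are this example's own.

```shell
#!/bin/sh
# Added example: classify the resolvers a container or build step will use.

# Classify one nameserver address taken from resolv.conf.
classify_ns() {
  case "$1" in
    127.0.0.11) echo embedded ;;  # Docker's embedded DNS (user-defined networks)
    127.*|::1|10.*|192.168.*|169.254.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|f[cd]*|fe80:*)
      echo private ;;             # loopback, RFC 1918, link-local, IPv6 ULA
    *) echo public ;;
  esac
}

# Read resolv.conf text on stdin and print a single verdict.
resolver_verdict() {
  embedded=0; private=0; public=0
  # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
  while read -r key addr _rest || [ -n "$key" ]; do
    [ "$key" = "nameserver" ] || continue
    case "$(classify_ns "$addr")" in
      embedded) embedded=$((embedded + 1)) ;;
      private)  private=$((private + 1)) ;;
      public)   public=$((public + 1)) ;;
    esac
  done
  if   [ "$embedded" -gt 0 ]; then echo docker-embedded
  elif [ "$public" -eq 0 ] && [ "$private" -gt 0 ]; then echo private-forwarder
  elif [ "$public" -gt 0 ] && [ "$private" -eq 0 ]; then echo public-only
  elif [ "$public" -gt 0 ]; then echo mixed
  else echo none
  fi
}

# The three resolv.conf contents quoted in the thread, embedded as samples.
sample_default_bridge() {
  printf '%s\n' '# DNS requests are forwarded to the host.' 'nameserver 192.168.65.7'
}
sample_custom_network() { printf '%s\n' 'nameserver 127.0.0.11' 'options ndots:0'; }
sample_builder() {
  printf '%s\n' 'options ndots:0' 'nameserver 8.8.8.8' 'nameserver 8.8.4.4' \
    'nameserver 2001:4860:4860::8888' 'nameserver 2001:4860:4860::8844'
}

for s in default_bridge custom_network builder; do
  printf '%-15s %s\n' "$s" "$("sample_$s" | resolver_verdict)"
done
```

Inside a RUN step, `resolver_verdict < /etc/resolv.conf` gives the same verdict for the live build container. A `public-only` verdict means lookups for names such as host.docker.internal are sent to an external resolver and come back NXDOMAIN, as in the build log above.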