Docker containers not run as root have DNS failure

ParadingLunatic · 21. Mai 2020

I'm not sure if this is an OMV issue, a Docker issue, a docker config issue, an image issue, or a local filesystem rights issue. It seems like some of my Docker containers that run their processes as a user other than root, have problems with DNS. For example, my Nextcloud container has been unable to check for updates. The process runs as www-data. When I run "docker -it -u www-data nextcloud /bin/bash" and then run "curl http://www.google.com", it fails to resolve the url. If I connect to the container as "docker -it nextcloud /bin/bash" and run "curl http://www.google.com" it returns data as expected.

I checked the rights of /etc/resolve.conf and it was set to rw only for root and no other permissions (600). After setting the permissions to 644, suddenly everything worked.

So my question is...is this issue caused by the container, by docker, by the docker config, or by the underlying FS permissions?

I have docker using a shared folder instead of the default /var/lib/docker location. When I created the Nextcloud instance, I pointed it to the location I wanted and it created the folder for me so the rights on the "config" folder should be correct. Although the config folder is mounted to /var/www/html within the container anyways.

I have docker running on an Ubuntu VM (completely separate from OMV), and I've never once run into this issue on it. Granted it's also using the default /var/lib/docker. When I've run into this issue on my OMV system, I would even test it on my Ubuntu system and wouldn't have the problem there.

ParadingLunatic · 22. Mai 2020

Ok, so I THINK the issue might have to do with a umask issue but not sure how/where. I checked the shared folder where my docker data is stored (we'll called it /dockershare/docker/...) at /dockershare/docker/containers/xxxxxxxxxxxxxx......every single hosts and resolve.conf file were all 640 with owner of root:root instead of 644 and root:root.

I really would love to get this fixed as it'll allow me to finally move some of my dockers off of the VM and on to OMV....as well as get rid of future headaches when I roll out future containers.

ParadingLunatic · 22. Mai 2020

That or it could be an ACL issue. I really have no clue. I'm almost tempted to nuke my entire docker configuration and start from scratch hoping to fix it.

ParadingLunatic · 22. Mai 2020

Well...I'm now at a point where I really don't know. I've pointed docker to a new location on my main storage disk (that is NOT a shared folder) and let it create the folder itself. Tried pulling and creating a new instance of FreshRSS (all this is while SSH in as root) just to test it out using docker-compose....failed. Loads of permission denied when it was trying to chmod during the setup. Checked to see if dockerd is running as root and it is. Decided to change it back to /var/lib/docker and try that as well. Same problem. So now I have no clue what the issue is or why I'm having it.

tornadox · 23. Mai 2020

Perhaps I have the same issue, no DNS inside docker containers.

My /etc/resolv.conf has 644 permissions. How can I solve this?

Problematic server:

root@mars:/# ls -la /etc/resolv.conf

-rw-r--r-- 1 root root 71 May 16 16:48 /etc/resolv.conf

PCduino3nano working:

root@pcduino3nano:/# ls -la /etc/resolv.conf

lrwxrwxrwx 1 root root 32 May 8 17:58 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

making a symlink doesn't fix the issue

Code

root@mars:~# docker run -t -i ubuntu /bin/bash
root@173885bb1bfa:/# apt update
Err:1 http://archive.ubuntu.com/ubuntu focal InRelease  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu focal-security InRelease  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
Building dependency tree       Reading state information... Done
All packages are up to date.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Alles anzeigen

I have this problem with Docker containers on one of my servers running OMV 5 on Debian 10.

Code

Temporary failure resolving

About this setup. I have recently installed OMV 5 on two x86 and one ARM server. The problem appears just on one of server, while inside the host os dns seems to work fine, I can install and upgrade packages, in docker containers it simply does not work. I tried to followw several guides, nothing helped so far. Also restored the image and reinstalled docker several time. Also the servers have identical OS images just with a few configuration changes related to disks. I've tried this guide https://development.robinwinsl…ix-docker-networking-dns/ and this https://www.dedoimedo.com/comp…container-no-network.html On all servers I get this

Code

root@mars:~# docker run busybox nslookup google.com
Server:         192.168.1.1
Address:        192.168.1.1:53

Non-authoritative answer:
Name:   google.com
Address: 172.217.20.174

*** Can't find google.com: No answer

On two servers it works (arm and x86):

Code

root@venus:~# docker run -t -i ubuntu /bin/bash
root@9e4dce3d6ad9:/# apt update
Get:1 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:2 http://security.ubuntu.com/ubuntu focal-security InRelease [107 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [107 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease [98.3 kB]
Get:5 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [8273 B]
Get:6 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [60.9 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [4673 B]
Get:9 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB] Get:10 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]                                                                                                                                                                                                                   Get:11 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]                                                                                                                                                                                                             Get:12 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [31.6 kB]                                                                                                                                                                                                       Get:13 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [4673 B]                                                                                                                                                                                                      Get:14 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [104 kB]                                                                                                                                                                                                            Get:15 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [2903 B]                                                                                                                                                                                                      Fetched 13.6 MB in 10s (1389 kB/s)                                                                                                                                                                                                                                                            Reading package lists... Done
Building dependency tree       Reading state information... Done
All packages are up to date.
root@9e4dce3d6ad9:/#

Alles anzeigen

My router is running OpenWrt 19.07, I also reboot it amd delete the dhcp leases. Which resolved the problem that the installed could not auto configure networks. I also found and started a container with X and VNC. In browsers DNS works fines, but not in apt

Jetzt mitmachen!