Docker DNS problem (container level)

After installing some third-party bash scripts (into the container), I ran into problems with DNS on a private docker network.

Details: my host system is CentOS 7.6, docker version - 18.09.6, build 481bc77156. The base image I use to run the container is https://hub.docker.com/_/centos/ (with some additional Dockerfile directives applied to enable systemd):

FROM centos:7
ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]

The container is run with parameters like these:

docker run -dit --name="mycontainer" --restart always --privileged --net mynetwork -p 22004:22 --expose 80 --expose 443 local/centos-systemd:my_tag

After that, dns works fine (at the container level):

[root@3e9a75147f38 /]# ping google.com
PING google.com (108.177.14.101) 56(84) bytes of data.
64 bytes from lt-in-f101.1e100.net (108.177.14.101): icmp_seq=1 ttl=47 time=4.71 ms
64 bytes from lt-in-f101.1e100.net (108.177.14.101): icmp_seq=2 ttl=47 time=5.12 ms
64 bytes from lt-in-f101.1e100.net (108.177.14.101): icmp_seq=3 ttl=47 time=5.10 ms
64 bytes from lt-in-f101.1e100.net (108.177.14.101): icmp_seq=4 ttl=47 time=5.21 ms

But as soon as I install some additional web environment via a third-party bash script, domain resolution inside the container fails:

[root@docker /]# ping google.com
ping: google.com: Name or service not known

Nothing has changed in the file /etc/resolv.conf:

[root@docker /]# cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0

Ping by ip address works fine:

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=4.59 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=4.66 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=4.62 ms

Some additional data:

# docker inspect network mynetwork
<...>
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
<...>

Before installing the bash script:

[root@3e9a75147f38 /]# traceroute google.com
traceroute to google.com (173.194.73.100), 30 hops max, 60 byte packets
 1  gateway (172.18.0.1)  0.038 ms  0.021 ms  0.020 ms
 2  10.112.119.1 (10.112.119.1)  0.451 ms  0.572 ms  0.660 ms
 3  121.spb.net.selectel.ru (188.93.17.121)  1.069 ms  1.033 ms  1.018 ms
 4  62.spb.net.selectel.ru (188.93.17.62)  1.308 ms  1.286 ms  1.127 ms
 5  188.93.16.145 (188.93.16.145)  6.547 ms  6.527 ms  6.543 ms
 6  74.125.244.181 (74.125.244.181)  1.342 ms 74.125.244.133 (74.125.244.133)  1.217 ms 74.125.244.180 (74.125.244.180)  1.173 ms
 7  216.239.42.53 (216.239.42.53)  5.326 ms  5.940 ms 216.239.42.85 (216.239.42.85)  4.915 ms
 8  209.85.249.173 (209.85.249.173)  5.050 ms  5.021 ms  4.799 ms
 9  64.233.175.175 (64.233.175.175)  4.784 ms 72.14.236.115 (72.14.236.115)  4.941 ms  4.754 ms
[root@3e9a75147f38 /]# dig google.com
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1288
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             197     IN      A       173.194.73.100
google.com.             197     IN      A       173.194.73.139
google.com.             197     IN      A       173.194.73.138
google.com.             197     IN      A       173.194.73.102
google.com.             197     IN      A       173.194.73.113
google.com.             197     IN      A       173.194.73.101

;; Query time: 2 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Tue Jun 11 02:49:37 UTC 2019
;; MSG SIZE  rcvd: 135

After installing the bash script:

[root@docker /]# traceroute google.com
google.com: Name or service not known
Cannot handle "host" cmdline arg `google.com' on position 1 (argc 1)
[root@docker /]# dig google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Other containers placed on this private network use DNS correctly until this bash script is installed. The script installs a large amount of data and services (a web environment with nginx, httpd, mysql, nodejs, etc.), and I am unable to debug it and find the exact moment at which it breaks DNS.

Any ideas on how to fix this DNS problem?
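As an added diagnostic helper (editor's example, not code from the question or from Docker), this script checks the three container-side places where resolution can break while /etc/resolv.conf still shows 127.0.0.11, which matches the symptoms above: dig times out, ping by IP works. The NAT-rule check relies on the editor's understanding that dockerd redirects 127.0.0.11:53 with a DNAT rule inside the container's own network namespace, so treat that, the file paths and /tmp/nat.rules as assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original question. It checks the
# three places where name resolution inside a container on a user-defined
# Docker network can break while /etc/resolv.conf still shows 127.0.0.11.
# Each check reads a file so it can run on the live container or on copies.

# Check 1: resolv.conf must still name Docker's embedded resolver.
resolv_points_to_embedded() {
    grep -Eq '^nameserver[[:space:]]+127\.0\.0\.11([[:space:]]|$)' "$1"
}

# Check 2: the hosts line of nsswitch.conf must still list "dns"; without it
# getaddrinfo() never asks any resolver, yet ping by IP keeps working.
nsswitch_hosts_uses_dns() {
    awk '/^hosts:/ { for (i = 2; i <= NF; i++) if ($i == "dns") f = 1 }
         END { exit !f }' "$1"
}

# Check 3 (assumption about Docker internals): dockerd listens on a random port
# on 127.0.0.11 and adds a DNAT rule in the container's own nat table that
# redirects 127.0.0.11:53 to it. A script that flushes iptables inside a
# --privileged container removes that rule, and dig then times out exactly as
# in the question. Pass a file holding the output of `iptables -t nat -S`.
embedded_dns_nat_present() {
    grep -Eq -e '-d 127\.0\.0\.11/32 .*--dport 53 .*-j DNAT' "$1"
}

# Runs all checks, prints each failing one, returns non-zero if any failed.
diagnose() {
    rc=0
    resolv_points_to_embedded "$1" ||
        { echo "resolv.conf no longer points at 127.0.0.11"; rc=1; }
    nsswitch_hosts_uses_dns "$2" ||
        { echo "nsswitch.conf hosts line lost 'dns'"; rc=1; }
    embedded_dns_nat_present "$3" ||
        { echo "DNAT rule for 127.0.0.11:53 missing (nat table flushed?)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all container-side DNS checks passed"
    return "$rc"
}

# Live run inside the broken container: sh dns_check.sh --live
if [ "${1:-}" = "--live" ]; then
    iptables -t nat -S > /tmp/nat.rules 2>/dev/null
    diagnose /etc/resolv.conf /etc/nsswitch.conf /tmp/nat.rules
fi
```

Run it in a container that still resolves names and in the broken one; the first check that differs between the two runs is where the installer changed the container.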