What is correct way to fix name resolution from Docker container?
I have clean Ubuntu MATE 16.04.6 LTS installed.
I installed Docker from repository here with:
sudo apt-get install docker.io
and added my user to docker group with
sudo usermod -a -G docker $USER
then I downloaded Ubuntu 19.04 container with
docker pull ubuntu:19.04
and tried to run apt update inside it
docker run -it ubuntu:19.04 apt update
but got network errors:
$ docker run -it ubuntu:19.04 apt update Err:1 http://archive.ubuntu.com/ubuntu disco InRelease Temporary failure resolving 'archive.ubuntu.com' Err:2 http://security.ubuntu.com/ubuntu disco-security InRelease Temporary failure resolving 'security.ubuntu.com' Err:3 http://archive.ubuntu.com/ubuntu disco-updates InRelease Temporary failure resolving 'archive.ubuntu.com' Err:4 http://archive.ubuntu.com/ubuntu disco-backports InRelease Temporary failure resolving 'archive.ubuntu.com' Reading package lists... Done Building dependency tree Reading state information... Done All packages are up to date. W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/disco/InRelease Temporary failure resolving 'archive.ubuntu.com' W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/disco-updates/InRelease Temporary failure resolving 'archive.ubuntu.com' W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/disco-backports/InRelease Temporary failure resolving 'archive.ubuntu.com' W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/disco-security/InRelease Temporary failure resolving 'security.ubuntu.com' W: Some index files failed to download. They have been ignored, or old ones used instead.
The /etc/resolv.conf inside container is the following:
$ docker run -it ubuntu:19.04 cat /etc/resolv.conf # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 8.8.8.8 nameserver 8.8.4.4
The host system has internet, the NetworkManager is used with default settings:
$ cat /etc/NetworkManager/NetworkManager.conf [main] plugins=ifupdown,keyfile,ofono dns=dnsmasq [ifupdown] managed=false
all files on the system are unchanged - the debsums --changed --all --silent command returns nothing.
The requested output of iptables -S is below:
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
Which settings should I change to fix DNS (name resolution) from Docker container?
Notes:
- I know about disabling DNS masquerading (
#dns=dnsmasq), but I do not want to use this option. - I got the same result while using Docker-CE from docker.com.
- The system installed from netinstall mini.iso does not suffer from aforementioned problem. It uses
ifupdown. So the NetworkManager is the root of this problem.
The solution for docker run is very simple - we need to choose host network with --network host option:
docker run -it --network host ubuntu:19.04 apt update
and then the problem will be solved.
But it also should be noted that docker build has --network option only starting only from 18.04 LTS. So if we need docker build --network host for 16.04 LTS we need to use docker-ce package from docker.com.