rkt driver does not support --dns=host #2025

Closed
blalor opened this issue Nov 23, 2016 · 7 comments

@blalor
Contributor

blalor commented Nov 23, 2016

Nomad v0.5.0
rkt Version: 1.19.0

The rkt driver provides the dns_servers task config option, but it only accepts IP addresses. Per rkt run --help:

      --dns=			name servers to write in /etc/resolv.conf. Pass 'host' to use host's resolv.conf. Pass 'none' to ignore CNI DNS config

The rkt driver should support single-item lists with host or none values to mirror the rkt run command-line arguments. This will enable proper DNS resolver config without having to hard-code IP addresses into the jobspec.
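The behaviour requested above, sketched as an added example (not Nomad's code and not the change in any PR): a hypothetical helper `dnsArgs` that accepts `host` or `none` only as a single-item list and otherwise requires IP addresses. Emitting one `--dns=` flag per server is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"net"
)

// dnsArgs is a hypothetical helper that maps a dns_servers list from a
// jobspec to rkt run arguments. It is an illustration, not the driver's code.
func dnsArgs(servers []string) ([]string, error) {
	// A single "host" or "none" mirrors rkt's own --dns keywords.
	if len(servers) == 1 && (servers[0] == "host" || servers[0] == "none") {
		return []string{"--dns=" + servers[0]}, nil
	}
	args := make([]string, 0, len(servers))
	for _, s := range servers {
		// The keywords are only meaningful on their own; reject mixes
		// such as ["host", "8.8.8.8"] instead of guessing the intent.
		if s == "host" || s == "none" {
			return nil, fmt.Errorf("%q must be the only dns_servers entry", s)
		}
		// Everything else must be a literal IPv4 or IPv6 address.
		if net.ParseIP(s) == nil {
			return nil, fmt.Errorf("dns_servers entry %q is not an IP address", s)
		}
		args = append(args, "--dns="+s)
	}
	return args, nil
}

func main() {
	// Constructed inputs covering the keyword, IP list and error cases.
	inputs := [][]string{{"host"}, {"none"}, {"8.8.8.8", "8.8.4.4"}, {"host", "8.8.8.8"}, {"ns1.example"}}
	for _, in := range inputs {
		args, err := dnsArgs(in)
		fmt.Println(in, "->", args, err)
	}
}
```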

@schmichael
Member

Thanks for the bug report @blalor!

PR #2028 implements the behavior you described. However, I ran into issues when testing it.

--dns=host doesn't seem to work for me. I'm on Ubuntu 16.04 and tested with rkt 1.17 and 1.19.

Setting a DNS server works as expected:

sudo rkt run docker://ubuntu --volume=hostbin,kind=host,source=/bin --mount=volume=hostbin,target=/foo --insecure-options=all --debug=true --exec=/foo/ping --dns=8.8.8.8 -- google.com

# Outputs expected ping output

Setting --dns=none works as expected (ping fails):

sudo rkt run docker://ubuntu --volume=hostbin,kind=host,source=/bin --mount=volume=hostbin,target=/foo --insecure-options=all --debug=true --exec=/foo/ping --dns=none -- google.com

# Outputs: [780411.369776] ubuntu[5]: ping: unknown host google.com

However, setting --dns=host does not work as expected. Ping fails as if I had specified --dns=none:

sudo rkt run docker://ubuntu --volume=hostbin,kind=host,source=/bin --mount=volume=hostbin,target=/foo --insecure-options=all --debug=true --exec=/foo/ping --dns=host -- google.com

# Same output as --dns=none

I get the same results when running via nomad but wanted to try to make it as easy to reproduce as possible.

Obviously no one is running ping in nomad, so if this is just an issue with my contrived example and everything works as expected in practice I'll be more than happy to merge the PR!

Thanks again for the report!

@blalor
Contributor Author

blalor commented Nov 23, 2016

I think the issue is your host's /etc/resolv.conf; mine looks like:

# generated by /etc/NetworkManager/dispatcher.d/50-update-dnsmasq-resolv-conf; do not edit
nameserver 10.0.2.15
search node.consul bsd.local
options single-request-reopen

no --dns

[root@localhost ~]# rkt run --insecure-options=image docker://centos --exec=/bin/bash -- -c "cat /etc/resolv.conf ; ping -c 1 www.google.com"
[32445.091499] centos[5]: # Generated by NetworkManager
[32445.091810] centos[5]: nameserver 192.168.122.1
[32465.107961] centos[5]: ping: unknown host www.google.com

That's weird; looks like the centos image has a default (broken) /etc/resolv.conf.

--dns=8.8.8.8

[root@localhost ~]# rkt run --insecure-options=image docker://centos --dns=8.8.8.8 --exec=/bin/bash -- -c "cat /etc/resolv.conf ; ping -c 1 www.google.com"
[32484.560674] centos[5]: # Generated by rkt run
[32484.561118] centos[5]: nameserver 8.8.8.8
[32494.586660] centos[5]: PING www.google.com (172.217.1.4) 56(84) bytes of data.
[32494.587128] centos[5]: --- www.google.com ping statistics ---
[32494.587522] centos[5]: 1 packets transmitted, 0 received, 100% packet loss, time 0ms

That works; note the generated /etc/resolv.conf.

--dns=host

[root@localhost ~]# rkt run --insecure-options=image docker://centos --dns=host --exec=/bin/bash -- -c "cat /etc/resolv.conf ; ping -c 1 www.google.com"
[32509.293299] centos[5]: # generated by /etc/NetworkManager/dispatcher.d/50-update-dnsmasq-resolv-conf; do not edit
[32509.293611] centos[5]: nameserver 10.0.2.15
[32509.293824] centos[5]: search node.consul bsd.local
[32509.294015] centos[5]: options single-request-reopen
[32509.360266] centos[5]: PING www.google.com (216.58.219.228) 56(84) bytes of data.
[32509.360533] centos[5]: 64 bytes from lga25s41-in-f228.1e100.net (216.58.219.228): icmp_seq=1 ttl=61 time=19.3 ms
[32509.360815] centos[5]: --- www.google.com ping statistics ---
[32509.361147] centos[5]: 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[32509.361324] centos[5]: rtt min/avg/max/mdev = 19.327/19.327/19.327/0.000 ms

Good; matches my host's /etc/resolv.conf.

--dns=none

[root@localhost ~]# rkt run --insecure-options=image docker://centos --dns=none --exec=/bin/bash -- -c "cat /etc/resolv.conf ; ping -c 1 www.google.com"
[32519.232226] centos[5]: # Generated by NetworkManager
[32519.232944] centos[5]: nameserver 192.168.122.1
[32539.248154] centos[5]: ping: unknown host www.google.com

Same as the first example.

So I think it's your host that has config incompatible with the container…

@blalor
Contributor Author

blalor commented Nov 23, 2016

Also, thanks for jumping on this!

@schmichael schmichael added this to the v0.5.1 milestone Nov 23, 2016
@schmichael
Member

> I think the issue is your host's /etc/resolv.conf

Ah, of course. I have dnsmasq installed on the host so resolv.conf points to it, but the container can't connect to it.

Thanks for helping me debug my own issue, and we'll get this into the 0.5.1 release.
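The failure mode diagnosed in this exchange, as an added example (not part of the thread and not Nomad's or rkt's code): a check that a host resolv.conf still names a non-loopback resolver before it is copied into a container via `--dns=host`. The function names and the `dnsmasqHost` sample are constructed; that the local dnsmasq listens on a loopback address is an assumption, since the thread does not give the address.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample: a host whose resolv.conf points at a local dnsmasq.
// The loopback address is an assumption; the thread does not state it.
const dnsmasqHost = "# constructed sample\nnameserver 127.0.1.1\nsearch example.internal\n"

// The host resolv.conf quoted earlier in the thread (comment line omitted).
const threadHost = "nameserver 10.0.2.15\nsearch node.consul bsd.local\noptions single-request-reopen\n"

// splitNameservers sorts the nameserver entries of a resolv.conf into
// loopback addresses (127.0.0.0/8, ::1) and everything else.
func splitNameservers(conf string) (loopback, other []string) {
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != "nameserver" {
			continue // comments, search, options, blank lines
		}
		addr := strings.SplitN(f[1], "%", 2)[0] // drop an IPv6 zone such as %eth0
		ip := net.ParseIP(addr)
		switch {
		case ip == nil: // not an address; ignore the entry
		case ip.IsLoopback():
			loopback = append(loopback, f[1])
		default:
			other = append(other, f[1])
		}
	}
	return loopback, other
}

// hostDNSUsable reports whether the file names at least one non-loopback
// resolver. Inside a container with its own network namespace, a loopback
// address refers to the container itself, not to the host's resolver.
func hostDNSUsable(conf string) bool {
	_, other := splitNameservers(conf)
	return len(other) > 0
}

func main() {
	fmt.Println("dnsmasq host usable with --dns=host:", hostDNSUsable(dnsmasqHost))
	fmt.Println("thread host usable with --dns=host:", hostDNSUsable(threadHost))
}
```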

@blalor
Contributor Author

blalor commented Nov 24, 2016

Yay! Thank you!

schmichael added a commit that referenced this issue Nov 28, 2016
schmichael added a commit that referenced this issue Nov 28, 2016
@Shaiful082

Hi guys, I am having the same issue with DNS. I tried with --dns=8.8.8.8 but am still not able to resolve!

@tgross tgross modified the milestones: near-term, unscheduled Jan 9, 2020
@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2022