Use host netns for host's ext-dns servers

The internal resolver needs to know whether to make requets to external DNS servers from the container's network namespace or the host's. The original rule was that requests were always made from the container's namespace, unless the nameserver was on a localhost address on the host. IPv6 nameservers were left in the container's /etc/resolv.conf. Commit 4e8d9a4 modified that so that IPv6 nameservers were also used as external nameservers. The internal resolver accessed them from the host namespace if the container's initial set of endpoints were IPv4-only, or the nameserver address contained a zone-id, (or the nameserver was on the IPv6 loopback address). That would break if initial IPv6 endpoints were disconnected from the container, leaving it with no IPv6 address. Once IPv6-only networks are allowed, another exception would need to be made for IPv4 nameservers (they'd need to be accessed from the host's namespace). Instead of doing that ... this change simplifies things, if a nameserver address is read from the host's /etc/resolv.conf, it'll work in the host's namespace. So, the rule is now simply that nameservers read from the host's resolv.conf are accessed from the host's namespace. DNS servers added as overrides ('--dns') are accessed from the container's namespace (as before). Signed-off-by: Rob Murray <rob.murray@docker.com>
2026-01-11 18:51:37 +00:00 · 2024-07-30 18:26:17 +01:00
parent 344039b9ae
commit d29767431c
7 changed files with 21 additions and 26 deletions
--- a/libnetwork/internal/resolvconf/resolvconf.go
+++ b/libnetwork/internal/resolvconf/resolvconf.go
@@ -239,10 +239,8 @@ func (rc *ResolvConf) TransformForLegacyNw(ipv6 bool) {
 //   - Add internalNS as a nameserver.
 //   - Remove other nameservers, stashing them as ExtNameServers for the
 //     internal resolver to use.
-//   - Mark ExtNameServers that must be used in the host namespace.
+//   - Mark ExtNameServers that must be accessed from the host namespace.
 //   - If no ExtNameServer addresses are found, use the defaults.
-//   - Return an error if an "ndots" option inherited from the host's config, or
-//     supplied in an override is not valid.
 //   - Ensure there's an 'options' value for each entry in reqdOptions. If the
 //     option includes a ':', and an option with a matching prefix exists, it
 //     is not modified.
@@ -251,24 +249,21 @@ func (rc *ResolvConf) TransformForIntNS(
 	internalNS netip.Addr,
 	reqdOptions []string,
 ) ([]ExtDNSEntry, error) {
-	// The transformed config must list the internal nameserver.
-	newNSs := []netip.Addr{internalNS}
-	// Filter out other nameservers, keeping them for use as upstream nameservers by the
-	// internal nameserver.
+	// Add each of the nameservers read from the host's /etc/hosts or supplied as an
+	// override to ExtNameServers, for the internal resolver to talk to. Addresses
+	// read from host config should be accessed from the host's network namespace
+	// (HostLoopback=true). Addresses supplied as overrides are accessed from the
+	// container's namespace.
 	rc.md.ExtNameServers = nil
 	for _, addr := range rc.nameServers {
-		// Extract this NS. Mark addresses that did not come from an override, but will
-		// definitely not work in the container's namespace as 'HostLoopback'. Upstream
-		// requests for these servers will be made in the host's network namespace. (So,
-		// '--dns 127.0.0.53' means use a nameserver listening on the container's
-		// loopback interface. But, if the host's resolv.conf contains 'nameserver
-		// 127.0.0.53', the host's resolver will be used.)
 		rc.md.ExtNameServers = append(rc.md.ExtNameServers, ExtDNSEntry{
 			Addr:         addr,
-			HostLoopback: !rc.md.NSOverride && (addr.IsLoopback() || (addr.Is6() && !ipv6) || addr.Zone() != ""),
+			HostLoopback: !rc.md.NSOverride,
 		})
 	}
-	rc.nameServers = newNSs
+
+	// The transformed config only lists the internal nameserver.
+	rc.nameServers = []netip.Addr{internalNS}

 	// If there are no external nameservers, and the only nameserver left is the
 	// internal resolver, use the defaults as ext nameservers.
--- a/libnetwork/internal/resolvconf/resolvconf_test.go
+++ b/libnetwork/internal/resolvconf/resolvconf_test.go
@@ -350,15 +350,15 @@ func TestRCTransformForIntNS(t *testing.T) {
 		{
 			name:          "IPv4 only",
 			input:         "nameserver 10.0.0.1",
-			expExtServers: []ExtDNSEntry{mke("10.0.0.1", false)},
+			expExtServers: []ExtDNSEntry{mke("10.0.0.1", true)},
 		},
 		{
 			name:  "IPv4 and IPv6, ipv6 enabled",
 			input: "nameserver 10.0.0.1\nnameserver fdb6:b8fe:b528::1",
 			ipv6:  true,
 			expExtServers: []ExtDNSEntry{
-				mke("10.0.0.1", false),
-				mke("fdb6:b8fe:b528::1", false),
+				mke("10.0.0.1", true),
+				mke("fdb6:b8fe:b528::1", true),
 			},
 		},
 		{
@@ -366,7 +366,7 @@ func TestRCTransformForIntNS(t *testing.T) {
 			input: "nameserver 10.0.0.1\nnameserver fdb6:b8fe:b528::1",
 			ipv6:  false,
 			expExtServers: []ExtDNSEntry{
-				mke("10.0.0.1", false),
+				mke("10.0.0.1", true),
 				mke("fdb6:b8fe:b528::1", true),
 			},
 		},
@@ -395,7 +395,7 @@ func TestRCTransformForIntNS(t *testing.T) {
 			name:          "IPv6 addr, IPv6 enabled",
 			input:         "nameserver fd14:6e0e:f855::1",
 			ipv6:          true,
-			expExtServers: []ExtDNSEntry{mke("fd14:6e0e:f855::1", false)},
+			expExtServers: []ExtDNSEntry{mke("fd14:6e0e:f855::1", true)},
 		},
 		{
 			name:  "IPv4 and IPv6 localhost, IPv6 disabled",
@@ -421,7 +421,7 @@ func TestRCTransformForIntNS(t *testing.T) {
 			ipv6:  true,
 			expExtServers: []ExtDNSEntry{
 				mke("127.0.0.53", true),
-				mke("fd3e:2d1a:1f5a::1", false),
+				mke("fd3e:2d1a:1f5a::1", true),
 			},
 		},
 		{
--- a/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_and_IPv6,_ipv6_disabled.golden
+++ b/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_and_IPv6,_ipv6_disabled.golden
@@ -1,5 +1,5 @@
 nameserver 127.0.0.11

 # Based on host file: '/etc/resolv.conf' (internal resolver)
-# ExtServers: [10.0.0.1 host(fdb6:b8fe:b528::1)]
+# ExtServers: [host(10.0.0.1) host(fdb6:b8fe:b528::1)]
 # Overrides: []
--- a/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_and_IPv6,_ipv6_enabled.golden
+++ b/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_and_IPv6,_ipv6_enabled.golden
@@ -1,5 +1,5 @@
 nameserver 127.0.0.11

 # Based on host file: '/etc/resolv.conf' (internal resolver)
-# ExtServers: [10.0.0.1 fdb6:b8fe:b528::1]
+# ExtServers: [host(10.0.0.1) host(fdb6:b8fe:b528::1)]
 # Overrides: []
--- a/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_localhost,_IPv6_private,_IPv6_enabled.golden
+++ b/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_localhost,_IPv6_private,_IPv6_enabled.golden
@@ -1,5 +1,5 @@
 nameserver 127.0.0.11

 # Based on host file: '/etc/resolv.conf' (internal resolver)
-# ExtServers: [host(127.0.0.53) fd3e:2d1a:1f5a::1]
+# ExtServers: [host(127.0.0.53) host(fd3e:2d1a:1f5a::1)]
 # Overrides: []
--- a/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_only.golden
+++ b/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_only.golden
@@ -1,5 +1,5 @@
 nameserver 127.0.0.11

 # Based on host file: '/etc/resolv.conf' (internal resolver)
-# ExtServers: [10.0.0.1]
+# ExtServers: [host(10.0.0.1)]
 # Overrides: []
--- a/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv6_addr,_IPv6_enabled.golden
+++ b/libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv6_addr,_IPv6_enabled.golden
@@ -1,5 +1,5 @@
 nameserver 127.0.0.11

 # Based on host file: '/etc/resolv.conf' (internal resolver)
-# ExtServers: [fd14:6e0e:f855::1]
+# ExtServers: [host(fd14:6e0e:f855::1)]
 # Overrides: []