
Commit 925b484

committed
No fallback nameservers for internal resolver
The internal resolver now uses any nameserver found in the host's /etc/resolv.conf as an external nameserver, and it's accessed from the host's network namespace. Before this change, when no external nameservers were found (so the host had no entries in /etc/resolv.conf) Google's DNS servers were used as fallbacks, always accessed from the container's network namespace. If a container's initial set of endpoints had IPv6 enabled, the IPv6 nameservers were included. Now that we have IPv6-only networks, a similar exception would be needed for Google's IPv4 nameservers... don't include them if there are no IPv4 endpoints. However, only the initial set of endpoints was considered. As networks are connected/disconnected, IPv4 or IPv6 connectivity may be lost. Unlike nameservers read from the host's /etc/resolv.conf, there is no way to tell which fallback nameservers (v4/v6) might work from the host's namespace. So, using the host's namespace isn't a good solution. Since we want to get away from using fallback nameservers anyway, this change removes them. If a host has no /etc/resolv.conf entries, but a container does need to use DNS, it'll need to be configured with servers via '--dns'. Signed-off-by: Rob Murray <[email protected]>
1 parent d297674 commit 925b484

12 files changed

Lines changed: 5 additions & 136 deletions

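--- a/libnetwork/internal/resolvconf/resolvconf.go
+++ b/libnetwork/internal/resolvconf/resolvconf.go
@@ -245,7 +245,6 @@ func (rc *ResolvConf) TransformForLegacyNw(ipv6 bool) {
 // option includes a ':', and an option with a matching prefix exists, it
 // is not modified.
 func (rc *ResolvConf) TransformForIntNS(
-ipv6 bool,
 internalNS netip.Addr,
 reqdOptions []string,
 ) ([]ExtDNSEntry, error) {
@@ -265,16 +264,6 @@ func (rc *ResolvConf) TransformForIntNS(
 // The transformed config only lists the internal nameserver.
 rc.nameServers = []netip.Addr{internalNS}
 
-// If there are no external nameservers, and the only nameserver left is the
-// internal resolver, use the defaults as ext nameservers.
-if len(rc.md.ExtNameServers) == 0 && len(rc.nameServers) == 1 {
-log.G(context.TODO()).Info("No non-localhost DNS nameservers are left in resolv.conf. Using default external servers")
-for _, addr := range defaultNSAddrs(ipv6) {
-rc.md.ExtNameServers = append(rc.md.ExtNameServers, ExtDNSEntry{Addr: addr})
-}
-rc.md.UsedDefaultNS = true
-}
-
 // For each option required by the nameserver, add it if not already present. If
 // the option is already present, don't override it. Apart from ndots - if the
 // ndots value is invalid and an ndots option is required, replace the existing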
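Review bot: Nothing at the site of the removed block in the second hunk records that an empty host resolv.conf now leaves `rc.md.ExtNameServers` empty, and the Info log that used to announce the fallback is removed with it. A short comment after `rc.nameServers = []netip.Addr{internalNS}` would make the contract explicit, for example `// No fallback nameservers: if the host's resolv.conf has none, external lookups fail unless servers are set with '--dns'.` The function's doc comment and the rest of its body lie outside these hunks, so whether `UsedDefaultNS` and `defaultNSAddrs` are still referenced elsewhere cannot be confirmed from here. If they are not, they are presumably dead and worth removing in the same change.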

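--- a/libnetwork/internal/resolvconf/resolvconf_test.go
+++ b/libnetwork/internal/resolvconf/resolvconf_test.go
@@ -340,7 +340,6 @@ func TestRCTransformForIntNS(t *testing.T) {
 name string
 input string
 intNameServer string
-ipv6 bool
 overrideNS []string
 overrideOptions []string
 reqdOptions []string
@@ -355,16 +354,6 @@ func TestRCTransformForIntNS(t *testing.T) {
 {
 name: "IPv4 and IPv6, ipv6 enabled",
 input: "nameserver 10.0.0.1\nnameserver fdb6:b8fe:b528::1",
-ipv6: true,
-expExtServers: []ExtDNSEntry{
-mke("10.0.0.1", true),
-mke("fdb6:b8fe:b528::1", true),
-},
-},
-{
-name: "IPv4 and IPv6, ipv6 disabled",
-input: "nameserver 10.0.0.1\nnameserver fdb6:b8fe:b528::1",
-ipv6: false,
 expExtServers: []ExtDNSEntry{
 mke("10.0.0.1", true),
 mke("fdb6:b8fe:b528::1", true),
@@ -373,86 +362,29 @@ func TestRCTransformForIntNS(t *testing.T) {
 {
 name: "IPv4 localhost",
 input: "nameserver 127.0.0.53",
-ipv6: false,
 expExtServers: []ExtDNSEntry{mke("127.0.0.53", true)},
 },
 {
 // Overriding the nameserver with a localhost address means use the container's
 // loopback interface, not the host's.
 name: "IPv4 localhost override",
 input: "nameserver 10.0.0.1",
-ipv6: false,
 overrideNS: []string{"127.0.0.53"},
 expExtServers: []ExtDNSEntry{mke("127.0.0.53", false)},
 },
 {
-name: "IPv4 localhost, ipv6 enabled",
-input: "nameserver 127.0.0.53",
-ipv6: true,
-expExtServers: []ExtDNSEntry{mke("127.0.0.53", true)},
-},
-{
-name: "IPv6 addr, IPv6 enabled",
+name: "IPv6 only",
 input: "nameserver fd14:6e0e:f855::1",
-ipv6: true,
 expExtServers: []ExtDNSEntry{mke("fd14:6e0e:f855::1", true)},
 },
 {
-name: "IPv4 and IPv6 localhost, IPv6 disabled",
-input: "nameserver 127.0.0.53\nnameserver ::1",
-ipv6: false,
-expExtServers: []ExtDNSEntry{
-mke("127.0.0.53", true),
-mke("::1", true),
-},
-},
-{
-name: "IPv4 and IPv6 localhost, ipv6 enabled",
+name: "IPv4 and IPv6 localhost",
 input: "nameserver 127.0.0.53\nnameserver ::1",
-ipv6: true,
 expExtServers: []ExtDNSEntry{
 mke("127.0.0.53", true),
 mke("::1", true),
 },
 },
-{
-name: "IPv4 localhost, IPv6 private, IPv6 enabled",
-input: "nameserver 127.0.0.53\nnameserver fd3e:2d1a:1f5a::1",
-ipv6: true,
-expExtServers: []ExtDNSEntry{
-mke("127.0.0.53", true),
-mke("fd3e:2d1a:1f5a::1", true),
-},
-},
-{
-name: "IPv4 localhost, IPv6 private, IPv6 disabled",
-input: "nameserver 127.0.0.53\nnameserver fd3e:2d1a:1f5a::1",
-ipv6: false,
-expExtServers: []ExtDNSEntry{
-mke("127.0.0.53", true),
-mke("fd3e:2d1a:1f5a::1", true),
-},
-},
-{
-name: "No host nameserver, no iv6",
-input: "",
-ipv6: false,
-expExtServers: []ExtDNSEntry{
-mke("8.8.8.8", false),
-mke("8.8.4.4", false),
-},
-},
-{
-name: "No host nameserver, iv6",
-input: "",
-ipv6: true,
-expExtServers: []ExtDNSEntry{
-mke("8.8.8.8", false),
-mke("8.8.4.4", false),
-mke("2001:4860:4860::8888", false),
-mke("2001:4860:4860::8844", false),
-},
-},
 {
 name: "ndots present and required",
 input: "nameserver 127.0.0.53\noptions ndots:1",
@@ -496,7 +428,7 @@ func TestRCTransformForIntNS(t *testing.T) {
 rc.OverrideOptions(tc.overrideOptions)
 }
 intNS := netip.MustParseAddr(tc.intNameServer)
-extNameServers, err := rc.TransformForIntNS(tc.ipv6, intNS, tc.reqdOptions)
+extNameServers, err := rc.TransformForIntNS(intNS, tc.reqdOptions)
 if tc.expErr != "" {
 assert.Check(t, is.ErrorContains(err, tc.expErr))
 return
@@ -559,7 +491,7 @@ func TestRCTransformForIntNSInvalidNdots(t *testing.T) {
 content := "nameserver 8.8.8.8\n" + tc.options
 rc, err := Parse(bytes.NewBuffer([]byte(content)), "/etc/resolv.conf")
 assert.NilError(t, err)
-_, err = rc.TransformForIntNS(false, netip.MustParseAddr("127.0.0.11"), tc.reqdOptions)
+_, err = rc.TransformForIntNS(netip.MustParseAddr("127.0.0.11"), tc.reqdOptions)
 assert.NilError(t, err)
 
 val, found := rc.Option("ndots")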
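Review bot: The two "No host nameserver" cases in the third hunk are deleted rather than replaced, so nothing in the visible table pins the new behaviour for an empty resolv.conf: no external servers at all, and no public resolver silently substituted. Keeping one case such as `{name: "No host nameserver", input: ""},` would guard against a fallback being reintroduced later. This assumes the comparison further down treats an unset `expExtServers` as "none expected", which is outside the hunks shown, and the case would need a matching golden file under testdata/TestRCTransformForIntNS. The table and the test body both extend beyond these hunks.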

libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_and_IPv6,_ipv6_disabled.golden

Lines changed: 0 additions & 5 deletions
This file was deleted.

libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_and_IPv6_localhost,_ipv6_enabled.golden

Lines changed: 0 additions & 5 deletions
This file was deleted.

libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_and_IPv6_localhost,_IPv6_disabled.golden renamed to libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_and_IPv6_localhost.golden

File renamed without changes.

libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_localhost,_IPv6_private,_IPv6_disabled.golden

Lines changed: 0 additions & 5 deletions
This file was deleted.

libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_localhost,_IPv6_private,_IPv6_enabled.golden

Lines changed: 0 additions & 5 deletions
This file was deleted.

libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv4_localhost,_ipv6_enabled.golden

Lines changed: 0 additions & 5 deletions
This file was deleted.

libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv6_addr,_IPv6_enabled.golden renamed to libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/IPv6_only.golden

File renamed without changes.

libnetwork/internal/resolvconf/testdata/TestRCTransformForIntNS/No_host_nameserver,_iv6.golden

Lines changed: 0 additions & 6 deletions
This file was deleted.
