-
Notifications
You must be signed in to change notification settings - Fork 881
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: DNS service discovery in Docker to replace /etc/hosts #767
Comments
ping @phemmer |
👍 |
I strongly advise against this. By implementing this behavior, you are preventing users from running DNS servers within docker.
I think this should be avoided as well. If you want the container to search multiple networks, adjust the
I think it might be better to instead forward all and only queries which are not part of a docker "network_name" domain.
The 2nd & 3rd items are actually related. In a nutshell, both boil down to the idea that docker provided DNS records should live within their own domain. Meaning the full DNS record for a container would be something like |
As @phemmer says, this isn't ok. The same thing was said on the docker-dev list - https://groups.google.com/d/msg/docker-dev/WXkMiPJqh7I/onY0k7yLAwAJ |
Couple of (maybe stupid) questions I have:
|
For the Address records it can be 1 hour. We can even go lower because this is only for the records in the namespace of docker networks; Hence its going to be a local lookup.
Today the service discovery is based on the container name passed via --name option. The same behavior will continue for DNS service discovery as well.
The intent is to seamlessly replace the current /etc/hosts based service discovery. So the user experience will not change. Pluggable DNS will be added after 1.10 release. |
Yes, that is what I implied because the docker DNS server can only resolve the names in the domain of docker networks. I will reword it to be explicit. |
That would be a mistake. We should have never confused container name and hostname. We should fix that behaviour in 1.10:
I know why we made the choice we did ( |
@dave-tucker @sanimej lets have all the discussions around |
+1 to replace updating /etc/hosts with an embedded DNS server. Does the engine have an IP on all networks that it creates? Couldn't we just use that IP as the |
@fermayo No, the engine doesn't have an IP on all the networks. Allocating one IP per host for multi-host networks may not be ideal. If we have to go down this path I think it can be made to work with one IP allocated per network and the using the same IP on all the hosts for DNS resolution; the embedded server is always local. For the resolution yes, the |
Hi, Did you consider using the NSS layer of LibC for name resolution? (/etc/nsswitch.conf) It seems to me that running and routing to a DNS server internally and updating / configuring it seems to be a bigger job than creating a small NSS backend which connects to docker-daemon and asks for the service ip. The communication could be done using a unix socket which is "volumed" in by default somewhere under /var/lib/docker and friends. Cheers, Tamas |
@smil2k Relying on nss wouldn't work for a lot of software which doesn't use the libc resolver. I would also argue that standing up an NSS library would be no easier than an actual DNS server, and I think likely harder. |
@phemmer: Those software which does not use NSS, would not work by adding resolv.conf entries, and never worked with the existing /etc/hosts solution. (as /etc/hosts being red by the "files" NSS backend). An nss plugin is much simpler tool with inherently much less moving parts (which means stability and less maint effort) than a DNS server, which must be protected, updated internally, packets must be routed to it etc... Of course it is EASIER to use an existing go dns server library and stitch it to the existing pile. |
@smil2k |
I could imagine uclibc as one. I really curious, so please don't take is as an offense. |
@phemmer it would be good if you can share your comments ASAP. we are running short of time for getting this in for the release. |
resolv.conf and /etc/hosts way pre-date libnss. Those are pretty universal On Mon, Dec 28, 2015 at 8:07 AM, Tamas notifications@github.com wrote:
|
Is there a design proposal for what a pluggable system should look like? Would it be appropriate to open a new issue to discuss it? I have some specific needs that I think could be implemented as a plugin, and I don't mind getting started on trying to add some plugin support, but I don't want to invest the time if my ideas are significantly different than the docker team's plans and would not be merged. |
@clinta can you please open a proposal with your ideas and we can discuss it before you start to implement the plugin. |
Hi, |
@BediarSofiane you can read more about it in docker docs. https://docs.docker.com/engine/userguide/networking/configure-dns/ |
Service discovery in Docker currently relies on updating the container's /etc/hosts file. This resulted in issues like corrupted /etc/hosts file in some cases #17190. Its also not a scalable approach.
This proposal outlines the design for a DNS based service discovery in Docker with the following goals..
Going forward we will support a pluggable DNS model (similar to IPAM). But its not covered in this proposal.
Docker daemon will act as a embedded DNS server for all the containers in a host. From the container point of view nameserver will be available at the loopback address. When the container is launched the loopback address will be the only nameserver populated in /etc/resolv.conf file. DNS queries from the container will be handled by the Docker process.
Short name (ie: only container name) resolutions will be done in the scope of the networks to which the container is connected to. For a qualified name container_name.network_name resolution will be done only if the container is attached to that network.
If --dns or the dns optoins were passed in the docker run command, DNS queries will be forwarded to those external servers if the name can't be resolved by the embedded DNS server.
The embedded DNS server will be enabled for all user created networks. /etc/hosts file will not be updated for containers on those networks. Only exception is the
containers in the default bridge network (docker0 bridge) with the link option which will continue to use /etc/hosts file. This is to provide backward compatibility for apps relying on that behavior.
The embedded DNS server in Docker is to resolve only the service names offered by Docker containers (local or across hosts). It can't replace any other local or non-local DNS servers used to resolve other services/host names in the cluster.
The text was updated successfully, but these errors were encountered: