Description
Originally posted by @josoko in "IPVLAN L3 is not forwarding non-Docker DNS requests outside of the container anymore" #47655
The source of my request is this discussion:
https://forums.docker.com/t/ipvlan-l3-mode-driver-confusion/140569/6
But I am not able to bring an IPVLAN L3 config to a state where it will forward DNS requests to a Docker-external DNS server.
I did a Docker Zabbix setup, which should be able to resolve network-related FQDNs which are not part of the Docker environment for monitoring purposes. Every other public IP address is reachable from the Docker containers (8.8.8.8, and network-internal systems which are not part of the Docker environment).
Reproduce
To test the network behaviour I deployed a busybox into the existing Docker Zabbix network:
$ docker run -itd --rm --name busybox2 \
--network 60_zbx_net_backend \
--ip 172.16.101.30 \
--dns 212.25.1.1 \
busybox
da594a28bb7662decf9e3bbc51acfde3153253116a50593f371aec4601a2a084
Here is the docker network inspect output:
$ docker network inspect 60_zbx_net_backend
[
    {
        "Name": "60_zbx_net_backend",
        "Id": "aef0aeb73b06c5c0a3125c420288b937580a25d1fed7d21fae96f6b883617aa4",
        "Created": "2024-03-30T00:18:26.205715177+01:00",
        "Scope": "local",
        "Driver": "ipvlan",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.16.101.16/28"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "025b19d33527aca787065de649f6cd0b9b9dc3eb08505ad2c39d3a523e85764e": {
                "Name": "60-zabbix-web-nginx-pgsql-1",
                "EndpointID": "9963cd234c39156675ff5880f82c834d0706311c32ec0ad570b719243d5ca16c",
                "MacAddress": "",
                "IPv4Address": "172.16.101.18/28",
                "IPv6Address": ""
            },
            "63f894fae9efb4f7d62204824716df66a8162797b62506dd53ad6dab676039c4": {
                "Name": "60-zabbix-server-1",
                "EndpointID": "0b48d688304826978b7193d9c27cad7eb5752994dc79edc0f76a45b4d39b4101",
                "MacAddress": "",
                "IPv4Address": "172.16.101.19/28",
                "IPv6Address": ""
            },
            "bdd102c370cc414e507176c7205ac4e1b3b4864b300ec5ac9ce17533b54074cc": {
                "Name": "60-postgres-server-1",
                "EndpointID": "b7f62cf53ec0b77f09153c80cf93b0a84e29d85657751abdf10edd471189b5d6",
                "MacAddress": "",
                "IPv4Address": "172.16.101.21/28",
                "IPv6Address": ""
            },
            "da594a28bb7662decf9e3bbc51acfde3153253116a50593f371aec4601a2a084": {
                "Name": "busybox2",
                "EndpointID": "db23feaeae4d70683384d54767d5b1eedf0730a72d1a121afce522ecfc2addd1",
                "MacAddress": "",
                "IPv4Address": "172.16.101.30/28",
                "IPv6Address": ""
            },
            "e1a99d4846a4f6199382a4ae1b80d09b30bace78ae8d48afed7762b28176a32c": {
                "Name": "60-zabbix-agent-1",
                "EndpointID": "397fca45e45bbd96a83010ce599f5833a90874c3702145dbd9fcce7c99172e3b",
                "MacAddress": "",
                "IPv4Address": "172.16.101.20/28",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.enable_ipv6": "false",
            "ipvlan_mode": "l3",
            "parent": "eno1"
        },
        "Labels": {
            "com.docker.compose.network": "zbx_net_backend",
            "com.docker.compose.project": "60",
            "com.docker.compose.version": "2.25.0"
        }
    }
]
Here is the default /etc/resolv.conf output of the busybox container:
$ docker exec -it busybox2 sh
# cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.
nameserver 127.0.0.11
search lan.mydomain.com (changed)
options ndots:0
# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [212.25.1.1]
# Overrides: [nameservers]
# Option ndots from: internal
docker version
$ docker info
Client: Docker Engine - Community
Version: 26.0.0
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.13.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.25.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 8
Running: 4
Paused: 0
Stopped: 4
Images: 8
Server Version: 26.0.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.1.0-18-amd64
Operating System: Debian GNU/Linux 12 (bookworm)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 31.24GiB
Name: geko
ID: 31466756-f345-41ef-8e38-4c1e517fd994
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional info
How can I enforce the Docker containers/host to forward external DNS requests outside of the Docker environment? That was working in earlier Docker versions. If this has been restricted, I am asking why. In an IPVLAN L3 environment the user is responsible for protecting their network by using firewalls etc. This function is essential in an L3 network.
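The resolv.conf shown above says the container's only nameserver is Docker's embedded resolver (127.0.0.11), which forwards to the upstream listed in the `# ExtServers:` comment (212.25.1.1). A symptom like the one reported has two candidate causes that look identical from `nslookup`: the embedded resolver is not forwarding, or the IPVLAN L3 path from the container to UDP/53 on the upstream is broken. The script below is an added diagnostic, not code from the issue or from the Moby project: it parses the Docker-generated resolv.conf, then sends one minimal A query (built by hand, so it needs no DNS library) to 127.0.0.11 and to each ExtServer directly, so the two causes can be told apart. The sample resolv.conf text, the `lan.example.com` search domain and the `192.0.2.1` answer address are constructed for the offline self-test; the probe against live resolvers is only run from `__main__`.

```python
import random
import re
import socket
import struct

DOCKER_INTERNAL_RESOLVER = "127.0.0.11"

# Constructed sample: the Docker-generated resolv.conf from the issue, with the
# search domain replaced by a placeholder.
SAMPLE_RESOLV_CONF = """\
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.
nameserver 127.0.0.11
search lan.example.com
options ndots:0
# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [212.25.1.1]
# Overrides: [nameservers]
# Option ndots from: internal
"""


def parse_docker_resolv_conf(text):
    """Extract active nameservers, search list, and the upstreams Docker's
    embedded resolver forwards to (from the '# ExtServers:' comment)."""
    info = {"nameservers": [], "search": [], "ext_servers": [], "overrides": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^nameserver\s+(\S+)", line)
        if m:
            info["nameservers"].append(m.group(1))
        m = re.match(r"^search\s+(.+)$", line)
        if m:
            info["search"] = m.group(1).split()
        m = re.match(r"^#\s*ExtServers:\s*\[(.*)\]", line)
        if m:
            info["ext_servers"] = [s for s in re.split(r"[\s,]+", m.group(1)) if s]
        m = re.match(r"^#\s*Overrides:\s*\[(.*)\]", line)
        if m:
            info["overrides"] = [s for s in re.split(r"[\s,]+", m.group(1)) if s]
    info["uses_internal_resolver"] = DOCKER_INTERNAL_RESOLVER in info["nameservers"]
    return info


def build_a_query(name, txid):
    """Minimal RFC 1035 A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_a_response(name, txid, ips, rcode=0):
    """Constructed response for offline testing: QR+RD+RA flags, one compressed
    answer (pointer 0xC00C to the question name) per IP in `ips`."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + build_a_query(name, txid)[12:] + answers


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, txid):
    """Return {'rcode': int, 'answers': [ipv4, ...]}; raise on a short or
    mismatched reply (a wrong transaction id is a spoofed or stray datagram)."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x000F, "answers": ips}


def probe_resolver(server, name, timeout=2.0):
    """Send one A query over UDP/53 to `server`; None means no reply in time."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def diagnose(resolv_text, name):
    """Probe the configured nameservers and every ExtServer directly."""
    info = parse_docker_resolv_conf(resolv_text)
    return {t: probe_resolver(t, name) for t in info["nameservers"] + info["ext_servers"]}


if __name__ == "__main__":
    # Run inside the container (e.g. `docker exec`): compares 127.0.0.11 with
    # the upstream it should forward to. The name to resolve is an assumption.
    with open("/etc/resolv.conf") as f:
        for server, result in diagnose(f.read(), "example.com").items():
            print(server, "no reply" if result is None else result)
```

Reading the result: an answer from 212.25.1.1 but none from 127.0.0.11 points at the embedded resolver not forwarding; no answer from either means the container has no working L3 path to UDP/53 on the upstream (route, parent-interface or firewall), which is outside the resolver's control; an answer from both means resolution itself works and the problem lies in the search/ndots handling of the name being looked up.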