On tis, 2014-04-29 at 11:24 -0400, Simo Sorce wrote: > On Tue, 2014-04-29 at 17:15 +0200, Alexander Larsson wrote: > > On tis, 2014-04-29 at 14:15 +0200, Jaroslav Reznik wrote: > > > = Proposed System Wide Change: Default Local DNS Resolver = > > > https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver > > > > > > Change owner(s): P J P <pjp@xxxxxxxxxxxxxxxxx>, Pavel Šimerda > > > <pavlix@xxxxxxxxxx>, Tomas Hozza <thozza@xxxxxxxxxx> > > > > > > To install a local DNS resolver trusted for the DNSSEC validation running on > > > 127.0.0.1:53. This must be the only name server entry in /etc/resolv.conf. > > > > This is gonna conflict a bit with docker, and other users of network > > namespaces, like systemd-nspawn. When docker runs, it picks up the > > current /etc/resolv.conf and puts it in the container, but the container > > itself runs in a network namespace, so it gets its own loopback device. > > This will mean 127.0.0.1:53 points to the container itself, not the > > host, so dns resolving in the container will not work. > > > > Not sure how to fix something like that though... > > Any way we can redirect the connection to the host ? > > On the host we cannot listen on 0.0.0.0 so we cannot make unbound > available through normal routing on a different interface. > > However we can perhaps make it listen on a special virtual interface > dedicated to let containers talk to other processes on the host maybe ? > (could even be other privileged containers). There is a question of what > addresses to use though ... I don't see any nice way to make this "just work" in docker (i.e. without changes to docker). Docker as well as the host sets up 127.0.0.1/8 for the loopback device, so any 127.0.0.* will get routed to the local loopback. The only ways to have a ip available to both the host and the container are to either have a ip not in the 127.0.0.x range (thus this will be forwarded to the default gw, i.e. the host) or to set up some kind of forwarding of a port in 127.0.0.x (i.e. use iptables). The later needs to be done by docker, as its what sets up the network interfaces for the container. So, without changes to docker the option seems to be to set up another local interface with address range different than 127.0.0.1 and have the dns server listen to that. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
