dnsdock's Introduction

dnsdock

DNS server for automatic docker container discovery. Simplified version of crosbymichael/skydock.

This project was initially created and maintained by tonistiigi.

Differences from skydock

  • No raft / simple in-memory storage - Does not use any distributed storage and is meant to be used only inside single host. This means no ever-growing log files and memory leakage. AFAIK skydock currently does not have a state machine so the raft log always keeps growing and you have to recreate the server periodically if you wish to run it for a long period of time. Also the startup is very slow because it has to read in all the previous log files.

  • No TTL heartbeat - Skydock sends heartbeats for every container that reset the DNS TTL value. In production this has not turned out to be reliable. What makes this worse is that if a heartbeat has been missed, skydock does not recover until you restart it. Dnsdock uses a static TTL that does not count down. You can override it for a container and also change it without restarting (before updates). In most cases you would want to use TTL=0 anyway.

  • No dependency on another container - Dnsdock does not use a separate DNS server but has one built in. Linking to another container makes recovery from a crash much harder. For example, skydock does not recover from a skydns crash even if the crashed container is restarted.

  • A records only for now.

  • No support for Javascript plugins.

  • There’s a slight difference in the way image names are extracted from a container. Skydock uses the last tag set on the image while dnsdock uses the specific tag that was used when the container was created. This means that if a new version of an image comes out and untags the image that your container still uses, the DNS requests for this old container still work.

Build

There are two ways to build the tool.

Building with devbox:

Install devbox on your host and execute the following commands:

$> devbox run test
$> devbox run --env GOARCH=[amd64|arm] build

Building using a devcontainer:

Install VSCode devcontainer extension or devpod and execute the following commands:

$> go get ./...
$> mkdir -p build && GOARCH=[amd64|arm] go build -o build/dnsdock ./cmd/dnsdock

Usage

Dnsdock connects to Docker Remote API and keeps an up to date list of running containers. If a DNS request matches some of the containers their local IP addresses are returned.

Format for a request matching a container is: <anything>.<container-name>.<image-name>.<environment>.<domain>.

  • environment and domain are static suffixes that are set on startup. The domain defaults to docker.
  • image-name is the last part of the image tag used when starting the container.
  • container-name is the alphanumerical part of the container name.

You can always leave out parts from the left side. If multiple containers match then they are all returned. Wildcard requests are also supported.

> dig *.docker
...
;; ANSWER SECTION:
docker.			0	IN	A	172.17.0.5
docker.			0	IN	A	172.17.0.3
docker.			0	IN	A	172.17.0.2
docker.			0	IN	A	172.17.0.7

> dig redis.docker
...
;; ANSWER SECTION:
redis.docker.		0	IN	A	172.17.0.3
redis.docker.		0	IN	A	172.17.0.2

> dig redis1.redis.docker
...
;; ANSWER SECTION:
redis1.redis.docker.		0	IN	A	172.17.0.2

> dig redis1.*.docker
...
;; ANSWER SECTION:
redis1.*.docker.		0	IN	A	172.17.0.2
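
The matching rule above, written out as an added example (this is not dnsdock's own code). The service list, the `Match` function and the treatment of a bare domain query as "match everything" are assumptions made for illustration; the queries in `main` are the ones from the dig sessions above. Note that the label next to the suffix is the image name, so a container name alone never matches.

```go
package main

import (
	"fmt"
	"strings"
)

// Service is a constructed stand-in for one container known to the resolver.
type Service struct {
	Name  string // alphanumerical part of the container name
	Image string // last part of the image tag, version removed
	IP    string
}

// labelsOf lowercases a DNS name, drops a trailing dot and splits it into labels.
func labelsOf(name string) []string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return nil
	}
	return strings.Split(name, ".")
}

// matches compares one query label with one service field; "*" matches anything.
func matches(pattern, value string) bool {
	return pattern == "*" || pattern == strings.ToLower(value)
}

// Match returns the IPs of every service that answers a query of the form
// <anything>.<container-name>.<image-name>.<environment>.<domain>.
// Parts may be left out from the left. A query that is only the suffix is
// treated as matching every service (assumption of this example).
func Match(query, environment, domain string, services []Service) []string {
	q := labelsOf(query)
	suffix := append(labelsOf(environment), labelsOf(domain)...)
	if len(q) < len(suffix) {
		return nil
	}
	// The static suffix must match exactly; it is never a wildcard.
	rest, tail := q[:len(q)-len(suffix)], q[len(q)-len(suffix):]
	for i := range suffix {
		if tail[i] != suffix[i] {
			return nil
		}
	}
	// Reading right to left: image-name first, then container-name.
	// Anything further left is the free "<anything>" prefix and is ignored.
	image, name := "*", "*"
	if n := len(rest); n >= 1 {
		image = rest[n-1]
	}
	if n := len(rest); n >= 2 {
		name = rest[n-2]
	}
	var ips []string
	for _, s := range services {
		if matches(image, s.Image) && matches(name, s.Name) {
			ips = append(ips, s.IP)
		}
	}
	return ips
}

// sampleServices is constructed data: two redis containers and two
// containers started from the same alpine image.
func sampleServices() []Service {
	return []Service{
		{Name: "titi", Image: "alpine", IP: "172.17.0.5"},
		{Name: "redis2", Image: "redis", IP: "172.17.0.3"},
		{Name: "redis1", Image: "redis", IP: "172.17.0.2"},
		{Name: "tata", Image: "alpine", IP: "172.17.0.7"},
	}
}

func main() {
	for _, q := range []string{
		"*.docker", "redis.docker", "redis1.redis.docker",
		"redis1.*.docker", "titi.docker", "titi.alpine.docker",
	} {
		fmt.Printf("%-22s %v\n", q, Match(q, "", "docker", sampleServices()))
	}
}
```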

Setup

The DNS listening port needs to be bound to the docker0 interface so that it's available to all containers. To avoid this IP changing during host restart, add it to the docker default options.

  • If you use systemd (present on Fedora and recent Ubuntu versions), edit /lib/systemd/system/docker.service and add the options to the command you will see in the ExecStart section, then run sudo systemctl daemon-reload.
  • If you do not, open the file /etc/default/docker and add --bip=172.17.0.1/24 --dns=172.17.0.1 to the DOCKER_OPTS variable.

Restart docker daemon after you have done that (sudo service docker restart).

Now you only need to run the dnsdock container:

docker run -d -v /var/run/docker.sock:/var/run/docker.sock --name dnsdock -p 172.17.0.1:53:53/udp aacebedo/dnsdock [--opts]

  • -d starts container as daemon
  • -v /var/run/docker.sock:/var/run/docker.sock shares the docker socket to the container so that dnsdock can connect to the Docker API.
  • -p 172.17.0.1:53:53/udp exposes the default DNS port to the docker0 bridge interface.

Additional configuration options to dnsdock command:

--dns=":53": Listen DNS requests on this address
--docker="unix://var/run/docker.sock": Path to the docker socket
--domain="docker": Domain that is appended to all requests
--environment="": Optional context before domain suffix
--help: Show this message
--http=":80": Listen HTTP requests on this address
--nameserver="8.8.8.8:53": DNS server for unmatched requests
--ttl=0: TTL for matched requests
--verbose: Verbose output
--tlsverify: enable mutual TLS between dnsdock and Docker
--tlscacert="$HOME/.docker/ca.pem": Path to CA certificate
--tlscert="$HOME/.docker/cert.pem": Path to client certificate
--tlskey="$HOME/.docker/key.pem": Path to client certificate private key
--all: Process all container even if they are stopped
--forcettl: Change TTL value of responses coming from remote servers

If you also want to let the host machine discover the containers add nameserver 172.17.0.1 to your /etc/resolv.conf.

SELinux and Fedora / RHEL / CentOS

Mounting docker daemon’s unix socket may not work with default configuration on these platforms. Please use selinux-dockersock to fix this. More information in #11.

TLS Authentication

Instead of connecting to the Docker daemon’s UNIX socket, you may prefer to connect via a TLS-protected TCP socket (for example, if you are running Swarm). The -tlsverify option enables TLS, and the three additional options (-tlscacert, -tlscert and -tlskey) must also be specified. Alternatively, you may set the DOCKER_TLS_VERIFY environment variable to a non-empty value and the DOCKER_CERTS to a directory containing files named ca.pem, cert.pem and key.pem.

You may build this into your own container with this example Dockerfile:

FROM aacebedo/dnsdock

ENV DOCKER_TLS_VERIFY 1
ENV DOCKER_CERTS /certs

CMD ["-docker=tcp://172.17.0.1:2376"]

Use a volume (-v /path/to/certs:/certs) to give the container access to the certificate files, or build the certificates into the image if you have access to a secure private image registry.

HTTP Server

For easy overview and manual control, dnsdock also includes an HTTP server that lets you configure the server using a JSON API.

# show all active services
curl http://dnsdock.docker/services

# show a service
curl http://dnsdock.docker/services/serviceid

# add new service manually
curl http://dnsdock.docker/services/newid -X PUT --data-ascii '{"name": "foo", "image": "bar", "ip": "192.168.0.3", "ttl": 30}'

# remove a service
curl http://dnsdock.docker/services/serviceid -X DELETE

# change a property of an existing service
curl http://dnsdock.docker/services/serviceid -X PATCH --data-ascii '{"ttl": 0}'

# set new default TTL value
curl http://dnsdock.docker/set/ttl -X PUT --data-ascii '10'
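
Because the API accepts manually added services with any IP, it is worth checking periodically what the server is actually handing out. The following is an added example, not part of dnsdock: it parses a `/services` response body and reports records with no address or an address outside the container subnet. The `AuditServices` function, the `Finding` type and the sample body are constructed for illustration; the field names follow the JSON the API returns.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
)

// service mirrors the fields returned by GET /services.
type service struct {
	Name    string
	Image   string
	Ip      string
	Ttl     int
	Aliases []string
}

// Finding is one record that deserves a second look.
type Finding struct {
	ID     string
	Reason string
}

// AuditServices parses a /services response body and reports records whose
// address is missing, unparsable, or outside the expected container subnet.
// Findings are ordered by service id so repeated runs can be compared.
func AuditServices(body []byte, containerCIDR string) ([]Finding, error) {
	_, subnet, err := net.ParseCIDR(containerCIDR)
	if err != nil {
		return nil, fmt.Errorf("bad container CIDR: %w", err)
	}
	var services map[string]service
	if err := json.Unmarshal(body, &services); err != nil {
		return nil, fmt.Errorf("bad /services body: %w", err)
	}
	ids := make([]string, 0, len(services))
	for id := range services {
		ids = append(ids, id)
	}
	sort.Strings(ids)

	var findings []Finding
	for _, id := range ids {
		raw := services[id].Ip
		ip := net.ParseIP(raw)
		switch {
		case raw == "":
			findings = append(findings, Finding{ID: id, Reason: "no IP address recorded"})
		case ip == nil:
			findings = append(findings, Finding{ID: id, Reason: fmt.Sprintf("%q is not an IP address", raw)})
		case !subnet.Contains(ip):
			findings = append(findings, Finding{ID: id, Reason: fmt.Sprintf("%s is outside %s", raw, subnet)})
		}
	}
	return findings, nil
}

// sampleServices is a constructed response body: one container without an
// address, one normal container, and one entry added by hand through PUT.
const sampleServices = `{
  "c1":    {"Name": "node1",  "Image": "test",  "Ip": "",            "Ttl": -1, "Aliases": []},
  "c2":    {"Name": "redis1", "Image": "redis", "Ip": "172.17.0.2",  "Ttl": -1, "Aliases": []},
  "newid": {"Name": "foo",    "Image": "bar",   "Ip": "192.168.0.3", "Ttl": 30, "Aliases": []}
}`

func main() {
	findings, err := AuditServices([]byte(sampleServices), "172.17.0.0/24")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.ID, f.Reason)
	}
}
```

Records that set an address on purpose (for example through the com.dnsdock.ip_addr label) will also be reported, so treat the output as a review list.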

Overrides from ENV metadata (DEPRECATED WILL BE REMOVED IN NEXT RELEASE)

If you wish to fine tune the DNS response addresses you can define specific environment variables during container startup. This overrides the default matching scheme from container and image name.

Supported ENV variables are DNSDOCK_NAME, DNSDOCK_IMAGE, DNSDOCK_ALIAS, DNSDOCK_TTL.

docker run -e DNSDOCK_NAME=master -e DNSDOCK_IMAGE=mysql -e DNSDOCK_TTL=10 \
           --name mymysql mysqlimage
# matches master.mysql.docker
docker run -e DNSDOCK_ALIAS=db.docker,sql.docker -e DNSDOCK_TTL=10 \
           --name mymysql mysqlimage
# matches db.docker and sql.docker

Overrides with docker labels

If you wish to fine tune the DNS response addresses you can define specific labels during container creation. This overrides the default matching scheme from container and image name.

Supported labels are com.dnsdock.ignore, com.dnsdock.alias, com.dnsdock.name, com.dnsdock.tags, com.dnsdock.image, com.dnsdock.ttl, com.dnsdock.region, and com.dnsdock.ip_addr.

docker run -l com.dnsdock.name=master -l com.dnsdock.image=mysql -l com.dnsdock.ttl=10 \
           --name mymysql mysqlimage
# matches master.mysql.docker
docker run -l com.dnsdock.alias=db.docker,sql.docker -l com.dnsdock.ttl=10 \
           --name mymysql mysqlimage
# matches db.docker and sql.docker

Service metadata syntax by progrium/registrator is also supported.

docker run -l com.dnsdock.tags=master -l com.dnsdock.name=mysql -l com.dnsdock.region=us2 \
           --name mymysql mysqlimage
# matches master.mysql.us2.docker

If you want dnsdock to skip processing a specific container set its com.dnsdock.ignore label.

You can force the value of the IP address returned in the DNS record with the com.dnsdock.ip_addr label. This can be useful if you have a reverse proxy such as traefik in a container with mapped port and you want to redirect your clients to the front server instead of an internal docker container ip address.

OSX Usage

Original tutorial: http://www.asbjornenge.com/wwc/vagrant_skydocking.html

If you use docker on OSX via Vagrant you can do this to make your containers discoverable from your main machine.

In your Vagrantfile add the following to let your virtual machine accept packets for other IPs:

config.vm.provider :virtualbox do |vb|
  vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
end

Then route traffic that matches your containers to your virtual machine internal IP:

sudo route -n add -net 172.17.0.0 <VAGRANT_MACHINE_IP>

Finally, to make OSX use dnsdock for requests that match your domain suffix create a file with your domain ending under /etc/resolver (for example /etc/resolver/myprojectname.docker) and set its contents to nameserver 172.17.0.1.

coreos-vagrant usage

You can autostart the dnsdock service in the user-data file of coreos-vagrant. Every time you vagrant up this CoreOS vagrant instance, the dnsdock service will be running and start discovering your other services.

Add the following snippet under the units part:

    - name: dnsdock.service
      enable: true
      command: start
      content: |
        [Unit]
        Description=dnsdock
        After=docker.service
        Requires=docker.service

        [Service]
        EnvironmentFile=/etc/environment
        ExecStartPre=/bin/sh -c '/usr/bin/docker rm -f dnsdock || ls > /dev/null'
        ExecStartPre=/bin/sh -c '/usr/bin/docker pull aacebedo/dnsdock'
        ExecStart=/usr/bin/docker run -v /var/run/docker.sock:/var/run/docker.sock --name dnsdock -p ${COREOS_PRIVATE_IPV4}:53:53/udp aacebedo/dnsdock
        ExecStop=/bin/sh -c '/usr/bin/docker stop dnsdock  || ls > /dev/null'

Lots of code in this repo is directly influenced by skydns and skydock. Many thanks to the authors of these projects.

dnsdock's People

Contributors

aacebedo, ailispaw, beatcracker, conz27, febbraro, greg0ire, hammerdr, jverdeyen, kshlm, melaniet, nelsongraca, p1c2u, pniederlag, ps2, tjamet, tonistiigi, tya

dnsdock's Issues

[Documentation] Clarify how containers are matched with names

I spent quite some time before understanding how names are mapped to containers. The documentation says:

'Dnsdock connects to Docker Remote API and keeps an up to date list of running containers. If a DNS request matches some of the containers their local IP addresses are returned.'

Is the name of the container matched to the DNS query? That sounded like a reasonable assumption to me when reading the docs but it's actually not the case!

It took me some time to discover that the name of the IMAGE used to create the container was matched in priority.

If you have 2 containers (named titi and tata) started from the same image "alpine:3.2", for example:

dig titi.docker -> no answer section
dig alpine.docker -> addresses of both titi and tata in the answer section (in random order)
dig titi.alpine.docker -> address of titi
dig tata.alpine.docker -> address of tata

Simply linking two containers

Hey there, I did run into another issue which you might know how to solve. Let's say I have two containers:

DB Container

docker run -d --dns 172.17.42.1 \
-e DNSDOCK_NAME=foobar \
-e DNSDOCK_IMAGE=postgres \
-e POSTGRESQL_USER=foobar \
-e POSTGRESQL_PASS=foobar \
-e POSTGRESQL_DB=foobar \
orchardup/postgresql

Now when I query for the container within the host shell everything is fine: dig @172.17.42.1 foobar.postgres.docker

App Container

Now I build an app container https://gist.github.com/steffenmllr/8d14cda1ef73bd418f15 and try to start it with: docker run --dns 172.17.42.1 -d -t appspace/appname. The container cannot connect to the postgres instance because it cannot resolve the DNS request.

Add DNS cache

It seems that the internal DNS doesn't use any cache for forwarded requests. Maybe add this feature just for the sake of performance?

can run under boot2docker?

What I'd love to see is some discussion/instruction of what needs to be done differently when running under boot2docker. I'm assuming the part where you share the host's /var/run/docker.sock as a volume isn't going to work.

I found some instructions here:
http://www.devopslife.com/2014/08/08/docker-boot2docker-and-dns-resolution-of-containers.html

It's aimed at skydock but the first part would be the same, I think. However, in the comments people say this no longer works for docker 1.3.1 due to some change.

I'd also love to see an example fig.yml for running dnsdock as a service under fig.

Wrong build instructions?

I don't know go or rocker but I'm trying to contribute a solution to #68, and I am stuck:

if git describe --contains HEAD &>/dev/null; then export VERSIONARGS="-var DNSDockVersion=`git describe --contains HEAD`"; else unset VERSIONARGS; fi
echo $VERSIONARGS
-var DNSDockVersion=v1.13.1
rocker build -var Arch=amd64 ${VERSIONARGS} -var OutputDir=/tmp  
Incorrect Usage.

NAME:
   build - launches a build for the specified Rockerfile

USAGE:
   command build [command options] [arguments...]

OPTIONS:
   --file, -f "Rockerfile"              rocker build file to execute
   --auth, -a                       Username and password in user:password format
   --build-arg [--build-arg option --build-arg option]  Set build-time variables, can pass multiple of those, format is key=value (default [])
   --var [--var option --var option]            set variables to pass to build tasks, value is like "key=value"
   --vars [--vars option --vars option]         Load variables form a file, either JSON or YAML. Can pass multiple of this.
   --no-cache                       supresses cache for docker builds
   --reload-cache                   removes any cache that hit and save the new one
   --cache-dir "~/.rocker_cache"            Set the directory where the cache will be stored
   --no-reuse                       suppresses reuse for all the volumes in the build
   --push                       pushes all the images marked with push to docker hub
   --pull                       always attempt to pull a newer version of the FROM images
   --attach                     attach to a container in place of ATTACH command
   --meta                       add metadata to the tagged images, such as user, Rockerfile source, variables and git branch/sha
   --print                      just print the Rockerfile after template processing and stop
   --demand-artifacts                   fail if artifacts not found for {{ image }} helpers
   --id                         override the default id generation strategy for current build
   --artifacts-path                     put artifacts (files with pushed images description) to the directory
   --no-garbage                     remove the images from the tail if not tagged
   --push-retry "0"                 number of retries for failed image pushes

flag provided but not defined: -var DNSDockVersion%

The last line looks interesting. What did I do wrong?

adding additional CNAME records

First of all thx for providing dnsdock, it's a nice tool to add simple dns/service discovery inside docker.

For my use case I would like to add multiple hostname/aliases to a single running container. For this reason I'd like to be able to add "arbitrary" CNAME records into dns.

Does this sound like a valid use case for dnsdock?
Is this something that is supported by dnsdock already or something you could imagine to add?

Multihost environment?

Could this be used in a multi host environment using both consul and the docker overlay driver? Maybe I missed something, but I did not see any mention of this.

Wrong A records when using n-th depth domain names

Version: tonistiigi/dnsdock:v1.10.0

Docker-compose file:

drupal:
  build: .
  dockerfile: Dockerfile.loc
  volumes_from:
    - data
  links:
    - mariadb
    - solr
    - redis
    - blackfire
  environment:
    - DNSDOCK_ALIAS=www.docker.sparkfabrik.docker.loc
  restart: always
mariadb:
  extends:
    file: docker-compose.common.yml
    service: mariadb
  volumes_from:
    - data
  environment:
    - DNSDOCK_ALIAS=mysql.www.docker.sparkfabrik.docker.loc

DIG output:

~ ❯ dig @172.17.42.1 mysql.www.docker.sparkfabrik.docker.loc

; <<>> DiG 9.8.3-P1 <<>> @172.17.42.1 redis.www.docker.sparkfabrik.docker.loc
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17281
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;redis.www.docker.sparkfabrik.docker.loc. IN A

;; ANSWER SECTION:
mysql.www.docker.sparkfabrik.docker.loc. 0 IN A 172.17.42.7
mysql.www.docker.sparkfabrik.docker.loc. 0 IN A 172.17.42.3

Where 172.17.42.7 is the ip of the drupal container.

Any ideas ?

container can't access DNS server while host can

I followed your instructions and let the dnsdocker container listen on the docker0 interface and ip 172.17.42.1. I can access and query it successfully from the host, but no container is able to connect to it using this ip (they all have IPs from the range 172.17.42.1/24). If I use the actual (changing) IP from the dnsdock container, the clients can connect successfully.

Any idea what the problem might be?

Github releases don't match docker hub tags

It looks like you recently updated the latest tag in the Docker hub, but I noticed that releases on Github number up to v1.12.0 whereas you only have up to v1.10.0 in the Docker hub. I'm assuming that latest in the Docker hub matches v1.12.0 in Github, but I don't have any way of finding out.

Alias not working inside ubuntu containers

I'm able to use the alias in my docker host but not inside the containers.

Here is the log from dns dock when I run a container with an alias:
2015/09/03 13:19:34 Added service: f685a5b79f7b7331d7f61d1619ea72bf645f6b6a4be2317b1513bb5bbd938a56 {cdos_session_run_1 memcached 172.17.0.6 -1 ["session.cloud"]}

When I try to resolve the alias inside an ubuntu container:
With the full name:

root@769f59ceb4d4:/usr/local/cdos/exosphere# dig cdos_session_run_1.memcached.cloud

; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> cdos_session_run_1.memcached.cloud
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35519
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cdos_session_run_1.memcached.cloud. IN A

;; ANSWER SECTION:
cdos_session_run_1.memcached.cloud. 0 IN A  172.17.0.6

;; Query time: 1 msec
;; SERVER: 172.17.42.1#53(172.17.42.1)
;; WHEN: Thu Sep 03 13:20:48 UTC 2015
;; MSG SIZE  rcvd: 102

With the alias:

root@769f59ceb4d4:/usr/local/cdos/exosphere# dig session.cloud

; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> session.cloud
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34616
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;session.cloud.         IN  A

;; AUTHORITY SECTION:
cloud.          0   IN  SOA dnsdock.cloud. dnsdock.dnsdock.cloud. 1441285200 28800 7200 604800 0

;; Query time: 10 msec
;; SERVER: 172.17.42.1#53(172.17.42.1)
;; WHEN: Thu Sep 03 13:20:53 UTC 2015
;; MSG SIZE  rcvd: 106

dnsdock on Windows 7?

I saw Weave doesn't work with Docker on Windows - and was interested in using dnsdock for Docker that's installed on Windows. Is this possible or recommended? Thanks so much

Build in a busybox image?

Thank you so much for dnsdock - it's a great service and I make heavy use of it.

That said, it would be great if there were builds of it that were based on a lighter-weight container so that this 8 MB binary doesn't pull down 400 MB of Debian and golang layers just to run a statically-linked binary.

(I've solved that internally by building dnsdock and putting it into a busybox image.)

What would you think about shipping an official container based on something very lightweight, like progrium/busybox or https://registry.hub.docker.com/_/busybox/?

Docker hub tags

Is there any reason why the last two tagged releases here on GitHub haven't been tagged on Docker Hub? Latest there is v1.10.0:

I'm currently using latest but always prefer to use tagged versions when possible.

/var/run/docker.sock fails with fig/docker-compose

I had huge problems turning your (working) example docker command into a fig|docker-compose.yml. After some hours of trial and error I found that using the volume "/run/docker.sock" instead of "/var/run/docker.sock" dnsdock can be fired up via docker-compose.

The background is that at least on debian and coreos /var/run is just a symlink to /run.

Containers not discoverable from host

I try to access my containers from my mac os HOST.
I followed the description of the page and modified the nic2 in the vm. So now I can ping the containers by IP

sudo route -n add -net 172.17.0.0 192.168.59.103

ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3): 56 data bytes

My next step was to also access the container via its dnsdock domain name. So I added a file in /etc/resolver/project.docker with

nameserver 172.17.42.1

I am still not able to ping the container via its dns name. Any idea what this can be or how I can verify my setup is correct?

Getting this to work with nginx

First off, thanks for making a simplified alternative to skydock. I'm trying to get dnsdock to work with nginx but somehow it does not really resolve the request.

Here is my setup:

nginx

server {
    resolver 172.17.42.1 valid=5s;
    resolver_timeout 5s;

    server_name some.domain.com;
    set $dns app.docker;

    proxy_set_header   Host                 $http_host;
    proxy_set_header   X-Real-IP            $remote_addr;
    proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto    $scheme;
    proxy_redirect     off;


    location / {
        proxy_pass http://$dns:3000;

    }

}

Dockerfile

FROM dockerfile/nodejs
MAINTAINER Steffen Mueller <[email protected]>
WORKDIR /app
ADD . /app
RUN npm install --production
EXPOSE 3000
CMD ["npm", "start"]

Startup command:

docker run -d -dns 172.17.42.1 my/app

If I do a dig @172.17.42.1 app.docker the dns resolves. Any idea why nginx does not resolve the request ?

wrong service stop detection when using signals

I have an nginx container. My nginx configuration is mounted on it, and when I tweak it, I would like to be able to reload the configuration without restarting the container. The nginx docs show that sending a HUP signal to the master process should do the trick. With docker compose, you can do this by issuing the following command:

docker-compose kill -s HUP webserver

When I do that, dnsdock logs this:

2015/08/24 12:25:50 Stopped service: 747bc57f0d326be9464bfe2253496848dd99e3963e680bc7741ddaac9b8a792c

I would expect it to not detect this false positive.

The switch statement that takes care of this is too naïve, it should inspect the kill arguments.

Container not accessible by hostname by application

My issue is essentially, exactly this one: crosbymichael/skydock#92

I have a set of Dockers running: dnsdock, a Redis server, and a Scala Play app.

All of their hostnames are resolved correctly when, for example, using redis-cli from my local machine, or pinging from one another.

The problem is that when the Play app connects to the Redis server, it cannot resolve its hostname (but it can connect to it using the container's IP).

Dig (and ping, and redis-cli) resolves the hostname just fine:
dig @172.17.42.1 +short redis-dev.redis.docker
172.17.0.6

But I can't get the application to do so.
Trying a connection through the Python3 REPL (using the pymongo package) yields the same result.

EDIT: Adding that I'm using Linux Mint 17.2 as my host, and Ubuntu 14.02 in my Play application.

Container recognized but DNS not updated

Hi there,

I just pulled the latest image and I can reach the dnsdock.docker, however when I run a 2nd container, it comes up in the services list, however I cannot ping the container_name.docker.

Enable multiple DNS forwarders

I'm having an issue setting the dnsdock nameserver as my primary DNS server.
I need to be able to forward the DNS queries for our internal private domains through dnsdock.

For example:

My /etc/resolv.conf file:

nameserver 192.168.99.100 **DNSDOCK host container IP
nameserver 10.191.1.5
nameserver 10.180.1.5

If I try to resolve a name like jenkins01.service.cloud I get back a name conflict IP 127.0.53.53

Server:    192.168.99.100
Address 1: 192.168.99.100

Name:      jenkins01.service.cloud
Address 1: 127.0.53.53

Is there any other way to resolve this issue?

UPDATED
In the readme file it lists that there is an option to specify a different fallback DNS server: -nameserver="8.8.8.8:53": DNS server for unmatched requests
Is that nameserver option configured by environment variables?

UPDATED
I figured it out, the nameserver can be specified as an argument when running the docker container

My question now is:
Can you support multiple DNS forwarders?

Dockerhub?

Since I see that the project has changed maintainers, will the aacebedo version be made available on Dockerhub?

Strange (container's) IP addresses resolved by dnsdock

Some strange behaviors that I observed but have not figured out:

After some time Dnsdock may start to resolve some strange addresses:
> nslookup client.manager.bbooks.dk (client.manager.bbooks.dk is a DNS name of the container taken from by custom container's label)

Non-authoritative answer:
Name: client.manager.bbooks.dk
Addresses: 6.99.108.105
          172.18.0.2

The correct address is 172.18.0.2; I don't know what 6.99.108.105 is. When dnsdock responds this way:
> ping client.manager.bbooks.dk:

The ping request could not find the host client.manager.bbooks.dk. Check the name and
Try again

though > ping 172.18.0.2 is reachable.

So have to restart dnsdock container to get rid of 6.99.108.105.

Any suggestions?

curl and ipv6

When I try contacting a container with curl, it fails unless I use the -4 option

curl mam.web.docker   
curl: (6) Could not resolve host: mam.web.docker
curl -4 mam.web.docker
<!DOCTYPE html>
<html>
    <head>
    </head>
    <body>
        Hello World !!!
    </body>
</html>

Thanks

Please add support for external networks

It looks like dnsdock doesn't work when containers are attached to a custom network. Consider an example:

First. Create a custom network:

docker network create --subnet 172.25.0.0/16 test

Second. Make containers use this network:

version: "2"

services:
  web1:
    image: nginx
    dns: 172.25.0.1
    environment:
      - DNSDOCK_NAME=node1
      - DNSDOCK_IMAGE=test
    networks:
      test:
        ipv4_address: 172.25.0.11

  dnsdock:
    image: tonistiigi/dnsdock
    volumes:
      - /var/run/docker.sock:/run/docker.sock
    ports:
      - 53/udp
      - 8080:80
    networks:
      test:
        ipv4_address: 172.25.0.22

  tester:
    image: ubuntu
    command: bash -c "ping node1.test.docker -c3"
    links:
      - web1
      - dnsdock
    dns: 172.25.0.22
    networks:
      test:
        ipv4_address: 172.25.0.33

networks:
  test:
    external: true

When I run Docker Compose, the output I see is:

dnsdock_1  | 2016/07/31 17:24:18 Added service: c9a99bbf7783ba5d822504829ba91e762b8c472379e5e529933c13d014b20d09 {dnsdockexperiment_dnsdock_1 dnsdock <nil> -1 []}
dnsdock_1  | 2016/07/31 17:24:18 Added service: c9a99bbf7783ba5d822504829ba91e762b8c472379e5e529933c13d014b20d09 {dnsdockexperiment_dnsdock_1 dnsdock <nil> -1 []}
dnsdock_1  | 2016/07/31 17:24:18 Added service: 08bd9894a14abf223bbdfe87ea97d108cd51fe2ab52a141024f18e3654273302 {node1 test <nil> -1 []}
dnsdock_1  | 2016/07/31 17:24:18 Added service: 8e4a4f0ea0305c426e7518a987287c1f813861366f89be4ed07626ae597ebc10 {clever_blackwell ubuntu <nil> -1 []}
dnsdock_1  | 2016/07/31 17:24:18 Added service: a7b85cbde6b0166e285c48673c41b47c181e1a9922a1d340cd5f7a38b2003c6a {dnsdockexperiment_tester_1 ubuntu <nil> -1 []}
tester_1   | ping: unknown host node1.test.docker
dnsdock_1  | 2016/07/31 17:24:18 Stopped service: a7b85cbde6b0166e285c48673c41b47c181e1a9922a1d340cd5f7a38b2003c6a
dnsdockexperiment_tester_1 exited with code 2

Here's what dig says:

dig @172.25.0.22 node1.test.docker
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @172.25.0.22 node1.test.docker
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55868
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;node1.test.docker.     IN  A

;; Query time: 1 msec
;; SERVER: 172.25.0.22#53(172.25.0.22)
;; WHEN: Sun Jul 31 13:28:15 EDT 2016
;; MSG SIZE  rcvd: 64

Here's what curl says:

curl http://172.25.0.22/services
{
    "08bd9894a14abf223bbdfe87ea97d108cd51fe2ab52a141024f18e3654273302": {
        "Name": "node1",
        "Image": "test",
        "Ip": "",
        "Ttl": -1,
        "Aliases": []
    },
    "c9a99bbf7783ba5d822504829ba91e762b8c472379e5e529933c13d014b20d09": {
        "Name": "dnsdockexperiment_dnsdock_1",
        "Image": "dnsdock",
        "Ip": "",
        "Ttl": -1,
        "Aliases": []
    }
}

Here's what docker inspect says:

docker inspect 08bd
[
    {
        "Id": "08bd9894a14abf223bbdfe87ea97d108cd51fe2ab52a141024f18e3654273302",
        ...
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "940e18a4793035e36674f4e29d5f1ec3f0fa97ed39d5d02be45a4f6f8b1bc395",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "443/tcp": null,
                "80/tcp": null
            },
            "SandboxKey": "/var/run/docker/netns/940e18a47930",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "test": {
                    "IPAMConfig": {
                        "IPv4Address": "172.25.0.11"
                    },
                    "Links": null,
                    "Aliases": [
                        "08bd9894a14a",
                        "web1"
                    ],
                    "NetworkID": "e8c5a53271330faf10d186bb73f1cc512c8153f69644a4350b12a6912dfe4cea",
                    "EndpointID": "2f9f6a82e79c401d0910526dbefd81317eab312d2ce80234043d48d434cfa19e",
                    "Gateway": "172.25.0.1",
                    "IPAddress": "172.25.0.11",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:19:00:0b"
                }
            }
        }
    }
]

I assume that dnsdock only looks at the top-level IPAddress and ignores the Networks collection. The top-level IPAddress is OK when in bridge mode, but once you switch to an external network, it's always empty.

Please consider adding support for this scenario.

dig dnsdocker.docker works, curl dnsdocker.docker doesn't

Hi

From one container I am able to ping another container, but any attempt to do a higher-level request such as curl fails, citing that it 'could not resolve host'. Any theories/suggestions why? Both containers are based off Ubuntu 14.04.

root@ac69fc055883:/app# dig dnsdock.docker

; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> dnsdock.docker
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35804
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dnsdock.docker.            IN  A

;; ANSWER SECTION:
dnsdock.docker.     0   IN  A   172.17.3.48

;; Query time: 1 msec
;; SERVER: 172.17.42.1#53(172.17.42.1)
;; WHEN: Tue Aug 04 17:16:58 UTC 2015
;; MSG SIZE  rcvd: 62

But when I curl...

root@fab381760c0e:/app# strace -o /tmp/wtf -fF curl -v http://dnsdock.docker/services
* Hostname was NOT found in DNS cache
* Could not resolve host: dnsdock.docker
* Closing connection 0
curl: (6) Could not resolve host: dnsdock.docker

cant get resolver to work

Hi.
I am trying to set up dnsdock and I have the container running, but when I run curl http://dnsdock.docker/services I get the following error:

curl: (6) Could not resolve host: dnsdock.docker

When I run dig .docker I get: "no matches found: *.docker"

I am using Linux Mint 17 and here is my /etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search lan
nameserver 172.17.42.1

What am I doing wrong?

Manage Multiple Nameservers

Hi,

First, thank you for this container! Nice & easy :)

In production, we use multiple DNS servers. I see that dnsdock currently manages only one external DNS server (Google by default).

I tried to read the Go code, and I found this:
In the function handleOrForward, when you call the Exchange function of the DNS client library,
you read the nameserver directly from the config structure.

I suggest:

  • split the nameserver string on the comma separator into an array (or something equivalent in Go)
  • count the nameservers
  • while err != nil and not all the servers have been tested yet
    • randomize and take another nameserver
    • try it :)
    • exit the 'while' or take another nameserver
  • clear the array!

Maybe the array must be created in the constructor and released at the end (use an error server list in this case)

I prefer to use the random function to balance the load, but one by one is nice too :)

-> with only one server, nothing changes!
-> with multiple servers, we use the same syntax as skydns/skydock

Thank you for your attention :)

PS: sorry, I'm not a golang dev, I can't do it myself!

Discussion: remove capability to rename container with HTTP PATCH

Dealing with use cases where dnsdock may not run in the same daemon that it manages and where for some reason the event stream may go down and lose data, the changes coming from the docker daemon and manually from the user are easy to get mixed up and not easy to solve.

More background in #27.

I'm suggesting to make container names immutable (docker rename remains the exception) and change it so a PATCH request may only change the TTL value and nothing else (or other values can only be changed on containers created with the HTTP server). This was always the intention for this method for me.

Because this would be a behaviour-breaking change, I'm leaving this out here for counter-arguments for some time.

I would also release v2.0 so accidental updates should be limited.

Renaming containers doesn't update dnsdock names

Once a container is launched with a particular name, it sticks until the container is removed:

$ docker run --name one -d httpd
ee030eb30dc69e04eade85dd535707b8d768fc42dd4524bcb37721873c1b4868
$ docker logs dnsdock 2>&1 | grep ee03
2015/06/25 15:41:11 Added service: ee030eb30dc69e04eade85dd535707b8d768fc42dd4524bcb37721873c1b4868 {one httpd 172.17.0.155 -1 []}
$ host one.httpd.dnsdock
one.httpd.dnsdock has address 172.17.0.155
$ docker rename one two
$ docker logs dnsdock 2>&1 | grep ee03
2015/06/25 15:41:11 Added service: ee030eb30dc69e04eade85dd535707b8d768fc42dd4524bcb37721873c1b4868 {one httpd 172.17.0.155 -1 []}
$ host two.httpd.dnsdock
Host two.httpd.dnsdock not found: 3(NXDOMAIN)
$ host one.httpd.dnsdock
one.httpd.dnsdock has address 172.17.0.155

Perhaps this is because Docker's events API doesn't report on name changes?

Ubuntu 16.04 and dnsmasq

While trying to set up dnsdock on Ubuntu 16.04, I discovered that 16.04 is configured by default in such a way that NetworkManager uses dnsmasq running on a local IP address (in my case it's 127.0.1.1 and port 53).

While editing /etc/resolv.conf works until the machine restarts (or the config is overwritten by any other means), I found that one can also configure dnsmasq to use dnsdock only for .docker domains by creating a file /etc/NetworkManager/dnsmasq.d/local-docker.conf with

server=/docker/172.17.0.1

while running dnsdock as dnsdock -dns="172.17.0.1:53" (since 127.0.1.1:53 is taken by dnsmasq).

The difference is that the DNS for non-docker domains remains under the NetworkManager's control and there will be no need to amend /etc/resolv.conf on every restart. Whether that is a pro or a con, it's up to you :)

Add a contribution guide

I'm trying to contribute, but I haven't written any Go before. There is no guide, so here is what I tried (and what failed):

docker build -t dnsdock .
Sending build context to Docker daemon 1.176 MB
Sending build context to Docker daemon 
Step 0 : FROM golang:1.4.1
Trying to pull repository docker.io/golang ...
7b9d831c9cf1: Download complete 
511136ea3c5a: Download complete 
8771fbfe935c: Download complete 
0e30e84e9513: Download complete 
c90a56bfe7dd: Download complete 
6b030fdd4748: Download complete 
5b691e49c664: Download complete 
1ea09c2dbbab: Download complete 
d560761777e0: Download complete 
6c9ce5fcafa4: Download complete 
fdaf64c52e5d: Download complete 
d6429349e0af: Download complete 
b77e2c7c5469: Download complete 
4fb0e42c842e: Download complete 
2fb1c97e2c4f: Download complete 
Status: Image is up to date for docker.io/golang:1.4.1
 ---> 7b9d831c9cf1
Step 1 : ADD . /go/src/github.com/tonistiigi/dnsdock
 ---> ea5393a16d9d
Removing intermediate container dc8915aff99f
Step 2 : RUN cd /go/src/github.com/tonistiigi/dnsdock &&     go get -v github.com/tools/godep &&     godep restore &&     go install -ldflags "-X main.version `git describe --tags HEAD``if [[ -n $(command git status --porcelain --untracked-files=no 2>/dev/null) ]]; then echo "-dirty"; fi`" ./...
 ---> Running in 75ac8d1c6379
github.com/tools/godep (download)
github.com/tools/godep/Godeps/_workspace/src/github.com/kr/fs
github.com/tools/godep/Godeps/_workspace/src/github.com/pmezard/go-difflib/difflib
github.com/tools/godep/Godeps/_workspace/src/golang.org/x/tools/go/vcs
github.com/tools/godep
/bin/sh: 1: [[: not found
 ---> 59b5fc05a44a
Removing intermediate container 75ac8d1c6379
Step 3 : ENTRYPOINT /go/bin/dnsdock
 ---> Running in 351e2eed1185
 ---> a4efd3e6ee49
Removing intermediate container 351e2eed1185
Successfully built a4efd3e6ee49

Notice the /bin/sh: 1: [[: not found part? What did I do wrong?

can not resolve host names

I am using https://vagrantcloud.com/yungsang/boxes/boot2docker with two modifications

  config.vm.provider "virtualbox" do |v|
    v.memory = 2048
    v.cpus = 4
    v.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
  end

  config.vm.network "private_network", ip: "192.168.10.11"

I added the needed entries for the docker daemon

  config.vm.provision :shell, inline: "echo EXTRA_ARGS='--bip=172.17.42.1/16 --dns 172.17.42.1' > /var/lib/boot2docker/profile && cat /var/lib/boot2docker/profile"

and started dnsdock

  config.vm.provision :docker do |d|
    d.run "dnsdock",
      image: "tonistiigi/dnsdock",
      args: "--name dnsdock -v /var/run/docker.sock:/var/run/docker.sock -p 172.17.42.1:53:53/udp -p 8080:80"
  end

When I call dig *.docker from inside a container, e.g. zservice, I get nothing until I add @172.17.42.1
What I also see is that there is this nameserver in the zservice container.

root@z-service:/# cat /etc/resolv.conf
nameserver 10.0.2.3
root@z-service:/# dig @172.17.42.1 docker

; <<>> DiG 9.9.5-8-Debian <<>> @172.17.42.1 docker
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57080
;; flags: qr rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;docker.                IN  A

;; ANSWER SECTION:
docker.         0   IN  A   172.17.0.157
docker.         0   IN  A   172.17.0.158
docker.         0   IN  A   172.17.0.159
docker.         0   IN  A   172.17.0.160
docker.         0   IN  A   172.17.0.161
docker.         0   IN  A   172.17.0.164
docker.         0   IN  A   172.17.0.156

;; Query time: 6 msec
;; SERVER: 172.17.42.1#53(172.17.42.1)
;; WHEN: Thu Jan 22 16:24:35 UTC 2015
;; MSG SIZE  rcvd: 178

root@z-service:/# 

Am I right that there should be the IP address of dnsdock or that of the gateway, 172.17.42.1?
So I wonder: why is the nameserver not set correctly in the container?

    "NetworkSettings": {
        "Bridge": "docker0",
        "Gateway": "172.17.42.1",
        "IPAddress": "172.17.0.160",
        "IPPrefixLen": 16,
        "MacAddress": "02:42:ac:11:00:a0",
        "PortMapping": null,
        "Ports": {
            "8884/tcp": [
                {
                    "HostIp": "0.0.0.0",
                    "HostPort": "8884"
                }
            ]
        }
    },

nginx errors when resolving

Hey there - it's me again :)

Having some weird issue with nginx (nginx/1.7.5). My error log is full of:

2014/10/17 10:42:21 [error] 25000#0: unexpected RR type 6
2014/10/17 10:42:21 [error] 25000#0: no A or CNAME types in DNS response

My nginx config uses:

    resolver 172.17.42.1 valid=1s;
    resolver_timeout 5s;

Also, if I recreate and start my docker container a couple of times, the nginx resolver does not find the container IP. After restarting the dnsdock container and nginx it works again.

Did you run into similar problems?

support other networks than default bridge bridge

Docker allows you to connect your containers to custom networks. Currently, dnsdock only looks at NetworkSettings.IPAddress, which is empty in some cases (e.g. when using docker-compose --x-networking up).

Could dnsdock also look at other networks by exploring NetworkSettings.Networks.<network>.IPAddress and add multiple DNS entries, one for each network?

"NetworkSettings": {
        "Bridge": "",
        "SandboxID": "",
        "HairpinMode": false,
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "Ports": null,
        "SandboxKey": "",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null,
        "EndpointID": "",
        "Gateway": "",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "IPAddress": "",
        "IPPrefixLen": 0,
        "IPv6Gateway": "",
        "MacAddress": "",
        "Networks": {
            "mynetwork": {
                "EndpointID": "",
                "Gateway": "",
                "IPAddress": "",
                "IPPrefixLen": 0,
                "IPv6Gateway": "",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "MacAddress": ""
            }
        }
    }

Currently inspect is checked like:

service.Ip = net.ParseIP(inspect.NetworkSettings.IPAddress)
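An added example, not part of the issue and not dnsdock's own code: one way to collect addresses from both the top-level IPAddress and the Networks collection, as this issue and the earlier external-network report ask. The type and function names are hypothetical, the first sample is trimmed from the inspect output quoted above, and the other two samples are constructed. Empty values are skipped so a nil IP never becomes an A record.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"sort"
)

// networkSettings mirrors only the docker inspect fields quoted in the issues.
type networkSettings struct {
	IPAddress string
	Networks  map[string]struct{ IPAddress string }
}

// serviceIPs returns every usable IPv4 address of a container: the top-level
// NetworkSettings.IPAddress first, then one per attached network, sorted by
// network name for stable output. Empty, unparseable, non-IPv4 and duplicate
// values are dropped (the README states that only A records are served).
func serviceIPs(ns networkSettings) []net.IP {
	var ips []net.IP
	seen := map[string]bool{}
	add := func(s string) {
		ip := net.ParseIP(s) // returns nil for "" and for malformed input
		if ip == nil || ip.To4() == nil || seen[ip.String()] {
			return
		}
		seen[ip.String()] = true
		ips = append(ips, ip.To4())
	}
	add(ns.IPAddress)
	names := make([]string, 0, len(ns.Networks))
	for name := range ns.Networks {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		add(ns.Networks[name].IPAddress)
	}
	return ips
}

// parseInspect decodes `docker inspect` output (a JSON array) and returns the
// addresses of its first entry.
func parseInspect(data []byte) ([]net.IP, error) {
	var res []struct{ NetworkSettings networkSettings }
	if err := json.Unmarshal(data, &res); err != nil {
		return nil, err
	}
	if len(res) == 0 {
		return nil, errors.New("empty inspect output")
	}
	return serviceIPs(res[0].NetworkSettings), nil
}

// userNetwork is trimmed from the inspect output quoted on this page;
// bridgeOnly and hostMode are constructed samples for this example.
const (
	userNetwork = `[{"NetworkSettings":{"IPAddress":"","Networks":{"test":{"IPAddress":"172.25.0.11"}}}}]`
	bridgeOnly  = `[{"NetworkSettings":{"IPAddress":"172.17.0.155","Networks":{"bridge":{"IPAddress":"172.17.0.155"}}}}]`
	hostMode    = `[{"NetworkSettings":{"IPAddress":"","Networks":{"host":{"IPAddress":""}}}}]`
)

func main() {
	for _, sample := range []string{userNetwork, bridgeOnly, hostMode} {
		ips, err := parseInspect([]byte(sample))
		fmt.Println(ips, err)
	}
}
```

A container that yields an empty slice should get no answer record at all, rather than a record built from a nil address.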

DNS Forwarding only tries the first of multiple name servers

If you configure multiple name servers via -nameserver=10.10.10.2:53,8.8.8.8:53 and try to resolve a name that does not end in .docker (or whatever you have configured -domain to be) you will see that it only tries the first server, prints a log message that it is trying the next server, but then just sends the failure response and returns.

PR #73 will try all name servers and will only fail when each of those name servers have failed to resolve.
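An added example, not the code of PR #73 or of dnsdock: the failover loop suggested in the "Manage Multiple Nameservers" issue and described here, next to a model of the first-server-only behaviour this issue reports. The exchangeFunc signature, the fake resolver and the default port are assumptions made so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// exchangeFunc stands in for the DNS client's exchange call (hypothetical
// signature): send query to server, return the answer or an error.
type exchangeFunc func(server, query string) (string, error)

// parseNameservers splits a comma-separated -nameserver value. Entries
// without a port get :53 appended (an assumption of this example).
func parseNameservers(value string) ([]string, error) {
	var servers []string
	for _, s := range strings.Split(value, ",") {
		s = strings.TrimSpace(s)
		if s == "" {
			continue
		}
		if _, _, err := net.SplitHostPort(s); err != nil {
			s = net.JoinHostPort(s, "53")
		}
		servers = append(servers, s)
	}
	if len(servers) == 0 {
		return nil, errors.New("no nameservers configured")
	}
	return servers, nil
}

// forwardFirstOnly models the behaviour the issue describes: only the first
// server is asked, and its failure is returned to the client.
func forwardFirstOnly(servers []string, query string, ex exchangeFunc) (string, error) {
	return ex(servers[0], query)
}

// forward asks each server in order and returns the first successful answer
// together with the server that gave it. It fails only when every server
// has failed, and then reports each server's error.
func forward(servers []string, query string, ex exchangeFunc) (string, string, error) {
	var errs []string
	for _, srv := range servers {
		ans, err := ex(srv, query)
		if err == nil {
			return ans, srv, nil
		}
		errs = append(errs, fmt.Sprintf("%s: %v", srv, err))
	}
	return "", "", fmt.Errorf("all %d nameservers failed: %s", len(servers), strings.Join(errs, "; "))
}

// fakeExchange is a constructed resolver: servers listed in down time out.
func fakeExchange(down map[string]bool) exchangeFunc {
	return func(server, query string) (string, error) {
		if down[server] {
			return "", errors.New("i/o timeout")
		}
		return query + " answered by " + server, nil
	}
}

func main() {
	servers, _ := parseNameservers("10.10.10.2:53,8.8.8.8:53")
	ex := fakeExchange(map[string]bool{"10.10.10.2:53": true})
	_, err := forwardFirstOnly(servers, "example.com.", ex)
	fmt.Println("first only:", err)
	ans, used, err := forward(servers, "example.com.", ex)
	fmt.Println("failover:", ans, used, err)
}
```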

bad reply for --net=host containers

should probably either send nothing or send the bridge ip?

% dig docker.
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.8.3-P1 <<>> @nozomi docker.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14691
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;docker.                IN  A

;; ANSWER SECTION:
docker.         0   IN  A   10.9.4.1

;; Query time: 0 msec
;; SERVER: 10.9.4.1#53(10.9.4.1)
;; WHEN: Fri Jun 26 17:56:33 2015
;; MSG SIZE  rcvd: 49
% drill docker.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6145
;; flags: qr rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; docker.  IN  A

;; ANSWER SECTION:
docker. 0   IN  A   10.9.4.1
docker. 0   IN  A   \# 0

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.9.4.1
;; WHEN: Fri Jun 26 17:56:07 2015
;; MSG SIZE  rcvd: 49

Modified name scheme

dnsdock has been quite useful, thank you for contributing it to the OSS community.

Currently dnsdock automagically registers names with this scheme:

<anything>.<container-name>.<image-name>.<environment>.<domain>

However, in my case the image-name doesn't really make sense. For example, I have a zookeeper image that is used to spawn a cluster (of 3 containers), and I'd prefer their names be zookeeper[n].staging.example.com (e.g. zookeeper2.staging.example.com). The same is true of other containers as well (e.g. kafka1.development.example.com). To this end, is there a way to skip over the image-name part altogether? Alternatively, is there an environment variable that we can set which would completely override this scheme and allow dnsdock to register an arbitrary name for a container? (Would you accept PRs for either of these?)

Stops resolving and error forwarding DNS

Sometimes after such lines:

Started container '99ed36e6da255b330883883679e649583bd4fd8053675c13ab669b06c9337c1f'
2016/11/11 23:36:13 Added service: 99ed36e6da255b330883883679e649583bd4fd8053675c13ab669b06c9337c1f {bbooks_manager-backend_1 bbooks_manager-backend 172.19.0.2 -1 [backend.manager.bbooks.docker]}

It stops resolving: the output just freezes, and nslookup meanwhile reports "DNS request timed out. timeout was 2 seconds." After a minute or so, it continues to resolve.

Quite often this error is in the log:

Error forwarding DNS: read udp 172.17.0.2:50358->192.168.1.1:53: i/o timeout: fatal, no more nameservers to try

The same story if DNS is 8.8.8.8. Those problems happen quite often and make it impossible to use dnsdock as a proxy DNS.

Any advice or suggestions on those issues?

Containers can't use dnsdock service

I can't tell if I'm doing something wrong, or if I've found a bug. I'm just trying to get my containers to use the dnsdock service, but for some reason it's always timing out. First, my /etc/resolv.conf on my host:

$ cat /etc/resolv.conf
nameserver 172.17.42.1
search docker

I start up the dnsdock container:

$ docker run -d -v /var/run/docker.sock:/var/run/docker.sock --name dnsdock -p 172.17.42.1:53:53/udp tonistiigi/dnsdock

It's up and running:

$ docker ps
CONTAINER ID        IMAGE                COMMAND             CREATED             STATUS              PORTS                    NAMES
55e19490f1b3        tonistiigi/dnsdock   "/go/bin/dnsdock"   2 seconds ago       Up 1 seconds        172.17.42.1:53->53/udp   dnsdock

And I can ping that container by hostname on my host:

$ host dnsdock
dnsdock.docker has address 172.17.0.3
dnsdock.docker mail is handled by 0 dnsdock.docker.

And it shows up just in the REST request:

$ curl -s http://dnsdock.docker/services | jq .
{
  "55e19490f1b304636857d9c19f6df7c5a1a20917d7d06e25a54a0256cc5f83d0": {
    "Aliases": [],
    "Ttl": -1,
    "Ip": "172.17.0.3",
    "Image": "dnsdock",
    "Name": "dnsdock"
  }
}

Now, I start up a 2nd container to use that dns:

$ docker run -i -t --dns=172.17.42.1 centos:centos6 /bin/bash

DNSDock sees it:

curl -s http://dnsdock.docker/services | jq .
{
  "bc187c9ca3a220586ecdeeb9314c69a85be60eecdd96b9a00c8f9a8c355008a6": {
    "Aliases": [],
    "Ttl": -1,
    "Ip": "172.17.0.4",
    "Image": "centos",
    "Name": "sleepy_archimedes"
  },
  "55e19490f1b304636857d9c19f6df7c5a1a20917d7d06e25a54a0256cc5f83d0": {
    "Aliases": [],
    "Ttl": -1,
    "Ip": "172.17.0.3",
    "Image": "dnsdock",
    "Name": "dnsdock"
  }
}

And the /etc/resolv.conf inside the new container looks ok:

[root@bc187c9ca3a2 /]# cat /etc/resolv.conf
nameserver 172.17.42.1
search docker

But when I try to use it it just hangs and then eventually times out:

[root@bc187c9ca3a2 /]# host dnsdock.docker
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

So what am I doing wrong? Thanks.

Unable to start dnsdock container

$ docker run -d -v /var/run/docker.sock:/var/run/docker.sock --name dnsdock -p 172.17.42.1:53:53/udp tonistiigi/dnsdock
$ docker logs dnsdock
2015/03/25 02:25:30 Error connecting to docker socket: Get http://unix.sock/v1.15/containers/json?all=0&size=0: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?

docker package docker.x86_64 0:1.5.0-1.el7
