Comments (9)
I can verify that the test I wrote in the issue above is fixed with the latest release of docker 26.1. Thanks for the comments, I forgot to loop back around and check this out!
from moby.
I think this may be related to a security fix that fixed internal-only networks being able to access external DNS servers; GHSA-mq39-4gv4-mvpx
In this case, "external" would be the dns service, which is part of the same network, but the internal resolver likely won't take that into account; @robmry any thoughts?
from moby.
Oh! Looks like a PR was opened that looks related;
from moby.
Ah, yes! Thank you for re-opening this as a moby issue.
As @thaJeztah says, it's fallout from the security fix that went too far. The new PR should sort things out.
from moby.
While I absolutely see the point of this fix, how are we supposed to work around this issue? I'd use `--dns ...`, but do I have to use it in every container? Or can I just recreate the network in a manner that would allow this behavior?
I know I shouldn't do it for security reasons, but it's a homelab and I don't feel like extending every single docker-compose file to contain the DNS entry. Besides: I run Traefik and pihole within the same internal network, but also use pihole with the host IP at port 53.
What's the correct solution and is there a way to restore the previous behavior?
from moby.
@divStar did you try with docker 26.1.3? A fix was merged and included in that version; #47832
from moby.
Thanks for confirming!
from moby.
Thank you! It seems to work for just about any container I use - except Jellyfin, but I suppose it's because of Traefik seeing two networks (I use a regular bridge network and a macvlan) and assigning weird IP addresses. The external access seems fixed though, at least from what I understand.
from moby.
@divStar Without more details it's hard to pinpoint what's going wrong in your environment. You could try to ask on our community Slack, on our forum, or in the Discussions tab here on GH.
If your container is connected to multiple networks, it might be due to bad network precedence during DNS resolution or something along this line. If you're currently using an unqualified container name (e.g. `foobar`), you could try to use a qualified name instead (e.g. `foobar.<network_name>`).
from moby.