Trouble publishing a UDP port on an IP alias

So I built a docker container that runs dnscache (from djbdns/dbndns). It’s running:

root@rome:~# docker -H :2375 ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                                              NAMES
4c47ff914f5d        jeff/jdns1          "/init.sh"          53 minutes ago      Up 53 minutes       172.17.2.110:53->53/tcp, 172.17.2.110:53->53/udp   grave_cray
root@rome:~#

Inside the container dnscache is listening on 53/udp

root@rome:~# docker -H :2375 exec -ti 4c47 netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp6 0 0 [::]:domain [::]:*
root@rome:~#

This dnscache actually works inside the container:

root@rome:~# docker -H :2375 exec -ti 4c47 dig +short @127.0.0.1 google.com
173.194.204.101
173.194.204.138
173.194.204.100
173.194.204.139
173.194.204.102
173.194.204.113
root@rome:~#

More proof this dnscache is actually getting used (inside the container):

root@rome:~# docker -H :2375 exec -ti 4c47 ls -l /etc/dnscache/log/main/current
-rw-r--r-- 1 dnslog dnslog 10440 Mar 2 16:08 /etc/dnscache/log/main/current
root@rome:~# date -u
Wed Mar 2 16:08:54 UTC 2016
root@rome:~#

But, even though the docker host sees the udp port listening (172.17.2.110 is an ip alias) it doesn’t respond.

root@rome:~# netstat -uln | grep 172.17.2.110:53
udp 0 0 172.17.2.110:53 0.0.0.0:*
root@rome:~# dig +short @172.17.2.110 google.com
;; connection timed out; no servers could be reached
root@rome:~#

Any idea what’s going on?

This is no joke. I’ve “dockerized” several tcp services over the past two weeks. Works fine. With UDP ports it just doesn’t work. I think I provided ample evidence above.

@seamanjeff If you have a minimal, consistently reproducible example I highly suggest filing an issue at https://github.com/docker/docker/issues/new, this is more of a Q&A forum than a bug tracker.

Well, I’m not sure entirely what was going on before but now I’ve got it working.

I’ll put this up on bitbucket later but for now, this is a Dockerfile for dnscache:

# dnscache (from the dbndns package) in a container; the root filesystem is made read-only at run time
FROM ubuntu:trusty

ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update && apt-get install -y dbndns wget

# unprivileged account and the directory layout dnscache expects (root/servers, root/ip)
ENV DNSCACHE_USER=dnscache
ENV GID=1000
ENV UID=1000
ENV DNSCACHE_DIR=/etc/$DNSCACHE_USER
ENV ROOT=$DNSCACHE_DIR/root
ENV SERVERS_DIR=$ROOT/servers
ENV IP_DIR=$ROOT/ip

RUN groupadd $DNSCACHE_USER -g $GID && useradd $DNSCACHE_USER -s /bin/false -d $DNSCACHE_DIR -u $UID -g $GID
RUN mkdir $DNSCACHE_DIR $ROOT $SERVERS_DIR $IP_DIR

# dnscache reads its configuration from the environment
ENV CACHESIZE=100000000
ENV IP=0.0.0.0
ENV IPSEND=0.0.0.0
# client address prefixes allowed to query; each becomes a file under root/ip
ENV CLIENT_IPS="10 127.0.0.1 172.17 192.168"

# 128 random bytes, fed to dnscache on stdin as its seed
RUN dd if=/dev/urandom of=/etc/dnscache/seed bs=128 count=1 && chmod 600 /etc/dnscache/seed

# root server addresses from the root hints file go in servers/@
RUN wget -qO- ftp://ftp.internic.net/domain/named.root | perl -ane 'if ($F[2] eq "A") {print "$F[3]\n";}' > $SERVERS_DIR/@

# $CLIENT_IPS is unquoted on purpose: one file per prefix
RUN (cd $IP_DIR; touch $CLIENT_IPS)

RUN chown -R dnscache /etc/dnscache

CMD /usr/bin/dnscache < /etc/dnscache/seed 2>&1

To start it:

$ ./start_dnscache jaddns6:latest 192.168.1.212

start_dnscache:

#!/bin/bash
# usage: ./start_dnscache <image> <host address to publish 53/udp on>
docker run \
  --detach=true \
  --publish="$2:53:53/udp" \
  --name=jaddns \
  --read-only \
  "$1"

Note that the disk is read-only. It dispenses with DJB’s daemontools and multilog and does it the “docker way”. The logs can be stored and rotated using switches to the docker run command.

I plan to also do one for tinydns and then allow dnscache to find the tinydns to implement split-horizon dns with two cooperating Docker containers.
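One thing worth checking before publishing this container on a host address is which clients dnscache will actually answer, since that is what keeps it from being an open resolver. The script below is an added example, not code from this thread or from the djbdns/dbndns project: it rebuilds the root/ip directory from a CLIENT_IPS-style list the way the Dockerfile's `touch` does, then reimplements dnscache's lookup (stat the file named after the full client address, then strip one trailing dotted component at a time until a file is found or nothing is left) so the list can be tested offline. The function names `make_ip_dir`, `client_allowed` and `report` and the sample client addresses are my own; note that an entry such as 127.0.0.0.1 (five octets) can never match a client, so loopback has to be listed as 127.0.0.1.

```shell
#!/bin/sh
# Added example (not part of the thread): emulate dnscache's client allow-list
# lookup over the root/ip directory so a CLIENT_IPS list can be checked offline.
#
# dnscache answers a client when a file named after its address, or after an
# octet prefix of it, exists in root/ip: for 172.17.2.110 it looks for
# ip/172.17.2.110, then ip/172.17.2, ip/172.17, ip/172.

set -eu

# make_ip_dir "<prefix list>": build a scratch ip/ directory from a
# CLIENT_IPS-style list, one file per word, exactly as the Dockerfile's
# `touch $CLIENT_IPS` does.  Prints the directory path.
make_ip_dir() {
    dir=$(mktemp -d)
    (cd "$dir" && touch $1)   # $1 unquoted on purpose: one file per prefix
    echo "$dir"
}

# client_allowed <ip_dir> <client_ip>: return 0 if dnscache would answer this
# client, 1 if it would drop the query.  Strips trailing ".octet" components
# one at a time, checking for a matching file after each step.
client_allowed() {
    ipdir=$1
    name=$2
    while :; do
        if [ -e "$ipdir/$name" ]; then
            return 0
        fi
        case $name in
            *.*) name=${name%.*} ;;   # drop the last dotted component
            *)   return 1 ;;          # nothing left to strip: rejected
        esac
    done
}

# report <ip_dir> <client_ip>...: one verdict line per client.
report() {
    ipdir=$1; shift
    for c in "$@"; do
        if client_allowed "$ipdir" "$c"; then
            echo "$c: allowed"
        else
            echo "$c: rejected"
        fi
    done
}

if [ "${1:-}" = "--demo" ]; then
    # constructed list: the Dockerfile's prefixes with loopback written as 127.0.0.1
    d=$(make_ip_dir "10 127.0.0.1 172.17 192.168")
    report "$d" 172.17.2.110 192.168.1.50 127.0.0.1 172.170.1.1 8.8.8.8
    rm -r "$d"
fi
```

Run it with `--demo` to see the verdicts: the container's own bridge address 172.17.2.110 and the 192.168 LAN are allowed, while 172.170.1.1 and 8.8.8.8 are rejected because matching is by whole dotted components, not by string prefix. Because the container is read-only and the ip/ directory is baked in at build time, this list is the one place to widen or narrow who may use the cache.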
