#Quickstart DNS issue


sturdy heath
#

I'm trying to test dagger but I'm stuck with this error:

go run ./main.go
#1 resolve image config for docker.io/library/golang:1.19
#1 ERROR: failed to do request: Head "https://registry-1.docker.io/v2/library/golang/manifests/1.19": dial tcp: lookup registry-1.docker.io on 10.87.0.1:53: server misbehaving
------
 > resolve image config for docker.io/library/golang:1.19:
------
panic: input:1: container.from failed to do request: Head "https://registry-1.docker.io/v2/library/golang/manifests/1.19": dial tcp: lookup registry-1.docker.io on 10.87.0.1:53: server misbehaving

Please visit https://dagger.io/help#go for troubleshooting guidance.

goroutine 1 [running]:
main.main()
        /home/XX/hello-dagger/ci/main.go:28 +0x3e9
exit status 2

I don't understand why the container is using this DNS address. I tried docker system prune, as I found this address under the /var/lib/docker/overlay2 path, with no improvement...

Has anyone encountered this issue already?

#

docker version 23.0.1
/etc/resolv.conf :

# Generated by NetworkManager
nameserver 1.1.1.1
nameserver 8.8.8.8

/etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  mycomputer
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
fallen kindle
#

👋 can you check if setting _EXPERIMENTAL_DAGGER_SERVICES_DNS=0 as an env variable works?

neon beacon
#

Running into this too, @fallen kindle this env var does not seem to change anything

#

cc @wide pawn

#

using v0.5.1 and brand new buildkit container

fallen kindle
#

cc @strange lotus

neon beacon
#

looks like if i delete the buildkit container again, export the env var, and then run dagger it creates it with the variable set and future dagger commands work

strange lotus
#

that's the intended method for setting it 👍

not sure why it didn't work with services DNS though. hmm

#

if you're willing to flip the env var back on and troubleshoot, can you cat /etc/resolv.conf and /etc/resolv.conf.upstream in the engine container?

neon beacon
#

/etc/resolv.conf contains

/ # cat /etc/resolv.conf
# dagger dnsmasq server
nameserver 10.87.0.1

and resolv.conf.upstream is my host's resolv.conf

#

which has

nameserver 10.200.128.5

which is my local network's dns server

#

(it also runs dnsmasq, if that is of interest)

strange lotus
#

interesting. is 10.200.128.5 reachable from the engine container? (nslookup google.com 10.200.128.5)

neon beacon
#

it is not

#
/ # nslookup 10.200.128.5
Server:         10.87.0.1
Address:        10.87.0.1:53

** server can't find 5.128.200.10.in-addr.arpa: REFUSED

#

oh sorry,

#
/ # nslookup google.com 10.200.128.5
Server:         10.200.128.5
Address:        10.200.128.5:53

Non-authoritative answer:
Name:   google.com
Address: 142.250.65.174

Non-authoritative answer:
Name:   google.com
Address: 2607:f8b0:4006:80e::200e

yes it is

strange lotus
#

hm interesting, let me see if dnsmasq is logging anywhere useful

neon beacon
#

I don't see anything in /var/log

strange lotus
#

and what does nslookup google.com say? (trying to use the 10.87 DNS here)

neon beacon
#

# nslookup -debug google.com 
Server:         10.87.0.1
Address:        10.87.0.1:53

Query #0 completed in 0ms:
** server can't find google.com: REFUSED

Query #1 completed in 0ms:
** server can't find google.com: REFUSED
#

sorry lol pasted the wrong one

strange lotus
#

lol np. hmm...

#

welp, time for the big guns: apk add strace; strace -f -p $dnsmasq_pid & nslookup google.com

neon beacon
#

unfortunately apk add runs into a similar issue... 😆

strange lotus
#

oh, true

neon beacon
#

classic dns

strange lotus
#

is there anything else in /etc/resolv.conf.upstream? or is it literally just that nameserver line?

neon beacon
#

just a search line

strange lotus
#

ok, new idea: pkill dnsmasq; /usr/sbin/dnsmasq -u root --conf-file=/run/containers/cni/dnsname/dagger/dnsmasq.conf -d --log-debug &

#

and then try another nslookup

neon beacon
#
/var/log # pkill dnsmasq; /usr/sbin/dnsmasq -u root --conf-file=/run/containers/cni/dnsname/dagger/dnsmasq.conf -d --log-debug &
/var/log # dnsmasq: started, version 2.87 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
dnsmasq: using only locally-known addresses for dagger.local
dnsmasq: failed to read /etc/resolv.conf.upstream: Permission denied
dnsmasq: no servers found in /etc/resolv.conf.upstream, will retry
dnsmasq: read /run/containers/cni/dnsname/dagger/addnhosts - 16 addresses

🤔

/var/log # ls -al /etc/resolv.conf.upstream
-rw-r--r--    1 root     root            82 Mar 20 23:06 /etc/resolv.conf.upstream
/var/log # whoami
root
strange lotus
#

...selinux? apparmor?

neon beacon
#

no selinux, but yeah it's likely apparmor

#

i suppose the container needs a cap

strange lotus
#

yeah maybe. we do a kind of funny thing with that file: it's originally mounted into /etc/resolv.conf via Docker, and then we "move" the mount to a new path by bind-mounting it again and unmounting the original path. (which apparently works.)

#

not sure if that matters

#

i mean, you can cat it, so it's kind of odd that dnsmasq can't read it

#

but i'm not sure what apparmor's rules are

neon beacon
#

yeah interesting that i can cat it

#

it is possible that dnsmasq is forking itself and dropping permissions

strange lotus
#

yeah. it should be running as root though, and /proc/<pid>/status seems to have the same Cap* 🤔

#

i don't know much about apparmor, is there anything you can do on your side to troubleshoot there?

neon beacon
#

oh, yeah there we go

[26303.838148] audit: type=1400 audit(1679354910.133:934): apparmor="DENIED" operation="open" profile="dnsmasq" name="/etc/resolv.conf.upstream" pid=3018223 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
strange lotus
#

nice

#

where does this get enforced? i'm guessing outside of the container at the kernel level? is there a host-side config that lets it reach /etc/resolv.conf or something, and the paths just match up inside/outside?

#

oh, i guess we don't even run dnsmasq with services DNS disabled (so disabling services isn't evidence of /etc/resolv.conf even being allowed)

neon beacon
#

i will have to look this up

strange lotus
#

i guess apparmor is configured to care about execve(/usr/sbin/dnsmasq) or something, and the rule fires even for containers, not caring about mount namespaces since it's enforced at the kernel level? you mentioned using dnsmasq on the host too so that would explain why those rules might be configured

neon beacon
#

looks like there is a policy specifically for /usr/sbin/dnsmasq that restricts the files it can read

#

yeah there are several dnsmasqs, on the host there's NetworkManager

strange lotus
#

interesting, that's annoying. i mean, we could rename it to try to dodge apparmor rules 😂

neon beacon
#

lolol

#

there are a few files/directories allowed such as

 /etc/dnsmasq.d/ r,
 /etc/dnsmasq.d/* r,
 /etc/dnsmasq.d-available/ r,
 /etc/dnsmasq.d-available/* r,
 /etc/ethers r,
 /etc/NetworkManager/dnsmasq.d/ r,
 /etc/NetworkManager/dnsmasq.d/* r,
 /etc/NetworkManager/dnsmasq-shared.d/ r,
 /etc/NetworkManager/dnsmasq-shared.d/* r,
 /etc/dnsmasq-conf.conf r,
 /etc/dnsmasq-resolv.conf r,
strange lotus
#

makes sense. wonder where that's configured, maybe just package distribution defaults?

neon beacon
#

yup default from arch

strange lotus
#

i guess we could use one of those filenames, depending on how widespread those defaults are

neon beacon
#

those are going to be the defaults everywhere

strange lotus
#

oh nice

neon beacon
#

np!

sturdy heath
#

Thank you guys

fallen kindle
#

closing this