Issues with reaching the internet from LXC - DNS issue

I am having issues reaching the internet from created LXC containers. In an Alpine container, "apk add" gives an error, but after running echo "151.101.112.249 dl-cdn.alpinelinux.org" >> /etc/hosts it works. Any suggestions on how to fix the DNS error?

Proof:
~ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/edge/main: temporary error (try again later)

1 errors; 11111 distinct packages available
~ # nslookup dl-cdn.alpinelinux.org
nslookup: can't resolve '(null)': Name does not resolve

~ # echo "151.101.112.249 dl-cdn.alpinelinux.org" >> /etc/hosts
~ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
v20190925-3000-g9fcc748e66 [http://dl-cdn.alpinelinux.org/alpine/edge/main]
v20190925-3014-g8f8945adaa [http://dl-cdn.alpinelinux.org/alpine/edge/community]
OK: 11121 distinct packages available

Hi!

In my case, with default LXD configuration, it works.

$ lxc launch images:alpine/3.10 alpine
Creating alpine
Starting alpine
$ lxc shell alpine
alpine:~# apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
v3.10.3-19-g7f993019c4 [http://dl-cdn.alpinelinux.org/alpine/v3.10/main]
v3.10.3-13-g8068beb776 [http://dl-cdn.alpinelinux.org/alpine/v3.10/community]
OK: 10336 distinct packages available
alpine:~# 

Can you show the output of the following, assuming that your default profile (lxc profile show default) specifies the lxdbr0 managed interface?

lxc network show lxdbr0
~$ lxc network show lxdbr0
config:
  ipv4.address: 10.245.138.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:758e:6455:e369::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/containers/server
managed: true
status: Created
locations:
- none

And lxc profile
~$ lxc profile show default
config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by:
- /1.0/containers/server

Upon a reboot the DNS issue is still there, so it wasn't a firewall issue.

Your containers do not get a DHCP lease, therefore they do not get their network autoconfigured.

Most likely there is a DNS server already running on the host that does not allow the DNS/DHCP server from within LXD to work. Any other DNS server on your host should NOT bind on the lxdbr0 interface.
To verify whether this is the case, please run on the host:

sudo lsof -i :domain

I ran lsof -i :domain, which indicated the unbound resolver that I had installed on the host was indeed the issue. I uninstalled unbound on the host, and everything is now working.

Would it be possible to install unbound within an LXC container on the host, then use that as a DNS resolver for the host?

I haven’t tried this. The potential problem is that the host will not have DNS until after the container has started and is ready to serve requests. In addition, you would need to configure the container to use a DNS server other than the one provided by DHCP from LXD. If you have a test computer, you can experiment.

unbound, however, by default should not bind to interfaces other than loopback, unless you specify those other network interfaces. If I were you, I would make sure that unbound does not bind to lxdbr0.
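
The lsof check discussed in this thread can be scripted. The following is an added example, not part of the original posts: it filters lsof output for port-53 listeners that sit on the lxdbr0 address or on the wildcard address. The function names, the sample lines (PIDs, users, device numbers) and the rule that any dnsmasq process is LXD's own are assumptions; the bridge address is the one shown above.

```shell
#!/bin/sh
# Added example: flag host DNS listeners that overlap the LXD bridge address.
# Reads `lsof -nP -i :domain` output on stdin; $1 is the bridge IPv4 address.
find_bridge_dns_conflicts() {
    awk -v bridge="$1" '
        NR == 1 && $1 == "COMMAND" { next }   # skip the lsof header line
        $9 ~ /->/ { next }                    # outbound query, not a listener
        $1 == "dnsmasq" { next }              # assumption: dnsmasq belongs to LXD
        {
            addr = $9
            sub(/:[^:]*$/, "", addr)          # drop the trailing :port
            # A wildcard bind also covers the bridge, so both cases conflict.
            if (addr == "*" || addr == bridge)
                print $1, $2, $9              # command, PID, bound address
        }
    ' | sort -u                               # UDP and TCP sockets collapse to one line
}

# Constructed sample of lsof output for a host where unbound binds to all
# interfaces; only the bridge address 10.245.138.1 comes from the thread.
sample_lsof() {
    cat <<'EOF'
COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-r  640 systemd-resolve   12u  IPv4  18000      0t0  UDP 127.0.0.53:53
unbound    812         unbound    3u  IPv4  21034      0t0  UDP *:53
unbound    812         unbound    4u  IPv4  21035      0t0  TCP *:53 (LISTEN)
unbound    812         unbound    9u  IPv4  22000      0t0  UDP 192.0.2.10:51514->192.0.2.53:53
dnsmasq   1456             lxd    6u  IPv4  30211      0t0  UDP 10.245.138.1:53
dnsmasq   1456             lxd    7u  IPv4  30212      0t0  TCP 10.245.138.1:53 (LISTEN)
EOF
}

# Live use on the host (not run here):
#   bridge=$(lxc network get lxdbr0 ipv4.address); bridge=${bridge%/*}
#   sudo lsof -nP -i :domain | find_bridge_dns_conflicts "$bridge"

# Stand-alone demonstration on the constructed sample.
sample_lsof | find_bridge_dns_conflicts 10.245.138.1
```

An empty result means no other resolver is listening where LXD's dnsmasq needs to bind; a resolver bound only to loopback, as suggested for unbound above, is not reported.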