@sbonds
Last active February 6, 2019 00:54
LearnChef: Try Inspec Docker DNS Issues

On the step:

# git clone https://github.com/learn-chef/auditd.git

I get:

Cloning into 'auditd'...
fatal: unable to access 'https://github.com/learn-chef/auditd.git/': Could not resolve host: github.com

The DNS config inside the workstation looks like this:

# cat /etc/resolv.conf
search <my internal domain>
nameserver 127.0.0.11
options ndots:0

The setup for this is as follows:

Host OS: CentOS7

$ cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)

Docker version

$ docker --version
Docker version 1.13.1, build 774336d/1.13.1

User setup and initial config:

# useradd -m learnchef
# usermod --groups docker learnchef
# su - learnchef
$ pip install --user docker-compose
$ vi ~/.bashrc
export PATH=$PATH:$HOME/.local/bin
$ . ~/.bashrc
$ mkdir learn-inspec
$ cd learn-inspec
$ curl -C - -O  https://raw.githubusercontent.com/learn-chef/inspec/master/docker-compose.yml
$ cat docker-compose.yml
version: '3'
services:
  workstation:
    container_name: workstation
    image: learnchef/inspec_workstation
    stdin_open: true
    tty: true
    links:
      - target
    volumes:
      - .:/root
  target:
    image: learnchef/inspec_target
    stdin_open: true
    tty: true

$ docker-compose version
docker-compose version 1.23.2, build 1110ad0
docker-py version: 3.7.0
CPython version: 2.7.5
OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017

Getting the Docker images going

$ docker-compose pull
Pulling target      ... done
Pulling workstation ... done

$ docker-compose up -d
Creating network "learn-inspec_default" with the default driver
Creating learn-inspec_target_1 ... done
Creating workstation           ... done

$ docker exec -it workstation bash
root@e81dcdc8f026:/#
root@e81dcdc8f026:/# inspec version
2.0.17

# git clone https://github.com/learn-chef/auditd.git
Cloning into 'auditd'...
fatal: unable to access 'https://github.com/learn-chef/auditd.git/': Could not resolve host: github.com

sbonds commented Feb 6, 2019

I found some good reading in the pull request where the embedded DNS server was created, but no smoking gun for why it seems unable to forward to a working DNS IP: moby/libnetwork#841


sbonds commented Feb 6, 2019

FOUND IT

The nameserver was configured to only respond to local subnets, not random bridged IP ranges. Those were added to named.conf in the allow-recursion section and (no surprise) DNS works now.

I also disabled Docker debugging and restarted it before I forgot and came back to gigabyte-sized log files.
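
A check for the condition described in the comment above, as an added example that is not part of the original gist: it parses the `allow-recursion` list from a named.conf fragment and reports which Docker bridge subnets it does not cover. The config fragments, the subnet 172.18.0.0/16 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed named.conf fragments (not from the gist): before and after the fix.
BEFORE = "options {\n  recursion yes;\n  allow-recursion { localhost; 192.168.10.0/24; };\n};\n"
AFTER = BEFORE.replace("192.168.10.0/24;", "192.168.10.0/24; 172.18.0.0/16;")

# Constructed value; on a real host read it with:
#   docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' learn-inspec_default
DOCKER_SUBNETS = ["172.18.0.0/16"]


def recursion_clients(conf_text):
    """Split the allow-recursion list into parsed networks and other tokens."""
    match = re.search(r"allow-recursion\s*\{([^}]*)\}", conf_text)
    nets, other = [], []
    for tok in (match.group(1).split(";") if match else []):
        tok = tok.strip()
        if not tok:
            continue
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            other.append(tok)  # keywords (any, localhost, localnets) or ACL names
    return nets, other


def uncovered(conf_text, subnets):
    """Return the subnets that no allow-recursion network entry contains."""
    nets, other = recursion_clients(conf_text)
    if "any" in other:  # open recursion: everything is covered, which is its own finding
        return []
    missing = []
    for s in subnets:
        sub = ipaddress.ip_network(s)
        if not any(sub.version == n.version and sub.subnet_of(n) for n in nets):
            missing.append(s)
    return missing


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, "uncovered:", uncovered(conf, DOCKER_SUBNETS))
```

Named ACLs and the `localnets` keyword are returned as unparsed tokens rather than expanded, so a subnet covered only through one of those still shows up as uncovered and needs a manual look.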
