Conflicts with systemd-resolved
RyanRamchandar opened this issue · 7 comments
Sometimes when the device is restarted the dnsmasq container will be stuck in a reboot loop with the logs showing the following error:
dnsmasq: failed to create listening socket for port 53: Address in use
Reason - it's conflicting with systemd-resolved on port 53
Host device: Ubuntu 18.04
uname -a
Linux umbrela-bridge 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 17:59:52 UTC 2018
I guess you'd have to heed the advice of the Stack Overflow article and disable systemd-resolved listener or run the container on a different external port with something like -p 5353:53/tcp -p 5353:53/udp. But neither of these are really something we can solve in the container or this image.
Is there something you are proposing we change in this image or documentation to help with this?
There still exists an issue after disabling systemd-resolved or setting DNSStubListener=no since now DNS lookups don't seem to be happening at all. For example, I can ping 8.8.8.8 but not ping google.com.
Is the container missing a config like --listen-address, a mount like /etc/resolv.conf or something else to allow DNS lookups?
For starts, how are you running the container and what is the output of ss -ntu on the host? The dnsmasq inside the container listens on 0.0.0.0 TCP and UDP by default. Assuming the container is mapping the host ports correctly, I don't see why it wouldn't work. Might be worth checking iptables and the NAT table specifically to see where port 53 is being sent.
Okay I think I figured out what was wrong... I was running the container with --network=host:
docker run \
--network=host \
--cap-add=NET_ADMIN \
-d \
--restart=always \
andyshinn/dnsmasq:2.78 \
--interface=eth0 \
--dhcp-range=10.10.10.11,10.10.10.254,12h \
--log-facility=-
And switching to -p port mapping seems to have fixed it. Though I don't entirely know why. It might have something to do with the container network being isolated from the host now.
docker run \
-p 53:53/tcp \
-p 53:53/udp \
--cap-add=NET_ADMIN \
-d \
--restart=always \
andyshinn/dnsmasq:2.78 \
--interface=eth0 \
--dhcp-range=10.10.10.11,10.10.10.254,12h \
--log-facility=-
Now the log seems happy, and ping google.com resolves.
# docker logs dnsmasq
dnsmasq[1]: started, version 2.78 cachesize 150
dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp[1]: DHCP, IP range 10.10.10.11 -- 10.10.10.254, lease time 12h
dnsmasq[1]: reading /etc/resolv.conf
dnsmasq[1]: using nameserver 8.8.8.8#53
dnsmasq[1]: using nameserver 8.8.4.4#53
dnsmasq[1]: read /etc/hosts - 7 addresses
It is possible that --network=host needs something more than just --cap-add=NET_ADMIN to listen properly. You'd probably just have to do some debugging with ss or netstat to figure out what is listening where. The port mapping way should accomplish the same thing.
I'd be happy to accept a README pull request that gives this as an example of how to use the container as a host forwarder.
Thanks Andy.
An unfortunate result of using the port mapping instead of --network=host is that the container can no longer see the interfaces of the host and the following commands no longer work:
--interface=eth0 \
--dhcp-range=10.10.10.11,10.10.10.254,12h \