Notes to self

How to solve DNS resolution in Fedora 32 Docker containers

After little trouble with running Docker in Fedora 31 I found myself yet again in a similar situation. This time the DNS inside Docker containers could not resolve github.com hostname.

This was the welcome of a first Docker build on Fedora 32:

...
Step 12/32 : RUN export MIX_ENV=k8s_develop &&     cd backend &&     MIX_ENV=k8s_develop mix deps.get &&     MIX_ENV=k8s_develop mix release k8s_develop &&     cd ..
 ---> Running in 12a32a3ac7cf
* Getting currency_conversion (https://github.com/jshmrtn/currency-conversion.git)
fatal: unable to access 'https://github.com/jshmrtn/currency-conversion.git/': Could not resolve host: github.com
** (Mix) Command "git --git-dir=.git fetch --force --quiet --progress" failed

Is GitHub down? Am I connected to the Internet? It does seem to work in my Firefox…

Using ping from your host system worked fine:

workstation$ ping github.com
PING github.com (140.82.118.4) 56(84) bytes of data.
64 bytes from github.com (140.82.118.4): icmp_seq=1 ttl=50 time=263 ms
64 bytes from github.com (140.82.118.4): icmp_seq=2 ttl=50 time=359 ms

…but no luck in Docker. Could not resolve host: github.com.

This is what happened to me this week after upgrading my Fedora 31 to Fedora 32.

In my particular case it seems to be an issue with the firewall (it’s always the firewall or SELinux isn’t is?). What worked for me was to add IP masquerading to the firewalld zone I am on. IP masquerading allows internal systems access the host’s network.

Find out the right interface with ip addr show:

$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
...
4: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f8:59:71:33:11:f2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.42.3/24 brd 192.168.42.255 scope global dynamic noprefixroute wlp4s0
       valid_lft 16928sec preferred_lft 16928sec
    inet6 fe80::68a7:8161:7367:e450/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
...

In my case I am on wlp4s0 interface.

Let’s find its zone:

$ sudo firewall-cmd --get-zone-of-interface=wlp4s0
FedoraWorkstation

Cool.

Now we simply enable masquerading for this zone, reload firewalld configuration and restart Docker:

$ sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo systemctl restart docker

And that’s it. After this little change I was able to build my containers again.

Work with me

I have some availability for contract work. I can be your fractional CTO, a Ruby on Rails engineer, or consultant. Write me at strzibny@strzibny.name.

RSS