Docker container cannot resolve website names, but can ping their ip

Question

When I tried to

apt-get update

in a container based on ubuntu.

I got an error like this.

Temporary failure resolving 'archive.ubuntu.com'.

When I tried to ping the ip of 'archive.ubuntu.com', it's ok.

But when I tried to ping 'archive.ubuntu.com', it showed me

uknown host archive.ubuntu.com

So I tried several ways I can find on the internet, like this.

echo "91.189.92.201 archive.ubuntu.com" >> /etc/hosts

Then I can ping 'archive.ubuntu.com'

But other websites are still not linkable by name.

I tried to add a line to /etc/default/docker, like this

DOCKER_OPTS="--dns 8.8.8.8 --dns 114.114.114.114 --dns 8.8.4.4"

Then i restart docker service, and attach to the container, to see this

cat /etc/resolv.conf

and the results

root@d9d5bbdb11de:/# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

nameserver 8.8.8.8 
nameserver 8.8.4.4

I don't know if that works for it.

ps, i can ping 8.8.8.8, 114.114.114.114, 8.8.4.4.

For some reasons, I tried to figure it out where it is a firewall problem, so i used iptables out of the containers.

iptables-save.

And here are the results when I iptables-save out of containers.

wjy@wjy-VirtualBox:~$ sudo iptables-save [sudo] wjy 的密码： 

# Generated by iptables-save v1.6.0 on Sat Mar  4 16:06:53 2017

*nat :PREROUTING ACCEPT [28:1772] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [253:15867] :POSTROUTING ACCEPT [253:15867] :DOCKER - [0:0]

-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER

-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

-A DOCKER -i docker0 -j RETURN COMMIT

# Completed on Sat Mar  4 16:06:53 2017

# Generated by iptables-save v1.6.0 on Sat Mar  4 16:06:53 2017

*filter :INPUT ACCEPT [1211:567114] :FORWARD DROP [0:0] :OUTPUT ACCEPT [1254:152567] :DOCKER - [0:0] :DOCKER-ISOLATION - [0:0]

-A FORWARD -j DOCKER-ISOLATION

-A FORWARD -o docker0 -j DOCKER

-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -i docker0 ! -o docker0 -j ACCEPT

-A FORWARD -i docker0 -o docker0 -j ACCEPT

-A DOCKER-ISOLATION -j RETURN COMMIT

# Completed on Sat Mar  4 16:06:53 2017

It may be a host, dns or iptable problem. But I don't know what to do to make all my containers resolve the website names and link to the internet. If you met the similar situation or know how to solve it, please do me a favour. Thanks a lot.

Answer 1

I experimented exactly that error staying behind a proxy on the host machine. I mean, if your docker host machine have set proxy settings. I'll explain how I solved it, maybe could be useful to you if is your case or useful to others.

There are 3 places to configure proxy settings:

• At OS level:

It depends of the OS, usually you can put http_proxy=http://yourproxy:port/ at /etc/environment

• At Docker engine level:

You must create folder and file at /etc/systemd/system/docker.service.d/http-proxy.conf containing:

[Service]
Environment="HTTP_PROXY=http://yourproxy:port/"

• And the last one (don't forget to reboot after last two steps), you must put it also as environment var on Dockerfile to build it!!

Example of Dockerfile:

FROM ubuntu:latest
ENV HTTP_PROXY http://yourproxy:port/
RUN apt-get update

Maybe this is your problem like mine was.

My advise is don't touch iptables and don't touch DNS. Recreating containers docker do the needed jobs itself automatically. If you need to touch there, something went wrong. Only be sure to have internet access fully working on docker host machine.

Good luck.