DNS resolver not working with Docker

Hello, I’m currently writing a paper on Zero Trust Architectures and OpenZiti.

My use case, for demonstration purposes, is a device streaming video to a video server, to which clients can connect to watch the stream. I made a custom docker compose infrastructure. My Ziti network is working correctly but I have a problem with the tunnelers:

I installed the tunnelers on the streaming device and the video server (docker containers using Debian). I have a service configured and devices are correctly enrolled. But I get an error with the DNS from OpenZiti:

DEBUG ziti-edge-tunnel:resolvers.c:95 init_libsystemd() Dynamically loaded libsystemd                                                            
DEBUG ziti-edge-tunnel:resolvers.c:343 try_libsystemd_resolver() Could not detect systemd init system                                            
DEBUG ziti-edge-tunnel:resolvers.c:359 try_libsystemd_resolver() Could not create system DBus client
DEBUG ziti-edge-tunnel:utils.c:33 run_command_va() system(grep -q '^nameserver' /etc/resolv.conf) returned 256
sed: cannot rename /etc/sedGM3hoS: Device or resource busy
ERROR ziti-edge-tunnel:utils.c:31 run_command_va() cmd{sed -z -i 's/nameserver/nameserver\nnameserver/' /etc/resolv.conf} failed: 1024
/2/No such file or directory
DEBUG ziti-edge-tunnel:utils.c:33 run_command_va() system(sed -z -i 's/nameserver/nameserver\nnameserver/' /etc/resolv.conf) returned 1024

I have searched the error, and it looks like a Docker issue when trying to modify /etc/resolv.conf with “sed -i …”, sed creates a new file then replaces the destination with the new file, which changes the file inode, which is forbidden by Docker since the file is mounted from the host.

If I manually change the file using vim for example and add “name server”, then the Ziti DNS resolver works properly. It also works if I add the DNS entry in the docker compose file.

My question is:

Do you know a workaround this ? Like a Docker option to enable, or a way to modify the sed command called by the Ziti tunneler ?

Thank you !

Hi @Meh, Welcome to the forum and to OpenZiti!

Using docker and OpenZiti can be done, but it’s important to understand the subtle nuances of how docker networking and OpenZiti work together. To get a better answer to your question, could you provide a diagram of your setup? It sounds to me like you’re trying to use docker for segmentation all on the same machine? Is that the case? I am trying to understand the overall network view of your setup. If everything is on the same machine, I think you’ll going to end up having a harder time than if you use virtual machines instead of docker due to the nuances of docker/containers. Having an overview diagram will help tremendously. I want to make sure we’re giving you the best advice.

I personally have not invested much time in getting intercepts working within docker. Usually, I’m finding myself using docker to host services, so traffic goes into docker, but I’m never using docker to initiate outbound traffic over OpenZiti (outbound toward some other underlay resource happens, just not outbound over OpenZiti)

I will say though, if you are using a single machine, virtual machines will be a much more realisitc excample of how OpenZiti works, particularly if you ‘bridge’ the VMs to the network to get its own IP address.

Could you provide us a diagram of the setup you’re trying to test? Is docker vital to the setup? Thanks

Thank you for the welcome and your answer

Indeed I am using Docker for segmentation. Everything is on 1 machine. It is not mandatory that I use Docker, I chose this because I followed the docker / docker compose quickstart guide and wanted to use it as a template and add a few things. I’m open to switch to VMs if you think it’s an easier solution.

Right now, this is only to learn OpenZiti and to provide a demonstration, not for production, but I have a usecase that involves an embedded device (running linux) sending a camera stream to a video server.

Basically, I want to tunnel the video stream trough Openziti and to the video server. Right now, this is working only if I manually add the Ziti DNS.

Here is my setup :

Note: I’m only using 1 edge router for simplicity and have additional networks so what every machine can talk to the controller.

Thank you for your help

@Meh The Debian streaming device in network A is running container image openziti/ziti-edge-tunnel, but the container is not fully configured to have the necessary devices and privileges to manage DNS and IP routes for the Docker host’s Debian OS. Your alternatives are:

  1. Install the Debian package for ziti-edge-tunnel on the Debian device.
  2. Configure the ziti-edge-tunnel container to run with elevated privileges and necessary devices to manage the Debian OS’s DNS, tun device, and IP routes.

I’ve linked to the relevant docs for each alternative. My guess is that installing the Debian package is the best approach because Ziti will provide the necessary network path, i.e. there’s no need to attach the Debian streaming device directly to the Docker network.

@qrkourier @TheLumberjack

Actually, I’m already running ziti-edge-tunnel installer from the package.

I solved the problem the following way :

  • Inside the docker container of the machine streaming, I added a command to the entrypoint script to unmount /etc/resolv.conf and rewrite it :

umount /etc/resolv.conf && echo 'nameserver 
ptions ndots:0' | tee /etc/resolv.conf

I also added a sleep in my entrypoint script, so that the video stream would wait a bit after the tunneler was launched, so that the DNS and the path to the video server might be updated. Now everything works !

Thank you for your help again !

1 Like

I’m glad you got it working, but I don’t quite understand where the Debian package was used. Did you mean that you installed the Debian package in the RTMP client container image and then executed the tunneler with the entrypoint script?

Yes that’s exactly that !

Sorry my initial post wasn’t very clear !

That’s an interesting technique. Thanks for sharing.