How can I trigger a reload of resolv.conf in my containers?

Question

When running containers on startup I noticed some were using resolv.conf before systemd-resolved had updated it from the default using DHCP. This meant that containers that started too early after boot could not resolve anything and needed to be restarted to use the proper DNS settings. This is happening for different reasons for both rkt and Docker; Docker's method for updating resolv.conf inside containers is not compatible with the overlay filesystem driver and since systemd-resolved does not update the file in-place (rather creates a temporary one and renames) rkt's bind mounting does not update what the container sees.

Currently I am using a hacky systemd.unit to delay the network-online.target which docker.service and my rkt pods depend on.

[Unit]
Description=Wait for DNS

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/bin/sh -c 'while ! getent ahosts google.com >dev/null; do sleep 1; done'

[Install]
WantedBy=network-online.target

But this significantly delays my start-up time

# systemd-analyze blame
         18.068s wait-for-dns.service
         ...

and if resolv.conf changes again it won't help. So I was wondering if there's a more elegant solution to my problem. Idealy I'd like to be able to trigger a resolv.conf update in both rkt and Docker containers every time it changes.

Answer 1

Run containers on a user defined network so they will use the embedded DNS server that will forward lookups to the systems DNS.

The default docker0 bridge has some special rules that were left in place for legacy support. Using a mounted /etc/resolv.conf is one of those legacy things.

If rkt doesn't support the same type of DNS then the general solution could be to setup a DNS server like Unbound to be a local forwarding resolver. Then containers have a static DNS server to reference.