Add support for resolving IPv6 container hostnames

flaktack · flaktack · commit c8924c9b0015 · 2022-12-11T12:44:54.000+01:00
diff --git a/src/systemd_resolved_docker/dockerdnsconnector.py b/src/systemd_resolved_docker/dockerdnsconnector.py
@@ -2,7 +2,7 @@
 import threading
 from typing import List
 
-from dnslib import A, CLASS, DNSLabel, QTYPE, RR
+from dnslib import A, AAAA, CLASS, DNSLabel, QTYPE, RR
 from dnslib.proxy import ProxyResolver
 from dnslib.server import DNSServer
 
@@ -72,7 +72,10 @@ def handle_hosts(self, hosts):
                 hn = self.as_allowed_hostname(host_name)
                 mh.host_names.append(hn)
 
-                rr = RR(hn, QTYPE.A, CLASS.IN, 1, A(host.ip))
+                if isinstance(host.ip, ipaddress.IPv4Address):
+                    rr = RR(hn, QTYPE.A, CLASS.IN, 1, A(host.ip.exploded))
+                else:
+                    rr = RR(hn, QTYPE.AAAA, CLASS.IN, 1, AAAA(host.ip.exploded))
                 zone.append(rr)
                 host_names.append(hn)
 
diff --git a/src/systemd_resolved_docker/dockerwatcher.py b/src/systemd_resolved_docker/dockerwatcher.py
@@ -1,10 +1,13 @@
+import ipaddress
+from typing import List, Union
+
 import docker
 
 from threading import Thread
 
 
 class DockerHost:
-    def __init__(self, host_names, ip, interface=None):
+    def __init__(self, host_names: List[str], ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address], interface=None):
         self.host_names = host_names
         self.ip = ip
         self.interface = interface
@@ -85,22 +88,25 @@ def collect_from_containers(self):
             name = c.attrs['Name'][1:]
             settings = c.attrs['NetworkSettings']
             for netname, network in settings.get('Networks', {}).items():
-                ip = network.get('IPAddress', False)
-                if not ip or ip == "":
+                ips = [network[field] for field in ['IPAddress', 'GlobalIPv6Address'] if
+                       field in network and network[field] != ""]
+                if not ips:
                     if netname == 'host':
-                        ip = self.default_host_ip
+                        ips = [self.default_host_ip]
                     else:
                         continue
 
                 # record the container name DOT network
                 # eg. container is named "foo", and network is "demo",
                 #     so create "foo.demo" domain name
                 # (avoiding default network named "bridge")
-                record = domain_records.get(ip, [*common_hostnames])
-                if netname != "bridge":
-                    record.append('%s.%s' % (name, netname))
+                for ip in ips:
+                    ipr = ipaddress.ip_address(ip)
+                    record = domain_records.get(ipr, [*common_hostnames])
+                    if netname != "bridge":
+                        record.append('%s.%s' % (name, netname))
 
-                domain_records[ip] = record
+                    domain_records[ipr] = record
 
         for ip, hosts in domain_records.items():
             domain_records[ip] = list(filter(lambda h: h not in duplicate_hostnames, hosts))
diff --git a/src/systemd_resolved_docker/utils.py b/src/systemd_resolved_docker/utils.py
@@ -1,14 +1,11 @@
 import ipaddress
 import urllib.parse
 from pyroute2 import NDB
-from typing import List
+from typing import List, Union
 
 
 class IpAndPort:
-    ip: ipaddress.ip_address
-    port: int
-
-    def __init__(self, ip: ipaddress.ip_address, port: int):
+    def __init__(self, ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address], port: int):
         self.ip = ip
         self.port = port
 
diff --git a/test/integration/functions.sh b/test/integration/functions.sh
@@ -44,6 +44,13 @@ docker_ip() {
   docker inspect --format '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $container_id
 }
 
+docker_ipv6() {
+  local container_id=$1
+  shift;
+
+  docker inspect --format '{{range.NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' $container_id
+}
+
 docker_name() {
   local container_id=$1
   shift;
diff --git a/test/integration/test_ipv6.sh b/test/integration/test_ipv6.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+. ./functions.sh
+
+exec 10<<EOF
+version: "2.1"
+services:
+  webserver:
+    image: nginx
+    labels:
+     - $TEST_LABEL
+    networks:
+      - network
+  broker:
+    image: redis
+    labels:
+     - $TEST_LABEL
+    networks:
+      - network
+
+networks:
+  network:
+    driver: bridge
+    enable_ipv6: true
+    labels:
+     - $TEST_LABEL
+    ipam:
+      driver: default
+      config:
+        - subnet: 2001:db8:a::/64
+          gateway: 2001:db8:a::1
+EOF
+
+exec 20<<EOF
+version: "2.1"
+services:
+  broker:
+    image: redis
+    labels:
+     - $TEST_LABEL
+    networks:
+      - network
+
+networks:
+  network:
+    driver: bridge
+    enable_ipv6: true
+    labels:
+     - $TEST_LABEL
+    ipam:
+      driver: default
+      config:
+        - subnet: 2001:db8:b::/64
+          gateway: 2001:db8:b::1
+EOF
+
+ALLOWED_DOMAINS=.docker,.$TEST_PREFIX start_systemd_resolved_docker
+
+docker-compose --file /dev/fd/10 --project-name $TEST_PREFIX up --detach --scale webserver=2
+
+broker1_ip=$(docker_ipv6 ${TEST_PREFIX}_broker_1)
+webserver1_ip=$(docker_ipv6 ${TEST_PREFIX}_webserver_1)
+webserver2_ip=$(docker_ipv6 ${TEST_PREFIX}_webserver_2)
+
+query_ok     broker.$TEST_PREFIX $broker1_ip
+query_ok   1.broker.$TEST_PREFIX $broker1_ip
+
+query_ok     webserver.$TEST_PREFIX $webserver1_ip
+query_ok     webserver.$TEST_PREFIX $webserver2_ip
+query_ok   1.webserver.$TEST_PREFIX $webserver1_ip
+query_ok   2.webserver.$TEST_PREFIX $webserver2_ip
+
+query_ok     broker.docker $broker1_ip
+
+docker-compose --file /dev/fd/20 --project-name ${TEST_PREFIX}_2 up --detach
+query_fail   broker.docker
diff --git a/test/integration/test_proxy.sh b/test/integration/test_proxy.sh
@@ -10,13 +10,15 @@ docker network create --label $TEST_LABEL $NETWORK > /dev/null
 container_id=$(docker_run resolvetest1 --hostname resolvetest1)
 container_ip=$(docker_ip ${container_id})
 
-dns_ip=$(docker network inspect bridge --format '{{ range .IPAM.Config }}{{ .Gateway }}{{ end }}')
-
-query_ok   resolvetest1.docker $container_ip
-
-# Case 1: generated domains are resolved in containers on the default network
-#         The DNS server is provided explicitly, since it was not provided to the daemon
-docker run --dns $dns_ip       --rm alpine sh -c "apk add bind-tools && host resolvetest1.docker"
-
-# Case 2: generated domains are resolved in containers on other networks
-docker run  --network $NETWORK --rm alpine sh -c "apk add bind-tools && host resolvetest1.docker"
+# The default bridge may have multiple ips/gateways, for example if IPv6 is enabled
+for gateway_ip in $(docker network inspect bridge --format '{{ range .IPAM.Config }}{{ .Gateway }} {{ end }}');
+do
+  query_ok   resolvetest1.docker $container_ip
+
+  # Case 1: generated domains are resolved in containers on the default network
+  #         The DNS server is provided explicitly, since it was not provided to the daemon
+  docker run --dns $gateway_ip   --rm alpine sh -c "apk add bind-tools && host resolvetest1.docker"
+
+  # Case 2: generated domains are resolved in containers on other networks
+  docker run  --network $NETWORK --rm alpine sh -c "apk add bind-tools && host resolvetest1.docker"
+done
