author | Fabricio Voznika <fvoznika@google.com> | 2019-09-05 11:13:59 -0700 |
---|---|---|
committer | Ian Lewis <ianlewis@google.com> | 2019-09-10 13:43:32 +0900 |
commit | cac17854648c71d00e8067314fd144525964dd53 (patch) | |
tree | b445d8c834d61e49e7bce238bb424b5ddf051982 | |
parent | 5c09a0e59e9a2abcc266bd0903a3a54eee81ff66 (diff) |
Add that Docker user defined network doesn't work to the FAQ
-rw-r--r-- | content/docs/user_guide/FAQ.md | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/content/docs/user_guide/FAQ.md b/content/docs/user_guide/FAQ.md index 22cda44bc..c266446dc 100644 --- a/content/docs/user_guide/FAQ.md +++ b/content/docs/user_guide/FAQ.md @@ -27,6 +27,14 @@ Binaries run in gVisor should be built for the Yes. Please see the [Docker Quick Start](/docs/user_guide/docker/). +### Can I run Kubernets pods using gVisor. + +Yes. Please see the [Docker Quick Start](/docs/user_guide/kubernetes/). + +### What's the security model? + +See the [Security Model](../../architecture_guide/security/). + ## Troubleshooting ### My container runs fine with `runc` but fails with `runsc` @@ -70,8 +78,22 @@ sudo chown root:root /usr/local/bin/runsc sudo chmod 0755 /usr/local/bin/runsc ``` -### What's the security model? +### My container cannot resolve another container's name when using Docker user defined bridge -See the [Security Model](../../architecture_guide/security/). +Docker user defined bridge uses an embedded DNS server bound to the loopback +interface on address 127.0.0.10. This requires access to the host network in +order to communicate to the DNS server. runsc network is isolated from the +host, therefore it cannot access the DNS server on the host network without +breaking the sandbox isolation. There are a few different workarounds you can +try: + +* Use default bridge network with `--link` to connect containers. Default + bridge doesn't use embedded DNS. +* Use [`--network=host`][host-net] option in runsc, however beware that it will + use the host network stack and is less secure. +* Use IPs instead of container names. +* Use [Kubernetes][k8s]. Container name lookup works fine in Kubernetes. [old-linux]: /docs/user_guide/networking/#gso +[host-net]: /docs/user_guide/networking/#network-passthrough +[k8s]: /docs/user_guide/kubernetes
\ No newline at end of file |
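Review bot: in the first hunk, the new Kubernetes entry uses the link text "Docker Quick Start" for a link that points at /docs/user_guide/kubernetes/, so readers see a Docker label on a Kubernetes target; change the link text to name the Kubernetes page. The heading in the same entry misspells "Kubernetes" as "Kubernets" and ends with a period instead of a question mark, unlike the "What's the security model?" heading added right below it.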
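Review bot: in the workaround list of the new user defined bridge entry, the `--network=host` bullet only says the option "is less secure", while the paragraph above it argues that reaching the host network breaks sandbox isolation; spell out in the bullet that this workaround gives up the isolated runsc network in exchange for name resolution, so readers can weigh it against the other three options. The `[k8s]` reference target /docs/user_guide/kubernetes is missing the trailing slash that the first hunk uses for the same page, and the file now ends without a final newline. Please also confirm the address 127.0.0.10 in the explanation: Docker's documentation gives 127.0.0.11 for the embedded DNS server.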