Drone + nftables: Could not resolve host: gitlab.com in drone/git

roman7722 · June 13, 2022, 9:18am

I use drone with nftables. For nftables, I need to set the ip address and port to allow the drone/git, otherwise during cloning I get an error : Could not resolve host: gitlab.com

Drone and agent server run configuration:

docker run --ip 172.17.0.2 \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  --volume=/var/lib/drone:/data \
  --env=DRONE_GITLAB_SERVER=https://gitlab.com \
  --env=DRONE_GITLAB_CLIENT_ID=XXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_GITLAB_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RPC_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RUNNER_CAPACITY=10 \
  --env=DRONE_SERVER_HOST=ci.example.com \
  --env=DRONE_SERVER_PROTO=http \
  --env=DRONE_TLS_AUTOCERT=false \
  --env=DRONE_USER_CREATE=username:some_my_account,admin:true \
  --env=DRONE_LOGS_DEBUG=false \
  --env=DRONE_AGENTS_ENABLED=false \
  --env=TZ=Europe/Moscow \
  --publish=81:80 \
  --restart=always \
  --detach=true \
  --name=drone \
  drone/drone

docker run --ip 172.17.0.3 \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  --env=DRONE_RPC_SERVER=http://ci.example.com \
  --env=DRONE_RPC_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RUNNER_CAPACITY=10 \
  --env=DRONE_RUNNER_NAME=XXXXXXXXXXXXXXXXXXXXXXXX \
  --publish=127.0.0.1:3000:3000 \
  --restart=always \
  --detach=true \
  --name=agent \
  drone/agent

/etc/docker/daemon.json

{
    "iptables": false,
    "fixed-cidr": "172.17.0.0/16"
}

/lib/systemd/system/docker.service

ExecStart=
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H fd:// -H tcp://0.0.0.0:2375

nftables.config:

table ip nat {
	chain PREROUTING {
		fib daddr type local jump DOCKER
	}

	chain POSTROUTING {
		oifname != "docker0" ip saddr 172.17.0.0/16 masquerade
		ip saddr 172.17.0.2 ip daddr 172.17.0.2 tcp dport 81 masquerade
		ip saddr 172.17.0.3 ip daddr 172.17.0.3 tcp dport 3000 masquerade
		ip saddr 172.17.0.5 ip daddr 172.17.0.5 tcp dport 5432 masquerade
	}

	chain OUTPUT {
		ip daddr != 127.0.0.0/8 fib daddr type local jump DOCKER
	}

	chain DOCKER {
		iifname "docker0" return
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 81 dnat to 172.17.0.2:81
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 3000 dnat to 172.17.0.3:3000
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 5432 dnat to 172.17.0.5:5432
	}
}
table inet filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		icmp type echo-request accept
		ct state established,related accept
		tcp dport { 22, 80, 443 } counter accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		oifname "docker0" ct state established,related accept
		oifname "docker0" jump DOCKER
		iifname "docker0" oifname != "docker0" accept
		iifname "docker0" oifname "docker0" accept
		jump DOCKER-USER
		jump DOCKER-ISOLATION-STAGE-1
	}

	chain DOCKER-USER {
		return
	}

	chain DOCKER {
		iifname != "docker0" oifname "docker0" ip daddr 172.17.0.2 tcp dport 81 accept
		iifname != "docker0" oifname "docker0" ip daddr 172.17.0.3 tcp dport 3000 accept
		iifname != "docker0" oifname "docker0" ip daddr 172.17.0.5 tcp dport 5432 accept
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" jump DOCKER-ISOLATION-STAGE-2
		return
	}

syslog during clone:

Jun 13 11:51:55 myhostname systemd-udevd[42985]: Using default interface naming scheme 'v245'.
Jun 13 11:51:55 myhostname systemd-udevd[42985]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 13 11:51:55 myhostname systemd[4740]: var-lib-docker-overlay2-3e12b2b60a9f2f8fd8bccb481338e9f5f0409adfda3df3ec3bbd045865dfa7b1\x2dinit-merged.mount: Succeeded.
Jun 13 11:51:55 myhostname systemd[1]: var-lib-docker-overlay2-3e12b2b60a9f2f8fd8bccb481338e9f5f0409adfda3df3ec3bbd045865dfa7b1\x2dinit-merged.mount: Succeeded.
Jun 13 11:51:55 myhostname systemd[4740]: var-lib-docker-overlay2-3e12b2b60a9f2f8fd8bccb481338e9f5f0409adfda3df3ec3bbd045865dfa7b1-merged.mount: Succeeded.
Jun 13 11:51:55 myhostname systemd[1]: var-lib-docker-overlay2-3e12b2b60a9f2f8fd8bccb481338e9f5f0409adfda3df3ec3bbd045865dfa7b1-merged.mount: Succeeded.
Jun 13 11:51:55 myhostname kernel: [299241.717612] br-906e09917cef: port 1(vethc7cb20e) entered blocking state
Jun 13 11:51:55 myhostname kernel: [299241.717613] br-906e09917cef: port 1(vethc7cb20e) entered disabled state
Jun 13 11:51:55 myhostname kernel: [299241.717717] device vethc7cb20e entered promiscuous mode
Jun 13 11:51:55 myhostname kernel: [299241.719740] br-906e09917cef: port 1(vethc7cb20e) entered blocking state
Jun 13 11:51:55 myhostname kernel: [299241.719741] br-906e09917cef: port 1(vethc7cb20e) entered forwarding state
Jun 13 11:51:55 myhostname kernel: [299241.719778] br-906e09917cef: port 1(vethc7cb20e) entered disabled state
Jun 13 11:51:55 myhostname systemd-udevd[42995]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 13 11:51:55 myhostname systemd-udevd[42995]: Using default interface naming scheme 'v245'.
Jun 13 11:51:55 myhostname systemd-udevd[42995]: vethabfac44: Could not generate persistent MAC: No data available
Jun 13 11:51:55 myhostname systemd-udevd[42985]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 13 11:51:55 myhostname systemd-udevd[42985]: vethc7cb20e: Could not generate persistent MAC: No data available
Jun 13 11:51:55 myhostname containerd[595]: time="2022-06-13T11:51:55.179450760+03:00" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
Jun 13 11:51:55 myhostname containerd[595]: time="2022-06-13T11:51:55.181718639+03:00" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1
Jun 13 11:51:55 myhostname containerd[595]: time="2022-06-13T11:51:55.182007818+03:00" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
Jun 13 11:51:55 myhostname containerd[595]: time="2022-06-13T11:51:55.182427373+03:00" level=info msg="starting signal loop" namespace=moby path=/run/containerd/io.containerd.runtime.v2.task/moby/2fc5085cc390983e34dd83cecfe5cba3295ee36cb0d6de4db69738469bb8b50e pid=43020 runtime=io.containerd.runc.v2
Jun 13 11:51:55 myhostname systemd[4740]: run-docker-runtime\x2drunc-moby-2fc5085cc390983e34dd83cecfe5cba3295ee36cb0d6de4db69738469bb8b50e-runc.FHikpt.mount: Succeeded.
Jun 13 11:51:55 myhostname systemd[1]: run-docker-runtime\x2drunc-moby-2fc5085cc390983e34dd83cecfe5cba3295ee36cb0d6de4db69738469bb8b50e-runc.FHikpt.mount: Succeeded.
Jun 13 11:51:55 myhostname kernel: [299242.030629] eth0: renamed from vethabfac44
Jun 13 11:51:55 myhostname kernel: [299242.030938] IPv6: ADDRCONF(NETDEV_CHANGE): vethc7cb20e: link becomes ready
Jun 13 11:51:55 myhostname kernel: [299242.030978] br-906e09917cef: port 1(vethc7cb20e) entered blocking state
Jun 13 11:51:55 myhostname kernel: [299242.030979] br-906e09917cef: port 1(vethc7cb20e) entered forwarding state
Jun 13 11:51:55 myhostname kernel: [299242.031005] IPv6: ADDRCONF(NETDEV_CHANGE): br-906e09917cef: link becomes ready
Jun 13 11:52:00 myhostname dockerd[41859]: time="2022-06-13T11:52:00.518594332+03:00" level=info msg="ignoring event" container=2fc5085cc390983e34dd83cecfe5cba3295ee36cb0d6de4db69738469bb8b50e module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Jun 13 11:52:00 myhostname containerd[595]: time="2022-06-13T11:52:00.519848569+03:00" level=info msg="shim disconnected" id=2fc5085cc390983e34dd83cecfe5cba3295ee36cb0d6de4db69738469bb8b50e
Jun 13 11:52:00 myhostname containerd[595]: time="2022-06-13T11:52:00.520387530+03:00" level=warning msg="cleaning up after shim disconnected" id=2fc5085cc390983e34dd83cecfe5cba3295ee36cb0d6de4db69738469bb8b50e namespace=moby
Jun 13 11:52:00 myhostname containerd[595]: time="2022-06-13T11:52:00.520582800+03:00" level=info msg="cleaning up dead shim"
Jun 13 11:52:00 myhostname containerd[595]: time="2022-06-13T11:52:00.541259951+03:00" level=warning msg="cleanup warnings time=\"2022-06-13T11:52:00+03:00\" level=info msg=\"starting signal loop\" namespace=moby pid=43111 runtime=io.containerd.runc.v2\n"
Jun 13 11:52:00 myhostname kernel: [299247.143942] br-906e09917cef: port 1(vethc7cb20e) entered disabled state
Jun 13 11:52:00 myhostname kernel: [299247.144235] vethabfac44: renamed from eth0
Jun 13 11:52:00 myhostname kernel: [299247.153394] br-906e09917cef: port 1(vethc7cb20e) entered disabled state
Jun 13 11:52:00 myhostname kernel: [299247.154161] device vethc7cb20e left promiscuous mode
Jun 13 11:52:00 myhostname kernel: [299247.154164] br-906e09917cef: port 1(vethc7cb20e) entered disabled state
Jun 13 11:52:00 myhostname systemd-udevd[43130]: vethabfac44: Failed to get link config: No such device
Jun 13 11:52:00 myhostname systemd-udevd[43130]: vethabfac44: Failed to get link config: No such device
Jun 13 11:52:01 myhostname dockerd[41859]: time="2022-06-13T11:52:01.999208934+03:00" level=warning msg="[resolver] connect failed: dial udp 188.120.247.2:53: connect: network is unreachable"
Jun 13 11:52:01 myhostname dockerd[41859]: time="2022-06-13T11:52:01.999272184+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 13 11:52:01 myhostname dockerd[41859]: time="2022-06-13T11:52:01.999324934+03:00" level=warning msg="[resolver] connect failed: dial udp 188.120.247.2:53: connect: network is unreachable"
Jun 13 11:52:02 myhostname dockerd[41859]: time="2022-06-13T11:52:01.999347286+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 13 11:52:03 myhostname dockerd[41859]: time="2022-06-13T11:52:03.496466830+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 13 11:52:03 myhostname dockerd[41859]: time="2022-06-13T11:52:03.496574865+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 13 11:52:03 myhostname systemd[1]: run-docker-netns-3bd048c65f41.mount: Succeeded.
Jun 13 11:52:03 myhostname systemd[4740]: run-docker-netns-3bd048c65f41.mount: Succeeded.
Jun 13 11:52:03 myhostname systemd[4740]: var-lib-docker-containers-2fc5085cc390983e34dd83cecfe5cba3295ee36cb0d6de4db69738469bb8b50e-mounts-shm.mount: Succeeded.
Jun 13 11:52:03 myhostname systemd[1]: var-lib-docker-containers-2fc5085cc390983e34dd83cecfe5cba3295ee36cb0d6de4db69738469bb8b50e-mounts-shm.mount: Succeeded.
Jun 13 11:52:03 myhostname systemd[1]: var-lib-docker-overlay2-3e12b2b60a9f2f8fd8bccb481338e9f5f0409adfda3df3ec3bbd045865dfa7b1-merged.mount: Succeeded.
Jun 13 11:52:03 myhostname systemd[4740]: var-lib-docker-overlay2-3e12b2b60a9f2f8fd8bccb481338e9f5f0409adfda3df3ec3bbd045865dfa7b1-merged.mount: Succeeded.

Drone server and agent can ping gitlab.com because they are allowed in nftables.

How can I set the ip and port for the drone/git manually?
Maybe I can assemble the drone/git image manually and specify the IP address there?

roman7722 · June 16, 2022, 10:25am

All the same, I managed to figure out and fix the docker and nftables configuration files.

Now it works!

/etc/docker/daemon.json must be:

{
  "iptables": false,
  "fixed-cidr": "172.17.0.0/25",
  "default-address-pools": [
    {
      "base":"172.17.0.0/16",
      "size":24
    }
  ]
}

nftables.config like this:

table inet filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		icmp type echo-request accept
		ct state established,related accept
		tcp dport { 22, 80, 443 } accept
		ip6 saddr { fe80::/10 } tcp dport 2375 accept
		ip saddr { 172.17.0.0/16 } tcp dport 2375 accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter  jump DOCKER-USER
		counter  jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state established,related counter accept
		oifname "docker0" counter jump DOCKER
		iifname "docker0" oifname != "docker0" counter accept
		iifname "docker0" oifname "docker0" counter accept
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain DOCKER {
		iifname != "docker0" oifname "docker0" ip daddr 172.17.0.2 tcp dport 81 accept
		iifname != "docker0" oifname "docker0" ip daddr 172.17.0.3 tcp dport 3000 accept
		iifname != "docker0" oifname "docker0" ip daddr 172.18.0.5 tcp dport 5432 accept
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
		counter return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter return
	}

	chain DOCKER-USER {
		counter return
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter jump DOCKER
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
	}

	chain DOCKER {
		iifname "docker0" counter packets 4409 bytes 264540 return
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 81 dnat to 172.17.0.2:81
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 3000 dnat to 172.17.0.3:3000
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 5432 dnat to 172.18.0.5:5432
	}
}

That is all