mDNS, Avahi and Docker non-root containers

72 points by gnanesh 5 years ago | 42 comments
  • viraptor 5 years ago
    I made a project to solve this issue from the other end in my home network: https://gitlab.com/viraptor/docker_mdns

    You can run the app on the host with docker containers and traefik and any service.local domain configured in labels will be announced via mdns. Services themselves don't have to be mdns aware and will be registered/removed as they come up/down. It works without traefik too, but you have to include the port then as well.

    • pottertheotter 5 years ago
      This is timely! I installed Wireshark last night for fun and have been looking at traffic on my network. There's quite a bit from mDNS, which is all new to me.
      • voltagex_ 5 years ago
        I can highly recommend taking a look at the traffic going across your network as well. With an OpenWRT or Ubiquiti router, you may even be able to mirror your WAN port to something Wireshark can see - it's definitely eye-opening.
        • pottertheotter 5 years ago
          I've been thinking about getting a Ubiquiti Dream Machine Pro or a similar setup and would love to look at the traffic there. Right now I just have an Orbi router with two satellites.
          • voltagex_ 5 years ago
            I'm sure there are cheaper options with a port mirroring function, but one of the entry level Ubiquiti switches plus a controller running in a VM would work, too. Hmm, I should definitely investigate cheaper options.
          • sigjuice 5 years ago
            Or even easier, just plug in a laptop directly without a router.
            • nitrogen 5 years ago
              This is much riskier though! If you happen to have any running services, or are missing any updates, your laptop may quickly find itself part of a botnet, or your shared disks shared more widely than you intended[0].

              [0] Back in the Web 1.0 era, there were lots of Windows PCs connected directly to the Internet with file and printer sharing enabled. People wrote search engines and download tools for scraping them.

        • teddyh 5 years ago
          • giancarlostoro 5 years ago
            I'm a big fan of Zeroconf / MDNS / Avahi / Bonjour (it has many names due to the differing packages that can be used for it across platforms). It's a great way to make any type of service discoverable, whether it's a web service, or what have you. Having used something like Eureka from Netflix, I think mdns is way simpler, especially on Linux: if you can install Avahi, all you need to do is write an XML file to a directory and you're broadcasting a service immediately.
            • ken 5 years ago
              Zeroconf is fantastic for discovering services, but hardly anyone supports it. Apple removed it from Safari, 3 years ago [1]. It's been an open feature request in Chromium for 11 years [2], and in Firefox for 18 years [3].

              The only major database I know which supports it is Postgres (it's disabled by default) [4]. On MySQL, it's an open work item, untouched for 13 years [5].

              Last I checked, no major web framework broadcasts its service using Zeroconf.

              Zeroconf service broadcast is so easy to implement (really) and such a tremendous help to users that I don't understand why developers aren't falling over themselves to implement it.

              [1]: https://apple.stackexchange.com/questions/299700
              [2]: https://bugs.chromium.org/p/chromium/issues/detail?id=13573
              [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=173804
              [4]: https://www.postgresql.org/docs/9.1/runtime-config-connectio...
              [5]: https://dev.mysql.com/worklog/?sc=id&sd=ASC&pg=3

              • apearson 5 years ago
                The browser support you listed is for listing out the available sites. The browsers still support mdns for name resolution. Zeroconf is used in Google Cast and Airplay for service discovery.
                • ken 5 years ago
                  As Apple's Bonjour page points out, addressing and naming is only 2/3 of it. If that's all you support, then you still depend on users knowing the name, and typing it with no mistakes -- not exactly "zero configuration". 1980's AppleTalk was better than that.

                  How do browsers 'support mDNS for name resolution'? Isn't that a feature of the OS? I can "ping NAS.local" (without a DNS server) just as easily as I can go to "http://NAS.local", and ping.c doesn't appear to have any mDNS code.

                • lilyball 5 years ago
                  Apple removed the built-in display of _http._tcp. services. I don’t know why they chose to do this, but very few applications ever bothered to advertise this service. By far the most common use-case was for printer configuration UIs, which can be found specifically with the _printer._sub._http._tcp subtype. Apple’s print configuration UIs still expose a way to get to the printer web interface and this presumably uses _printer._sub._http._tcp.

                  Having said all that, I do wish Safari still supported it.
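What an `_http._tcp` announcement like the ones discussed here looks like on the wire, as an added example that is not any commenter's code: a small DNS-SD decoder run over a constructed mDNS response. The host name NAS, the port 80 and the TTLs are made-up sample values, and the decoder only interprets the PTR and SRV records that matter for service discovery.

```python
import struct
TYPE_PTR, TYPE_SRV = 12, 33  # DNS-SD (RFC 6763): PTR enumerates instances, SRV gives host/port

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def read_name(pkt, off):
    """Decode a name at off, following RFC 1035 compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode())
            off += 1 + n

def parse_answers(pkt):
    """Return (name, type, rdata) for each answer-section record of an mDNS response."""
    _, flags, _, an, _, _ = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, answers = 12, []                         # RFC 6762 s6: responses carry no questions
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            rdata = read_name(pkt, off)[0]
        elif rtype == TYPE_SRV:                   # priority, weight, port, target
            rdata = struct.unpack("!HHH", pkt[off:off + 6]) + (read_name(pkt, off + 6)[0],)
        else:
            rdata = pkt[off:off + rdlen]          # other types left as raw bytes
        answers.append((name, rtype, rdata))
        off += rdlen
    return answers

def build_sample():
    """Constructed (not captured) response: host 'NAS' announcing _http._tcp on port 80."""
    hdr = struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
    svc = encode_name("_http._tcp.local")         # this name lands at offset 12
    inst = b"\x03NAS\xc0\x0c"                     # "NAS" + pointer back to offset 12
    ptr_rr = svc + struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(inst)) + inst
    srv_rd = struct.pack("!HHH", 0, 0, 80) + encode_name("NAS.local")
    srv_rr = inst + struct.pack("!HHIH", TYPE_SRV, 0x8001, 120, len(srv_rd)) + srv_rd
    return hdr + ptr_rr + srv_rr
```

Fed the UDP payloads Wireshark shows on 224.0.0.251:5353, parse_answers returns the same kind of tuples, which is a quick way to inventory exactly what a host is announcing.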

                • amaccuish 5 years ago
                  Yes, I just wish Microsoft hadn't complicated it with LLMNR.

                  All sorts of things use mDNS now (Chromecast, Spotify, printers, thermostats). And finally Windows will start to support mDNS, so hopefully we can finally settle on one good autodiscovery protocol and get rid of the horror that is SSDP.

                  • giancarlostoro 5 years ago
                    I believe Microsoft finally added mdns to Windows 10, you might have to install it as a component yourself though. It's not yet available under Win32 though by the sound of it.
                    • ComputerGuru 5 years ago
                      Here’s some documentation: https://docs.microsoft.com/en-us/uwp/api/Windows.Networking....

                      Lots of new core APIs added in Windows 10 aren’t available via Win32 even if they have nothing to do with packages, unfortunately. It’s extremely convoluted but you can use the Windows.Sdk, Contracts, or CsWinRT packages to interop with the WinRT APIs from a C++, C#, or now even rust application but depending on which APIs you consume you may need to use a Windows Application Project appx/msix wrapper to package your code and associate it with a package ID unlocking the APIs for use.

                      (I have a hello world project demonstrating a WPF .NET Core project hosting a custom control consisting of a single text block that displays your current location via the Geolocator API and it requires four different individually user-created projects in the Visual Studio solution and a minimum half-a-dozen NuGet dependencies just to make it happen. It’s a terrible, terrible mess.)

                      • goont 5 years ago
                        There is an API exposed in Windns.h but it doesn't work very well. It's awkward to use and doesn't pick up on services being added and removed. See `DnsService*`, etc in https://docs.microsoft.com/en-us/windows/win32/api/windns/.
                    • arminiusreturns 5 years ago
                      I'm the opposite. I strongly dislike these services as I feel they are not needed in many situations and open up the vulnerability potential, especially if your system is ever on a network not controlled by you (laptop at cafe, etc). I turn them all off/disable/uninstall them.
                      • ken 5 years ago
                        If you're on an untrusted network, run a firewall. An open network port isn't much safer just because you're not announcing it. People looking to attack your local web service at Starbucks probably know how to portscan.
                        • arminiusreturns 5 years ago
                          The point is that instead of an open port for a service you close all the ports you don't need open, and then firewall what you do need. I'm saying stuff like avahi isn't needed in my case so I turn it off, and of course that's not the only measure, so I run a firewall amongst other things...
                    • L3viathan 5 years ago
                      > If it is IPv6, it's nearly impossible to remember the address.

                      Why should that be the case? If you have 1000 nodes, you could organize your network such that node one gets prefix::00:01, node two gets prefix::00:02, node 138 gets prefix::01:38, etc.

                      There is so much space in IPv6 that you can group things more logically than was ever doable in the IPv4 world.

                      • ac29 5 years ago
                        "But still, on most of the local systems, we don't have a DNS server and we have to remember the IP addresses of the systems."

                        Perhaps I'm misunderstanding this, but why would your systems not have access to a local DNS server? My routers respond just fine to DNS queries for "hostname.local"-like requests without using something like mDNS.

                        • rlpb 5 years ago
                          This only works if your router arranges this through its DHCP server, and even then only if everything on your network uses DHCP and the DNS server supplied by it. This is not widely the case, and with devices that roam across wifi networks it's likely not even true for your devices. mDNS provides peer-to-peer discovery that does not require any supporting network infrastructure.
                          • ac29 5 years ago
                            There's no reason this requires DHCP, or even for the DNS server to be on the router. You could assign static IPs everywhere and still have the DNS server perform lookups to its hosts file.
                            • rlpb 5 years ago
                              Yes, of course. I took it as a given that any alternative solution would have to be automatic and so manual configuration of hosts wasn't an option. If you think it is an option, then the answer to your question is obvious: mDNS does it automatically, so you don't have to maintain the mapping and it works for automatic IP address assignments.
                        • badrabbit 5 years ago
                          This is such a pet peeve for me. A noisy network service turned on by default where most users won't use it, but all users are exposed to the network through it. (Edit: I mean in most Linux distros, not in this example; of course I have no problem with anyone intentionally doing anything to their own system.)

                          In my opinion, modern systems shouldn't run services in case something needs them; they should be dynamically loaded and unloaded (isn't this what dbus is for??). If Chrome needs mDNS it can ask for it. If network resources are accessed at login, the login processes can request avahi to be loaded and then unloaded once they're done. What really feels like insult to injury is how systemd was forced on unwilling users because of features like this, yet avahi, cups, etc. just sit there idle even if you didn't start any application that has a need for them.

                          I think maybe I am seeing it from the wrong perspective?

                          • dreamcompiler 5 years ago
                            > This is such a pet-peeve for me. A noisy network service...

                            Complaints like this about mDNS are my pet peeve. Back in the day networks were 1000 times slower and we had AppleTalk, and dynamic peer-to-peer LAN networking was absolutely effortless. It was plug-and-play, networking-for-dummies easy. And nobody had to explain to their Mom over the phone what an IP address was.

                            But AppleTalk was chatty and that bugged people with large enterprise LANs. So Apple turned it off and invented mDNS, which was less chatty and used modern DNS protocols. It made LAN setup about half as easy as AppleTalk, but by that time everybody had gotten used to typing IP addresses into their printers as if that was "normal." Or they just gave up on peer-to-peer connections entirely.

                            So now not many people use mDNS, and it's not nearly as chatty as AppleTalk, and our networks are 1000 times faster, and a tiny bit of LAN traffic is nothing; nothing compared to the value mDNS would bring if people just used it. But no. Let's complain about how chatty it is and continue using LANs full of multi-teraflop computers that have no way to ask their neighbors what their damned IP addresses are.

                            Yes I'm bitter.

                            • badrabbit 5 years ago
                              Look, I will never ever use mDNS. I have never ever needed to use mDNS because I don't mind using an IP address. We have our preferences but why are you forcing your preference on people?

                              I am very bitter about this too. I turn on a computer and it broadcasts excessive details about itself to anyone that will listen to it. It does things I did not ask it to do and refuses to do things I need it to do because people like you think there is one way everyone should do things.

                              What on earth is stopping you from turning on Avahi and using mDNS right now? Clicking on a checkbox in system settings? What else is there to it?

                              I will continue to complain about how chatty this and a plethora of other things are. Actually their chattiness is not the issue; the fact that they sent even one packet of that protocol is my issue, or more importantly that they listened on that port offering network services on my client computer. So, now when there's a vulnerability abusing that service, a service no one uses, well too bad then, right? A network service is an exposure; people/apps should opt into, not opt out of, exposures!

                            • rlpb 5 years ago
                              > A noisy network service turned on by default...

                              It's not installed by default in the author's example; they specifically install it in the Docker image.

                              > In my opinion, modern systems shouldn't run services in case something needs them, they should be dynamically loaded and unloaded (isn't this what dbus is for??).

                              That's exactly how it works in Debian today.

                              > ...how systemd was forced on unwilling users because of features like this...

                              systemd wasn't forced on anyone. If you're an "unwilling user", use a distribution that doesn't use systemd! But systemd does support socket activation, which is the exact feature you're claiming doesn't exist!

                              • badrabbit 5 years ago
                                I meant on distros not on OP's example.

                                > systemd wasn't forced on anyone. If you're an "unwilling user", use a distribution that doesn't use systemd! But systemd does support socket activation, which is the exact feature you're claiming doesn't exist!

                                It was forced on existing users. If someone gives you the choice between moving to a different house or accepting something and staying where you are, if you don't like that thing you just got forced out of your house; if you accept that thing you were forced into accepting it. If someone puts a gun to your head and asks for your money, the fact that you can choose to die does not mean your money was not taken from you by force when you opt to live.

                                I did not claim socket activation does not exist; I even mentioned dbus as a way. I said it was not being used; services are just left running. Even GPG has a service that just idles.

                              • m463 5 years ago
                                I agree with you.

                                Personally, I wish there was a way at install time to completely opt-out of these unneeded and overpromiscuous services.

                                My Linux machines don't print, I don't use any peer-to-peer DNS on any of my machines, I don't need advanced routing protocols, etc...

                                Another thing I notice is an Ubuntu machine I'm using runs 10-15 evolution contacts/calendars/etc processes and all I do on that machine is compile.

                                • badrabbit 5 years ago
                                  Yes, even Windows asks you if it's a private or public network and if you want to allow sharing, etc. This doesn't need to be controversial; an install-time checkbox to enable/disable these services can decide this for the user. And I will bet good money most users will opt out. Just like telemetry.