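A my-environment-only problem: apt install fails during a container build (docker build)
To state the conclusion first: the Docker daemon appears to have been running without DNS.
Working environment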
$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.10.1
Non-working environment
$ cat /etc/resolv.conf
# Generated by NetworkManager
search flets-east.jp iptvf.jp
nameserver 2400:40(masked just in case, but it is some IPv6 address)
It looks like it is just this nameserver that is bad.
ping 2400:4050:a3(...)
ping: connect: Network is unreachable
The neglected issue
Directly, this is exactly the same case as "dns resolution issue when host has only ipv6 nameserver in /etc/resolv.conf #2936".
with now on my host ❯ cat /etc/resolv.conf buildkit works fine
# Generated by NetworkManager
search home
nameserver 8.8.8.8
nameserver 4.4.4.4
nameserver 2a01:cb00:39e:8700:7ec1:77ff:fe02:b170
So the workaround would be this comment on "Support --dns or --addn-hosts for docker build #5779":
- configure the daemon to use a different default DNS for containers (this can be configured through daemon.json)
I think another workaround is to configure an IPv4 DNS server, but that is not working well.
Conclusion
A non-working nameserver had been left configured and never updated, so I solved it by creating the symlink for systemd-resolved's stub mode.
# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
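As an added example (not from the original post or the Docker project): a shell check that classifies the nameserver lines of a resolv.conf-style file, so the IPv6-only case from issue #2936 and a loopback stub are easy to tell apart, and that tests whether a path is the stub symlink created above. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. classify_resolv FILE prints one of:
#   ipv4 | ipv6-only | loopback-only | none
classify_resolv() {
    awk '
        $1 == "nameserver" && NF >= 2 {
            addr = $2
            sub(/%.*$/, "", addr)              # drop an IPv6 zone id such as %eth0
            if (addr ~ /^127\./ || addr == "::1") loopback++
            else if (index(addr, ":") > 0) v6++
            else v4++
        }
        END {
            if (v4 > 0) print "ipv4"
            else if (v6 > 0) print "ipv6-only"
            else if (loopback > 0) print "loopback-only"
            else print "none"
        }' "$1"
}

# Succeeds when FILE is a symlink to the systemd-resolved stub file named on this page.
is_stub_link() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/run/systemd/resolve/stub-resolv.conf" ]
}

# Constructed samples using documentation addresses, not the page's real values.
make_samples() {
    printf '# Generated by NetworkManager\nnameserver 192.0.2.53\n' > "$1/v4.conf"
    printf 'search example.test\nnameserver 2001:db8::53\n' > "$1/v6only.conf"
    printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$1/stub.conf"
    printf '# no nameserver lines\n' > "$1/empty.conf"
    ln -sf /run/systemd/resolve/stub-resolv.conf "$1/link.conf"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    for f in v4 v6only stub empty; do
        printf '%s: %s\n' "$f" "$(classify_resolv "$tmp/$f.conf")"
    done
    if is_stub_link "$tmp/link.conf"; then echo "link.conf: stub symlink"; fi
    rm -rf "$tmp"
}
demo
```

On a real host, run `classify_resolv /etc/resolv.conf` and `is_stub_link /etc/resolv.conf` before a build.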
Reproduction
Dockerfile1
FROM ubuntu AS runner
RUN apt update
RUN apt install -yq emacs-nox libssl3t64
Building with this gives the following. apt update passes, but apt install reports that there is no such package.
$ docker build -f Dockerfile1 --progress plain . --no-cache
#0 building with "default" instance using docker driver
#1 [internal] load build definition from Dockerfile1
#1 transferring dockerfile: 116B done
#1 DONE 0.0s
#2 [internal] load metadata for docker.io/library/ubuntu:latest
#2 DONE 0.0s
#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s
#4 [1/3] FROM docker.io/library/ubuntu:latest
#4 CACHED
#5 [2/3] RUN apt update
#5 0.109
#5 0.109 WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
#5 0.109
#5 0.124 Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
#5 0.124 Ign:2 http://security.ubuntu.com/ubuntu noble-security InRelease
#5 0.124 Ign:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
#5 0.124 Ign:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
#5 1.124 Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
#5 1.124 Ign:2 http://security.ubuntu.com/ubuntu noble-security InRelease
#5 1.125 Ign:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
#5 1.125 Ign:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
#5 3.125 Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
#5 3.125 Ign:2 http://security.ubuntu.com/ubuntu noble-security InRelease
#5 3.125 Ign:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
#5 3.126 Ign:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
#5 7.126 Err:1 http://archive.ubuntu.com/ubuntu noble InRelease
#5 7.126 Temporary failure resolving 'archive.ubuntu.com'
#5 7.126 Err:2 http://security.ubuntu.com/ubuntu noble-security InRelease
#5 7.126 Temporary failure resolving 'security.ubuntu.com'
#5 7.126 Err:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
#5 7.126 Temporary failure resolving 'archive.ubuntu.com'
#5 7.126 Err:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
#5 7.126 Temporary failure resolving 'archive.ubuntu.com'
#5 7.129 Reading package lists...
#5 7.136 Building dependency tree...
#5 7.137 Reading state information...
#5 7.137 All packages are up to date.
#5 7.137 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/noble/InRelease Temporary failure resolving 'archive.ubuntu.com'
#5 7.137 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/noble-updates/InRelease Temporary failure resolving 'archive.ubuntu.com'
#5 7.137 W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/noble-backports/InRelease Temporary failure resolving 'archive.ubuntu.com'
#5 7.137 W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/noble-security/InRelease Temporary failure resolving 'security.ubuntu.com'
#5 7.137 W: Some index files failed to download. They have been ignored, or old ones used instead.
#5 DONE 7.2s
#6 [3/3] RUN apt install -yq emacs-nox libssl3t64
#6 0.126
#6 0.126 WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
#6 0.126
#6 0.128 Reading package lists...
#6 0.135 Building dependency tree...
#6 0.135 Reading state information...
#6 0.135 E: Unable to locate package emacs-nox
#6 ERROR: process "/bin/sh -c apt install -yq emacs-nox libssl3t64" did not complete successfully: exit code: 100
------
> [3/3] RUN apt install -yq emacs-nox libssl3t64:
0.126
0.126 WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
0.126
0.128 Reading package lists...
0.135 Building dependency tree...
0.135 Reading state information...
0.135 E: Unable to locate package emacs-nox
------
Dockerfile1:3
--------------------
1 | FROM ubuntu AS runner
2 | RUN apt update
3 | >>> RUN apt install -yq emacs-nox libssl3t64
4 |
--------------------
ERROR: failed to build: failed to solve: process "/bin/sh -c apt install -yq emacs-nox libssl3t64" did not complete successfully: exit code: 100
The confusing part is that apt update slips through. It slips through with Ign here, which makes you think "isn't the network connected?". It actually is connected.
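As an added example (not part of the original post): a shell check that scans a `--progress plain` build log for the resolver errors that apt update let through, and reports the build step and host for each, so the failure is caught at the update step instead of at the later install. The function names are hypothetical; bad.log is abridged from the output above and good.log is constructed.

```shell
#!/bin/sh
# Added example. apt_dns_failures LOGFILE prints "<step> <host>" once for each
# build step and host that apt could not resolve; exit status 0 if any, else 1.
apt_dns_failures() {
    awk '
        /^#[0-9]+ / && /Temporary failure resolving/ {
            split($0, q, "\047")               # \047 is a single quote
            key = substr($1, 2) " " q[2]
            if (!(key in seen)) { seen[key] = 1; print key; found = 1 }
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# Sample logs: bad.log is abridged from the build output on this page,
# good.log is constructed.
make_logs() {
    cat > "$1/bad.log" <<'EOF'
#5 [2/3] RUN apt update
#5 0.124 Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
#5 7.126 Err:1 http://archive.ubuntu.com/ubuntu noble InRelease
#5 7.126 Temporary failure resolving 'archive.ubuntu.com'
#5 7.126 Err:2 http://security.ubuntu.com/ubuntu noble-security InRelease
#5 7.126 Temporary failure resolving 'security.ubuntu.com'
#5 7.137 All packages are up to date.
#5 7.137 W: Some index files failed to download. They have been ignored, or old ones used instead.
#5 DONE 7.2s
#6 [3/3] RUN apt install -yq emacs-nox libssl3t64
#6 0.135 E: Unable to locate package emacs-nox
EOF
    cat > "$1/good.log" <<'EOF'
#5 [2/3] RUN apt update
#5 0.512 Get:1 http://archive.ubuntu.com/ubuntu noble InRelease [256 kB]
#5 8.650 Reading package lists...
#5 DONE 8.7s
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_logs "$tmp"
    apt_dns_failures "$tmp/bad.log" || echo "bad.log: no DNS failures"
    apt_dns_failures "$tmp/good.log" || echo "good.log: no DNS failures"
    rm -rf "$tmp"
}
demo
```

On apt releases that support it, `apt-get update --error-on=any` makes the update step itself exit non-zero on these fetch errors, so the build stops at the real cause.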
Investigation
Dockerfile2
FROM nicolaka/netshoot AS builder
RUN ip a
RUN ping -c 4 1.1.1.1
RUN curl http://www.google.com/
RUN apt update
RUN apt install -yq wget lld
Building this gives the following.
$ docker build -f Dockerfile2 --progress plain . --no-cache
#0 building with "default" instance using docker driver
#1 [internal] load build definition from Dockerfile2
#1 transferring dockerfile: 182B done
#1 DONE 0.0s
#2 [internal] load metadata for docker.io/nicolaka/netshoot:latest
#2 DONE 0.0s
#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s
#4 [1/6] FROM docker.io/nicolaka/netshoot:latest
#4 CACHED
#5 [2/6] RUN ip a
#5 0.109 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
#5 0.109 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
#5 0.109 inet 127.0.0.1/8 scope host lo
#5 0.109 valid_lft forever preferred_lft forever
#5 0.109 inet6 ::1/128 scope host proto kernel_lo
#5 0.109 valid_lft forever preferred_lft forever
#5 0.109 72: eth0@if73: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
#5 0.109 link/ether 06:40:35:d5:4f:fd brd ff:ff:ff:ff:ff:ff link-netnsid 0
#5 0.109 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
#5 0.109 valid_lft forever preferred_lft forever
#5 DONE 0.2s
#6 [3/6] RUN ping -c 4 1.1.1.1
#6 0.115 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
#6 0.123 64 bytes from 1.1.1.1: icmp_seq=1 ttl=53 time=8.76 ms
#6 1.127 64 bytes from 1.1.1.1: icmp_seq=2 ttl=53 time=11.1 ms
#6 2.125 64 bytes from 1.1.1.1: icmp_seq=3 ttl=53 time=8.34 ms
#6 3.126 64 bytes from 1.1.1.1: icmp_seq=4 ttl=53 time=8.35 ms
#6 3.126
#6 3.126 --- 1.1.1.1 ping statistics ---
#6 3.126 4 packets transmitted, 4 received, 0% packet loss, time 3003ms
#6 3.126 rtt min/avg/max/mdev = 8.340/9.132/11.082/1.138 ms
#6 DONE 3.2s
#7 [4/6] RUN curl http://www.google.com/
#7 0.129 curl: (6) Could not resolve host: www.google.com
#7 ERROR: process "/bin/sh -c curl http://www.google.com/" did not complete successfully: exit code: 6
------
> [4/6] RUN curl http://www.google.com/:
0.129 curl: (6) Could not resolve host: www.google.com
------
Dockerfile2:5
--------------------
3 | RUN ip a
4 | RUN ping -c 4 1.1.1.1
5 | >>> RUN curl http://www.google.com/
6 | RUN apt update
7 | RUN apt install -yq wget lld
--------------------
ERROR: failed to build: failed to solve: process "/bin/sh -c curl http://www.google.com/" did not complete successfully: exit code: 6
The point to notice is that ping to 1.1.1.1 gets through, but curl fails at name resolution.
Just in case, check that there is no odd configuration.
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
6c0abd7aa904 bridge bridge local
69b78d712711 host host local
9991b9df5279 none null local
$ ls /etc/docker/daemon.json
ls: cannot access '/etc/docker/daemon.json': No such file or directory
There is no configuration file in the first place, so it is safe to expect everything to be running with defaults.
Environment
$ uname -srvmpio
Linux 6.17.8-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 14 Nov 2025 06:54:20 +0000 x86_64 unknown unknown GNU/Linux
$ docker info
Client:
Version: 28.5.2
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: 0.29.1
Path: /usr/lib/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: 2.40.3
Path: /usr/lib/docker/cli-plugins/docker-compose
Server:
Containers: 15
Running: 0
Paused: 0
Stopped: 15
Images: 55
Server Version: 28.5.2
Storage Driver: overlay2
Backing Filesystem: btrfs
Supports d_type: true
Using metacopy: true
Native Overlay Diff: false
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 1c4457e00facac03ce1d75f7b6777a7a851e5c41.m
runc version:
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.17.8-arch1-1
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 62.68GiB
Name: nausicaa
ID: b82475d5-5f62-448b-ade3-d875fa1e36d9
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
$ fastfetch
-` (redacted)@(redacted)
.o+` -----------------
`ooo/ OS: Arch Linux x86_64
`+oooo: Kernel: Linux 6.17.8-arch1-1
`+oooooo: Uptime: 1 hour, 27 mins
-+oooooo+: Packages: 888 (pacman)
`/:-:++oooo+: Shell: bash 5.3.3
`/++++/+++++++: Display (DELL U2718Q): 3840x2160 @ 0.98x in 28", 60 Hz [External]
`/++++++++++++++: DE: Xfce4 4.20
`/+++ooooooooooooo/` WM: Xfwm4 (X11)
./ooosssso++osssssso+` WM Theme: Default
.oossssso-````/ossssss+` Theme: Adwaita [GTK2/3/4]
-osssssso. :ssssssso. Icons: elementary [GTK2/3/4]
:osssssss/ osssso+++. Font: Noto Sans CJK JP (18pt) [GTK2/3/4]
/ossssssss/ +ssssooo/- Cursor: Adwaita
`/ossssso+/:- -:/+osssso+- Terminal: tmux 3.5a
`+sso+:-` `.-/+oso: CPU: AMD Ryzen 5 5600X (6) @ 4.65 GHz
`++:. `-/+/ GPU: NVIDIA GeForce RTX 3060 Lite Hash Rate [Discrete]
.` `/ Memory: 9.24 GiB / 62.68 GiB (15%)
Swap: Disabled
Disk (/): 1.20 TiB / 1.82 TiB (66%) - btrfs
Disk (/data): 181.98 GiB / 931.51 GiB (20%) - btrfs
Disk (/data2): 7.58 TiB / 12.73 TiB (60%) - btrfs
Disk (/oldhome): 685.75 GiB / 894.24 GiB (77%) - btrfs
Local IP (enp6s0): (redacted)
Locale: en_US.UTF-8
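Cause
DNS is not visible at build time. I imagine the reason is not that the runtime lacks support, but that the injection (?) of the IPv6 DNS settings into the build-time container is not working properly.
So in this case, connecting to the bridge or explicitly setting --network host does not look like it would help, and passing an IPv4 DNS setting seems to be the only option. As in the blog article mentioned above, passing --dns 8.8.8.8 to dockerd made it work normally.
That is not sustainable, so I decided to create /etc/docker/daemon.json and run with that.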
$ cat /etc/docker/daemon.json
{
"dns": [
"1.1.1.1",
"8.8.8.8"
]
}
$ sudo systemctl restart docker
Try building with this.
$ docker build -f Dockerfile1 . --no-cache
[+] Building 66.7s (7/7) FINISHED docker:default
=> [internal] load build definition from Dockerfile1 0.0s
=> => transferring dockerfile: 116B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:latest 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> CACHED [1/3] FROM docker.io/library/ubuntu:latest 0.0s
=> [2/3] RUN apt update 8.7s
=> [3/3] RUN apt install -yq emacs-nox libssl3t64 56.1s
=> exporting to image 1.8s
=> => exporting layers 1.8s
=> => writing image sha256:7c358cc8e8d29deb57ea90e6c96c66da5a5c691676de5a2595ab49e4b2dacacb 0.0s
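So it worked right away and the problem was solved.
Maintenance
Maintaining this daemon.json setting is a hassle... or rather, I wish it understood IPv6 addresses.
Managing my own laptop with Ansible would be tedious, so I am unsure what to do.
Solution 2
Explicitly enabling IPv6 in the Docker daemon: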
$ cat /etc/docker/daemon.json
{
"ipv6": true
}
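Gemini told me this is how it is done, so I tried it, and it did not work. That means the nameserver itself was bad in the first place, which raises the question of what that value (the IPv6 nameserver) even was. It says flets.jp or something, so it seems to have come down from the router, but I now use a fixed configuration, so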
$ ls -l /etc/|grep resolv
-rw-r--r-- 1 root root 109 Oct 24 09:17 resolv.conf
Naturally, after deleting it, some names could no longer be resolved.
$ dig www.google.com
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
; <<>> DiG 9.20.15 <<>> www.google.com
;; global options: +cmd
;; no servers could be reached
Looking at systemd-resolved, it says a stub file has been created and that you should link to it.
$ sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
[sudo] password for kuenishi:
$ dig www.google.com
; <<>> DiG 9.20.15 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8514
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 113 IN A 216.58.220.132
;; Query time: 11 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Nov 22 18:12:17 JST 2025
;; MSG SIZE rcvd: 59
Well, that is as expected.
But the build still does not succeed.
(snip)
#5 [2/3] RUN apt update
#5 0.118
#5 0.118 WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
#5 0.118
#5 5.137 Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
#5 5.137 Ign:2 http://security.ubuntu.com/ubuntu noble-security InRelease
After deleting daemon.json and restarting, it worked. That resolved my environment-specific problem!!
(Keeping resolv.conf in stub mode properly seems to be important.)