Description
Agent Diagnostic
- OpenClaw agent (Leo) running inside the sandbox investigated the issue
- Ran `nslookup google.com` → connection refused to 10.43.0.10:53
- Ran `cat /etc/resolv.conf` → nameserver 10.43.0.10 (k3s CoreDNS)
- Ran `curl -v https://google.com` → proxy at 10.200.0.1:3128 returns 403 Forbidden
- Tested on Mac (Docker Desktop) AND GCP Linux (Docker Engine) — identical failure
- CoreDNS pod shows Running via `kubectl get pods -A` but port 53 is unreachable from sandbox
- Tried: adding DNS policy (port 53 to 10.43.0.10), HOSTALIASES, manual IP injection — none worked
- Conclusion: CoreDNS service IP is not routable from within sandbox pods
Description
DNS resolution fails inside every sandbox. CoreDNS is listed as Running but 10.43.0.10:53 is unreachable (connection refused) from sandbox pods. This breaks all internet-dependent features (web search, WebSocket connections, channel logins). The HTTP proxy at 10.200.0.1:3128 exists but returns 403 for most domains.
Expected: DNS resolution works inside the sandbox so agents can access the internet.
Reproduction Steps
- openshell gateway start
- openshell provider create --name my-claude --type anthropic --credential api_key=KEY
- openshell sandbox create --name steve --from openclaw --provider my-claude
- Inside sandbox: nslookup google.com
- Result: connection refused to 10.43.0.10:53
Environment
- OS: macOS (Docker Desktop) AND Debian 12 on GCP e2-medium
- Docker: Docker Engine 29.3.0 (GCP), Docker Desktop (Mac)
- OpenShell: v0.0.12 (GCP), v0.0.11 (Mac)
- Both environments show identical failure
Logs
Agent-First Checklist
- I pointed my agent at the repo and had it investigate this issue
- I loaded relevant skills (e.g., `debug-openshell-cluster`, `debug-inference`, `openshell-cli`)
- My agent could not resolve this — the diagnostic above explains why
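An added diagnostic sketch, not part of the original issue or of the OpenShell project: it reads the nameservers from resolv.conf text and probes port 53 over UDP and TCP, separating "refused" (an active reject) from "timeout" (silent drop) for each transport. It assumes IPv4 resolvers only; the function names and the sample resolv.conf text are constructed for illustration.

```python
import socket
import struct

# Constructed sample mirroring the resolv.conf contents reported in the issue.
SAMPLE_RESOLV_CONF = "search default.svc.cluster.local\nnameserver 10.43.0.10\noptions ndots:5\n"

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def build_query(name, txid=0x1234):
    """Build a minimal DNS A-record query (RFC 1035) with recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe(server, port=53, tcp=False, timeout=2.0, name="google.com"):
    """Classify one probe as 'answered', 'refused', 'timeout' or 'error:<detail>'."""
    query = build_query(name)
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:  # assumption: IPv4 resolver
        s.settimeout(timeout)
        try:
            s.connect((server, port))
            # DNS over TCP prefixes the message with a 2-byte length.
            s.sendall(struct.pack(">H", len(query)) + query if tcp else query)
            return "answered" if s.recv(512) else "error:empty"
        except ConnectionRefusedError:
            return "refused"   # active reject: TCP RST or ICMP port unreachable
        except socket.timeout:
            return "timeout"   # packets silently dropped, or no return path
        except OSError as exc:
            return f"error:{exc.errno}"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for ns in parse_nameservers(fh.read()):
            print(ns, "udp:", probe(ns), "tcp:", probe(ns, tcp=True))
```

A "refused" result on both transports means something on the path answers with a reject, while "timeout" means the packets are dropped without a reply.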