apptainer / singularity

Singularity has been renamed to Apptainer as part of us moving the project to the Linux Foundation. This repo has been persisted as a snapshot right before the changes.
https://github.com/apptainer/apptainer

`--net` breaks DNS resolution #2641

Closed gmkurtzer closed 5 years ago

gmkurtzer commented 5 years ago

Version of Singularity:

3.0.2

Expected behavior

The --net options (even when given without --dns option) should properly configure a reasonable default DNS nameserver (like 8.8.8.8 rather than 127.0.0.53).

Actual behavior

It doesn't work.

Steps to reproduce behavior

$ sudo singularity exec --net centos7-devel.sif grep ^nameserver /etc/resolv.conf 
nameserver 127.0.0.53

$ sudo singularity shell --net centos7-devel.sif 
Singularity centos7-devel.sif:/home/gmk/Containers> ping yahoo.com
ping: yahoo.com: Name or service not known
Singularity centos7-devel.sif:/home/gmk/Containers> echo "nameserver 8.8.8.8" > /etc/resolv.conf 
Singularity centos7-devel.sif:/home/gmk/Containers> ping yahoo.com
PING yahoo.com (72.30.35.10) 56(84) bytes of data.
64 bytes from media-router-fp2.prod1.media.vip.bf1.yahoo.com (72.30.35.10): icmp_seq=1 ttl=45 time=70.2 ms
64 bytes from media-router-fp2.prod1.media.vip.bf1.yahoo.com (72.30.35.10): icmp_seq=2 ttl=45 time=69.8 ms
^C
--- yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 69.822/70.058/70.295/0.354 ms

cclerget commented 5 years ago

@gmkurtzer I have mixed feelings about a "DNS by default (like 8.8.8.8)": some users/admins want to control that, and some sites don't allow DNS requests to arbitrary servers and restrict them to internal DNS. So it may be safer to add a configuration directive like default nameserver in singularity.conf and leave it empty by default. Thoughts?

gmkurtzer commented 5 years ago

Well, right now we have a default, and it doesn't work. I would recommend to pull the nameserver entry from the host's /etc/resolv.conf or come up with a logical sane.

jscook2345 commented 5 years ago

I tend to agree with @cclerget here in that if you are creating your own network namespace you should probably configure that yourself. But it's hard to know without some use cases.

Do we have any users we can ping who use the --net feature often and see what they think?

gmkurtzer commented 5 years ago

I just dug a bit more, and it seems like /etc/resolv.conf is being bound into the container from the configuration file (config resolv_conf = yes), and my version of Ubuntu is doing some Systemd DNS resolution magic (which just makes me cringe) which is not available to the container once we are in a different network namespace.

Upon thinking about it further, and knowing the above, I'm not sure there is a sane default we can use which is better than the current behavior.

A followup feature request might be to parse the resolv.conf file, look for a localhost address (127.x.x.x), and provide a warning that this DNS server will not be available from within a different network namespace from the host.

Writing this one off as a Systemd feature.
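The warning check proposed in the comment above (parse resolv.conf, flag loopback nameservers that a separate network namespace cannot reach), written here as an added example rather than code from the Singularity project. It generalizes slightly beyond 127.x.x.x by also catching ::1; the sample resolv.conf is constructed to mirror a systemd-resolved stub setup and `loopbackNameservers` is a hypothetical helper name.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strings"
)

// Constructed sample resembling the resolv.conf systemd-resolved installs on Ubuntu.
const sampleResolvConf = `# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0
search example.internal
`

// loopbackNameservers parses resolv.conf text and returns every nameserver
// address that is loopback (127.0.0.0/8 or ::1). A new network namespace gets
// its own lo interface, so a stub resolver listening on the host's loopback
// (e.g. 127.0.0.53) is unreachable from inside the container.
func loopbackNameservers(resolvConf string) []string {
	var found []string
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue // blank or comment line
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "nameserver" {
			continue // search, options, domain, etc.
		}
		if ip := net.ParseIP(fields[1]); ip != nil && ip.IsLoopback() {
			found = append(found, fields[1])
		}
	}
	return found
}

func main() {
	// Read the host's resolv.conf (or a path given on the command line) and warn.
	path := "/etc/resolv.conf"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	data, err := os.ReadFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read:", err)
		os.Exit(1)
	}
	for _, ns := range loopbackNameservers(string(data)) {
		fmt.Printf("WARNING: nameserver %s is a loopback address and will not be reachable with --net\n", ns)
	}
}
```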