packit-as-a-service[bot]
commented
5 months ago podman e2e tests failed on RHEL. @containers/packit-build please check.
Closed mheon closed 3 months ago
packit-as-a-service[bot]
commented
5 months ago podman e2e tests failed on RHEL. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago Ephemeral COPR build failed. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago podman system tests failed on RHEL. @containers/packit-build please check.
mheon
commented
5 months ago Hm. I think we might need a patched Netavark in the VMs to make this work.
packit-as-a-service[bot]
commented
5 months ago Ephemeral COPR build failed. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago podman e2e tests failed on RHEL. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago Ephemeral COPR build failed. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago podman e2e tests failed on RHEL. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago Ephemeral COPR build failed. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago podman e2e tests failed on RHEL. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago Ephemeral COPR build failed. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago podman e2e tests failed on RHEL. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago Ephemeral COPR build failed. @containers/packit-build please check.
packit-as-a-service[bot]
commented
5 months ago podman system tests failed on RHEL. @containers/packit-build please check.
Luap99
commented
5 months ago Hm. I think we might need a patched Netavark in the VMs to make this work.
Well yeah that is the problem with the compatibility issues with nv/av.
Rethinking this I don't think the filename is the best idea given its compatibility issues on updates. What do you think about using a xattr on the file to indicate this? We would still need to update both, but if we just update one it will not cause any weird side effects because the old aardavrk-dns will just ignore it.
Luap99
commented
5 months ago Rethinking this I don't think the filename is the best idea given its compatibility issues on updates. What do you think about using a xattr on the file to indicate this? We would still need to update both, but if we just update one it will not cause any weird side effects because the old aardavrk-dns will just ignore it.
Nevermind, looks like tmpfs and "user." xattrs are rather new, it was just added last year so this would get us in trouble on older kernels.
Luap99
commented
3 months ago @mheon Can you rebase this, I think tests should work now
packit-as-a-service[bot]
commented
3 months ago Ephemeral COPR build failed. @containers/packit-build please check.
packit-as-a-service[bot]
commented
3 months ago Integration tests failed. @containers/packit-build please check.
mheon
commented
3 months ago Fixed v4 tests. Unfortunately needed a new HashMap in the backend. Still trying to figure out why v6 is broken.
mheon
commented
3 months ago Ah, that was easy, forgot to ask for AAAA record. Tests now passing locally.
mheon
commented
3 months ago @Luap99 Should be ready
packit-as-a-service[bot]
commented
3 months ago Ephemeral COPR build failed. @containers/packit-build please check.
packit-as-a-service[bot]
commented
3 months ago Integration tests failed. @containers/packit-build please check.
mheon
commented
3 months ago Ah, tests are failing because an NXDOMAIN is still a 0 return code... Need to fix that
mheon
commented
3 months ago Ready for merge
openshift-ci[bot]
commented
3 months ago [APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Luap99, mheon
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Internal networks cannot connect to the internet thanks to routing, but they can connect to Aardvark, which will happily forward their DNS requests to the internet.
This could theoretically be used to build a data-exfiltration sidechannel.
Fix this by identifying internal networks with a filename suffix (using a character disallowed in actual network names to ensure we don't conflict with another network) and explicitly setting their DNS servers to an empty list (and refusing to set per-container DNS at all). We could actually error on finding DNS servers in an internal network, but silently ignoring prevents possible compatibility issues with Netavark.