
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Podman network dns option not working with the DNS plugin enabled #20911

Closed aleksanderdidriksen closed 11 months ago

aleksanderdidriksen commented 11 months ago

Issue Description

In Podman 4.6.1 and Podman 4.7.0 it will not pass the DNS resolver options specified on the network to the container when the DNS plugin is enabled using a bridge network. However, it will still correctly populate /etc/resolv.conf with container-to-container name resolution.

In Podman 4.4.1 the file /etc/resolv.conf is correctly populated inside of the container with DNS resolvers specified using --dns when the DNS plugin is enabled.

According to latest docs podman-network-create, options: --dns=ip Set network-scoped DNS resolver/nameserver for containers in this network. If not set, the host servers from /etc/resolv.conf is used. It can be overwritten on the container level with the podman run/create --dns option. This option can be specified multiple times to set more than one IP.

Steps to reproduce the issue

  1. Install latest Podman: Podman 4.6.1 (Oracle Linux 9) or Podman 4.7.0 (Fedora CoreOS latest stable)
  2. Create a new network with DNS plugin enabled with or without any --dns option provided.
  3. Run any container using the created network, tested on Ubuntu 22.04 LTS and Oracle Linux 9 (RHEL-based)
  4. Failing to resolve DNS inside of the running container due to no DNS resolvers present in: /etc/resolv.conf

Describe the results you received

When /etc/resolv.conf is:

  search my.domain
  nameserver 8.8.8.8

Running:

  podman network create
  (stdout: podman1)
  podman run -it --rm --network podman1 container-registry.oracle.com/os/oraclelinux:9 cat /etc/resolv.conf

gives:

  search dns.podman
  nameserver 10.89.0.1

Running:

  podman network create --dns 8.8.8.8
  (stdout: podman2)
  podman run -it --rm --network podman2 --dns 8.8.8.8 container-registry.oracle.com/os/oraclelinux:9 cat /etc/resolv.conf

gives:

  search dns.podman
  nameserver 10.89.1.1

Running:

  podman network create --disable-dns
  (stdout: podman3)
  podman run -it --rm --network podman3 container-registry.oracle.com/os/oraclelinux:9 cat /etc/resolv.conf

gives:

  search my.domain
  nameserver 8.8.8.8

Running:

  podman run -it --rm --network default container-registry.oracle.com/os/oraclelinux:9 cat /etc/resolv.conf

gives:

  search my.domain
  nameserver 8.8.8.8

Describe the results you expected

When /etc/resolv.conf is:

  search my.domain
  nameserver 8.8.8.8

When the DNS plugin is enabled and no --dns option is provided, /etc/resolv.conf inside of the container should be like in Podman 4.4.1:

  search dns.podman my.domain
  nameserver 10.89.0.1
  nameserver 8.8.8.8

When the DNS plugin is enabled and the --dns 8.8.8.8 option is provided when creating the network (network_dns_servers: 8.8.8.8), /etc/resolv.conf inside of the container should be:

  search dns.podman
  nameserver 10.89.0.1
  nameserver 8.8.8.8

podman info output

host:
  arch: amd64
  buildahVersion: 1.32.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-3.fc39.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 99.14
    systemPercent: 0.47
    userPercent: 0.39
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: coreos
    version: "39"
  eventLogger: journald
  freeLocks: 2048
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.5.9-300.fc39.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 3270246400
  memTotal: 4074442752
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.8.0-1.fc39.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.8.0
    package: netavark-1.8.0-2.fc39.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.8.0
  ociRuntime:
    name: crun
    package: crun-1.11-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.11
      commit: 11f8d3dc9fc4bb8a0adcff5ba8bd340f24612701
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231004.gf851084-1.fc39.x86_64
    version: |
      pasta 0^20231004.gf851084-1.fc39.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 0h 23m 15.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphRootAllocated: 10132369408
  graphRootUsed: 1822347264
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 4.7.0
  Built: 1695838680
  BuiltTime: Wed Sep 27 18:18:00 2023
  GitCommit: ""
  GoVersion: go1.21.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.7.0

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

Fedora CoreOS Stable v 39.20231101.3.0 Driver: bridge

Additional information

No response

Luap99 commented 11 months ago

The 4.4.1 behavior was broken: adding the upstream server into the container's resolv.conf means they can bypass aardvark-dns and fail to resolve container names. The given upstream dns servers are given to aardvark-dns and it will forward accordingly, so this still works correctly. See https://github.com/containers/podman/issues/17499
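The failure mode described in the reply can be checked mechanically against a running setup. The block below is an added example, not code from the issue or from the Podman project: it parses a container's /etc/resolv.conf and the JSON that `podman network inspect` prints for the network (the sample here is constructed; the `dns_enabled`, `subnets`/`gateway` and `network_dns_servers` field names are assumed from netavark's network config, the last one being the field the issue itself refers to) and flags any nameserver that would let the container's resolver skip aardvark-dns, as well as a missing gateway resolver, which is the symptom the issue reports.

```python
import ipaddress
import json

# Constructed sample of `podman network inspect podman2` output (not from the issue).
# Field names are assumed from netavark's network config; subnet/gateway values are
# made up to match the addresses seen in the report.
SAMPLE_NETWORK_INSPECT = json.dumps([{
    "name": "podman2",
    "driver": "bridge",
    "subnets": [{"subnet": "10.89.1.0/24", "gateway": "10.89.1.1"}],
    "dns_enabled": True,
    "network_dns_servers": ["8.8.8.8"],
}])

# Constructed sample for a network created with --disable-dns (hypothetical name).
SAMPLE_NETWORK_DISABLED = json.dumps([{
    "name": "podman3",
    "driver": "bridge",
    "subnets": [{"subnet": "10.89.2.0/24", "gateway": "10.89.2.1"}],
    "dns_enabled": False,
}])

# Constructed /etc/resolv.conf contents as seen inside containers.
RESOLV_CONF_CORRECT = "search dns.podman\nnameserver 10.89.1.1\n"
RESOLV_CONF_BYPASS = "# constructed\nsearch dns.podman\nnameserver 10.89.1.1\nnameserver 8.8.8.8\n"
RESOLV_CONF_HOST = "search my.domain\nnameserver 8.8.8.8\n"


def parse_resolv_conf(text):
    """Parse resolv.conf into search domains, nameservers and options.

    Comment lines (# or ;) are skipped. Nameserver values are validated as IP
    addresses; malformed ones go into 'invalid' so a broken file is reported,
    not silently ignored by the check.
    """
    result = {"search": [], "nameservers": [], "options": [], "invalid": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            try:
                result["nameservers"].append(str(ipaddress.ip_address(values[0])))
            except ValueError:
                result["invalid"].append(line)
        elif key in ("search", "domain"):
            result["search"].extend(values)
        elif key == "options":
            result["options"].extend(values)
    return result


def audit_container_dns(inspect_json, resolv_text):
    """Compare a container's resolvers with what the network's DNS setting implies.

    With dns_enabled, the only nameservers should be the network gateways (where
    aardvark-dns listens); upstream servers belong in network_dns_servers and are
    forwarded by aardvark-dns. Any other nameserver in the container means the
    resolver can query it directly and miss container names, which is the
    problem the maintainer describes. With DNS disabled, the container just
    needs some nameserver (normally the host's).
    """
    net = json.loads(inspect_json)[0]
    resolv = parse_resolv_conf(resolv_text)
    gateways = [s["gateway"] for s in net.get("subnets", []) if "gateway" in s]
    report = {
        "network": net["name"],
        "dns_enabled": bool(net.get("dns_enabled")),
        "upstream_on_network": list(net.get("network_dns_servers", [])),
        "container_nameservers": resolv["nameservers"],
        "missing_gateways": [],
        "bypass_servers": [],
        "findings": [],
    }
    if report["dns_enabled"]:
        report["missing_gateways"] = [g for g in gateways if g not in resolv["nameservers"]]
        report["bypass_servers"] = [n for n in resolv["nameservers"] if n not in gateways]
        for g in report["missing_gateways"]:
            report["findings"].append(f"gateway resolver {g} absent: container names will not resolve")
        for n in report["bypass_servers"]:
            report["findings"].append(f"nameserver {n} is queried directly, bypassing aardvark-dns")
    elif not resolv["nameservers"]:
        report["findings"].append("DNS disabled on the network and the container has no nameserver")
    for bad in resolv["invalid"]:
        report["findings"].append(f"malformed resolv.conf line: {bad!r}")
    report["ok"] = not report["findings"]
    return report


if __name__ == "__main__":
    for label, net, conf in [
        ("correct", SAMPLE_NETWORK_INSPECT, RESOLV_CONF_CORRECT),
        ("4.4.1-style bypass", SAMPLE_NETWORK_INSPECT, RESOLV_CONF_BYPASS),
        ("dns disabled", SAMPLE_NETWORK_DISABLED, RESOLV_CONF_HOST),
    ]:
        r = audit_container_dns(net, conf)
        print(label, "OK" if r["ok"] else "FINDINGS: " + "; ".join(r["findings"]))
```

On a real host the two inputs come from `podman network inspect <name>` and `podman exec <ctr> cat /etc/resolv.conf`; the check passes for the 4.6.1/4.7.0 output shown in the issue and fails for the 4.4.1-style file that lists the upstream server alongside the gateway.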