Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rootless: no DNS for containers within created network + host not using resolved stub resolver #11222

Closed
dustymabe opened this issue Aug 12, 2021 · 4 comments · Fixed by #11230
Closed

rootless: no DNS for containers within created network + host not using resolved stub resolver #11222

dustymabe opened this issue Aug 12, 2021 · 4 comments · Fixed by #11230
Assignees
@Luap99
Labels
In Progress This issue is actively being worked by the assignee, please do not work on this at this time. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@dustymabe
Copy link
Contributor

On Fedora CoreOS we're currently not using the DNS stub resolver in systemd-resolved. There was a change in the podman 3:3.2.2-1.fc34 -> 3:3.2.3-1.fc34 transition that broke DNS for containers within a created network for this case.

Reproducer (on FCOS):

# as non-root user
podman network create testnetwork
podman run --rm -it --network=testnetwork registry.fedoraproject.org/fedora:34 getent hosts google.com
echo $?

To get an FCOS machine to test you can use podman machine (see article)

There is a lot more context on this bug over in coreos/fedora-coreos-tracker#923
@dustymabe dustymabe mentioned this issue Aug 12, 2021
Closed
@Luap99
Copy link
Member

Luap99 commented Aug 12, 2021

Where is /etc/resolv.conf symlinked and what is the content of the file?

@drobakowski
Copy link

drobakowski commented Aug 12, 2021
edited
Loading 

> ls -la /etc/resolv.conf
lrwxrwxrwx. 1 root root 39 Jul 29 12:38 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
> cat /etc/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 10.0.0.2
search ec2.internal

Rootless container:

> podman run --rm -it --network=testnetwork registry.fedoraproject.org/fedora:34 bash
> ls -la /etc/resolv.conf
-rw-r--r--. 1 root root 39 Aug 12 23:50 /etc/resolv.conf
[root@7030a4fe145f /]# cat /etc/resolv.conf
search dns.podman
nameserver 10.88.3.1

@Luap99
Copy link
Member

Luap99 commented Aug 16, 2021

Thank you, I will work on this today.

@Luap99 Luap99 self-assigned this Aug 16, 2021
@Luap99 Luap99 added the In Progress This issue is actively being worked by the assignee, please do not work on this at this time. label Aug 16, 2021
@Luap99 Luap99 mentioned this issue Aug 16, 2021
Merged
@Luap99
Copy link
Member

Luap99 commented Aug 16, 2021

PR #11230

Luap99 added a commit to Luap99/libpod that referenced this issue Aug 16, 2021
@Luap99
Fix rootless cni dns without systemd stub resolver
2a8c414 
When a host uses systemd-resolved but not the resolved stub resolver the
following symlinks are created: `/etc/resolv.conf` ->
`/run/systemd/resolve/stub-resolv.conf` -> `/run/systemd/resolve/resolv.conf`.
Because the code uses filepath.EvalSymlinks we put the new resolv.conf
to `/run/systemd/resolve/resolv.conf` but the `/run/systemd/resolve/stub-resolv.conf`
link does not exists in the mount ns.
To fix this we will walk the symlinks manually until we reach the first
one under `/run` and use this for the resolv.conf file destination.

This fixes a regression which was introduced in e73d482.

Fixes containers#11222

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Luap99 added a commit to Luap99/libpod that referenced this issue Aug 19, 2021
@Luap99
Fix rootless cni dns without systemd stub resolver
15fff7d 
When a host uses systemd-resolved but not the resolved stub resolver the
following symlinks are created: `/etc/resolv.conf` ->
`/run/systemd/resolve/stub-resolv.conf` -> `/run/systemd/resolve/resolv.conf`.
Because the code uses filepath.EvalSymlinks we put the new resolv.conf
to `/run/systemd/resolve/resolv.conf` but the `/run/systemd/resolve/stub-resolv.conf`
link does not exists in the mount ns.
To fix this we will walk the symlinks manually until we reach the first
one under `/run` and use this for the resolv.conf file destination.

This fixes a regression which was introduced in e73d482.

Fixes containers#11222

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Luap99 Luap99

Labels
In Progress This issue is actively being worked by the assignee, please do not work on this at this time. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix rootless cni dns without systemd stub resolver Luap99/libpod
3 participants
@drobakowski @dustymabe @Luap99