No non-localhost DNS nameservers are left in resolv.conf. Using default external servers.

[greenpau]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

Steps to reproduce the issue:

1. The /etc/resolv.conf is being managed by NetworkManager. The is a DNS server itself.

# Generated by NetworkManager
search localdomain.local
nameserver 127.0.0.1

2. Start a container:

sudo ./bin/podman --log-level debug run -it nicolaka/netshoot bash

3. The network config look like this:

{
   "cniVersion": "0.4.0",
   "name": "podman",
   "plugins": [
      {
         "type": "bridge",
         "bridge": "cni-podman0",
         "isGateway": true,
         "ipMasq": true,
         "ipam": {
            "type": "host-local",
            "routes": [
               {
                  "dst": "0.0.0.0/0"
               }
            ],
            "ranges": [
               [
                  {
                     "subnet": "192.168.124.0/24",
                     "gateway": "192.168.124.1"
                  }
               ]
            ],
            "dns": {
                "nameservers": [
                    "127.0.0.1"
                ]
            }
         }
      },
      {
         "type": "portmap",
         "capabilities": {
            "portMappings": true
         }
      },
      {
         "type": "firewall",
         "backend": "nftables"
      }
   ]
}

Describe the results you received:

As part of output I see:

INFO[0000] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]

Describe the results you expected:

I expect the use of localhost 127.0.0.1 resolver, not 8.8.8.8/8.8.4.4

See

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

$ podman -v
podman version 1.6.4

Output of podman info --debug:

$ podman info --debug
debug:
  compiler: gc
  git commit: ""
  go version: go1.12.12
  podman version: 1.6.4
host:
  BuildahVersion: 1.12.0-dev
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.6-1.module+el8.1.1+5259+bcdd613a.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.6, commit: 6ffbb2ec70dbe5ba56e4bfde946fb04f19dd8bbf'
  Distribution:
    distribution: '"rhel"'
    version: "8.1"
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  MemFree: 478993223680
  MemTotal: 540217061376
  OCIRuntime:
    name: runc
    package: runc-1.0.0-64.rc9.module+el8.1.1+5259+bcdd613a.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 10737414144
  SwapTotal: 10737414144
  arch: amd64
  cpus: 64
  eventlogger: journald
  kernel: 4.18.0-147.5.1.el8_1.x86_64
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: slirp4netns-0.4.2-2.git21fdece.module+el8.1.1+5460+3ac089c3.x86_64
    Version: |-
      slirp4netns version 0.4.2+dev
      commit: 21fdece2737dc24ffa3f01a341b8a6854f8b13b4
  uptime: 759h 59m 59.65s (Approximately 31.62 days)
registries:
  blocked: null
  insecure: null
  search:
  - registry.redhat.io
  - registry.access.redhat.com
  - quay.io
  - docker.io
store:
  ConfigFile: /home/greenpau/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-0.7.2-1.module+el8.1.1+5259+bcdd613a.x86_64
      Version: |-
        fuse-overlayfs: version 0.7.2
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  GraphRoot: /home/greenpau/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /run/user/1000/containers
  VolumePath: /home/greenpau/.local/share/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.6.4-2.module+el8.1.1+5363+bf8ff1af.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):

N/A

Additional Details:

Traced the message to containers/libpod/pkg/resolvconf/resolvconf.go nad subsequently to generateResolvConf() function in containers/libpod/libpod/container_internal_linux.go:

    // Ensure that the container's /etc/resolv.conf is compatible with its
    // network configuration.
    // TODO: set ipv6 enable bool more sanely
    resolv, err := resolvconf.FilterResolvDNS(contents, true, c.config.CreateNetNS)
    if err != nil {
        return "", errors.Wrapf(err, "error parsing host resolv.conf")
    }

Then, there is this snippet:

    // If the user provided dns, it trumps all; then dns masq; then resolv.conf
    switch {
    case len(c.config.DNSServer) > 0:
        // We store DNS servers as net.IP, so need to convert to string
        for _, server := range c.config.DNSServer {
            nameservers = append(nameservers, server.String())
        }

However, in my case c.config.DNSServer is empty. Perhaps, DNS configuration is not a part of IPAM? 🤔

[greenpau]

Basically, I cannot have the 127.0.0.1 resolver.

Essentially, I would need to start a container with --dns arg set to some external resolver, e.g.

sudo ./bin/podman --log-level debug run --dns "10.10.10.10,10.20.20.20" -it nicolaka/netshoot bash

[mheon]

We can't use anything on the host's localhost interface - the container cannot connect to anything bound there. We fall back automatically to alternate servers to ensure the container has at least some servers to connect to. It may be possible to convince your DNS server to also bind to the bridge that Podman creates, and then manually specify the bridge IP as a DNS server.

…

On Sat, Mar 14, 2020, 13:58 Paul G. ***@***.***> wrote: *Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)* /kind feature *Description* *Steps to reproduce the issue:* 1. The /etc/resolv.conf is being managed by NetworkManager. The is a DNS server itself. # Generated by NetworkManager search localdomain.local nameserver 127.0.0.1 1. Start a container: sudo ./bin/podman --log-level debug run -it nicolaka/netshoot bash 1. The network config look like this: { "cniVersion": "0.4.0", "name": "podman", "plugins": [ { "type": "bridge", "bridge": "cni-podman0", "isGateway": true, "ipMasq": true, "ipam": { "type": "host-local", "routes": [ { "dst": "0.0.0.0/0" } ], "ranges": [ [ { "subnet": "192.168.124.0/24", "gateway": "192.168.124.1" } ] ], "dns": { "nameservers": [ "127.0.0.1" ] } } }, { "type": "portmap", "capabilities": { "portMappings": true } }, { "type": "firewall", "backend": "nftables" } ] } *Describe the results you received:* As part of output I see: INFO[0000] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4] *Describe the results you expected:* I expect the use of localhost 127.0.0.1 resolver, not 8.8.8.8/8.8.4.4 See *Additional information you deem important (e.g. issue happens only occasionally):* *Output of podman version:* $ podman -v podman version 1.6.4 *Output of podman info --debug:* $ podman info --debug debug: compiler: gc git commit: "" go version: go1.12.12 podman version: 1.6.4 host: BuildahVersion: 1.12.0-dev CgroupVersion: v1 Conmon: package: conmon-2.0.6-1.module+el8.1.1+5259+bcdd613a.x86_64 path: /usr/bin/conmon version: 'conmon version 2.0.6, commit: 6ffbb2ec70dbe5ba56e4bfde946fb04f19dd8bbf' Distribution: distribution: '"rhel"' version: "8.1" IDMappings: gidmap: - container_id: 0 host_id: 1000 size: 1 - container_id: 1 host_id: 100000 size: 65536 uidmap: - container_id: 0 host_id: 1000 size: 1 - container_id: 1 host_id: 100000 size: 65536 MemFree: 478993223680 MemTotal: 540217061376 OCIRuntime: name: runc package: runc-1.0.0-64.rc9.module+el8.1.1+5259+bcdd613a.x86_64 path: /usr/bin/runc version: 'runc version spec: 1.0.1-dev' SwapFree: 10737414144 SwapTotal: 10737414144 arch: amd64 cpus: 64 eventlogger: journald kernel: 4.18.0-147.5.1.el8_1.x86_64 os: linux rootless: true slirp4netns: Executable: /usr/bin/slirp4netns Package: slirp4netns-0.4.2-2.git21fdece.module+el8.1.1+5460+3ac089c3.x86_64 Version: |- slirp4netns version 0.4.2+dev commit: 21fdece2737dc24ffa3f01a341b8a6854f8b13b4 uptime: 759h 59m 59.65s (Approximately 31.62 days) registries: blocked: null insecure: null search: - registry.redhat.io - registry.access.redhat.com - quay.io - docker.io store: ConfigFile: /home/greenpau/.config/containers/storage.conf ContainerStore: number: 0 GraphDriverName: overlay GraphOptions: overlay.mount_program: Executable: /usr/bin/fuse-overlayfs Package: fuse-overlayfs-0.7.2-1.module+el8.1.1+5259+bcdd613a.x86_64 Version: |- fuse-overlayfs: version 0.7.2 FUSE library version 3.2.1 using FUSE kernel interface version 7.26 GraphRoot: /home/greenpau/.local/share/containers/storage GraphStatus: Backing Filesystem: xfs Native Overlay Diff: "false" Supports d_type: "true" Using metacopy: "false" ImageStore: number: 1 RunRoot: /run/user/1000/containers VolumePath: /home/greenpau/.local/share/containers/storage/volumes *Package info (e.g. output of rpm -q podman or apt list podman):* podman-1.6.4-2.module+el8.1.1+5363+bf8ff1af.x86_64 *Additional environment details (AWS, VirtualBox, physical, etc.):* N/A *Additional Details:* Traced the message to containers/libpod/pkg/resolvconf/resolvconf.go nad subsequently to generateResolvConf() function in containers/libpod/libpod/container_internal_linux.go: // Ensure that the container's /etc/resolv.conf is compatible with its // network configuration. // TODO: set ipv6 enable bool more sanely resolv, err := resolvconf.FilterResolvDNS(contents, true, c.config.CreateNetNS) if err != nil { return "", errors.Wrapf(err, "error parsing host resolv.conf") } Then, there is this snippet: // If the user provided dns, it trumps all; then dns masq; then resolv.conf switch { case len(c.config.DNSServer) > 0: // We store DNS servers as net.IP, so need to convert to string for _, server := range c.config.DNSServer { nameservers = append(nameservers, server.String()) } However, in my case c.config.DNSServer is empty. Perhaps, DNS configuration is not a part of IPAM? 🤔 — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#5501>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB3AOCAVR7JAP7ZD2GHAOW3RHPATRANCNFSM4LJPQNCQ> .

[greenpau]

It may be possible to convince your DNS server to also bind to
the bridge that Podman creates, and then manually specify the bridge IP as
a DNS server.

I run coredns on 0.0.0.0:53 in the main networking namespace. The server uses NetworkManager to manage DNS. The NetworkManager DNS configured for 127.0.0.1.

The local coredns has a number of upstream servers:

$ cat /etc/coredns/Corefile
.:53 {
    errors
    health
    template ANY AAAA . {
        rcode NOERROR
    }
    prometheus :9153
    forward . 10.10.10.10 10.20.20.20
    cache 30
    reload
}

@mheon , is there a way to configure 10.10.10.10 10.20.20.20 via CNI network config such that libpod would respect it?

[mheon]

resolv.conf in the container is controlled by Podman, not CNI, so CNI config is the wrong place to look. We presently don't have the ability to do this, but it's coming in as part of the addition of a new configuration file (containers.conf) that @rhatdan is working on.

[greenpau]

but it's coming in as part of the addition of a new configuration file (containers.conf) that @rhatdan is working on.

@mheon , 👍 thank you! for now, I will just pass DNS args.