move network alias validation to container create

Podman 4.0 currently errors when you use network aliases for a network which has dns disabled. Because the error happens on network setup this can cause regression for old working containers. The network backend should not validate this. Instead podman should check this at container create time and also for network connect. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-10-20 04:34:01 +08:00 · 2021-09-27 14:21:50 +02:00
parent d0950f3efe
commit 1c8926285d
4 changed files with 43 additions and 31 deletions
--- a/libpod/network/cni/run.go
+++ b/libpod/network/cni/run.go
@ -186,9 +186,6 @@ outer:
 		}
 		return errors.Errorf("requested static ip %s not in any subnet on network %s", ip.String(), network.libpodNet.Name)
 	}
-	if len(netOpts.Aliases) > 0 && !network.libpodNet.DNSEnabled {
-		return errors.New("cannot set aliases on a network without dns enabled")
-	}
 	return nil
 }

--- a/libpod/network/cni/run_test.go
+++ b/libpod/network/cni/run_test.go
@ -966,6 +966,26 @@ var _ = Describe("run CNI", func() {
 			})
 		})

+		It("setup with aliases but dns disabled should work", func() {
+			runTest(func() {
+				defNet := types.DefaultNetworkName
+				intName := "eth0"
+				setupOpts := types.SetupOptions{
+					NetworkOptions: types.NetworkOptions{
+						ContainerID: stringid.GenerateNonCryptoID(),
+						Networks: map[string]types.PerNetworkOptions{
+							defNet: {
+								InterfaceName: intName,
+								Aliases:       []string{"somealias"},
+							},
+						},
+					},
+				}
+				_, err := libpodNet.Setup(netNSContainer.Path(), setupOpts)
+				Expect(err).ToNot(HaveOccurred())
+			})
+		})
+
 	})

 	Context("invalid network setup test", func() {
@ -1052,27 +1072,6 @@ var _ = Describe("run CNI", func() {
 			})
 		})

-		It("setup with aliases but dns disabled", func() {
-			runTest(func() {
-				defNet := types.DefaultNetworkName
-				intName := "eth0"
-				setupOpts := types.SetupOptions{
-					NetworkOptions: types.NetworkOptions{
-						ContainerID: stringid.GenerateNonCryptoID(),
-						Networks: map[string]types.PerNetworkOptions{
-							defNet: {
-								InterfaceName: intName,
-								Aliases:       []string{"somealias"},
-							},
-						},
-					},
-				}
-				_, err := libpodNet.Setup(netNSContainer.Path(), setupOpts)
-				Expect(err).To(HaveOccurred())
-				Expect(err.Error()).To(ContainSubstring("cannot set aliases on a network without dns enabled"))
-			})
-		})
-
 		It("setup without networks", func() {
 			runTest(func() {
 				setupOpts := types.SetupOptions{
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@ -1262,6 +1262,14 @@ func (c *Container) NetworkConnect(nameOrID, netName string, aliases []string) e
 	// get network status before we connect
 	networkStatus := c.getNetworkStatus()

+	network, err := c.runtime.network.NetworkInspect(netName)
+	if err != nil {
+		return err
+	}
+	if !network.DNSEnabled && len(aliases) > 0 {
+		return errors.Wrapf(define.ErrInvalidArg, "cannot set network aliases for network %q because dns is disabled", netName)
+	}
+
 	if err := c.runtime.state.NetworkConnect(c, netName, aliases); err != nil {
 		return err
 	}
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@ -234,13 +234,6 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
 }

 func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Container, retErr error) {
-	// Validate the container
-	if err := ctr.validate(); err != nil {
-		return nil, err
-	}
-	if ctr.config.IsInfra {
-		ctr.config.StopTimeout = 10
-	}
 	// normalize the networks to names
 	// ocicni only knows about cni names so we have to make
 	// sure we do not use ids internally
@ -265,11 +258,26 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 			if err != nil {
 				return nil, err
 			}
+			network, err := r.network.NetworkInspect(netName)
+			if err != nil {
+				return nil, err
+			}
+			if !network.DNSEnabled {
+				return nil, errors.Wrapf(define.ErrInvalidArg, "cannot set network aliases for network %q because dns is disabled", netName)
+			}
 			netAliases[netName] = aliases
 		}
 		ctr.config.NetworkAliases = netAliases
 	}

+	// Validate the container
+	if err := ctr.validate(); err != nil {
+		return nil, err
+	}
+	if ctr.config.IsInfra {
+		ctr.config.StopTimeout = 10
+	}
+
 	// Inhibit shutdown until creation succeeds
 	shutdown.Inhibit()
 	defer shutdown.Uninhibit()