From 869fceb0fdd13e1bc9085f72544839d51adc9a20 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Wed, 28 May 2025 14:11:42 +0200
Subject: [PATCH 1/3] update c/common to latest main

Contains the resolv.conf setup changes.

Signed-off-by: Paul Holzinger
---
 go.mod | 2 +-
 go.sum | 4 +--
 .../common/libnetwork/resolvconf/resolv.go | 26 ++++++++++++++-----
 vendor/modules.txt | 2 +-
 4 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index 209149c1a4..45e8dbe8d0 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
  github.com/checkpoint-restore/go-criu/v7 v7.2.0
  github.com/containernetworking/plugins v1.7.1
  github.com/containers/buildah v1.40.1-0.20250523151639-b535d02d0ee1
- github.com/containers/common v0.63.1-0.20250528122446-1a3b5ecec62f
+ github.com/containers/common v0.63.1-0.20250602154905-5a4ca2d5d355
  github.com/containers/conmon v2.0.20+incompatible
  github.com/containers/gvisor-tap-vsock v0.8.6
  github.com/containers/image/v5 v5.35.1-0.20250526152843-c64593da00e4
diff --git a/go.sum b/go.sum
index 997406e340..7962a48e31 100644
--- a/go.sum
+++ b/go.sum
@@ -68,8 +68,8 @@ github.com/containernetworking/plugins v1.7.1 h1:CNAR0jviDj6FS5Vg85NTgKWLDzZPfi/ github.com/containernetworking/plugins v1.7.1/go.mod h1:xuMdjuio+a1oVQsHKjr/mgzuZ24leAsqUYRnzGoXHy0= github.com/containers/buildah v1.40.1-0.20250523151639-b535d02d0ee1 h1:3bNWDmqh9tx0iAXPzBJugj/oC0nTD9yTXCyIu/Mj/LE= github.com/containers/buildah v1.40.1-0.20250523151639-b535d02d0ee1/go.mod h1:8BVLrM6nRl/dRMYxZ+TrmoWPXzkCY99rZOYvJoXpIyE= -github.com/containers/common v0.63.1-0.20250528122446-1a3b5ecec62f h1:308Ex0+3+gBSpDPJrFCQIhALdD8YC7jzaXuxSFZgFiA= -github.com/containers/common v0.63.1-0.20250528122446-1a3b5ecec62f/go.mod h1:efNRNweihnq5nXALnAPDXTpC7uJtnFV4pNuETTfvI8s= +github.com/containers/common v0.63.1-0.20250602154905-5a4ca2d5d355 h1:vK7TVpONcQzWHR4dAEnLkLeCrKNB61UhLDpwAXFIIto= +github.com/containers/common v0.63.1-0.20250602154905-5a4ca2d5d355/go.mod h1:efNRNweihnq5nXALnAPDXTpC7uJtnFV4pNuETTfvI8s= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/gvisor-tap-vsock v0.8.6 h1:9SeAXK+K2o36CtrgYk6zRXbU3zrayjvkrI8b7/O6u5A= diff --git a/vendor/github.com/containers/common/libnetwork/resolvconf/resolv.go b/vendor/github.com/containers/common/libnetwork/resolvconf/resolv.go index 30b82d8072..8e47078e05 100644 --- a/vendor/github.com/containers/common/libnetwork/resolvconf/resolv.go +++ b/vendor/github.com/containers/common/libnetwork/resolvconf/resolv.go 
@@ -30,17 +30,28 @@ type Params struct {
  // IPv6Enabled will filter ipv6 nameservers when not set to true.
  IPv6Enabled bool
  // KeepHostServers can be set when it is required to still keep the
- // original resolv.conf content even when custom Nameserver/Searches/Options
+ // original resolv.conf nameservers even when explicit Nameservers
  // are set. In this case they will be appended to the given values.
  KeepHostServers bool
+ // KeepHostSearches can be set when it is required to still keep the
+ // original resolv.conf search domains even when explicit search domains
+ // are set in Searches.
+ KeepHostSearches bool
+ // KeepHostOptions can be set when it is required to still keep the
+ // original resolv.conf options even when explicit options are set in
+ // Options.
+ KeepHostOptions bool
  // Nameservers is a list of nameservers the container should use,
- // instead of the default ones from the host.
+ // instead of the default ones from the host. Set KeepHostServers
+ // in order to also keep the hosts resolv.conf nameservers.
  Nameservers []string
  // Searches is a list of dns search domains the container should use,
- // instead of the default ones from the host.
+ // instead of the default ones from the host. Set KeepHostSearches
+ // in order to also keep the hosts resolv.conf search domains.
  Searches []string
  // Options is a list of dns options the container should use,
- // instead of the default ones from the host.
+ // instead of the default ones from the host. Set KeepHostOptions
+ // in order to also keep the hosts resolv.conf options.
  Options []string
 
  // resolvConfPath is the path which should be used as base to get the dns
@@ -121,7 +132,8 @@ func unsetSearchDomainsIfNeeded(searches []string) []string {
 // New creates a new resolv.conf file with the given params.
 func New(params *Params) error {
  // short path, if everything is given there is no need to actually read the hosts /etc/resolv.conf
- if len(params.Nameservers) > 0 && len(params.Options) > 0 && len(params.Searches) > 0 && !params.KeepHostServers {
+ if len(params.Nameservers) > 0 && len(params.Options) > 0 && len(params.Searches) > 0 &&
+ !params.KeepHostServers && !params.KeepHostOptions && !params.KeepHostSearches {
  return build(params.Path, params.Nameservers, unsetSearchDomainsIfNeeded(params.Searches), params.Options)
  }
 
@@ -140,12 +152,12 @@ func New(params *Params) error {
  searches := unsetSearchDomainsIfNeeded(params.Searches)
  // if no params.Searches then use host ones
  // otherwise make sure that they were no explicitly unset before adding host ones
- if len(params.Searches) == 0 || (params.KeepHostServers && len(searches) > 0) {
+ if len(params.Searches) == 0 || (params.KeepHostSearches && len(searches) > 0) {
  searches = append(searches, getSearchDomains(content)...)
  }
 
  options := params.Options
- if len(options) == 0 || params.KeepHostServers {
+ if len(options) == 0 || params.KeepHostOptions {
  options = append(options, getOptions(content)...)
  }
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8bf9b07669..480c3ee728 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -142,7 +142,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.63.1-0.20250528122446-1a3b5ecec62f
+# github.com/containers/common v0.63.1-0.20250602154905-5a4ca2d5d355
 ## explicit; go 1.23.3
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring
From 75dc508e98bdc2f1f23ea9bece3910e8bb25871e Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Wed, 28 May 2025 14:12:09 +0200
Subject: [PATCH 2/3] libpod: don't force only network search domains

We like to append the host servers in that case so that we do not only force dns.podman.

Fixes: #24713
Fixes: https://issues.redhat.com/browse/RHEL-83787

Signed-off-by: Paul Holzinger
---
 libpod/container_internal_common.go | 22 +++++++++++++---------
 test/e2e/run_networking_test.go | 13 ++++++++-----
 2 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 88ff2d9b2f..b6196dba7e 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -2254,13 +2254,16 @@ func (c *Container) addResolvConf() error {
  }
 
  // Set DNS search domains
- search := networkSearchDomains
-
+ var search []string
+ keepHostSearches := false
  if len(c.config.DNSSearch) > 0 || len(c.runtime.config.Containers.DNSSearches.Get()) > 0 {
  customSearch := make([]string, 0, len(c.config.DNSSearch)+len(c.runtime.config.Containers.DNSSearches.Get()))
  customSearch = append(customSearch, c.runtime.config.Containers.DNSSearches.Get()...)
  customSearch = append(customSearch, c.config.DNSSearch...)
  search = customSearch
+ } else {
+ search = networkSearchDomains
+ keepHostSearches = true
  }
 
  options := make([]string, 0, len(c.config.DNSOption)+len(c.runtime.config.Containers.DNSOptions.Get()))
@@ -2273,13 +2276,14 @@ func (c *Container) addResolvConf() error {
  }
 
  if err := resolvconf.New(&resolvconf.Params{
- IPv6Enabled: ipv6,
- KeepHostServers: keepHostServers,
- Nameservers: nameservers,
- Namespaces: namespaces,
- Options: options,
- Path: destPath,
- Searches: search,
+ IPv6Enabled: ipv6,
+ KeepHostServers: keepHostServers,
+ KeepHostSearches: keepHostSearches,
+ Nameservers: nameservers,
+ Namespaces: namespaces,
+ Options: options,
+ Path: destPath,
+ Searches: search,
  }); err != nil {
  return fmt.Errorf("building resolv.conf for container %s: %w", c.ID(), err)
  }
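Review bot: The new `else` branch in addResolvConf (libpod/container_internal_common.go, first hunk) sets `keepHostSearches = true` with no comment, although it changes what ends up in the container: when no `DNSSearch` is configured, the host's search list is appended after the network search domains. The vendored `searches = append(searches, getSearchDomains(content)...)` keeps the network domains first, and that ordering is what lets container names win over host domains, so it should be stated at the call site, e.g. `// No explicit search domains: network domains first, host search list appended after them by resolvconf.` Host search domains are often internal names, so the user-facing documentation should also say that they are visible inside such containers unless explicit search domains are given. The function body starts and ends outside this hunk.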
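Review bot: The `resolvconf.Params` literal in the second hunk of libpod/container_internal_common.go sets `KeepHostSearches` but leaves `KeepHostOptions` at its zero value, so with the vendored change from patch 1/3 host options are no longer appended when `options` is non-empty, even if `keepHostServers` is true. That matches what patch 3/3 tests, but nothing at the call site says the omission is deliberate. A one-line comment such as `// KeepHostOptions stays false: configured DNS options replace the host's (#22399).` would keep a later edit from re-adding it. The enclosing function continues outside the hunk.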
diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
index a97ecd84e0..13e1fb81db 100644
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@@ -1152,24 +1152,27 @@ EXPOSE 2004-2005/tcp`, ALPINE)
  session.WaitWithDefaultTimeout()
  Expect(session).Should(ExitCleanly())
 
- session = podmanTest.Podman([]string{"run", "--name", "con1", "--network", net, CITEST_IMAGE, "nslookup", "con1"})
+ // Note apline nslookup tries to resolve all search domains always and returns an error if one does not resolve.
+ // Because we leak all host search domain into the container we have no control over if it resolves or not.
+ // Thus use "NAME." to indicate the name is full and no search domain should be tried.
+ session = podmanTest.Podman([]string{"run", "--name", "con1", "--network", net, CITEST_IMAGE, "nslookup", "con1."})
  session.WaitWithDefaultTimeout()
  Expect(session).Should(ExitCleanly())
 
- session = podmanTest.Podman([]string{"run", "--name", "con2", "--pod", pod, "--network", net, CITEST_IMAGE, "nslookup", "con2"})
+ session = podmanTest.Podman([]string{"run", "--name", "con2", "--pod", pod, "--network", net, CITEST_IMAGE, "nslookup", "con2."})
  session.WaitWithDefaultTimeout()
  Expect(session).Should(ExitCleanly())
 
- session = podmanTest.Podman([]string{"run", "--name", "con3", "--pod", pod2, CITEST_IMAGE, "nslookup", "con1"})
+ session = podmanTest.Podman([]string{"run", "--name", "con3", "--pod", pod2, CITEST_IMAGE, "nslookup", "con1."})
  session.WaitWithDefaultTimeout()
  Expect(session).Should(ExitWithError(1, ""))
- Expect(session.OutputToString()).To(ContainSubstring("server can't find con1.dns.podman: NXDOMAIN"))
+ Expect(session.OutputToString()).To(ContainSubstring("NXDOMAIN"))
 
  session = podmanTest.Podman([]string{"run", "--name", "con4", "--network", net, CITEST_IMAGE, "nslookup", pod2 + ".dns.podman"})
  session.WaitWithDefaultTimeout()
  Expect(session).Should(ExitCleanly())
 
- session = podmanTest.Podman([]string{"run", "--network", net, CITEST_IMAGE, "nslookup", hostname})
+ session = podmanTest.Podman([]string{"run", "--network", net, CITEST_IMAGE, "nslookup", hostname + "."})
  session.WaitWithDefaultTimeout()
  Expect(session).Should(ExitCleanly())
  })
From 89b8e233854b747c19215e82534e995e5ba001a0 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Mon, 2 Jun 2025 18:45:19 +0200
Subject: [PATCH 3/3] test/system: check --dns-option behavior

We should fully replace the options, now that we vendored the libnetwork/resolvconf changes into podman this just works.

Fixes: #22399

Signed-off-by: Paul Holzinger
---
 test/system/500-networking.bats | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index f0b7d52312..4b1b297af7 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -902,11 +902,21 @@ EOF
 @test "podman network rm --dns-option " {
  dns_opt=dns$(random_string)
  run_podman run --rm --dns-opt=${dns_opt} $IMAGE cat /etc/resolv.conf
- is "$output" ".*options ${dns_opt}" "--dns-opt was added"
+ # Note that we must fully replace all host option so make a match for line start/end as well
+ # https://github.com/containers/podman/issues/22399
+ assert "$output" =~ ".*^options ${dns_opt}\$" "--dns-opt was added"
 
  dns_opt=dns$(random_string)
  run_podman run --rm --dns-option=${dns_opt} $IMAGE cat /etc/resolv.conf
- is "$output" ".*options ${dns_opt}" "--dns-option was added"
+ assert "$output" =~ ".*^options ${dns_opt}\$" "--dns-option was added"
+
+ # now check with a custom network as well
+ local net=net-$(safename)
+ run_podman network create $net
+ run_podman run --rm --network $net --dns-option=${dns_opt} $IMAGE cat /etc/resolv.conf
+ assert "$output" =~ ".*^options ${dns_opt}\$" "--dns-option was added with custom network"
+
+ run_podman network rm -f $net
 }
 
 # bats test_tags=ci:parallel
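Review bot: In test/e2e/run_networking_test.go, switching every lookup to a fully qualified `NAME.` means none of these cases goes through the search list any more, and the con3 assertion was loosened from `con1.dns.podman: NXDOMAIN` to plain `NXDOMAIN`, so the test no longer shows that the network search domain is written or that it precedes the host ones. A direct check on the file would restore that coverage without depending on whether host domains resolve: run `cat /etc/resolv.conf` on the network and assert `Expect(session.OutputToString()).To(ContainSubstring("search dns.podman"))`, assuming the network domain is `dns.podman` as the removed assertion implies. The added comment also misspells "alpine" as "apline". The test body starts outside this hunk.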
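Review bot: In test/system/500-networking.bats the three new patterns `.*^options ${dns_opt}\$` depend on `^` matching at a line start inside multi-line `$output`; bash's `=~` is, as far as I know, not newline-sensitive, so `^` and `$` anchor to the whole string and it is worth confirming that the assertion passes and fails for the reason the comment gives. A check that does not depend on anchor semantics is `assert "$(grep '^options' <<<"$output")" == "options ${dns_opt}" "--dns-opt replaced host options"`, which also fails if a second `options` line appears. Separately, `run_podman network rm -f $net` is skipped when the preceding assert fails, so the network may be left behind unless teardown removes it.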