-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Podman netavark/aardvark-dns in container fails e2e tests #13533
Comments
@cevich I played around with this and was able to figure out the cause, problem is
My suggestion is to never test dns with I tried Here are my steps and working example. [root@fedora ~]# podman --network-backend netavark run --privileged -v /dev/fuse:/dev/fuse:Z -v /var/tmp/tmp.KkVmGQxqxK:/tmp:Z -it fedora:37 bash
[root@31384c95607e /]# dnf install podman fuse-overlayfs -y
# populate /etc/containers/storage.conf so it uses fuse-overlayfs
# populate /etc/containers/containers.conf with needed config
[root@31384c95607e /]# podman network create test
[root@31384c95607e /]# podman run --network test --name hello nicolaka/netshoot:latest dig hello
; <<>> DiG 9.16.22 <<>> hello
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56771
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello. IN A
;; ANSWER SECTION:
hello. 0 IN A 10.89.0.3
;; Query time: 0 msec
;; SERVER: 10.89.0.1#53(10.89.0.1)
;; WHEN: Mon Mar 21 12:29:36 UTC 2022
;; MSG SIZE rcvd: 50 TLDR
|
I don't understand this. The container should still have a valid resolv.conf. Why would running aardvark fail in this case? |
@cevich btw you package list says |
@Luap99 |
@Luap99 Its mainly because the second container contains the podman run -it --net=host --cgroupns=host --privileged quay.io/podman/stable bash
# inside container
podman network create test
# run any container with --network test |
The second container contains the correct entry for me:
|
@Luap99 Does |
@Luap99 Try |
It should not work since |
Yes dns does not work but this is not related too /etc/resolv.conf. The hostns would be correct since we started the parent container with --net=host. The problem is that I cannot ping/curl from within the container to the outside of the system, so the general network connectivity is broken. |
@Luap99 Yes any address in hostns is not accessible, in my reproducer all host address is unreachable and But anyways after playing around I think case with both I'll close this issue once we have a concrete statement about |
This should work! I disabled friewalld and it started working with dnsname. I have nor yet tested with aardvark. |
@Luap99 Yes as I mentioned it works after plumbing, also works if you pass |
Yes it should work out of the box, I need to investigate why I had to disable firewalld. What is your content in the hosts and containers /etc/resolv.conf? |
@Luap99 It works for |
On first container is it carried from host , but it is fine on the second container if i do nothing. @Luap99 Did you try docker yet ? |
I don't understand what any of this has to do with docker? I just used the So we have to fix this netavark to make sure systemd-run is only used when systemd is running. @cevich Can you add |
@Luap99 I meant
I think Irrespective of
|
Re: --net=host and --dns "Because it was always done this way" 😁 Seriously, I'm absolutely not against changing the setup to suit our needs. Even in a super-privileged container, I'm sure there's a limit to how much the container can affect changes on the host, so some test skipping is also okay. Otherwise, please don't wait on me to test changes. You're able to go directly hands-on to mess with the setup however you like. Just clone my #13376 and use |
@cevich Yes i think if we are not able to make it work in most generic way then I see no harm in skipping and we can have separate task for few tests. So this should not be a blocker. But I think we can keep this issue open till we are sure about this. |
In many cases we should already have separate (non-containerized) tests, so only skipping incompatible is necessary.
Yep, and if you think we need to do something like add |
This is clearly a bug in netavark, we just should not use systemd-run when systemd is not running. Just checking if |
Newer containerized F36 testing results (annotated log) - Should these tests be skipped also? |
Well they should work too but this is the same problem as in the other tests, feel free to skip them until we fix it or add the |
@cevich The fix for this is in netavark v1.0.2. |
@Luap99 Does it also work without disabling the firewalld in the host or we still have to do it in CI. |
I haven't tried the new patch yet but i can give it it a try. |
CI runs without firewalld AFAIK, I have not looked why it is failing with firewalld. |
I believe that's right, ya, we do not install firewalld explicitly. |
Thanks guys, I'll keep an eye out for that version number |
Okay, I'm now seeing |
I can confirm, with 1.0.2 the test-failures originally reported have been fixed. Though now we have new ones (yay!). I'll open a new issue for them. |
New issue ref: #13931 |
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
When executing the podman e2e tests inside a F36 super-privledged-container, there are several failures which all report name-resolution errors.
Steps to reproduce the issue:
/var/tmp/go/src/github.com/containers/podman
/var/tmp/tmp.KkVmGQxqxK
podman run --rm --privileged --net=host --cgroupns=host -v /var/tmp/tmp.KkVmGQxqxK:/tmp:Z -v /dev/fuse:/dev/fuse -v /var/tmp/go:/var/tmp/go:Z --workdir /var/tmp/go/src/github.com/containers/podman -e CONTAINER=1 '-e NETWORK_BACKEND=netavark' '-e GOSRC=/var/tmp/go/src/github.com/containers/podman' '-e CIRRUS_USER_PERMISSION=admin' '-e CIRRUS_LAST_GREEN_BUILD_ID=5325573969936384' '-e CTR_FQIN=quay.io/libpod/fedora_podman:c5140433071243264' '-e CIRRUS_DEFAULT_BRANCH=main' '-e FEDORA_CONTAINER_FQIN=quay.io/libpod/fedora_podman:c5140433071243264' '-e PRIOR_FEDORA_CACHE_IMAGE_NAME=prior-fedora-c5140433071243264' '-e CIRRUS_REPO_ID=6707778565701632' '-e TEST_ENVIRON=container' '-e VM_IMAGE_NAME=fedora-c5140433071243264' '-e CIRRUS_REPO_FULL_NAME=containers/podman' '-e CIRRUS_REPO_OWNER=containers' '-e OCI_RUNTIME=crun' '-e SCRIPT_BASE=./contrib/cirrus' '-e GOCACHE=/var/tmp/go/cache' '-e FEDORA_CACHE_IMAGE_NAME=fedora-c5140433071243264' '-e CIRRUS_USER_COLLABORATOR=true' '-e CI_NODE_TOTAL=55' '-e CIRRUS_SHELL=/bin/bash' '-e CIRRUS_PR=13376' '-e CIRRUS_BASE_BRANCH=main' '-e FEDORA_NAME=fedora-36' '-e CIRRUS_REPO_CLONE_HOST=github.com' '-e CIRRUS_CI=true' '-e PODBIN_NAME=podman' '-e CIRRUS_BUILD_ID=5182796640550912' '-e DISTRO_NV=fedora-36' '-e GOPATH=/var/tmp/go' '-e TEST_FLAVOR=int' '-e CIRRUS_BASE_SHA=32fd5d885a648c65158a2127332f9b0a0f2d6fa0' '-e CIRRUS_REPO_NAME=podman' '-e CIRRUS_REPO_CLONE_URL=https://github.com/containers/podman.git' '-e CIRRUS_PR_DRAFT=true' '-e PRIV_NAME=root' '-e CI_NODE_INDEX=29' '-e CIRRUS_TASK_ID=5853207413915648' '-e CIRRUS_ENV=/tmp/cirrus-env-task-5853207413915648-e1fbbc6e-4064-4d94-b383-3f4f2bd2503d' '-e CIRRUS_CHANGE_IN_REPO=9bef86b31e8873249bbd250cba4141f03f83115d' '-e CIRRUS_ARCH=amd64' '-e CIRRUS_WORKING_DIR=/var/tmp/go/src/github.com/containers/podman' '-e CI=true' '-e CIRRUS_OS=linux' '-e CIRRUS_LAST_GREEN_CHANGE=a5e327941423983529b771a03691dc2fe2390e0f' '-e CIRRUS_BRANCH=pull/13376' '-e CIRRUS_TASK_NAME=int\ podman\ fedora-36\ root\ container' quay.io/libpod/fedora_podman:c5140433071243264 bash -c './contrib/cirrus/setup_environment.sh && ./contrib/cirrus/runner.sh'
Describe the results you received:
Annotated results: https://storage.googleapis.com/cirrus-ci-6707778565701632-fcae48/artifacts/containers/podman/5853207413915648/html/int-podman-fedora-36-root-container.log.html
Describe the results you expected:
All tests pass
Additional information you deem important (e.g. issue happens only occasionally):
Output of
podman version
:Build from source
Output of
podman info --debug
:Package info (e.g. output of
rpm -q podman
orapt list podman
):Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
Ref.: #13376
The text was updated successfully, but these errors were encountered: