DNS not working for F30/F31 images on F31 s390x host #4571

Closed
tuan-hoang1 opened this issue Nov 26, 2019 · 8 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

@tuan-hoang1

tuan-hoang1 commented Nov 26, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. Upgrading F30 to F31 on s390x host.

  2. Remove all existing containers.

  3. # podman run --rm -ti registry.fedoraproject.org/fedora:31 bash (same for F30/UBI8 image)

Failed to run, tried ip link add cni-podman0 type bridge from #4114 and it's ok. Using --network host is also ok.

  4. Inside container:
[root@276ec67309be /]# echo nameserver 1.1.1.1 > /etc/resolv.conf 
[root@276ec67309be /]# yum update
Fedora Modular 31 - s390x                                                                                                                                     0.0  B/s |   0  B     00:00    
Failed to download metadata for repo 'fedora-modular'
Error: Failed to download metadata for repo 'fedora-modular'
[root@276ec67309be /]# curl 1.1.1.1
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare-lb</center>
</body>
</html>

Same effect for public DNS server and local DNS server.

Describe the results you received:
Everything works fine on F30 host before upgrading.
Networking seems to work, but DNS failed.
alpine, debian, ubuntu images work fine.

Describe the results you expected:
DNS works

Additional information you deem important (e.g. issue happens only occasionally):
journalctl -u systemd-udevd shows no error.
Output of iptables -nvL : https://tpaste.us/xk1v
Output of iptables -t nat -nvL : https://tpaste.us/yZN0

Output of podman version:

Version:            1.6.2
RemoteAPI Version:  1
Go Version:         go1.13.1
OS/Arch:            linux/s390x

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.13.1
  podman version: 1.6.2
host:
  BuildahVersion: 1.11.3
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.2-1.fc31.s390x
    path: /usr/bin/conmon
    version: 'conmon version 2.0.2, commit: c4d7c60ebcd4ef3caa24b26222e15d067a6f3a90'
  Distribution:
    distribution: fedora
    version: "31"
  MemFree: 15548116992
  MemTotal: 16819347456
  OCIRuntime:
    name: crun
    package: crun-0.10.6-1.fc31.s390x
    path: /usr/bin/crun
    version: |-
      crun version 0.10.6
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  SwapFree: 0
  SwapTotal: 0
  arch: s390x
  cpus: 32
  eventlogger: journald
  hostname: m35lp37.lnxne.boe
  kernel: 5.4.0-20190930.rc0.git0.6133e3e4bada.301.fc30.s390x
  os: linux
  rootless: false
  uptime: 12m 11.3s
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - quay.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions:
    overlay.mountopt: nodev,metacopy=on
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  ImageStore:
    number: 6
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.6.2-2.fc31.s390x

Additional environment details (AWS, VirtualBox, physical, etc.):
LPAR hypervisor (kind of baremetal for s390x) and KVM hypervisor.

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Nov 26, 2019
@mheon
Member

mheon commented Nov 26, 2019

Suspect it's something like the firewall plugin.

Can you include sudo iptables -nvL and sudo iptables -t nat -nvL

@tuan-hoang1
Author

@mheon : iptables on the host I assume. I already copied above.
Output of iptables -nvL : https://tpaste.us/xk1v
Output of iptables -t nat -nvL : https://tpaste.us/yZN0

@mheon
Member

mheon commented Nov 26, 2019

Hm. I see firewall plugin rules. And they're getting hit.

@mheon
Member

mheon commented Nov 26, 2019

@mccv1r0 Poke - mind taking a look? Nothing jumps out to me as being out of place here.

@mccv1r0
Collaborator

mccv1r0 commented Nov 27, 2019

@tuan-hoang1

Do we know if this is S390 specific? I tried # podman run --rm -ti registry.fedoraproject.org/fedora:31 bash on an x86_64 VM and can curl the usual places.

I might not have all needed context. Re: "Inside the container" #4, why is echo nameserver 1.1.1.1 > /etc/resolv.conf being done? Is 1.1.1.1 a real nameserver?

@tuan-hoang1
Author

@mccv1r0: Yes, it works on x86_64. 1.1.1.1 is just like 8.8.8.8, a public DNS server.

@rhatdan
Member

rhatdan commented Dec 3, 2019

I think this is architecture specific. This would be better opened as a Bugzilla, since this is not something upstream necessarily can fix. Reopen if I am mistaken.

@rhatdan rhatdan closed this as completed Dec 3, 2019
@tuan-hoang1
Author

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023