Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Modify /etc/resolv.conf when connecting/disconnecting #13191

Merged
merged 1 commit into from
Feb 10, 2022
Merged

Modify /etc/resolv.conf when connecting/disconnecting #13191

merged 1 commit into from
Feb 10, 2022

Conversation

mheon
Copy link
Member

@mheon mheon commented Feb 9, 2022

The podman network connect and podman network disconnect commands give containers access to different networks than the ones they were created with; these networks can also have DNS servers associated with them. Until now, however, we did not modify resolv.conf as network membership changed.

With this PR, podman network connect will add any new nameservers supported by the new network to the container's
/etc/resolv.conf, and podman network disconnect command will do the opposite, removing the network's nameservers from
/etc/resolv.conf.

Fixes #9603

Still to-do: do this for /etc/hosts as well. That's slightly lower priority and will happen after RC5.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 9, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 9, 2022
@mheon mheon force-pushed the resolvconf_fixes branch 5 times, most recently from c266d38 to 8ef6cfa Compare February 9, 2022 22:53
@mheon
Copy link
Member Author

mheon commented Feb 10, 2022

This should go green, @containers/podman-maintainers PTAL

TomSweeneyRedHat
TomSweeneyRedHat reviewed Feb 10, 2022
View reviewed changes
libpod/container_internal_linux.go Outdated
for _, netAddress := range netInt.Subnets {
// Note: only using To16() does not work since it also returns a valid ip for ipv4
if netAddress.IPNet.IP.To4() == nil && netAddress.IPNet.IP.To16() != nil {
ipv6 = true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we break out of these loops on true?

TomSweeneyRedHat
TomSweeneyRedHat reviewed Feb 10, 2022
View reviewed changes
libpod/container_internal_linux.go
// hold the container lock, so there should be no risk of parallel
// modification.
if _, err := resolvconf.Build(path, ns, search, options); err != nil {
return errors.Wrapf(err, "error adding new nameserver to container %s resolv.conf", c.ID())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consideration

Suggested change
return errors.Wrapf(err, "error adding new nameserver to container %s resolv.conf", c.ID())
return errors.Wrapf(err, "error adding new nameserver to resolv.conf in container %s", c.ID())

TomSweeneyRedHat
TomSweeneyRedHat reviewed Feb 10, 2022
View reviewed changes
libpod/container_internal_linux.go
}

if _, err := resolvconf.Build(path, newNS, search, options); err != nil {
return errors.Wrapf(err, "error removing nameservers from container %s resolv.conf", c.ID())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you change the one above, do a similar thing here.

giuseppe
giuseppe reviewed Feb 10, 2022
View reviewed changes
libpod/container_internal_linux.go
Comment on lines +2204 to +2205
// We're rewriting the container's resolv.conf as part of this, but we
// hold the container lock, so there should be no risk of parallel
// modification.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how to prevent the container doesn't read a half-written file?

If we cannot use an atomic rename, do we need to temporarily pause the container and manually open and write the file to not depend on the undocumented ioutil.WriteFile behavior that it writes the file in-place?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why can't we use rename?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it would break the bind mount

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding an optional pause/unpause should be enough initially. This is a temporary solution until we rewrite Aardvark to write firewall rules to allow containers to access it via a single address, even as their network membership changes, so the fix doesn't need to be permanent either. Given this I don't want to make the behavior too strongly integrated.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mheon, please create a jira card for that future work

@mheon
Modify /etc/resolv.conf when connecting/disconnecting
87cca4e 
The `podman network connect` and `podman network disconnect`
commands give containers access to different networks than the
ones they were created with; these networks can also have DNS
servers associated with them. Until now, however, we did not
modify resolv.conf as network membership changed.

With this PR, `podman network connect` will add any new
nameservers supported by the new network to the container's
/etc/resolv.conf, and `podman network disconnect` command will do
the opposite, removing the network's nameservers from
`/etc/resolv.conf`.

Fixes containers#9603

Signed-off-by: Matthew Heon <[email protected]>
@baude
Copy link
Member

baude commented Feb 10, 2022

/hold
/lgtm

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 10, 2022
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 10, 2022
@rhatdan
Copy link
Member

rhatdan commented Feb 10, 2022

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 10, 2022
@openshift-merge-robot openshift-merge-robot merged commit 0144413 into containers:main Feb 10, 2022
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

@vrothberg vrothberg vrothberg left review comments

@baude baude baude left review comments

@giuseppe giuseppe giuseppe left review comments

Assignees

@baude baude

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

DNS and other errors after original network is disconnected
7 participants
@mheon @baude @rhatdan @giuseppe @vrothberg @TomSweeneyRedHat @openshift-merge-robot