-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changed host network configuration is not reflected to containers created with --network host
#10026
Comments
I believe we copied the behaviour of Docker for this. One issue with not copying the contents, is the contents become non writable from within the container. Since you don't want the container to modify the hosts resolv.conf. |
@rhatdan You are right I just tested this with docker. |
Concur, this is a Docker compat measure. For folks who don't want this, we added the |
Will application in the container react to a changed resolve.conf file? Some apps at least from my experience read resolver info only once on start. |
If you do a -v /etc/resolv.conf:/etc/resolv.conf it should work as long as the resolver file is not renamed and replaced. There is no guarantee that any application will reread the /etc/resolv.conf ever. |
A friendly reminder that this issue had no activity for 30 days. |
OK to close. |
Unfortunately I had not spare time to follow this up until today. I appreciated all your suggestions and tried them out, but without any luck. Even if I use host > cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1 host > podman container run --rm -ti --dns=none -v /etc/resolv.conf:/etc/resolv.conf alpine:latest sh
guest > cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1 Then I change the host > cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.160.0.1
nameserver 10.160.2.88
nameserver 2620:113:80c0:8080:10:160:2:88
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2620:113:80c0:8080:10:160:0:1
nameserver 192.168.1.1 I then check again the file from the container, expecting to see the above changes reflected: guest > cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1 But that's not the case. Am I doing something wrong here or have I hit a bug? |
Fix #5. If you run secbox for the first time while you are not yet connected to the company VPN, you won't be able to reach out to the internal network resources even after you connect your host system to the VPN. This commit makes the container works with all the network resources independently from when the container was created at the first instance. /etc/resolv.conf is copied over the container from the host system by podman during the container creation. If your host /etc/resolv.conf changes after the container creation, let's say you connect to your company's VPN, the newly added nameservers (provided by the company via DHCP) won't be reflected within the container /etc/resolv.conf. Bind mounting /etc/resolv.conf would be an option, but unfortunately NetworkManager replace the host /etc/resolv.conf instead of updating its content in place. This of course breaks the bind mount. The solution I adopted here is to use a copy of /etc/resolv.conf maintained by secbox, which takes care of syncing it at every run with the host one, without delete or rename the file. For more info check [0][1][2]. [0] containers/podman#11042 [1] containers/podman#10026 [2] #5
/kind bug
Description
If I create a container with
--network host
the host's file/etc/resolv.conf
is copied within the container. When I later connect the host to a VPN which reconfigure the resolvers, by passing new DNS servers via DHCP, these changes are not reflected inside the container.Steps to reproduce the issue:
create a container with
--network host
change your host
/etc/resolv.conf
From the container, try to resolve a domain name which is only resolvable with the new configured DNS servers.
Describe the results you received:
This prevent me to access new available network resources from the container.
Describe the results you expected:
I'd like to continue to use the container as I would do from the host system after I connected the host to the VPN.
Output of
podman version
:Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?
Yes
The text was updated successfully, but these errors were encountered: