Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Changed host network configuration is not reflected to containers created with --network host #10026

Closed
StayPirate opened this issue Apr 14, 2021 · 9 comments
Closed

Changed host network configuration is not reflected to containers created with --network host #10026

StayPirate opened this issue Apr 14, 2021 · 9 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. stale-issue

Comments

@StayPirate
Copy link

/kind bug

Description

If I create a container with --network host the host's file /etc/resolv.conf is copied within the container. When I later connect the host to a VPN which reconfigure the resolvers, by passing new DNS servers via DHCP, these changes are not reflected inside the container.

Steps to reproduce the issue:

  1. create a container with --network host

  2. change your host /etc/resolv.conf

  3. From the container, try to resolve a domain name which is only resolvable with the new configured DNS servers.

Describe the results you received:

This prevent me to access new available network resources from the container.

Describe the results you expected:

I'd like to continue to use the container as I would do from the host system after I connected the host to the VPN.

Output of podman version:

Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.16
Git Commit:   c640670e85c4aaaff92741691d6a854a90229d8d
Built:        Sun Feb 21 16:29:46 2021
OS/Arch:      linux/amd64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 14, 2021
@StayPirate StayPirate mentioned this issue Apr 14, 2021
Closed
@Luap99
Copy link
Member

Luap99 commented Apr 16, 2021

I think the problem is that we copy the content in /etc/resolv.conf before we bind mount it in the container. I think when --network host is used we can directly bind mount /etc/resolv.conf and /etc/hosts.

@mheon @baude WDYT?

@rhatdan
Copy link
Member

rhatdan commented Apr 16, 2021

I believe we copied the behaviour of Docker for this. One issue with not copying the contents, is the contents become non writable from within the container. Since you don't want the container to modify the hosts resolv.conf.

@Luap99
Copy link
Member

Luap99 commented Apr 16, 2021

@rhatdan You are right I just tested this with docker.

@mheon
Copy link
Member

mheon commented Apr 16, 2021

Concur, this is a Docker compat measure.

For folks who don't want this, we added the --dns=none flag to disable Podman's management of /etc/resolv.conf, then you can bind-mount in the original from the host.

@alitvak69
Copy link

Will application in the container react to a changed resolve.conf file? Some apps at least from my experience read resolver info only once on start.

@rhatdan
Copy link
Member

rhatdan commented Apr 16, 2021

If you do a -v /etc/resolv.conf:/etc/resolv.conf it should work as long as the resolver file is not renamed and replaced.

There is no guarantee that any application will reread the /etc/resolv.conf ever.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@alitvak69
Copy link

OK to close.

@Luap99 Luap99 closed this as completed May 17, 2021
@StayPirate
Copy link
Author

Unfortunately I had not spare time to follow this up until today. I appreciated all your suggestions and tried them out, but without any luck.

Even if I use --dns=none and -v /etc/resolv.conf:/etc/resolv.conf, /etc/resolv.conf inside the container does not reflect the changes I make to the host's one. Here what I did:

host > cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1
host > podman container run --rm -ti --dns=none -v /etc/resolv.conf:/etc/resolv.conf alpine:latest sh
guest > cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1

Then I change the /etc/resolv.conf in the host.

host > cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.160.0.1
nameserver 10.160.2.88
nameserver 2620:113:80c0:8080:10:160:2:88
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2620:113:80c0:8080:10:160:0:1
nameserver 192.168.1.1

I then check again the file from the container, expecting to see the above changes reflected:

guest > cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1

But that's not the case. Am I doing something wrong here or have I hit a bug?

@StayPirate StayPirate mentioned this issue Jul 25, 2021
Closed
StayPirate added a commit to StayPirate/secbox that referenced this issue Jul 27, 2021
@StayPirate
Reflect host DNS resolver changes to the container
ce2a463 
Fix #5.

If you run secbox for the first time while you are not yet connected to
the company VPN, you won't be able to reach out to the internal network
resources even after you connect your host system to the VPN. This
commit makes the container works with all the network resources
independently from when the container was created at the first instance.

/etc/resolv.conf is copied over the container from the host system by
podman during the container creation. If your host /etc/resolv.conf
changes after the container creation, let's say you connect to your
company's VPN, the newly added nameservers (provided by the company via
DHCP) won't be reflected within the container /etc/resolv.conf.
Bind mounting /etc/resolv.conf would be an option, but unfortunately
NetworkManager replace the host /etc/resolv.conf instead of updating its
content in place. This of course breaks the bind mount.
The solution I adopted here is to use a copy of /etc/resolv.conf
maintained by secbox, which takes care of syncing it at every run with
the host one, without delete or rename the file.

For more info check [0][1][2].

[0] containers/podman#11042
[1] containers/podman#10026
[2] #5
@StayPirate StayPirate mentioned this issue Jul 27, 2021
Merged
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. stale-issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@rhatdan @alitvak69 @mheon @openshift-ci-robot @StayPirate @Luap99