-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
podman doesn't start aardvark-dns
when in an LXC container
#18783
Comments
I should note that in our actual environment, we are using Quadlet. It may be that Quadlet is the cause of not starting the dns server. |
Please add |
I'm not sure if it is the same issue, but I have hit upon aardvark-dns not starting in an LXC container as well and perhaps it will help. It happens as:
The issue here is that since podman is running in a user namespace (the LXC container), it considers it as rootless. netavark in rootless mode uses
It works when you login as root directly and do not use sudo/su to switch privileges. It could be the same issue if Quadlet does not run podman with a proper user session, which is possible, I guess. |
Sorry for the lack of reply, I couldn't find much free time while on a work trip. I think @aither64 is exactly right. I should have clarified that I am running these commands as root within a rootless LXC container. It appears that somehow podman is miss identifying the situation as a rootless podman environment, and adding |
Do you have the CAP_SYS_ADMIN and CAP_NET_ADMIN capabilities in the LXC container? @giuseppe Do we need to check for |
@Luap99 yes that seems like a better check. We need to talk to the |
@Luap99 I do have CAP_SYS_ADMIN and CAP_NET_ADMIN in the LXC container.
|
AFAIK bounding does not mean you have those caps it just means you may gain those via exec().
CapEff is important here |
You have them in the bounding set, it means you can gain them but you haven't them |
Of course, that makes sense. Then correct, I don't have those capabilities:
|
@abalmos have you run that as root in the LXC container? Because I do have them as root:
|
@aither64 Your right, as root I seem to have them.
|
Can you show me a full |
The following commands are run as root from an LXC container, but without a proper systemd user session as I've described above. podman run --rm -it --network test --log-level debug fedora:38 bash
podman info
You might notice the backing file system being unknown, it is ZFS with a modified signature -- I don't think this matters in this case. I think it can be related to podman being run in a user namespace:
|
That is it, if I read the logs correctly podman's @giuseppe PTAL, this seems concerning that both function behave differently. Not sure why you added the uidmapping check? |
A friendly reminder that this issue had no activity for 30 days. |
I just wanted to report that this issue is not stale. We noticed it again today after some system updates. |
@giuseppe Can you respond to #18783 (comment)? The fact that podman and c/storage have a different meaning of what IsRootless() means is concerning to me. c/storage checks for the init userns while podman is happy with uid 0 and CAP_SYS_ADMIN. I think the podman check makes more sense in the context of nested containers. There should be no need for the network code to fall into the rootless logic as this makes things much slower with extra slirp4netns setup. |
yeah it is messy :/ The c/storage meaning is related to what the kernel allows us to do, since some features are not enabled when we are not in the initial user namespace (e.g. idmapped mounts except for tmpfs, or not using "-o user" for overlay), while the expectation for rootless podman is to behave more as root when running in a user namespace especially for the nested-podman use case. Should the network code really be like |
I think check net_admin for the network code would make sense but needs likely some bigger change that I don't want to do right now to fix this. My main issue is that basically all the code I moved to c/common breaks in these nested container scenarios because I changed the code from rootless.IsRootless() in podman to unshare.IsRootless() in c/storage. |
No this is not fixed by any of the XDG changes. |
Issue Description
Inside an LXC container, podman does not start
aardvark-dns
. This breaks container DNS resolution when a podman network is used because podman still properly re-writes the containers/etc/resolve.conf
to point to (expected to be running)aardvark-dns
.I do not see this issue when using a very similar environment, but on metal rather than an LXC.
After starting the
aardvark-dns
daemon by hand with/usr/libexec/podman/aardvark-dns --config /run/containers/storage/networks/aardvark-dns -p 53 run
, everything works as expected for the remainder of the LXC container's lifetime.I understand that this environment may not be available to the podman developers. I am willing to do some debugging, but so far I have not been able to identity any error or other logging which may indicate the issue.
Steps to reproduce the issue
Steps to reproduce the issue
podman network create test
podman run --rm -it --network test fedora:38 bash
getent hosts example.org
<-- this returns nothing.Without the
--network
flaggetent hosts example.org
returns2606:2800:220:1:248:1893:25c8:1946 example.org
.After starting
aardvark-dns
with/usr/libexec/podman/aardvark-dns --config /run/containers/storage/networks/aardvark-dns -p 53 run
on the host, then the DNS resolution works even with the--network
flag on podman.Describe the results you received
DNS resolution doesn't work.
Describe the results you expected
DNS resolution to work.
podman info output
I can not easily upgrade the environment to podman 4.5.1, but based on the changelog, I do not think this issue is addressed.
The text was updated successfully, but these errors were encountered: