fix --dns and --network conflict #3579
Conversation
QiWang19
changed the title
QiWang19
force-pushed
the
dns_net
branch
2 times, most recently
from
00d03d0
to
eda7b05
Compare
|
Should also conflict with Man pages should be updated to say this also. |
|
@rhatdan sure, but don't see docker return conflict error with --dns-option and |
cmd/podman/create.go
Outdated
| @@ -77,6 +77,10 @@ func createInit(c *cliconfig.PodmanCommand) error { | |||
| logrus.Warn("setting security options with --privileged has no effect") | |||
| } | |||
|
|
|||
| if (c.IsSet("dns") || c.IsSet("dns-opt") || c.IsSet("dns-search")) && c.IsSet("network") { | |||
There was a problem hiding this comment.
you'll need to check --net as well.
|
I think we need to check if |
|
LGTM assuming happy tests |
docs/podman-run.1.md
Outdated
| @@ -212,7 +212,7 @@ Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda: | |||
|
|
|||
| **--dns**=*dns* | |||
|
|
|||
| Set custom DNS servers | |||
| Set custom DNS servers. Invalid if using **--dns** with **--network** that is not set to host. | |||
There was a problem hiding this comment.
I think this is
Invalid if --network is set to host.
Is it invalid also if --network is set to a different container?
Is it invalid if --network is set to None?
docs/podman-run.1.md
Outdated
| @@ -224,11 +224,11 @@ The **/etc/resolv.conf** file in the image will be used without changes. | |||
|
|
|||
| **--dns-option**=*option* | |||
|
|
|||
| Set custom DNS options | |||
| Set custom DNS options. Invalid if using **--dns-option** with **--network** that is not set to host. | |||
There was a problem hiding this comment.
I think this is
Invalid if --network is set to host.
Is it invalid also if --network is set to a different container?
Is it invalid if --network is set to None?
docs/podman-run.1.md
Outdated
|
|
||
| **--dns-search**=*domain* | ||
|
|
||
| Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain) | ||
| Set custom DNS search domains. Invalid if using **--dns-search** and **--network** that is not set to host. (Use --dns-search=. if you don't wish to set the search domain) |
There was a problem hiding this comment.
I think this is
Invalid if --network is set to host.
Is it invalid also if --network is set to a different container?
Is it invalid if --network is set to None?
docs/podman-run.1.md
Outdated
| @@ -501,7 +501,7 @@ This works for both background and foreground containers. | |||
|
|
|||
| **--network**, **--net**=*mode* | |||
|
|
|||
| Set the Network mode for the container: | |||
| Set the Network mode for the container. Invalid if using **--dns**, **--dns-option**, or **--dns-search** with **--network** that is not set to host. | |||
There was a problem hiding this comment.
This should be a Node, I think the --net and --network can only be used with without none, host or container:NAME.
cmd/podman/create.go
Outdated
| } else if c.IsSet("net") { | ||
| setNet = c.String("net") | ||
| } | ||
| if (c.IsSet("dns") || c.IsSet("dns-opt") || c.IsSet("dns-search")) && setNet != "" && setNet != "host" { |
There was a problem hiding this comment.
I think this should be blocked if setNet == NONE, and CONTAINER:?
There was a problem hiding this comment.
So it should return error
if (c.IsSet("dns") || c.IsSet("dns-opt") || c.IsSet("dns-search")) && (setNet == "none" || setNet == "host" || strings.HasPrefix("container:")
because it makes no sense to set /etc/resolv.conf if --network=host or --network=none?
There was a problem hiding this comment.
DNS configuration options are only disallowed when --net=container:$id is set. Other values (host, bridge, etc) seem fine. --net=none is a possible exception - I don't think it matters, so we can either allow or deny.
There was a problem hiding this comment.
If none doesn't matter, I choose to allow none and docker doesn't block none either.
There's another kind of --network 'ns:<path>': path to a network namespace to join, will this be influenced with --dns*?
To only disallow if --net container:id or --network container:id
if (c.IsSet("dns") || c.IsSet("dns-opt") || c.IsSet("dns-search")) && setNet != "" && strings.HasPrefix(setNet, "container:")
There was a problem hiding this comment.
Oh, --net=ns: should also disallow DNS options - good catch
There was a problem hiding this comment.
Shouldn't we allow dns with ns:? I'd say it is a valid combination
There was a problem hiding this comment.
ns attempts to grab /etc/resolv.conf and /etc/hosts from a special path... somewhere in /run, I think? On the assumption that 'ip netns create' made the namespace (it also makes resolv.conf and hosts).
it works with |
|
/approve |
|
Alright, given that this works with |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon, QiWang19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
Ok fix the docs to explain what is going on, and then we can merge. |
|
I still think we should fail on --net=none, since resolv.conf makes no sense in this situation. You are basically informing the user that he/she probably made a mistake. |
|
|
|
The doc said build --network supports container, but I didn't see the code? |
|
I view the build thing as a Buildah problem - @TomSweeneyRedHat Mind checking that out to see if things work properly there? |
QiWang19
force-pushed
the
dns_net
branch
2 times, most recently
from
e9df097
to
6ee20fb
Compare
Close containers#3553 This PR makes --dns, --dns-option, --dns-search, and --network not set to host flag mutually exclusive for podman build and create. Returns conflict error if both flags are set. Signed-off-by: Qi Wang <qiwan@redhat.com>
|
@mheon too many PR's and too many comments. What do you think needs to be tested on the Buildah side with this? |
|
@TomSweeneyRedHat The original issue, #3553 - the --dns flags conflicting with --net when net != host |
|
@TomSweeneyRedHat #3553 (comment) |
|
@mheon I played with I remember having a conversation with @nalind about similar behaviour for another option in the build that was ignored until the from/create container command set it. I believe this is expected, but I'll let him correct me. So at this point I think we should go forward with this PR once @QiWang19 finishes up her tests and if we need to circle back and touch up the build functionality we can. |
|
/lgtm |
|
there's no issue with --dns* flag, they take effect during the build and do not change the /etc/resolv.conf in the final container.
|
|
@QiWang19 please do open a Buildah bug on this. I'm not 100% sure it's a bug, but we can always close it if we find out it is not. |
github-actions
bot
added
the
locked - please file new issue/PR
Close #3553
This PR makes --dns and --network flag mutually exclusive for podman build and create. Returns conflict error if both flags are set.
Signed-off-by: Qi Wang qiwan@redhat.com