Merge pull request #14062 from Luap99/resolv.conf
libpod: host netns keep same /etc/resolv.conf
This commit is contained in:
		
						commit
						2e75cb72ca
					
				|  | @ -2123,15 +2123,9 @@ func (c *Container) makeBindMounts() error { | |||
| 			} | ||||
| 		} else { | ||||
| 			if !c.config.UseImageResolvConf { | ||||
| 				newResolv, err := c.generateResolvConf() | ||||
| 				if err != nil { | ||||
| 				if err := c.generateResolvConf(); err != nil { | ||||
| 					return errors.Wrapf(err, "error creating resolv.conf for container %s", c.ID()) | ||||
| 				} | ||||
| 				err = c.mountIntoRootDirs("/etc/resolv.conf", newResolv) | ||||
| 
 | ||||
| 				if err != nil { | ||||
| 					return errors.Wrapf(err, "error assigning mounts to container %s", c.ID()) | ||||
| 				} | ||||
| 			} | ||||
| 
 | ||||
| 			if !c.config.UseImageHosts { | ||||
|  | @ -2288,23 +2282,25 @@ rootless=%d | |||
| } | ||||
| 
 | ||||
| // generateResolvConf generates a containers resolv.conf
 | ||||
| func (c *Container) generateResolvConf() (string, error) { | ||||
| func (c *Container) generateResolvConf() error { | ||||
| 	var ( | ||||
| 		nameservers          []string | ||||
| 		networkNameServers   []string | ||||
| 		networkSearchDomains []string | ||||
| 	) | ||||
| 
 | ||||
| 	hostns := true | ||||
| 	resolvConf := "/etc/resolv.conf" | ||||
| 	for _, namespace := range c.config.Spec.Linux.Namespaces { | ||||
| 		if namespace.Type == spec.NetworkNamespace { | ||||
| 			hostns = false | ||||
| 			if namespace.Path != "" && !strings.HasPrefix(namespace.Path, "/proc/") { | ||||
| 				definedPath := filepath.Join("/etc/netns", filepath.Base(namespace.Path), "resolv.conf") | ||||
| 				_, err := os.Stat(definedPath) | ||||
| 				if err == nil { | ||||
| 					resolvConf = definedPath | ||||
| 				} else if !os.IsNotExist(err) { | ||||
| 					return "", err | ||||
| 					return err | ||||
| 				} | ||||
| 			} | ||||
| 			break | ||||
|  | @ -2314,17 +2310,17 @@ func (c *Container) generateResolvConf() (string, error) { | |||
| 	contents, err := ioutil.ReadFile(resolvConf) | ||||
| 	// resolv.conf doesn't have to exists
 | ||||
| 	if err != nil && !os.IsNotExist(err) { | ||||
| 		return "", err | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	ns := resolvconf.GetNameservers(contents) | ||||
| 	// check if systemd-resolved is used, assume it is used when 127.0.0.53 is the only nameserver
 | ||||
| 	if len(ns) == 1 && ns[0] == "127.0.0.53" { | ||||
| 	if !hostns && len(ns) == 1 && ns[0] == "127.0.0.53" { | ||||
| 		// read the actual resolv.conf file for systemd-resolved
 | ||||
| 		resolvedContents, err := ioutil.ReadFile("/run/systemd/resolve/resolv.conf") | ||||
| 		if err != nil { | ||||
| 			if !os.IsNotExist(err) { | ||||
| 				return "", errors.Wrapf(err, "detected that systemd-resolved is in use, but could not locate real resolv.conf") | ||||
| 				return errors.Wrapf(err, "detected that systemd-resolved is in use, but could not locate real resolv.conf") | ||||
| 			} | ||||
| 		} else { | ||||
| 			contents = resolvedContents | ||||
|  | @ -2347,21 +2343,21 @@ func (c *Container) generateResolvConf() (string, error) { | |||
| 
 | ||||
| 	ipv6, err := c.checkForIPv6(netStatus) | ||||
| 	if err != nil { | ||||
| 		return "", err | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	// Ensure that the container's /etc/resolv.conf is compatible with its
 | ||||
| 	// network configuration.
 | ||||
| 	resolv, err := resolvconf.FilterResolvDNS(contents, ipv6, c.config.CreateNetNS) | ||||
| 	resolv, err := resolvconf.FilterResolvDNS(contents, ipv6, !hostns) | ||||
| 	if err != nil { | ||||
| 		return "", errors.Wrapf(err, "error parsing host resolv.conf") | ||||
| 		return errors.Wrapf(err, "error parsing host resolv.conf") | ||||
| 	} | ||||
| 
 | ||||
| 	dns := make([]net.IP, 0, len(c.runtime.config.Containers.DNSServers)+len(c.config.DNSServer)) | ||||
| 	for _, i := range c.runtime.config.Containers.DNSServers { | ||||
| 		result := net.ParseIP(i) | ||||
| 		if result == nil { | ||||
| 			return "", errors.Wrapf(define.ErrInvalidArg, "invalid IP address %s", i) | ||||
| 			return errors.Wrapf(define.ErrInvalidArg, "invalid IP address %s", i) | ||||
| 		} | ||||
| 		dns = append(dns, result) | ||||
| 	} | ||||
|  | @ -2412,20 +2408,15 @@ func (c *Container) generateResolvConf() (string, error) { | |||
| 	destPath := filepath.Join(c.state.RunDir, "resolv.conf") | ||||
| 
 | ||||
| 	if err := os.Remove(destPath); err != nil && !os.IsNotExist(err) { | ||||
| 		return "", errors.Wrapf(err, "container %s", c.ID()) | ||||
| 		return errors.Wrapf(err, "container %s", c.ID()) | ||||
| 	} | ||||
| 
 | ||||
| 	// Build resolv.conf
 | ||||
| 	if _, err = resolvconf.Build(destPath, nameservers, search, options); err != nil { | ||||
| 		return "", errors.Wrapf(err, "error building resolv.conf for container %s", c.ID()) | ||||
| 		return errors.Wrapf(err, "error building resolv.conf for container %s", c.ID()) | ||||
| 	} | ||||
| 
 | ||||
| 	// Relabel resolv.conf for the container
 | ||||
| 	if err := c.relabel(destPath, c.config.MountLabel, true); err != nil { | ||||
| 		return "", err | ||||
| 	} | ||||
| 
 | ||||
| 	return destPath, nil | ||||
| 	return c.bindMountRootFile(destPath, "/etc/resolv.conf") | ||||
| } | ||||
| 
 | ||||
| // Check if a container uses IPv6.
 | ||||
|  | @ -2600,17 +2591,21 @@ func (c *Container) createHosts() error { | |||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	if err := os.Chown(targetFile, c.RootUID(), c.RootGID()); err != nil { | ||||
| 	return c.bindMountRootFile(targetFile, config.DefaultHostsFile) | ||||
| } | ||||
| 
 | ||||
| // bindMountRootFile will chown and relabel the source file to make it usable in the container.
 | ||||
| // It will also add the path to the container bind mount map.
 | ||||
| // source is the path on the host, dest is the path in the container.
 | ||||
| func (c *Container) bindMountRootFile(source, dest string) error { | ||||
| 	if err := os.Chown(source, c.RootUID(), c.RootGID()); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	if err := label.Relabel(targetFile, c.MountLabel(), false); err != nil { | ||||
| 	if err := label.Relabel(source, c.MountLabel(), false); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 
 | ||||
| 	if err = c.mountIntoRootDirs(config.DefaultHostsFile, targetFile); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	return nil | ||||
| 	return c.mountIntoRootDirs(dest, source) | ||||
| } | ||||
| 
 | ||||
| // generateGroupEntry generates an entry or entries into /etc/group as
 | ||||
|  |  | |||
|  | @ -656,6 +656,15 @@ EOF | |||
|     run_podman run --network $netname --rm $IMAGE cat /etc/resolv.conf | ||||
|     is "$output" "search dns.podman.*" "correct search domain" | ||||
|     is "$output" ".*nameserver $subnet.1.*" "integrated dns nameserver is set" | ||||
| 
 | ||||
|     # host network should keep localhost nameservers | ||||
|     if grep 127.0.0. /etc/resolv.conf >/dev/null; then | ||||
|         run_podman run --network host --rm $IMAGE cat /etc/resolv.conf | ||||
|         is "$output" ".*nameserver 127\.0\.0.*" "resolv.conf contains localhost nameserver" | ||||
|     fi | ||||
|     # host net + dns still works | ||||
|     run_podman run --network host --dns 1.1.1.1 --rm $IMAGE cat /etc/resolv.conf | ||||
|     is "$output" ".*nameserver 1\.1\.1\.1.*" "resolv.conf contains 1.1.1.1 nameserver" | ||||
| } | ||||
| 
 | ||||
| @test "podman run port forward range" { | ||||
|  | @ -723,4 +732,19 @@ EOF | |||
|     is "${#lines[@]}" "5" "expect 5 host entries in /etc/hosts" | ||||
| } | ||||
| 
 | ||||
| @test "podman run /etc/* permissions" { | ||||
|     userns="--userns=keep-id" | ||||
|     if ! is_rootless; then | ||||
|         userns="--uidmap=0:1111111:65536 --gidmap=0:1111111:65536" | ||||
|     fi | ||||
|     # check with and without userns | ||||
|     for userns in "" "$userns"; do | ||||
|         # check the /etc/hosts /etc/hostname /etc/resolv.conf are owned by root | ||||
|         run_podman run $userns --rm $IMAGE stat -c %u:%g /etc/hosts /etc/resolv.conf /etc/hostname | ||||
|         is "${lines[0]}" "0\:0" "/etc/hosts owned by root" | ||||
|         is "${lines[1]}" "0\:0" "/etc/resolv.conf owned by root" | ||||
|         is "${lines[2]}" "0\:0" "/etc/hosts owned by root" | ||||
|     done | ||||
| } | ||||
| 
 | ||||
| # vim: filetype=sh | ||||
|  |  | |||
		Loading…
	
		Reference in New Issue