libpod: make use of new pasta option from c/common

pasta added a new --map-guest-addr to option that maps a to the actual
host ip. This is exactly what we need for host.containers.internal
entry. So we now make use of this option by default but still have to
keep the exclude fallback because the option is very new and some
users/distros will not have it yet.

This also fixes an issue where the --dns-forward ip were not used when
using the bridge network mode, only useful when not using aardvark-dns
as this used the proper ips there already from the rootless netns
resolv.conf file.

Fixes #19213

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

libpod/container_internal_common.go

@@ -2139,11 +2139,13 @@ func (c *Container) addResolvConf() error {
 		if len(networkNameServers) == 0 || networkBackend != string(types.Netavark) {
 			keepHostServers = true
 		}
-		// first add the nameservers from the networks status
-		nameservers = networkNameServers
-
-		// pasta and slirp4netns have a built in DNS forwarder.
-		nameservers = c.addSpecialDNS(nameservers)
+		if len(networkNameServers) > 0 {
+			// add the nameservers from the networks status
+			nameservers = networkNameServers
+		} else {
+			// pasta and slirp4netns have a built in DNS forwarder.
+			nameservers = c.addSpecialDNS(nameservers)
+		}
 	}
 
 	// Set DNS search domains
@@ -2306,8 +2308,13 @@ func (c *Container) addHosts() error {
 	}
 
 	var exclude []net.IP
+	var preferIP string
 	if c.pastaResult != nil {
 		exclude = c.pastaResult.IPAddresses
+		if len(c.pastaResult.MapGuestAddrIPs) > 0 {
+			// we used --map-guest-addr to setup pasta so prefer this address
+			preferIP = c.pastaResult.MapGuestAddrIPs[0]
+		}
 	} else if c.config.NetMode.IsBridge() {
 		// When running rootless we have to check the rootless netns ip addresses
 		// to not assign a ip that is already used in the rootless netns as it would
@@ -2316,16 +2323,27 @@ func (c *Container) addHosts() error {
 		info, err := c.runtime.network.RootlessNetnsInfo()
 		if err == nil {
 			exclude = info.IPAddresses
+			if len(info.MapGuestIps) > 0 {
+				// we used --map-guest-addr to setup pasta so prefer this address
+				preferIP = info.MapGuestIps[0]
+			}
 		}
 	}
 
+	hostContainersInternalIP := etchosts.GetHostContainersInternalIP(etchosts.HostContainersInternalOptions{
+		Conf:             c.runtime.config,
+		NetStatus:        c.state.NetworkStatus,
+		NetworkInterface: c.runtime.network,
+		Exclude:          exclude,
+		PreferIP:         preferIP,
+	})
+
 	return etchosts.New(&etchosts.Params{
-		BaseFile:     baseHostFile,
-		ExtraHosts:   c.config.HostAdd,
-		ContainerIPs: containerIPsEntries,
-		HostContainersInternalIP: etchosts.GetHostContainersInternalIPExcluding(
-			c.runtime.config, c.state.NetworkStatus, c.runtime.network, exclude),
-		TargetFile: targetFile,
+		BaseFile:                 baseHostFile,
+		ExtraHosts:               c.config.HostAdd,
+		ContainerIPs:             containerIPsEntries,
+		HostContainersInternalIP: hostContainersInternalIP,
+		TargetFile:               targetFile,
 	})
 }
 

libpod/container_internal_linux.go

@@ -617,12 +617,16 @@ func (c *Container) setCgroupsPath(g *generate.Generator) error {
 
 // addSpecialDNS adds special dns servers for slirp4netns and pasta
 func (c *Container) addSpecialDNS(nameservers []string) []string {
-	if c.pastaResult != nil {
+	switch {
+	case c.config.NetMode.IsBridge():
+		info, err := c.runtime.network.RootlessNetnsInfo()
+		if err == nil {
+			nameservers = append(nameservers, info.DnsForwardIps...)
+		}
+	case c.pastaResult != nil:
 		nameservers = append(nameservers, c.pastaResult.DNSForwardIPs...)
-	}
-
-	// slirp4netns has a built in DNS forwarder.
-	if c.config.NetMode.IsSlirp4netns() {
+	case c.config.NetMode.IsSlirp4netns():
+		// slirp4netns has a built in DNS forwarder.
 		slirp4netnsDNS, err := slirp4netns.GetDNS(c.slirp4netnsSubnet)
 		if err != nil {
 			logrus.Warn("Failed to determine Slirp4netns DNS: ", err.Error())

test/system/505-networking-pasta.bats

@@ -455,7 +455,7 @@ function pasta_test_do() {
 
     # pasta is the default now so no need to set it
     run_podman run --rm $IMAGE grep nameserver /etc/resolv.conf
-    assert "${lines[0]}" == "nameserver 169.254.0.1" "default dns forward server"
+    assert "${lines[0]}" == "nameserver 169.254.1.1" "default dns forward server"
 
     run_podman run --rm --net=pasta:--dns-forward,198.51.100.1 \
         $IMAGE nslookup 127.0.0.1 || :
@@ -835,7 +835,9 @@ EOF
         run_podman '?' run --rm --network=$network $IMAGE grep host.containers.internal /etc/hosts
         if [ "$status" -eq 0 ]; then
             assert "$output" !~ "$pasta_ip" "pasta host ip must not be assigned ($network)"
-            assert "$host_ips" =~ "$(cut -f1 <<<$output)" "ip is one of the host ips ($network)"
+            # even more special we use a new --map-guest-addr pasta option and
+            # to map 169.254.1.2 to the host, https://github.com/containers/common/pull/2136
+            assert "$host_ips 169.254.1.2" =~ "$(cut -f1 <<<$output)" "ip is one of the host ips ($network)"
         elif [ "$status" -eq 1 ]; then
             # if only pasta ip then we cannot have a host.containers.internal entry
             # make sure this fact is actually the case
@@ -848,6 +850,6 @@ EOF
     run_podman network rm $netname
 
     first_host_ip=$(head -n 1 <<<"$host_ips")
-    run_podman run --rm --network=pasta:-a,169.254.0.2,-g,169.254.0.1,-n,24 $IMAGE grep host.containers.internal /etc/hosts
-    assert "$output" =~ "^$first_host_ip" "uses host first ip"
+    run_podman run --rm --network=pasta:-a,192.168.0.2,-g,192.168.0.1,-n,24 $IMAGE grep host.containers.internal /etc/hosts
+    assert "$output" =~ "^($first_host_ip|169.254.1.2)" "uses first host ip or special 169.254.1.2 --map-guest-addr"
 }