Merge pull request #26221 from Luap99/resolv

libpod: don't force only network search domains

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.7.1
 	github.com/containers/buildah v1.40.1-0.20250523151639-b535d02d0ee1
-	github.com/containers/common v0.63.1-0.20250528122446-1a3b5ecec62f
+	github.com/containers/common v0.63.1-0.20250602154905-5a4ca2d5d355
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.8.6
 	github.com/containers/image/v5 v5.35.1-0.20250526152843-c64593da00e4

go.sum

@@ -68,8 +68,8 @@ github.com/containernetworking/plugins v1.7.1 h1:CNAR0jviDj6FS5Vg85NTgKWLDzZPfi/
 github.com/containernetworking/plugins v1.7.1/go.mod h1:xuMdjuio+a1oVQsHKjr/mgzuZ24leAsqUYRnzGoXHy0=
 github.com/containers/buildah v1.40.1-0.20250523151639-b535d02d0ee1 h1:3bNWDmqh9tx0iAXPzBJugj/oC0nTD9yTXCyIu/Mj/LE=
 github.com/containers/buildah v1.40.1-0.20250523151639-b535d02d0ee1/go.mod h1:8BVLrM6nRl/dRMYxZ+TrmoWPXzkCY99rZOYvJoXpIyE=
-github.com/containers/common v0.63.1-0.20250528122446-1a3b5ecec62f h1:308Ex0+3+gBSpDPJrFCQIhALdD8YC7jzaXuxSFZgFiA=
-github.com/containers/common v0.63.1-0.20250528122446-1a3b5ecec62f/go.mod h1:efNRNweihnq5nXALnAPDXTpC7uJtnFV4pNuETTfvI8s=
+github.com/containers/common v0.63.1-0.20250602154905-5a4ca2d5d355 h1:vK7TVpONcQzWHR4dAEnLkLeCrKNB61UhLDpwAXFIIto=
+github.com/containers/common v0.63.1-0.20250602154905-5a4ca2d5d355/go.mod h1:efNRNweihnq5nXALnAPDXTpC7uJtnFV4pNuETTfvI8s=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.8.6 h1:9SeAXK+K2o36CtrgYk6zRXbU3zrayjvkrI8b7/O6u5A=

libpod/container_internal_common.go

@@ -2254,13 +2254,16 @@ func (c *Container) addResolvConf() error {
 	}
 
 	// Set DNS search domains
-	search := networkSearchDomains
-
+	var search []string
+	keepHostSearches := false
 	if len(c.config.DNSSearch) > 0 || len(c.runtime.config.Containers.DNSSearches.Get()) > 0 {
 		customSearch := make([]string, 0, len(c.config.DNSSearch)+len(c.runtime.config.Containers.DNSSearches.Get()))
 		customSearch = append(customSearch, c.runtime.config.Containers.DNSSearches.Get()...)
 		customSearch = append(customSearch, c.config.DNSSearch...)
 		search = customSearch
+	} else {
+		search = networkSearchDomains
+		keepHostSearches = true
 	}
 
 	options := make([]string, 0, len(c.config.DNSOption)+len(c.runtime.config.Containers.DNSOptions.Get()))
@@ -2275,6 +2278,7 @@ func (c *Container) addResolvConf() error {
 	if err := resolvconf.New(&resolvconf.Params{
 		IPv6Enabled:      ipv6,
 		KeepHostServers:  keepHostServers,
+		KeepHostSearches: keepHostSearches,
 		Nameservers:      nameservers,
 		Namespaces:       namespaces,
 		Options:          options,

test/e2e/run_networking_test.go

@@ -1152,24 +1152,27 @@ EXPOSE 2004-2005/tcp`, ALPINE)
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 
-		session = podmanTest.Podman([]string{"run", "--name", "con1", "--network", net, CITEST_IMAGE, "nslookup", "con1"})
+		// Note apline nslookup tries to resolve all search domains always and returns an error if one does not resolve.
+		// Because we leak all host search domain into the container we have no control over if it resolves or not.
+		// Thus use "NAME." to indicate the name is full and no search domain should be tried.
+		session = podmanTest.Podman([]string{"run", "--name", "con1", "--network", net, CITEST_IMAGE, "nslookup", "con1."})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 
-		session = podmanTest.Podman([]string{"run", "--name", "con2", "--pod", pod, "--network", net, CITEST_IMAGE, "nslookup", "con2"})
+		session = podmanTest.Podman([]string{"run", "--name", "con2", "--pod", pod, "--network", net, CITEST_IMAGE, "nslookup", "con2."})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 
-		session = podmanTest.Podman([]string{"run", "--name", "con3", "--pod", pod2, CITEST_IMAGE, "nslookup", "con1"})
+		session = podmanTest.Podman([]string{"run", "--name", "con3", "--pod", pod2, CITEST_IMAGE, "nslookup", "con1."})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitWithError(1, ""))
-		Expect(session.OutputToString()).To(ContainSubstring("server can't find con1.dns.podman: NXDOMAIN"))
+		Expect(session.OutputToString()).To(ContainSubstring("NXDOMAIN"))
 
 		session = podmanTest.Podman([]string{"run", "--name", "con4", "--network", net, CITEST_IMAGE, "nslookup", pod2 + ".dns.podman"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 
-		session = podmanTest.Podman([]string{"run", "--network", net, CITEST_IMAGE, "nslookup", hostname})
+		session = podmanTest.Podman([]string{"run", "--network", net, CITEST_IMAGE, "nslookup", hostname + "."})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 	})

test/system/500-networking.bats

@@ -902,11 +902,21 @@ EOF
 @test "podman network rm --dns-option " {
     dns_opt=dns$(random_string)
     run_podman run --rm --dns-opt=${dns_opt} $IMAGE cat /etc/resolv.conf
-    is "$output" ".*options ${dns_opt}" "--dns-opt was added"
+    # Note that we must fully replace all host option so make a match for line start/end as well
+    # https://github.com/containers/podman/issues/22399
+    assert "$output" =~ ".*^options ${dns_opt}\$" "--dns-opt was added"
 
     dns_opt=dns$(random_string)
     run_podman run --rm --dns-option=${dns_opt} $IMAGE cat /etc/resolv.conf
-    is "$output" ".*options ${dns_opt}" "--dns-option was added"
+    assert "$output" =~ ".*^options ${dns_opt}\$" "--dns-option was added"
+
+    # now check with a custom network as well
+    local net=net-$(safename)
+    run_podman network create $net
+    run_podman run --rm --network $net --dns-option=${dns_opt} $IMAGE cat /etc/resolv.conf
+    assert "$output" =~ ".*^options ${dns_opt}\$" "--dns-option was added with custom network"
+
+    run_podman network rm -f $net
 }
 
 # bats test_tags=ci:parallel

vendor/github.com/containers/common/libnetwork/resolvconf/resolv.go

@@ -30,17 +30,28 @@ type Params struct {
 	// IPv6Enabled will filter ipv6 nameservers when not set to true.
 	IPv6Enabled bool
 	// KeepHostServers can be set when it is required to still keep the
-	// original resolv.conf content even when custom Nameserver/Searches/Options
+	// original resolv.conf nameservers even when explicit Nameservers
 	// are set. In this case they will be appended to the given values.
 	KeepHostServers bool
+	// KeepHostSearches can be set when it is required to still keep the
+	// original resolv.conf search domains even when explicit search domains
+	// are set in Searches.
+	KeepHostSearches bool
+	// KeepHostOptions can be set when it is required to still keep the
+	// original resolv.conf options even when explicit options are set in
+	// Options.
+	KeepHostOptions bool
 	// Nameservers is a list of nameservers the container should use,
-	// instead of the default ones from the host.
+	// instead of the default ones from the host. Set KeepHostServers
+	// in order to also keep the hosts resolv.conf nameservers.
 	Nameservers []string
 	// Searches is a list of dns search domains the container should use,
-	// instead of the default ones from the host.
+	// instead of the default ones from the host. Set KeepHostSearches
+	// in order to also keep the hosts resolv.conf search domains.
 	Searches []string
 	// Options is a list of dns options the container should use,
-	// instead of the default ones from the host.
+	// instead of the default ones from the host. Set KeepHostOptions
+	// in order to also keep the hosts resolv.conf options.
 	Options []string
 
 	// resolvConfPath is the path which should be used as base to get the dns
@@ -121,7 +132,8 @@ func unsetSearchDomainsIfNeeded(searches []string) []string {
 // New creates a new resolv.conf file with the given params.
 func New(params *Params) error {
 	// short path, if everything is given there is no need to actually read the hosts /etc/resolv.conf
-	if len(params.Nameservers) > 0 && len(params.Options) > 0 && len(params.Searches) > 0 && !params.KeepHostServers {
+	if len(params.Nameservers) > 0 && len(params.Options) > 0 && len(params.Searches) > 0 &&
+		!params.KeepHostServers && !params.KeepHostOptions && !params.KeepHostSearches {
 		return build(params.Path, params.Nameservers, unsetSearchDomainsIfNeeded(params.Searches), params.Options)
 	}
 
@@ -140,12 +152,12 @@ func New(params *Params) error {
 	searches := unsetSearchDomainsIfNeeded(params.Searches)
 	// if no params.Searches then use host ones
 	// otherwise make sure that they were no explicitly unset before adding host ones
-	if len(params.Searches) == 0 || (params.KeepHostServers && len(searches) > 0) {
+	if len(params.Searches) == 0 || (params.KeepHostSearches && len(searches) > 0) {
 		searches = append(searches, getSearchDomains(content)...)
 	}
 
 	options := params.Options
-	if len(options) == 0 || params.KeepHostServers {
+	if len(options) == 0 || params.KeepHostOptions {
 		options = append(options, getOptions(content)...)
 	}
 

vendor/modules.txt

@@ -142,7 +142,7 @@ github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/pkg/volumes
 github.com/containers/buildah/util
-# github.com/containers/common v0.63.1-0.20250528122446-1a3b5ecec62f
+# github.com/containers/common v0.63.1-0.20250602154905-5a4ca2d5d355
 ## explicit; go 1.23.3
 github.com/containers/common/internal
 github.com/containers/common/internal/attributedstring