podman: rootless dns broken

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I can’t use DNS names to communicate with pods.

Steps to reproduce the issue:

  1. nslookup smtp-gateway

Describe the results you received:

Host Journal

aardvark-dns[6156]: 32479 dns request failed: request timed out

Host

$ cat /etc/resolv.conf 
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search online.net

Container

# cat /etc/resolv.conf 
search dns.podman online.net.
nameserver 10.89.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4

Container

root@dyndns:/# nslookup smtp-gateway
Server:		10.89.0.1
Address:	10.89.0.1:53

** server can't find smtp-gateway.dns.podman: NXDOMAIN

** server can't find smtp-gateway.dns.podman: NXDOMAIN

*** Can't find smtp-gateway.online.net.: No answer
*** Can't find smtp-gateway.online.net.: No answer

Describe the results you expected: DNS to IP resolution.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Client:       Podman Engine
Version:      4.3.0
API Version:  4.3.0
Go Version:   go1.19.2
Git Commit:   ad42af94903ce4f3c3cd0693e4e17e4286bf094b-dirty
Built:        Wed Oct 19 23:09:30 2022
OS/Arch:      linux/amd64

Output of podman info:

host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.4-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.4, commit: bd1459a3ffbb13eb552cc9af213e1f56f31ba2ee'
  cpuUtilization:
    idlePercent: 99.7
    systemPercent: 0.04
    userPercent: 0.26
  cpus: 8
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: backupserver
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
  kernel: 5.15.76-1-lts
  linkmode: dynamic
  logDriver: journald
  memFree: 27072786432
  memTotal: 33437605888
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.6-1
    path: /usr/bin/crun
    version: |-
      crun version 1.6
      commit: 18cf2efbb8feb2b2f20e316520e0fd0b6c41ef4d
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.0-1
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 67638333440
  swapTotal: 67645722624
  uptime: 48h 29m 11.00s (Approximately 2.00 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/backupserver/.config/containers/storage.conf
  containerStore:
    number: 10
    paused: 0
    running: 10
    stopped: 0
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /home/backupserver/.local/share/containers/storage
  graphRootAllocated: 1965484457984
  graphRootUsed: 3847544832
  graphStatus:
    Build Version: Btrfs v6.0
    Library Version: "102"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/user/1000/containers
  volumePath: /home/backupserver/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.0
  Built: 1666213770
  BuiltTime: Wed Oct 19 23:09:30 2022
  GitCommit: ad42af94903ce4f3c3cd0693e4e17e4286bf094b-dirty
  GoVersion: go1.19.2
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.0

Package info (e.g. output of rpm -q podman or apt list podman or brew info podman):

podman 4.3.0-1

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

N/A

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 28 (11 by maintainers)

Most upvoted comments

Wait, smtp-gateway is a container/pod name? I overlooked that at first. If that is the case please provide a full reproducer, how are the pods/containers created?

Looks like it is not finding the name in aardvark's db so it tries to resolve the name upstream which then times out. You can check the aardvark db content with cat $XDG_RUNTIME_DIR/containers/networks/aardvark-dns/<netname>
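The check the maintainer suggests above, scripted as an added example (this is not code from the issue or from the podman/netavark projects). It reads the per-network aardvark-dns db file and reports whether a container or pod name is registered on that network, which is the first thing to verify before suspecting upstream forwarding. The db layout assumed here (a header line with the gateway IP, then one line per container with id, IPv4 list, IPv6 list and comma-separated names) is my reading of what netavark writes and is not documented on this page; the network name "podman1", the container ids and the addresses in the sample db are constructed for the offline demonstration.

```shell
#!/bin/sh
# Verify whether aardvark-dns knows a container/pod name on a podman network.
# Assumed db layout (netavark-written, not documented on this page):
#   line 1:   gateway/listen IP(s) of the network, comma-separated
#   then:     <container id> <ipv4 list> <ipv6 list> <name list>
#             lists are comma-separated and may be empty.

# Path of the db file for network $1 under rootless podman. Assumes the
# default XDG_RUNTIME_DIR of /run/user/<uid> when the variable is unset.
aardvark_db_path() {
    printf '%s/containers/networks/aardvark-dns/%s\n' \
        "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$1"
}

# Print the first address registered for NAME ($2) in DBFILE ($1).
# Exit status 0 if the name is present, 1 if aardvark would have to forward
# the query upstream (the "request timed out" case from the journal above).
aardvark_lookup() {
    dbfile=$1
    name=$2
    # Skip the gateway header line; the last field holds the name list.
    tail -n +2 "$dbfile" | awk -v want="$name" '
        NF >= 2 {
            n = split($NF, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] == want) { print $2; found = 1 }
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample db (not real host output) so the check runs offline.
# Two containers on one network; only the second carries the name we want.
make_sample_db() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
10.89.0.1
1f2e3d4c5b6a7980aabbccddeeff00112233445566778899aabbccddeeff0011 10.89.0.2  dyndns,1f2e3d4c5b6a
9988776655443322110000ffeeddccbbaa99887766554433221100ffeeddccbb 10.89.0.3  smtp-gateway,998877665544
EOF
    printf '%s\n' "$f"
}

# Live reproducer for the report (assumed network name; not executed here):
#   podman network create podman1
#   podman run -d --rm --network podman1 --name smtp-gateway alpine sleep 1h
#   podman run --rm --network podman1 alpine nslookup smtp-gateway
#   aardvark_lookup "$(aardvark_db_path podman1)" smtp-gateway
# A name that resolves in nslookup but is absent from the db, or vice versa,
# narrows the fault to aardvark's registration versus the container's resolver.

if [ "${1:-}" = "--demo" ]; then
    db=$(make_sample_db)
    if aardvark_lookup "$db" smtp-gateway; then
        echo "smtp-gateway is registered with aardvark-dns"
    fi
    if ! aardvark_lookup "$db" nonexistent; then
        echo "nonexistent is not registered; the query goes upstream"
    fi
    rm -f "$db"
fi
```

Run it with `--demo` for the offline sample, or source it and call `aardvark_lookup "$(aardvark_db_path <netname>)" <name>` against a live rootless podman host. A name missing from the db means the container was not created on that network with that name (or aardvark was not notified), so fix the network attachment rather than the resolver chain.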