Podman with custom network dns not working #23957
What does "cannot reach the internet" mean? Your error shows a problem resolving a DNS name. Do you actually have no network connectivity, or is just DNS failing?
@Luap99 That is interesting! Let's see: Running in my container with a custom network created through Running inside How is it possible that I can telnet, from inside my container, to port 53... but then dig returns an error??
Ok, thanks for checking. This means that aardvark-dns is not responding on UDP, I would guess. telnet uses TCP, not UDP. You could try to use Can you check that aardvark-dns is running (when you have the container running), and if so please provide the output of
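For context (a general DNS detail, not from this thread): DNS defaults to UDP, and the same message sent over TCP is prefixed with a two-byte length field, which is why a successful TCP connect to port 53 proves nothing about the UDP service. A minimal sketch of the wire format with the Python standard library (the query name and transaction ID are arbitrary examples):

```python
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A-record query (RFC 1035 wire format)."""
    # Header: ID, flags (RD set), 1 question, 0 answer/authority/additional
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed by its length, terminated by a zero byte
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

udp_msg = build_dns_query("www.google.com")          # sent as-is over UDP
tcp_msg = struct.pack(">H", len(udp_msg)) + udp_msg  # TCP framing adds a 2-byte length
```

So a resolver can accept TCP connections yet still fail to answer the (differently framed) UDP datagrams that dig sends by default.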
Additionally: if I attach strace to the running aardvark-dns and its forks, when doing the dig (with either UDP or TCP), I get similar traces:
meaning the request reaches aardvark-dns in both cases, but it seems that aardvark-dns is not able to query the DNS itself?
Do you have any aardvark-dns errors logged in journald? The strace part shows a TCP request, if I read this right. The async epoll API that we are using makes reading the strace a bit harder, but it seems we are trying to connect to upstream servers and then it just removes the fd from the epoll again; I do not see any error logged or any write/read from the socket, which seems very odd. What is the content of
In /etc/resolv.conf I have a bunch of name servers, and inside With the container running, dig www.google.com results in aardvark-dns on the host writing a number of "dns request got empty response" messages to the log.
This is the special DNS forward address we use for pasta, so this address is expected to work there. If it doesn't, it sounds like a pasta bug. If you look in journald, do you see a warning from pasta that it didn't find nameservers? You can also just test from the cli with
Indeed, it fails:
How do the routes look in the container (
The routes seem to be fine:
Please find attached the trace dns.pcap.txt (remove the .txt suffix; it seems GH does not support .pcap):
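As an aside on how the container's routing table can be inspected programmatically rather than via CLI tools: the kernel exposes it in /proc/net/route, with addresses encoded as little-endian hex. A small decoding sketch (the sample line is invented, modeled on a default route via a gateway such as 10.88.0.1 on Podman's usual subnet, not copied from the reporter's container):

```python
import socket
import struct

def decode_proc_route(hex_addr: str) -> str:
    """Decode a /proc/net/route address field (little-endian hex) to dotted quad."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

# Invented sample row: interface, destination, gateway, flags, ...
sample = "eth0\t00000000\t0100580A\t0003\t0\t0\t0\t00000000\t0\t0\t0"
iface, dest, gw = sample.split("\t")[:3]
print(iface, decode_proc_route(dest), decode_proc_route(gw))  # eth0 0.0.0.0 10.88.0.1
```

A destination of 0.0.0.0 marks the default route; the gateway field then tells you where the container sends everything else.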
The request was sent out but a reply never came back. Can you also do a packet capture on the host to see whether pasta makes an actual request to the upstream server there, or whether pasta eats it internally and never forwards it? I wonder if pasta somehow failed to parse resolv.conf for the servers, but in that case it should print this as a warning, like the "multiple default routes" warning. There is also But I guess at this point I have to leave it to @sbrivio-rh and @dgibson (the pasta maintainers) if they have a clue here.
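To make the speculation above concrete: a tool like pasta has to pull the nameserver lines out of resolv.conf before it can forward anything. A rough illustrative sketch of such parsing (the sample content reuses addresses mentioned in this thread plus an invented malformed line; this is not pasta's actual code):

```python
import ipaddress

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Extract valid nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # skip malformed addresses rather than failing outright
    return servers

sample = """\
# generated by the local network manager
nameserver 192.168.178.4
nameserver 2001:b88:1002::10
nameserver not-an-address
"""
print(parse_nameservers(sample))  # ['192.168.178.4', '2001:b88:1002::10']
```

If parsing silently dropped every entry, the forwarder would have no upstream to ask, which is exactly why a "no nameservers found" warning matters.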
@sbrivio-rh @dgibson: I have run the pasta command again with the --debug option. Can you guys give me a hand?
I was looking into this just now. Quick question: is 2001:b88:1002::10 a valid resolver? What happens if you
Same for 192.168.178.4: does it work?
Thank you for your help! Yes, 192.168.178.4 is valid. About the "dig passt.top @2001:b88:1002::10", this also seems to work:
Weird, because when pasta (and not a process running under pasta) tries to contact 192.168.178.4, it gets an error ("No route to host"). That might be an ICMP error, or netfilter (nftables or iptables) blocking it. How do the routes look on the host (not the ones pasta copies)? Any particular firewalling rule pasta could hit?
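One socket detail worth spelling out here (general Linux behavior, not specific to pasta): on a connect()ed UDP socket, incoming ICMP errors are delivered as errno values on a later send or recv, which is how "No route to host" (EHOSTUNREACH) surfaces to an application without any packet coming back. A sketch on loopback, assuming Linux, where the kernel's ICMP port-unreachable shows up as ECONNREFUSED (same mechanism, different ICMP type; the port is picked dynamically):

```python
import socket

# Reserve a UDP port, then close it so nothing is listening there.
probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
probe.bind(("127.0.0.1", 0))
dead_port = probe.getsockname()[1]
probe.close()

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(2)
sock.connect(("127.0.0.1", dead_port))  # connect() pins the peer; errors now propagate
sock.send(b"ping")                      # kernel answers with ICMP port unreachable
try:
    sock.recv(512)
    outcome = "no error"
except ConnectionRefusedError:
    outcome = "ECONNREFUSED"            # the queued ICMP error, raised as a socket error
finally:
    sock.close()
print(outcome)
```

An unconnected socket using sendto() would not see this error, which can explain why one tool observes the failure while another appears to work.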
With respect to the routes on the host, this is how they look:
And about the firewall settings: I do not have any rules in nft that could justify this behavior: nft_rules.txt
Well, I'm deeply baffled. You're able to manually contact the DNS server from the host, but when pasta tries, it gets an ICMP error. We could try to get a packet capture on the host - perhaps that would shed some more light on where the error is originating. In fact, even better would be two different packet captures on the host: one querying the nameserver directly from the host with dig, the second doing a similar query from the container via pasta. Perhaps we'll see some difference that helps explain things.
...or maybe it has something to do with us bind()ing and connect()ing UDP sockets (dig doesn't do that) when two sets of almost-identical routes (metrics, interface, and source differ) are present? I can try and see if it can be reproduced with a dummy interface with similar routes.
Doesn't bind() or doesn't connect()? I'm pretty sure it has to do one of them in order to receive anything at all.
Whoops, sorry, I just assumed. It actually does both:
but it bind()s to 0.0.0.0, port 0, so that's not quite the bind()ing we do.
I think binding to 0.0.0.0:0 is basically a no-op. Which means I think the kernel will implicitly bind the socket at
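The claim above is easy to check from userspace: binding to 0.0.0.0 port 0 fixes only an ephemeral port and leaves the local address unspecified, and the kernel then picks the concrete source address at connect() time. A small sketch (no packets are sent; on UDP, connect() merely pins the peer address):

```python
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(("0.0.0.0", 0))          # the near-no-op bind dig performs
addr, port = sock.getsockname()    # address still wildcard, but port is now fixed
print(addr, port)

sock.connect(("127.0.0.1", 53))    # kernel now resolves a route and source address
addr2, port2 = sock.getsockname()  # local address becomes concrete; port unchanged
print(addr2, port2)
sock.close()
```

So both approaches end up implicitly bound; the difference the discussion circles around is *when* the source address gets pinned relative to route selection.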
Issue Description
Similar to this issue, using run I can reach the internet:
However, if I create the network separately and then use it, I cannot:
returns
Error: authenticating creds for "<registry>": pinging container registry <registry>: Get "https://registry/v2/": dial tcp: lookup <registry>: Temporary failure in name resolution
Steps to reproduce the issue
Describe the results you received
The container cannot reach the internet
Describe the results you expected
The container works with a customized network the same way it works with the default network.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
No response
Additional information
When using the default network (which works), I get an IP address in the address space of the host.