inter-network dns not working (rootless)

[witchent]

Issue Description

Ever since upgrading to podman 5.0 (and subsequent versions) and thus switching to pasta as the default rootless networking tool I cannot look up other container names running on the same network.

My goal is to be able to use container names in my compose files to lookup the other services, but it is way easier to reproduce (see below)

Steps to reproduce the issue

Steps to reproduce the issue

1. Have podman upgraded to at least v5.0, using default container.conf file (and thus pasta)
2. Run podman network create testnetwork
3. In shell 1 run podman run --rm --name=container1 -ti --network=testnetwork docker.io/library/fedora:40
4. In shell 2 run podman run --rm --name=container2 -ti --network=testnetwork docker.io/library/fedora:40
5. Run in shell 2 (running container2) getent ahosts container1

Describe the results you received

I am getting empty output.

Describe the results you expected

The ip of the first container should show up

podman info output

host:
  arch: amd64
  buildahVersion: 1.36.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.12-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: e8896631295ccb0bfdda4284f1751be19b483264'
  cpuUtilization:
    idlePercent: 82.15
    systemPercent: 11.81
    userPercent: 6.04
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 1977
  hostname: arch-server
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 984
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 6.9.8-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 229462016
  memTotal: 8155779072
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: /usr/lib/podman/aardvark-dns is owned by aardvark-dns 1.11.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.11.0
    package: /usr/lib/podman/netavark is owned by netavark 1.11.0-2
    path: /usr/lib/podman/netavark
    version: netavark 1.11.0
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.15-1
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: /usr/bin/pasta is owned by passt 2024_06_24.1ee2eca-1
    version: |
      pasta 2024_06_24.1ee2eca
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.3.1-1
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 6441922560
  swapTotal: 6442446848
  uptime: 0h 13m 56.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/witchent/.config/containers/storage.conf
  containerStore:
    number: 39
    paused: 0
    running: 8
    stopped: 31
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/witchent/.local/share/containers/storage
  graphRootAllocated: 251028910080
  graphRootUsed: 108729716736
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 32
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/witchent/.local/share/containers/storage/volumes
version:
  APIVersion: 5.1.1
  Built: 1717539130
  BuiltTime: Wed Jun  5 00:12:10 2024
  GitCommit: bda6eb03dcbcf12a5b7ae004c1240e38dd056d24-dirty
  GoVersion: go1.22.3
  Os: linux
  OsArch: linux/amd64
  Version: 5.1.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

podman network inspect testnetwork (without the container parts)

          "name": "testnetwork",
          "id": "2298013e0f420e63b3ce5b1eea1129378d48f6264c864641796d984c91dfb57c",
          "driver": "bridge",
          "network_interface": "podman3",
          "created": "2024-07-09T00:17:42.331312785+02:00",
          "subnets": [
               {
                    "subnet": "10.89.1.0/24",
                    "gateway": "10.89.1.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": true,
          "ipam_options": {
               "driver": "host-local"
          },

Additional information

I can ping the ip of the container, so the networking itself works, its just the dns lookup that does not work.
Assigning fixed IPs to the container and just using those IPs work, but that actually creates other problems though and I cannot use this fix.

[Luap99]

I don't see how this would be related to pasta. Aardvark-dns container name resolution will never leave the rootless netns as such no traffic will have to go through pasta in this case.

So maybe the obvious question does external dns work? IT sounds more like aardvark-dns is not working for you. You can check the journal for any aardvark-dns errors.

[witchent]

Thanks for the suggestions already, I think they might help a lot. So from container1:

getent ahosts google.de

142.251.36.195  STREAM google.de
142.251.36.195  DGRAM  
142.251.36.195  RAW    
2a00:1450:4016:809::2003 STREAM 
2a00:1450:4016:809::2003 DGRAM  
2a00:1450:4016:809::2003 RAW   

So yes, external dns seems to work.

journalctl -b0 | grep aardvark-dns

Jul 09 05:32:15 hostname systemd[475]: Started /usr/lib/podman/aardvark-dns --config /run/user/1000/containers/networks/aardvark-dns -p 53 run.
Jul 09 05:32:15 hostname aardvark-dns[690]: No configuration found stopping the sever
Jul 09 05:32:16 hostname systemd[475]: Started /usr/lib/podman/aardvark-dns --config /run/user/1000/containers/networks/aardvark-dns -p 53 run.
Jul 09 05:52:17 hostname aardvark-dns[808]: No configuration found stopping the sever
Jul 09 05:52:21 hostname systemd[475]: Started /usr/lib/podman/aardvark-dns --config /run/user/1000/containers/networks/aardvark-dns -p 53 run.
Jul 09 05:52:26 hostname aardvark-dns[6570]: 3654 dns request got empty response
Jul 09 05:52:26 hostname aardvark-dns[6570]: 20215 dns request got empty response
Jul 09 05:52:26 hostname aardvark-dns[6570]: 32030 dns request got empty response
Jul 09 05:52:26 hostname aardvark-dns[6570]: 24055 dns request got empty response
Jul 09 05:52:28 hostname aardvark-dns[6570]: 3654 dns request got empty response
Jul 09 05:52:28 hostname aardvark-dns[6570]: 20215 dns request got empty response
Jul 09 05:52:28 hostname aardvark-dns[6570]: 24055 dns request got empty response
Jul 09 05:52:28 hostname aardvark-dns[6570]: 32030 dns request got empty response
Jul 09 05:52:31 hostname aardvark-dns[6570]: 20215 dns request got empty response
Jul 09 05:52:31 hostname aardvark-dns[6570]: 3654 dns request got empty response

This does not sound good, even though the errors stop after starting up my compose files. So it might just be expected behavior before starting up the containers.
Anyway, i did ls /run/user/1000/containers/networks/aardvark-dns and got aardvark.pid docker-compose_default

The docker-compose_default indeed lists all my container names and their corresponding ips, but there is no config for the testnetwork, and even the docker-compose network stack does not allow internal dns lookup.

I just tried googling the errors but was not able to find if this is expected behavior or if this is the problem, and if so how to fix it. I will keep on trying to find more about this but if you got any idea please let me know.

[Luap99]

The testnetwork config file will only be there as long as the containers on it are running, when the containers are stopped the config file is deleted and aardvarks-dns stops automatically as it is no longer needed.

[Luap99]

The dns request got empty response errors is not something I see but I am not sure if that is actual a critical error here

[witchent]

You are right, the file is there while I am running the containers and the IPs are indeed correct.
I seem to have found the problem as well while further debugging:

One of my containers is exposing port 53 (pihole) to the host so that the host and everyone else on my local network can use its DNS-resolver, and apparently that blocks aadvark-dns to resolve the inter-container IPs. Interestingly enough it seems like aadvark-dns should listen on another port since containers/netavark#323, but it sure is started on port 53.
I don't understand how it is possible that pihole and aadvark-dns both listen to port 53 at the same time (since no error is thrown and actually as soon as I stop pihole the dns starts resolving), but there you go.

Is this then something I need to ask over at netavark, or is this still a problem with podman? And are there any known workarounds? I am sure I am not the only one running pihole in a container now, am I?

[Luap99]

Duplicate of #23128

There is bind conflict because aardvark-dns runs in our rootless netns while the container ports are bound on the host netns

[Luap99]

Arrdvark-dns runs on port 53 by default you have to configure it in containers.conf to have it run on a different port (see dns_bind_port). However because dns is limited to port 53 we still have to create a firewall rule to redirect the traffic to the new port and I am not sure if this takes higher precedence than the normal port forward rule from your pihole container

[witchent]

Oh how could I miss this issue.. Thank you so very much for giving me the right pointers.
Regarding your suggestion, if I understood you correctly, I would have to point dns_bind_port to an unused port on the host, and then manually create a rule in my host firewall that redirects all traffic to port 53 to this new port? Or could I somehow instruct all containers to use this new port as dns server and aardvark-dns to use local port 53 (or /etc/resolv.conf) for external dns queries?

[Luap99]

then manually create a rule in my host firewall that redirects all traffic to port 53 to this new port

No netavark will create the rule automatically for you. I am just unsure about the ordering between this rule and the DNAT rule for your pihole forward. So it could be that this still does not work if the DNAT to the pihole container is used first.

Also if you change dns_bind_port you must stop all container first so aardvark-dns stops and then start them again, then you should see the new port in the aardvark-dns command line in the journal log.