-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pasta: figure out how to deal with /etc/{hosts,resolv.conf} entries #19213
Comments
@Luap99 a couple of background queries to help me understand the problem better.
|
I think my concern was (still is) that a container must never have access to processes listing on 127.0.0.1 on the host ns, at least by default. That decision requires user opt in (i.e. allow_host_loopback=true for slirp4netns). As I understand in pasta by default the gateway ip is mapped to localhost on the host so it bypasses that guarantee. If you could map it to the actual host ip then I would not have any problems with it because this one can be accessed by all the other network modes as well. But then keep in mind that means we can no longer connect to the actual network gw and at least on common home network setups the home router will set itself as dns server which means a lot of users would be hit by this problem.
Exactly that is the problem, for rootful we just assume With pasta we have the unique advantage that we only loose a single ip with is much better and I love that. Certainly we could just define a specific ip and I assume we could set |
Your understanding is correct, so, yes, that constraint absolutely rules out
So, we want to allow that, but it's harder than it sounds. There are, alas, some assumptions about where things are mapped that influences how the port tracking stuff in the UDP code works. Sorting that out is definitely planned, but it's not that easy.
Right.
In the short to medium term, my inclination here would be to allocate a fake DNS server from the 10.88.0.0/16 range, and pass that to the
Well... it depends what "reserved" means, exactly. Obviously The link local range, |
A friendly reminder that this issue had no activity for 30 days. |
@Luap99 Any update on this? |
No |
A friendly reminder that this issue had no activity for 30 days. |
@mheon @dgibson @sbrivio-rh I lost track of this one. I think we need to take look here again and figure out how to fix this is the best optimal way.
This is still a issue, today we already lookup the pasta ip by checking the interface inside the netns so one easy thing to do would be to keep looking for another ip on the host if it is the same as the one pasta uses. However this only works if a system has more than one non localhost ip address which may not be common. Keep in mind that we pass --no-map-gw to pasta so using the gw address is not possible, and even if we would like to use it it is not suitable for us as it remaps to localhost on the host which we consider insecure and as such is a non starter. I am not sure were the passt/pasta work on this but I think you were talking about working on some form of generic ip remapping. So maybe this is something we could implement today? It is totally fine if podman needs to pass a new option. And then if we can do that, we could reuse it if the nameserver is the host ip because then podman could just write the ip we used to remap to the containers resolv.conf and it should just work. The alternative of course is that podman could pass --address,--gateway with the old slirp4netns addresses to force NAT but I don't think this is what any of us want. |
Can
This is still work in progress, I think we're quite far from having options that could be used now, unless @dgibson sees a way to do that. |
This option only handles dns remapping so it does not to fix the generic
So it is certainly an option to fix some of the problems, however it has the same problem in that it maps to 127.0.0.1 so it will not in the case were the host ip is used as nameserver and only listens on that ip (e.g. eth0) but not on localhost. |
I have to admit it confuses me as well. It might be a side effect of commit bad252687271 ("conf, udp: Allow any loopback address to be used as resolver"). I need to look into this a bit further.
...is this case actually a thing? I've never seen systemd-resolved or dnsmasq binding to a specific address or interface. |
Yeah not for systemd/dnsmasq when used as local resolvers. However one place where I have done this is running a dns server in podman. So I put my eth0 ip in resolv.conf as I want to use it also from within all my other containers and podman has to skip localhost resolvers. Now I could bind all addresses (0.0.0.0) but there is a catch with that as well. Podman uses aardvark-dns which by default listens on the bridge ip on port 53 to offer name resolution for container names. So this would fail if there is already a dns sever running on 0.0.0.0. Just saying this because technically you ignore the nameserver ip in this specific case and remap it to 127.0.0.1 which I find weird. |
Both
The gw mapping option is I'm intending to make this NAT special case more flexible, allowing the user (podman in this case) to choose some arbitrary address which can be mapped to the host, or even several different addresses which can be mapped to different host addresses. However, implementing this sanely has a fair bit of prerequisite work. I'm gradually getting there, but it's a pretty long road. |
Doesn't aardvark-dns resolve
I think this works because if
We can also pass another address, not 127.0.0.1, with the If this works, would there be any remaining issue? |
aardvark-dns is not in the picture here, we do not use it for
That means we will read resolv.conf on our side? Seems kinda silly considering that pasta already does that. |
Yeah that does sound useful to me for to map to the actual host. We would need to choose some arbitrary address inside the netns but this shouldn't be a problem. |
Hmm, yes, right.
Okay, so I can prepare a patch for pasta that avoids the warning in that case. Then we need to pass another option in Podman. Should I try to make that change as well? (I'd rather leave it to you or somebody else at the moment, if possible) |
I can do that. |
This reverts commit 92784a2. I plan on using --dns-forward now so we do not want to disable dns by default, see [1]. [1] containers/podman#19213
This reverts commit 92784a2. I plan on using --dns-forward now so we do not want to disable dns by default, see [1]. [1] containers/podman#19213 Signed-off-by: Paul Holzinger <[email protected]>
This reverts commit 92784a2. I plan on using --dns-forward now so we do not want to disable dns by default, see [1]. [1] containers/podman#19213 Signed-off-by: Paul Holzinger <[email protected]>
This reverts commit 92784a2. I plan on using --dns-forward now so we do not want to disable dns by default, see [1]. [1] containers/podman#19213 Signed-off-by: Paul Holzinger <[email protected]>
This reverts commit 92784a2. I plan on using --dns-forward now so we do not want to disable dns by default, see [1]. [1] containers/podman#19213 Signed-off-by: Paul Holzinger <[email protected]>
Both pasta and slirp4netns need to deal with the fact that we can't allocate "real" IP addresses. pasta has chosen a different approach here, which we think is better in more cases, but it's an unavoidable tradeoff, so there are some situations where pasta's approach causes trouble. slirp's approach is to NAT the guest/container - it sees a private (usually pasta instead chooses not to NAT; the container sees the IP from which its packets will appear on the outside - (one of) the host's IPs. This both simplifies the logic and avoids the problems above. The downside is that since it share's the host IP, there's no easy way for those to communicate with each other. Standlone pasta, by default, implements a special case NAT to handle that case, but it's rather limited and involves some other tradeoffs. podman disables that by default (you can re-enable it with |
Setting Defaulting to pasta without taking in consideration this, seems not only a breaking change but a full remove of a feature |
That was not intentional, see #19213 (comment), and now the fix is work in progress, see also #22653. |
pasta 2024_08_21 added a new --map-guest-addr option that we can set by default with some fixed address and then make podman add the corresponding hosts entry for host.containers.internal which should make that work in all cases now just on hosts with more than one ip address. I didn't had a chance to test this yet but I assume it "just works" I will try to work on that next week. That however leaves one question open how do we want to deal with backwards compatibility with older pasta versions. If we pass this option by default users with older pasta versions will break. So we would have an hard requirement on this pasta version. While I would like to say distros/users need to provide the right versions it will make things like bisection much harder so I think the -help check makes the most sense. I know this is what we do with slirp4netns as well. |
Can we do an optimistic version of it, so that we don't make things slower in the general case? That is, try with the new option. If pasta exits with 1 (possibly with |
Yes good idea |
The --map-guest-addr option allows us to sepcify a ip that is remapped to the actual host ip that was used by pasta. This is done to fix the problem where connecting to the host ip was not possible as the same ip was used in the netns. We now set --map-guest-addr 169.254.0.2 which follows the same idea we already used for the --dns-forward option. With that podman can use this ip to set it for host.containers.internal which should the case where there was no second host ip available, see containers/podman#19213 Signed-off-by: Paul Holzinger <[email protected]>
One other issue is that when |
@akostadinov , I don't think that quite makes sense. |
The --map-guest-addr option allows us to sepcify a ip that is remapped to the actual host ip that was used by pasta. This is done to fix the problem where connecting to the host ip was not possible as the same ip was used in the netns. We now set --map-guest-addr 169.254.1.2 which follows the same idea we already used for the --dns-forward option. With that podman can use this ip to set it for host.containers.internal which should the case where there was no second host ip available, see containers/podman#19213 Signed-off-by: Paul Holzinger <[email protected]>
Thank you, @dgibson , As a user I desire things to just work oob and when they don't, I expect to see some useful error/warning messages and better documentation how to achieve certain outcomes. I think better documentation is needed around
In docker world This paragraph in the issue description is not valid anymore:
Specifically my opinion is that, whatever is decided as a behavior, |
which is why we are going to use --map-guest-addr by default in podman #23791 then all containers using pasta, pasta network mode or rootless bridge mode (custom networks) will make use of it so this juts works out of the box after this.
That would be a major change, the fact is that likely 99+% of users will never care about this host entry nor need the connection to the host so throwing a warning by default will cause much more confusing to those users.
That is already the case for rootful bridge networks we use the bridge ip but of course that only make sense as root because the rootless bridge ip isn't actually on the host (#22943 (comment)).
It already sets this entry to any host ip |
[1] podman-5.2.2-1.fc40.x86_64 |
Right,
Sure. We only just implemented the new options in pasta, so the documentation hasn't yet been added to podman. @Luap99 is better place to answer when that might happen.
That's a policy discussion only the podman people can address (I'm a pasta dev, not a podman dev). I was just repeating my understanding of why
@Luap99 has draft patches which address this using the new |
The solution is to switch back to slirp4netns until the pasta resolves the issue. # https://bbs.archlinux.org/viewtopic.php?id=296042 # containers/podman#19213
pasta added a new --map-guest-addr to option that maps a to the actual host ip. This is exactly what we need for host.containers.internal entry. So we now make use of this option by default but still have to keep the exclude fallback because the option is very new and some users/distros will not have it yet. This also fixes an issue where the --dns-forward ip were not used when using the bridge network mode, only useful when not using aardvark-dns as this used the proper ips there already from the rootless netns resolv.conf file. Fixes containers#19213 Signed-off-by: Paul Holzinger <[email protected]>
There are some basic problem with our hosts and resolv.conf handling when we the pasta network mode is used.
For resolv.conf unless custom dns servers are specified via config or cli then podman will read your hosts resolv.conf and add entries to the containers resolv.conf, except that we filter out localhost addresses because they will not be reachable from within the container netns.
Because pasta by default uses no NAT and reuses the host this causes the side effect that the host ip in the host netns is not reachable as well. This means that if you by default have you host ip in resolv.conf then podman adds an entry that is actually not reachable. This is a bad user experience so we should figure out how to best handle this.
This also gets more complicated depending on what pasta options the users specifies (--map-gw, --address, --gateway). They all will result in some NAT for the container and may make certain addresses unavailable.
For /etc/hosts it is not as problematic but there is still the
host.containers.internal
entry which should point to the host ip. Right now this is just the first non localhost ip we find. By default this will be very often the same ip used by pasta so then again you would not actually reach the host but stay in the container netns. Many application usehost.containers.internal
to connect to services running on the host so with pasta this will not work. Again this may also be impacted by the pasta option --address.We need to figure out what pasta options effect this behavior and how to deal with that accordingly. This is something we should address before making pasta the default as this has a high change of causing regressions if we do not deal with it correctly.
The text was updated successfully, but these errors were encountered: