From 85045406b5b81eed93edea278dfcd976b3445449 Mon Sep 17 00:00:00 2001 From: David Gibson Date: Fri, 19 Jul 2024 10:00:43 +1000 Subject: [PATCH 1/5] test/system: Move test for default forwarder into its own case The "Local forwarder, IPv4" pasta test, amongst other things, checks that podman's default DNS forwarding address - 169.254.0.1 - appears in the container's /etc/resolv.conf. That's not really related to anything else going on in that test (which is about _changing_ that default address). So, move it into its own test case. Signed-off-by: David Gibson --- test/system/505-networking-pasta.bats | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/system/505-networking-pasta.bats b/test/system/505-networking-pasta.bats index f32e3e427d..5d01eb8139 100644 --- a/test/system/505-networking-pasta.bats +++ b/test/system/505-networking-pasta.bats @@ -452,12 +452,16 @@ function pasta_test_do() { "::1 not resolved" } -@test "Local forwarder, IPv4" { +@test "Default nameserver forwarding" { skip_if_no_ipv4 "IPv4 not routable on the host" # pasta is the default now so no need to set it run_podman run --rm $IMAGE grep nameserver /etc/resolv.conf assert "${lines[0]}" == "nameserver 169.254.1.1" "default dns forward server" +} + +@test "Local forwarder, IPv4" { + skip_if_no_ipv4 "IPv4 not routable on the host" run_podman run --rm --net=pasta:--dns-forward,198.51.100.1 \ $IMAGE nslookup 127.0.0.1 || : From 6c79fe292b936bf2a34ee7e5aadd0edce724f62c Mon Sep 17 00:00:00 2001 
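Review bot: The expected value in the new "Default nameserver forwarding" case is `nameserver 169.254.1.1`, but the commit description gives podman's default forwarding address as 169.254.0.1, so a reader cannot tell which of the two is authoritative. Since this case now exists only to pin that default, a short comment above the assert, for example `# 169.254.1.1: default pasta DNS forward address configured by podman`, would say where the literal comes from. The case also keeps `skip_if_no_ipv4` although it only greps /etc/resolv.conf; if podman writes the address regardless of host IPv4 routing, the skip hides a check that could still run, which is worth confirming.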
From: David Gibson Date: Fri, 19 Jul 2024 09:43:56 +1000 Subject: [PATCH 2/5] test/system: Consolidate "External resolver" pasta tests The idea behind the "External resolver" tests is simply to check that we can contact a nameserver, regardless of this configuration. To this end the "IPv4" version looks up 127.0.0.1 which RFC1912[0] suggests should always be resolvable. The IPv6 version instead looks up [::1]. While it makes sense for that to be resolvable in a similar way, there appear to be quite a few nameservers which do not resolve it, making this test flaky. Furthermore the idea behind resolving [::1] is that it should make nslookup prefer to resolve over IPv6. That appears to be very unreliable at best. Since making a different query doesn't actually exercise anything different in pasta, drop the test. The remaining IPv4 test isn't really specific to an "external" resolver, it's simply checking that we can contact some sort of resolver with the default podman configuration. Rename accordingly, and run it regardless of IPv4 connectivity on the host: we can still query a nameserver about an IPv4 address, even if we only have IPv6 connectivity ourselves. [0] https://datatracker.ietf.org/doc/html/rfc1912#section-4.1 Signed-off-by: David Gibson --- test/system/505-networking-pasta.bats | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/test/system/505-networking-pasta.bats b/test/system/505-networking-pasta.bats
index 5d01eb8139..1f46feadd3 100644
--- a/test/system/505-networking-pasta.bats
+++ b/test/system/505-networking-pasta.bats
@@ -434,24 +434,13 @@ function pasta_test_do() { ### DNS ######################################################################## -@test "External resolver, IPv4" { - skip_if_no_ipv4 "IPv4 not routable on the host" - +@test "Basic nameserver lookup" { run_podman '?' run --rm --net=pasta $IMAGE nslookup 127.0.0.1 assert "$output" =~ "1.0.0.127.in-addr.arpa" \ "127.0.0.1 not resolved" } -@test "External resolver, IPv6" { - skip_if_no_ipv6 "IPv6 not routable on the host" - - run_podman '?' run --rm --net=pasta $IMAGE nslookup ::1 - - assert "$output" =~ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" \ - "::1 not resolved" -} - @test "Default nameserver forwarding" { skip_if_no_ipv4 "IPv4 not routable on the host" From 63e286ac553f87ee8116e88be6623e38b0cbda7e Mon Sep 17 00:00:00 2001 
From: David Gibson Date: Fri, 19 Jul 2024 10:28:52 +1000 Subject: [PATCH 3/5] test/system: Simplify testing for nameserver connectivity In both the "Basic nameserver lookup" and "Local forwarder, IPv4" pasta tests, we check whether DNS resolution is working by running "nslookup 127.0.0.1" in the container and checking if 1.0.0.127.in-addr.arpa is in the output. 1.0.0.127.in-addr.arpa isn't the expected result of the resolution though, it's just the DNS name that nslookup will tranlated 127.0.0.1 into. The test mostly works, because nslookup echoes that on successful lookups. However, it could also echo it in certain sorts of failure, so it's not a very reliable test. Furthermore, resolving 127.0.0.1 from a nameserver is a rather strange thing to do. It's done that way because RFC1912[0] suggests it should always resolve, even for nameservers on a disconnected network. But, this doesn't really appear to be true in practice: a number of resolvers return NXDOMAIN. That works by accident because nslookup seems to echo the name above as part of the error message. Change to instead looking up one of the root servers by name. This does now rely on access to the global DNS during tests, but other podman tests attempt to resolve google.com, so that should be ok. One of the root servers is about as close to universal resolvability as it's possible to get [0] https://datatracker.ietf.org/doc/html/rfc1912#section-4.1 Signed-off-by: David Gibson --- test/system/505-networking-pasta.bats | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/test/system/505-networking-pasta.bats b/test/system/505-networking-pasta.bats
index 1f46feadd3..78e4bd59f0 100644
--- a/test/system/505-networking-pasta.bats
+++ b/test/system/505-networking-pasta.bats
@@ -435,10 +435,7 @@ function pasta_test_do() { ### DNS ######################################################################## @test "Basic nameserver lookup" { - run_podman '?' run --rm --net=pasta $IMAGE nslookup 127.0.0.1 - - assert "$output" =~ "1.0.0.127.in-addr.arpa" \ - "127.0.0.1 not resolved" + run_podman run --rm --net=pasta $IMAGE nslookup l.root-servers.net } @test "Default nameserver forwarding" { @@ -453,8 +450,7 @@ function pasta_test_do() { skip_if_no_ipv4 "IPv4 not routable on the host" run_podman run --rm --net=pasta:--dns-forward,198.51.100.1 \ - $IMAGE nslookup 127.0.0.1 || : - assert "$output" =~ "1.0.0.127.in-addr.arpa" "No answer from resolver" + $IMAGE nslookup l.root-servers.net } @test "Local forwarder, IPv6" { From 4919440428c673df68cca280dcdce9cc7a441acd Mon Sep 17 00:00:00 2001 From: David Gibson Date: Fri, 19 Jul 2024 10:46:19 +1000 Subject: [PATCH 4/5] test/system: Clarify "Local forwarder" pasta tests This name for the tests is misleading, since in the default configuration podman will already configure a forwarding addres, which could forward to either another local forwarder or an external nameserver on the host side. What this test is really about is explicitly configuring the pasta DNS forwarding address. Rename accordingly. The IPv4 version of the test doesn't use the podman --dns option, only the pasta --dns-forward option. This exercises the podman behaviour that pasta --dns-forward options are added to /etc/resolv.conf automatically. However there could also be other things in /etc/resolv.conf, so the nslookup might not use the custom forwarding address for the lookup. To fix that, split the test into two parts: one verifying that the custom address is in /etc/resolv.conf and another performing the nslookup with an explicit server address to make sure we exercise the pasta side as well. 
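Review bot: Both rewritten cases, "Basic nameserver lookup" and "Local forwarder, IPv4", now pass or fail on nslookup's exit status alone, because the `assert` on `$output` was removed and nothing replaces it. That is sound only if the nslookup in `$IMAGE` exits non-zero on NXDOMAIN, SERVFAIL and timeouts, which is not visible in this patch and should be confirmed for that build. If it cannot be relied on, keep a positive check on the answer section rather than the echoed query, something like `assert "$output" =~ "Name:.*l\.root-servers\.net" "l.root-servers.net not resolved"`. The new dependency on global DNS also deserves a comment in the file itself, for example `# requires working upstream DNS on the host; fails rather than skips on isolated runners`, since the commit description is not visible to whoever debugs a red CI run.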
Signed-off-by: David Gibson --- test/system/505-networking-pasta.bats | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/test/system/505-networking-pasta.bats b/test/system/505-networking-pasta.bats index 78e4bd59f0..7e112af2ed 100644 --- a/test/system/505-networking-pasta.bats +++ b/test/system/505-networking-pasta.bats @@ -446,20 +446,31 @@ function pasta_test_do() { assert "${lines[0]}" == "nameserver 169.254.1.1" "default dns forward server" } -@test "Local forwarder, IPv4" { +@test "Custom DNS forward address, IPv4" { skip_if_no_ipv4 "IPv4 not routable on the host" - run_podman run --rm --net=pasta:--dns-forward,198.51.100.1 \ - $IMAGE nslookup l.root-servers.net + local addr=198.51.100.1 + + run_podman run --rm --net=pasta:--dns-forward,$addr \ + $IMAGE grep nameserver /etc/resolv.conf + assert "${lines[0]}" == "nameserver $addr" "custom dns forward server" + + run_podman run --rm --net=pasta:--dns-forward,$addr \ + $IMAGE nslookup l.root-servers.net $addr } -@test "Local forwarder, IPv6" { +@test "Custom DNS forward address, IPv6" { skip_if_no_ipv6 "IPv6 not routable on the host" # TODO: Two issues here: skip "Currently unsupported" - # run_podman run --dns 2001:db8::1 \ - # --net=pasta:--dns-forward,2001:db8::1 $IMAGE nslookup ::1 + # local addr=2001:db8::1 + # + # run_podman run --rm --net=pasta:--dns-forward,$addr \ + # $IMAGE grep nameserver /etc/resolv.conf + # assert "${lines[0]}" == "nameserver $addr" "custom dns forward server" + # run_podman run --rm --net=pasta:--dns-forward,$addr \ + # $IMAGE nslookup l.root-servers.net $addr # # 1. With this, Podman writes "nameserver 2001:db8::1" to # /etc/resolv.conf, without zone, and the query originates from ::1. From 2505381551a81101890363be0fd45cdf48996554 Mon Sep 17 00:00:00 2001 
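Review bot: The new `assert "${lines[0]}" == "nameserver $addr"` in "Custom DNS forward address, IPv4" passes only when the custom address is the first `nameserver` line, while the description of this same change says /etc/resolv.conf may contain other entries. If podman does not guarantee that ordering, the case can fail even though the address was written correctly; either record the assumption next to the assert (`# --dns-forward addresses are expected first in resolv.conf`) or match any line with `assert "$output" =~ "nameserver $addr"`. The commented-out IPv6 block repeats the same two steps and would need the same adjustment when it is enabled.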
From: David Gibson Date: Wed, 18 Sep 2024 11:19:47 +1000 Subject: [PATCH 5/5] test/system: Improve TODO comments on IPv6 pasta custom DNS forward test This test is currently disabled due to several issues, only some of which are described in the existing comments. Add some more details to clarify the situation. Signed-off-by: David Gibson --- test/system/505-networking-pasta.bats | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/test/system/505-networking-pasta.bats b/test/system/505-networking-pasta.bats index 7e112af2ed..aa1691a4e7 100644 --- a/test/system/505-networking-pasta.bats +++ b/test/system/505-networking-pasta.bats @@ -462,7 +462,12 @@ function pasta_test_do() { @test "Custom DNS forward address, IPv6" { skip_if_no_ipv6 "IPv6 not routable on the host" - # TODO: Two issues here: + # TODO: In fact, this requires not just IPv6 connectivity on the + # host, but an IPv6 reachable nameserver which is harder to + # test for. We could remove that requirement if pasta could + # forward between IPv4 and IPv6 addresses but as of + # 2024_09_06.6b38f07 that's unsupported. Skip the test for + # now. skip "Currently unsupported" # local addr=2001:db8::1 # @@ -472,6 +477,10 @@ function pasta_test_do() { # run_podman run --rm --net=pasta:--dns-forward,$addr \ # $IMAGE nslookup l.root-servers.net $addr # + # TODO: In addition to the IPv6 nameserver requirement above, + # there seem to be two problems running this test. It's + # unclear if those are in busybox, musl or pasta. + # # 1. With this, Podman writes "nameserver 2001:db8::1" to # /etc/resolv.conf, without zone, and the query originates from ::1. # Passing:
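Review bot: The reason added in the first TODO comment never reaches the test output, because the case still stops at the unchanged `skip "Currently unsupported"`. Carrying the short form of the reason in the skip message, e.g. `skip "needs IPv6-reachable nameserver; pasta cannot forward DNS between IPv4 and IPv6"`, would make skipped runs self-explanatory in CI logs. The comment pins pasta 2024_09_06.6b38f07 as the version checked, so it would help to state what to re-test once a newer pasta is in use. The test body continues past the end of the second hunk.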