libnetwork/pasta: set --dns-forward as default

By default set 169.254.0.1 as nameserver in the container, right now we
do not do special dns handling which means if a user has only localhost
resolver or the same nameserver ip as the host ip used by pasta then dns
will most likely fail.

pasta allows us to remap one ipv4 for dns which will then automatically
get remapped to the host dns server from resolv.conf. For that we must
use --dns-forward, now the choice of which ip is arbitrary but using the
local link address 169.254.0.1 is unlikely to be used so it should avoid
conflicts.

Also return the ip in the result together with a ipv6 bool so that
podman can create a correct resolv.conf with that ip for the container.

Signed-off-by: Paul Holzinger <[email protected]>

libnetwork/pasta/pasta_linux.go

@@ -19,10 +19,19 @@ import (
 
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/containers/common/libnetwork/types"
+	"github.com/containers/common/libnetwork/util"
 	"github.com/containers/common/pkg/config"
 	"github.com/sirupsen/logrus"
 )
 
+const (
+	dnsForwardOpt = "--dns-forward"
+
+	// dnsForwardIpv4 static ip used as nameserver address inside the netns,
+	// given this is a "link local" ip it should be very unlikely that it causes conflicts
+	dnsForwardIpv4 = "169.254.0.1"
+)
+
 type SetupOptions struct {
 	// Config used to get pasta options and binary path via HelperBinariesDir
 	Config *config.Config
@@ -91,6 +100,7 @@ func Setup2(opts *SetupOptions) (*SetupResult, error) {
 	// then append the ones that were set on the cli
 	cmdArgs = append(cmdArgs, opts.ExtraOptions...)
 
+	var dnsForwardIPs []string
 	for i, opt := range cmdArgs {
 		switch opt {
 		case "-t", "--tcp-ports":
@@ -105,9 +115,20 @@ func Setup2(opts *SetupOptions) (*SetupResult, error) {
 			NoMapGW = false
 			// not an actual pasta(1) option
 			cmdArgs = append(cmdArgs[:i], cmdArgs[i+1:]...)
+		case dnsForwardOpt:
+			// if there is no arg after it pasta will likely error out anyway due invalid cli args
+			if len(cmdArgs) > i+1 {
+				dnsForwardIPs = append(dnsForwardIPs, cmdArgs[i+1])
+			}
 		}
 	}
 
+	if len(dnsForwardIPs) == 0 {
+		// the user did not request custom --dns-forward so add our own.
+		cmdArgs = append(cmdArgs, dnsForwardOpt, dnsForwardIpv4)
+		dnsForwardIPs = append(dnsForwardIPs, dnsForwardIpv4)
+	}
+
 	if NoTCPInitPorts {
 		cmdArgs = append(cmdArgs, "-t", "none")
 	}
@@ -148,6 +169,7 @@ func Setup2(opts *SetupOptions) (*SetupResult, error) {
 		logrus.Infof("pasta logged warnings: %q", string(out))
 	}
 
+	var ipv4, ipv6 bool
 	result := &SetupResult{}
 	err = ns.WithNetNSPath(opts.Netns, func(_ ns.NetNS) error {
 		addrs, err := net.InterfaceAddrs()
@@ -158,12 +180,28 @@ func Setup2(opts *SetupOptions) (*SetupResult, error) {
 			// make sure to skip localhost and other special addresses
 			if ipnet, ok := addr.(*net.IPNet); ok && ipnet.IP.IsGlobalUnicast() {
 				result.IPAddresses = append(result.IPAddresses, ipnet.IP)
+				if !ipv4 && util.IsIPv4(ipnet.IP) {
+					ipv4 = true
+				}
+				if !ipv6 && util.IsIPv6(ipnet.IP) {
+					ipv6 = true
+				}
 			}
 		}
 		return nil
 	})
 	if err != nil {
 		return nil, err
 	}
+
+	result.IPv6 = ipv6
+	for _, ip := range dnsForwardIPs {
+		ipp := net.ParseIP(ip)
+		// add the namesever ip only if the address family matches
+		if ipv4 && util.IsIPv4(ipp) || ipv6 && util.IsIPv6(ipp) {
+			result.DNSForwardIPs = append(result.DNSForwardIPs, ip)
+		}
+	}
+
 	return result, nil
 }

libnetwork/pasta/types.go

@@ -7,4 +7,9 @@ const BinaryName = "pasta"
 type SetupResult struct {
 	// IpAddresses configured by pasta
 	IPAddresses []net.IP
+	// DNSForwardIP is the ip used in --dns-forward, it should be added as first
+	// entry to resolv.conf in the container.
+	DNSForwardIPs []string
+	// IPv6 says whenever pasta run with ipv6 support
+	IPv6 bool
 }