Port exposure not working with bind mounts but works with regular volumes

[MrSSvard]

Hi!
I have a weird behavior that I'm trying to figure out.
I'm setting up Pihole in rootless podman but I'm having issues with timeouts and other errors with exposing ports while using bind mounted folders.

Connecting via the loopback address works fine for both tcp and udp but connecting via the host address (e.g. 192.168.1.53) either from the same machine or from another computer, I get a timeout on udp and an error over tcp.

Both work fine with regular volume though.

Steps to reproduce:

Working setup with regular volumes

podman run --rm -e WEBPASSWORD=123 -p 8153:53/tcp -p 8153:53/udp -p 8180:80 -v etc:/etc/pihole/:Z -v masq:/etc/dnsmasq.d/:Z docker.io/pihole/pihole:latest

dig @127.0.0.1 -p 8153 google.com # works fine
dig @127.0.0.1 -p 8153 +tcp google.com # works fine
dig @192.168.1.53 -p 8153 google.com # works fine
dig @192.168.1.53 -p 8153 +tcp google.com # works fine

Non-working setup with bind mounted volumes

mkdir -p ~/volumes/pihole-etc ~/volumes/pihole-etc-dnsmasq.d
podman run --rm -e WEBPASSWORD=123 -p 8153:53/tcp -p 8153:53/udp -p 8180:80 -v ~/volumes/pihole-etc/:/etc/pihole/:Z -v ~/volumes/pihole-etc-dnsmasq.d/:/etc/dnsmasq.d/:Z docker.io/pihole/pihole:latest

dig @127.0.0.1 -p 8153 google.com # works fine
dig @127.0.0.1 -p 8153 +tcp google.com # works fine
dig @192.168.1.53 -p 8153 google.com # communications error to 192.168.1.53#8153: timed out
dig @192.168.1.53 -p 8153 +tcp google.com # communications error to 192.168.1.53#8153: end of file

---

Files are created in both volume types and they look fine.

About my system:
Fedora Silverblue 40
podman-5.2.2-1.fc40.x86_64
passt-0^20240906.g6b38f07-1.fc40.x86_64

I have stopped firewalld
I ran setenforce 0

I also confirmed the issue on a separate system:
Fedora IoT 40
podman-5.2.2-1.fc40.x86_64
passt-0^20240906.g6b38f07-1.fc40.x86_64

---

Am I misunderstanding something or doing something incorrectly?
If it were a misconfiguration of pihole, I think it would have failed on the loopback interface too.

Any insight is welcome, thanks!

[luckylinux]

Summary

I can observe something Similar (Fedora 40 with all Updates installed as of Today).
There are differences between Volumes and Bind Mounts.

But I CANNOT / DO NOT ALWAYS observe EXACTLY the same behavior.

I have the issue in both cases to be honest ...
I never tried running pihole as a Docker/Podman Container, so I just try to replicate what you did.

Using Loopback Address on the Podman Host:

• dig @127.0.0.1 -p 8153 google.com -> works with VOLUMES and BIND MOUNTS
• dig @127.0.0.1 -p 8153 +tcp google.com -> works with VOLUMES and BIND MOUNTS

Using the "wrong" IP Address that is NOT registered in Container's /etc/hosts:

• dig @192.168.8.13 -p 8153 google.com -> does NOT work with either VOLUMES NOR BIND MOUNTS
• dig @192.168.8.13 -p 8153 +tcp google.com -> works with VOLUMES, does NOT work with BIND MOUNTS

Using the "right" IP Address that IS registered registered in Container's /etc/hosts:

• dig @192.168.13.161 -p 8153 google.com works with VOLUMES, does NOT work with BIND MOUNTS
• dig @192.168.13.161 -p 8153 +tcp google.com -> works with VOLUMES, does NOT work with BIND MOUNTS

Using Volumes

I tried only using :z,rw NOT :Z,rw for Volumes ...

podman@podmanserver13:~$ dig @127.0.0.1 -p 8153 google.com

; <<>> DiG 9.18.28 <<>> @127.0.0.1 -p 8153 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45652
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		206	IN	A	142.250.147.100
google.com.		206	IN	A	142.250.147.139
google.com.		206	IN	A	142.250.147.138
google.com.		206	IN	A	142.250.147.113
google.com.		206	IN	A	142.250.147.102
google.com.		206	IN	A	142.250.147.101

;; Query time: 0 msec
;; SERVER: 127.0.0.1#8153(127.0.0.1) (UDP)
;; WHEN: Fri Sep 13 06:59:53 CEST 2024
;; MSG SIZE  rcvd: 135

podman@podmanserver13:~$ dig @127.0.0.1 -p 8153 +tcp google.com

; <<>> DiG 9.18.28 <<>> @127.0.0.1 -p 8153 +tcp google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13136
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		203	IN	A	142.250.147.101
google.com.		203	IN	A	142.250.147.100
google.com.		203	IN	A	142.250.147.139
google.com.		203	IN	A	142.250.147.138
google.com.		203	IN	A	142.250.147.113
google.com.		203	IN	A	142.250.147.102

;; Query time: 2 msec
;; SERVER: 127.0.0.1#8153(127.0.0.1) (TCP)
;; WHEN: Fri Sep 13 06:59:56 CEST 2024
;; MSG SIZE  rcvd: 135

podman@podmanserver13:~$ dig @192.168.8.13 -p 8153 google.com
;; communications error to 192.168.8.13#8153: timed out
;; communications error to 192.168.8.13#8153: timed out
;; communications error to 192.168.8.13#8153: timed out

; <<>> DiG 9.18.28 <<>> @192.168.8.13 -p 8153 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

podman@podmanserver13:~$ dig @192.168.8.13 -p 8153 +tcp google.com

; <<>> DiG 9.18.28 <<>> @192.168.8.13 -p 8153 +tcp google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17651
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		181	IN	A	142.250.147.138
google.com.		181	IN	A	142.250.147.113
google.com.		181	IN	A	142.250.147.102
google.com.		181	IN	A	142.250.147.101
google.com.		181	IN	A	142.250.147.100
google.com.		181	IN	A	142.250.147.139

;; Query time: 3 msec
;; SERVER: 192.168.8.13#8153(192.168.8.13) (TCP)
;; WHEN: Fri Sep 13 07:00:18 CEST 2024
;; MSG SIZE  rcvd: 135

podman@podmanserver13:~$ podman exec -it naughty_curran /bin/bash
croot@4147f6c7c3e0:/# cat /etc/resolv.conf 
search MYDOMAIN.TLD
nameserver 169.254.0.1
nameserver 2XXX:XXXX:XXXX:1::1:3
nameserver 2XXX:XXXX:XXXX:1::1:4
nameserver 2XXX:XXXX:XXXX:1::1:5
nameserver 192.168.1.3
nameserver 192.168.1.4
nameserver 192.168.1.5
nameserver 2XXX:XXXX:XXXX:1::1:3
nameserver 2XXX:XXXX:XXXX:1::1:4

Funnily enough TCP works in my case using Host Address (192.168.8.13).

Another Note: for whatever reason the Podman Host (Virtual Machine) is getting 2 IPv4 Addresses (1 Static, 1 via DHCP). 192.168.8.13 (Static) and 192.168.13.161 (DHCP).

For poking around I did a

root@4147f6c7c3e0:/# cat /etc/hosts
127.0.0.1	localhost localhost.localdomain localhost4 localhost4.localdomain4
::1	localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.1.1	podmanserver13.MYDOMAIN.TLD podmanserver13
ff02:1	ip6-allnodes
ff02:2	ip6-allrouters
192.168.13.161	4147f6c7c3e0 strange_maxwell
root@4147f6c7c3e0:/# exit 

NOTE that only ONE IP address is pointing to the Container !

Indeed now both UDP and TCP work, if I use the right IP:

podman@podmanserver13:~$ dig @192.168.13.161 -p 8153 google.com

; <<>> DiG 9.18.28 <<>> @192.168.13.161 -p 8153 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64982
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 8d6c8018fcc86b3d0100000066e3c7a16802d7f5001ea31a (good)
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		57	IN	A	142.250.147.113
google.com.		57	IN	A	142.250.147.100
google.com.		57	IN	A	142.250.147.101
google.com.		57	IN	A	142.250.147.102
google.com.		57	IN	A	142.250.147.139
google.com.		57	IN	A	142.250.147.138

;; Query time: 20 msec
;; SERVER: 192.168.13.161#8153(192.168.13.161) (UDP)
;; WHEN: Fri Sep 13 07:03:29 CEST 2024
;; MSG SIZE  rcvd: 163

podman@podmanserver13:~$ dig @192.168.13.161 -p 8153 +tcp google.com

; <<>> DiG 9.18.28 <<>> @192.168.13.161 -p 8153 +tcp google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4907
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		47	IN	A	142.250.147.113
google.com.		47	IN	A	142.250.147.100
google.com.		47	IN	A	142.250.147.101
google.com.		47	IN	A	142.250.147.102
google.com.		47	IN	A	142.250.147.139
google.com.		47	IN	A	142.250.147.138

;; Query time: 3 msec
;; SERVER: 192.168.13.161#8153(192.168.13.161) (TCP)
;; WHEN: Fri Sep 13 07:03:39 CEST 2024
;; MSG SIZE  rcvd: 135

Using Bind Mounts

I tried with both :Z,rw and :z,rw with same Result.

podman run --rm -e WEBPASSWORD=123 -p 8153:53/tcp -p 8153:53/udp -p 8180:80 -v ~/containers/data/pihole/etc:/etc/pihole:z,rw -v ~/containers/data/pihole/dnsmasq.d:/etc/dnsmasq.d:z,rw docker.io/pihole/pihole:latest

Or

podman run --rm -e WEBPASSWORD=123 -p 8153:53/tcp -p 8153:53/udp -p 8180:80 -v ~/containers/data/pihole/etc:/etc/pihole:Z,rw -v ~/containers/data/pihole/dnsmasq.d:/etc/dnsmasq.d:Z,rw docker.io/pihole/pihole:latest

podman@podmanserver13:~$ dig @127.0.0.1 -p 8153 google.com

; <<>> DiG 9.18.28 <<>> @127.0.0.1 -p 8153 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6278
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		192	IN	A	142.250.147.139
google.com.		192	IN	A	142.250.147.102
google.com.		192	IN	A	142.250.147.113
google.com.		192	IN	A	142.250.147.101
google.com.		192	IN	A	142.250.147.138
google.com.		192	IN	A	142.250.147.100

;; Query time: 10 msec
;; SERVER: 127.0.0.1#8153(127.0.0.1) (UDP)
;; WHEN: Fri Sep 13 06:49:12 CEST 2024
;; MSG SIZE  rcvd: 135

podman@podmanserver13:~$ dig @127.0.0.1 -p 8153 +tcp google.com

; <<>> DiG 9.18.28 <<>> @127.0.0.1 -p 8153 +tcp google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25258
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		188	IN	A	142.250.147.139
google.com.		188	IN	A	142.250.147.102
google.com.		188	IN	A	142.250.147.113
google.com.		188	IN	A	142.250.147.101
google.com.		188	IN	A	142.250.147.138
google.com.		188	IN	A	142.250.147.100

;; Query time: 3 msec
;; SERVER: 127.0.0.1#8153(127.0.0.1) (TCP)
;; WHEN: Fri Sep 13 06:49:16 CEST 2024
;; MSG SIZE  rcvd: 135


podman@podmanserver13:~$ dig @192.168.8.13 -p 8153 google.com
;; communications error to 192.168.8.13#8153: timed out
;; communications error to 192.168.8.13#8153: timed out
;; communications error to 192.168.8.13#8153: timed out

; <<>> DiG 9.18.28 <<>> @192.168.8.13 -p 8153 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

podman@podmanserver13:~$ dig @192.168.8.13 -p 8153 +tcp google.com
;; communications error to 192.168.8.13#8153: end of file
;; communications error to 192.168.8.13#8153: end of file
;; communications error to 192.168.8.13#8153: end of file

; <<>> DiG 9.18.28 <<>> @192.168.8.13 -p 8153 +tcp google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

podman@podmanserver13:~$ podman exec -it naughty_curran /bin/bash
root@77d79c84f05f:/# cat /etc/resolv.conf 
search MYDOMAIN.TLD
nameserver 169.254.0.1
nameserver 2XXX:XXXX:XXXX:1::1:3
nameserver 2XXX:XXXX:XXXX:1::1:4
nameserver 2XXX:XXXX:XXXX:1::1:5
nameserver 192.168.1.3
nameserver 192.168.1.4
nameserver 192.168.1.5
nameserver 2XXX:XXXX:XXXX:1::1:3
nameserver 2XXX:XXXX:XXXX:1::1:4

The nameserver 169.254.0.1 looks suspicious. Maybe yet another systemd-resolved related Issue ?

Now I try the same Inspection of /etc/hosts from within the container:

podman@podmanserver13:~$ podman exec -it adoring_wilbur /bin/bash
root@5f7556f6ef0f:/# cat /etc/hosts
127.0.0.1	localhost localhost.localdomain localhost4 localhost4.localdomain4
::1	localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.1.1	podmanserver13.MYDOMAIN.TLD podmanserver13
ff02:1	ip6-allnodes
ff02:2	ip6-allrouters
192.168.13.161	5f7556f6ef0f adoring_wilbur

And doing the dig using the other IP Address:

podman@podmanserver13:~$ dig @192.168.13.161 -p 8153 google.com
;; communications error to 192.168.13.161#8153: timed out
;; communications error to 192.168.13.161#8153: timed out
;; communications error to 192.168.13.161#8153: timed out

; <<>> DiG 9.18.28 <<>> @192.168.13.161 -p 8153 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

podman@podmanserver13:~$ dig @192.168.13.161 -p 8153 +tcp google.com
;; communications error to 192.168.13.161#8153: end of file
;; communications error to 192.168.13.161#8153: end of file
;; communications error to 192.168.13.161#8153: end of file

; <<>> DiG 9.18.28 <<>> @192.168.13.161 -p 8153 +tcp google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

[MrSSvard]

Does your VM have multiple interfaces? I suppose podman is handling them differently.
I only have a single interface on my machine though. This is /etc/hosts in my container:

127.0.0.1	localhost localhost.localdomain localhost4 localhost4.localdomain4
::1	localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.243	01d62db1775c keen_aryabhata

and its /etc/resolv.conf

search <top secret, very important to remove>
nameserver 169.254.0.1
nameserver 192.168.1.100

[luckylinux]

Not intentionally but yeah, between networkmanager on Fedora and dhcpcd Client 's doing it seems like there are always 2 IPv4 Addresses assigned to the SAME Interface.

I also had IPv6 Addresses in the Container.

I was about to post about inspecting the Differences on /etc/dnsmasq.d Configuration Files (for some Reason with Volumes 01-pihole.conf contained server=192.168.1.11 and server=192.168.1.12 [the Real Pihole LXC Container's Address that I use in Production] while with Bind Mounts 01-pihole.conf contained server=192.168.1.4 which is one of the General DNS Servers I use for my Homelab and set in /etc/systemd/resolved.conf on all Systems as well as set via DHCP Server to the DHCP Clients).

That's probably some difference I introduced myself (I cannot let pihole do the default of server=8.8.8.8 because I block DNS Outbound as a general Rule on the OPNSense Router).

In the past there was a bug on Pasta/Passt that @sbrivio-rh helped to Troubleshoot (IPv6 with Local Addresses IIRC), but another thing was that I had an (IPv6) misconfiguration on my main DNS Server which did NOT allow Queries because the Container was in another Subnet from what the BIND Nameserver allowed Queries from. Probably not your case though since you use a Bridge though.

As I mentioned to @sbrivio-rh in IRC, it also seems that on 20240906 for Fedora a new Aardvarkdns and Pasta/Passt were released.

The aardvark-dnsGithub also mentioned something about:

This release fixes a security issue (GHSA-g5jh-57wm-p79m) where tcp connections where not handled correctly which allowed a container to block dns queries for other clients on the same network containers/aardvark-dns#500. Versions before v1.12.0 are unaffected as they do not have tcp support.

Could be interesting to see if previous versions didn't show this Issue.

OR, from within the Container, try if all things work in all directions: last Time I had Issues with OUTBOUND connection, so maybe try curl -4 ifconfig.me (also IPv6 if relevant). Do NOT post the Output, just try to see if it works. That will rule out TCP OUTBOUND on a different port. Try to use dig/nslookup from within the container to your upstream DNS Server and e.g. 8.8.8.8 (if you can). Both UDP and TCP.

I had a quick look at your Packet Capture but I am not an Expert. There seemed to be some DNS Query & DNS Query Answer Messages which I guess are good, but also some out-of-order Packets related to TCP Connections (RST Flag I believe). You'll have to wait until somebody more experienced has a look at it.

Was this the Packet capture with the working or the non-working Config ? Maybe clarify that in the Message where you attached the link to the File.

EDIT 1: You could also simply try an apt update from within the Container and see if that works

[sbrivio-rh]

@MrSSvard could you capture some traffic so that we can understand where those DNS queries end up?

There are basically two ways:

• use the --pcap / -p option of pasta, which will capture container-side traffic as seen by pasta(1). Example: podman run --net=pasta:-p,/tmp/dns.pcap ..., or add that to pasta_options
• tcpdump, inside and outside of the container

If you don't want to share the resulting captures because they contain confidential details, you can use tshark -r /tmp/dns.pcap to get a short text form representation that's easier to edit and share.

[MrSSvard]

Absolutely, it's just a throwaway container anyways.
I started it and then ran these in this order:
dig @192.168.1.243 -p 8153 google.com
dig @192.168.1.243 -p 8153 +tcp google.com
dig @127.0.0.1 -p 8153 +tcp google.com
dig @127.0.0.1 -p 8153 google.com

The MAC address of my interface is 0c:9d:92:c2:c2:16

https://filetransfer.io/data-package/uZ4h3ZJn#link

[sbrivio-rh]

Thanks, I downloaded it, I'll have a look soon.

[sbrivio-rh]

Sorry for the delay, I finally managed to have a look.

Weird, the capture shows the TCP query (I'm checking that one as it's a bit simpler to follow in captures than UDP) in frame #1128, and pasta closes the connection before an answer is sent (frames #1130, #1131). Ignore the out-of-order segment, #1127 and #1128 are swapped (we just found this a while ago and we'll fix that in a bit): the kernel copes with that.

I guess I'll have to reproduce it. It's really not clear why pasta would reset the connection. Maybe this comes from the resolver in the container, I'm not sure.