
Custom DNS server ignored with user namespace #16060

Closed
peterpramb opened this issue Oct 5, 2022 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. network Networking related issue or feature

Comments

@peterpramb

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

When running a rootful container/pod with user namespace, any provided custom DNS server is ignored and always overwritten when attaching to a CNI network with dnsname enabled. Without user namespace the provided DNS server is correctly entered in /etc/resolv.conf.

Steps to reproduce the issue:

  1. Ensure that containernetworking-plugins and podman-plugins are installed.

  2. /etc/containers/containers.conf:

     [network]
     network_backend = "cni"

  3. podman network create testnet

  4. Verify that testnet has DNS support.

  5. podman run -it --rm --name testcon --dns=1.2.3.4 --uidmap=0:100000:65536 --gidmap=0:100000:65536 --network=testnet docker.io/wbitt/network-multitool /bin/bash

Describe the results you received:

/etc/resolv.conf:

search host.domain
nameserver 10.89.0.1

Describe the results you expected:

/etc/resolv.conf:

search host.domain
nameserver 1.2.3.4

Additional information you deem important (e.g. issue happens only occasionally):

Maybe related: #5256

Output of podman version:

Client:       Podman Engine
Version:      4.1.1
API Version:  4.1.1
Go Version:   go1.17.12
Built:        Tue Aug  9 18:43:56 2022
OS/Arch:      linux/amd64

Output of podman info:

host:
  arch: amd64
  buildahVersion: 1.26.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.2-2.el9_0.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.2, commit: c22a156d8b67bfc2959fafd1ae718134423045ab'
  cpuUtilization:
    idlePercent: 99.64
    systemPercent: 0.18
    userPercent: 0.17
  cpus: 3
  distribution:
    distribution: '"rocky"'
    version: "9.0"
  eventLogger: journald
  hostname: some.host
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-70.26.1.el9_0.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2460413952
  memTotal: 3870121984
  networkBackend: cni
  ociRuntime:
    name: crun
    package: crun-1.4.5-2.el9_0.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.5
      commit: c381048530aa750495cf502ddb7181f2ded5b400
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-2.el9_0.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 0
  swapTotal: 0
  uptime: 45h 36m 27.05s (Approximately 1.88 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /data/podman/storage
  graphRootAllocated: 21447573504
  graphRootUsed: 781901824
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /data/podman/storage/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  volumePath: /data/podman/volumes
version:
  APIVersion: 4.1.1
  Built: 1660063436
  BuiltTime: Tue Aug  9 18:43:56 2022
  GitCommit: ""
  GoVersion: go1.17.12
  Os: linux
  OsArch: linux/amd64
  Version: 4.1.1

Package info (e.g. output of rpm -q podman or apt list podman or brew info podman):

container-selinux-2.188.0-1.el9_0.noarch
containers-common-1-36.el9_0.x86_64
containernetworking-plugins-1.0.1-3.el9.x86_64
podman-4.1.1-1.el9_0.x86_64
podman-catatonit-4.1.1-1.el9_0.x86_64
podman-gvproxy-4.1.1-1.el9_0.x86_64
podman-plugins-4.1.1-1.el9_0.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

No/Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Cloud VM running Rocky Linux 9.0 (Blue Onyx).

@baude
Member

baude commented Oct 5, 2022

@Luap99 @mheon is this a situation where we only fixed this in nv/av because CNI?

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 5, 2022
@Luap99
Member

Luap99 commented Oct 5, 2022

No, this will likely affect netavark as well; the resolv.conf code is the same on the podman side.

@Luap99
Member

Luap99 commented Oct 5, 2022

@peterpramb Can you test this with podman v4.2.1 please. I remember working on this not so long ago.

@Luap99 Luap99 added the network Networking related issue or feature label Oct 5, 2022
@Luap99
Member

Luap99 commented Oct 5, 2022

Yeah looks like my work went into v4.2 (#14220), I think this is already fixed.

@Luap99 Luap99 closed this as completed Oct 5, 2022
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 13, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 13, 2023