-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible to get out of the box (rootful) host-to-container name resolution? #82
Comments
Interesting notion. Just some initial thoughts. With aardvark-dns, we were careful to enforce name lookups based on network connectivity and to not return an answer that the 'asker' about something they should not know about. So what happens here?
|
My understanding is ports on rootless containers are currently only addressable through the host IP, so there'd be no expectation of name resolution when rootless. When rootful, modifying /etc/hosts affects all users, so I'd say DNS host-to-pod name resolution would also be system wide. I have casual knowledge of how name resolution works, but perhaps a --host-dns switch could add the container/pod name to aardvark-dns and then reference that daemon via loopback address in resolv.conf? When I inquired today on Discord, @flouthoc replied they had a "first draft" operational. I'd be curious to hear more about that. |
@lovette I believe the use case you have mentioned is possible to implement from what i can see from my side. There could be some edge-cases but we could think around it, one for sure is which @baude mentioned. I have possible answers for some of them.
I think we can still give this option but its up to the user to make sure that they set and use Anyways I think all this have to be implemented on @lovette But i'd also love to know what is your use-case with this ? Are you trying to implement k8s like |
The bigger problem is that aardvark will not be running if no containers with dns entries are up. So even if you add the server ip to /etc/resolv.conf it will not work when you boot for example until the podman containers are started. This is a problem when systemd-resolved is used on the host because it will skip all servers that are unreachable and not try them again until you restart systemd-resolved. |
@Luap99 I think for systemd-resolvers it works if you recreate the symlink to I don't know if its a good idea for a tool to attempt modifying host's resolver by itself, it would be much easier if Maybe something like
|
We should not expose this in podman. This makes it more complicated with almost no extra benefit. Also we want to change the port from 53 to something different, so in this case it is impossible to use it as system resolver in /etc/resolv.conf. |
Yes in future if we start listening on other port this might be an issue but we could always spawn an extra listener on |
At its most basic, I'd just like to remove the manual act of assigning containers a static IP and adding to (Another approach I've pondered is trying to find a "container just started/stopped" event that I could hook into and have a script munge
It does seem this is more in the realm of aardvark than podman. I don't have a mental map of how podman, netavark and aardvark-dns work together. Any chance there's a writeup somewhere that explains how container networking works under the hood? I don't mind a small bit of DNS configuration. AFAICT, my system isn't running any DNS daemons (systemd-resolved, dnsmasq.) Just whatever NetworkManager is doing.
|
I would like to run Unbound on the host as caching DNS forwarder, to resolve names under some subdomains at a specific resolver, for example resolvers reachable over Wireguard or AnyConnect VPNs. It would be pretty easy to make Unbound forward certain queries to a bridge IP where an instance of Aardvark is listening -- for this to work the only thing currently missing is to be able to make Aardvark authoritative for names in a specific specific subdomain, not unqualified names like it's doing right now. The same is doable with Dnsmasq and I suppose systemd-networkd as well, though I haven't tested it. |
Update: I found out that Aardvark is serving names under the What doesn't work though is that containers can be part of more than one network, and all of these networks are resolved under
In another terminal:
It would help if there also were names like |
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind feature
Description
I'm curious whether the new Podman 4 network stack components can be leveraged to enable (rootful) host-to-container/pod name resolution.
Most of my projects are rootful and single host (and run at boot by systemd), so being able to resolve the name to an IP as soon as the container starts would be so helpful.
I'm dreaming of:
or:
Currently I achieve this by creating a custom network and using
--ip
to assign each pod/container a static IP that I add to/etc/hosts
.Perhaps this functionality is venturing into the world of "service discovery" so I may be asking too much of podman. But since most of my projects are single host and have simple needs, expanding my footprint to include minikube/k3s/etc. feels like overkill.
The text was updated successfully, but these errors were encountered: