diff options
| author | baude <bbaude@redhat.com> | 2018-03-02 14:04:00 -0600 |
|---|---|---|
| committer | baude <bbaude@redhat.com> | 2018-03-02 14:24:54 -0600 |
| commit | e4dca05a3133caed4326863cbc66bfe5864c7b98 (patch) | |
| tree | 6cba39e950cf45f2d77e7993818287fcbbfc7ad9 | |
| parent | 11143676fa0d70357cd65127cee53d98afe21a47 (diff) | |
| download | podman-e4dca05a3133caed4326863cbc66bfe5864c7b98.tar.gz podman-e4dca05a3133caed4326863cbc66bfe5864c7b98.tar.bz2 podman-e4dca05a3133caed4326863cbc66bfe5864c7b98.zip | |
allow DNS resolution in containers
Until https://github.com/containernetworking/plugins/pull/75 is merged
upstream, we are using iptables to manually allow DNS resolution in
containers that run bridged mode networking. We also remove the rule
in the networkwork tear down.
Resolves issue: #390
Signed-off-by: baude <bbaude@redhat.com>
| -rw-r--r-- | libpod/networking.go | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/libpod/networking.go b/libpod/networking.go index a508cd7b4..5118b972a 100644 --- a/libpod/networking.go +++ b/libpod/networking.go @@ -7,7 +7,9 @@ import ( "github.com/containernetworking/plugins/pkg/ns" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/pkg/errors" + "github.com/projectatomic/libpod/utils" "github.com/sirupsen/logrus" + "strings" ) // Get an OCICNI network config @@ -54,16 +56,35 @@ func (r *Runtime) createNetNS(ctr *Container) (err error) { resultStruct, err := cnitypes.GetResult(result) if err != nil { - return errors.Wrapf(err, "error parsing result from CBI plugins") + return errors.Wrapf(err, "error parsing result from CNI plugins") } ctr.state.NetNS = ctrNS ctr.state.IPs = resultStruct.IPs ctr.state.Routes = resultStruct.Routes + // We need to temporarily use iptables to allow the container + // to resolve DNS until this issue is fixed upstream. + // https://github.com/containernetworking/plugins/pull/75 + if resultStruct.IPs != nil { + for _, ip := range resultStruct.IPs { + iptablesCmd := iptablesDNS("-I", ip.Address.IP.String()) + logrus.Debug("Running iptables command: ", strings.Join(iptablesCmd, " ")) + _, err := utils.ExecCmd("iptables", iptablesCmd...) + if err != nil { + logrus.Error(err) + } + } + } return nil } +// iptablesDNS accepts an arg (-I|-D) and IP address that generates the +// iptables command to be run +func iptablesDNS(arg, ip string) []string { + return []string{"-t", "filter", arg, "FORWARD", "-s", ip, "!", "-o", ip, "-j", "ACCEPT"} +} + // Join an existing network namespace func joinNetNS(path string) (ns.NetNS, error) { ns, err := ns.GetNS(path) @@ -102,6 +123,19 @@ func (r *Runtime) teardownNetNS(ctr *Container) error { return nil } + // Because we are using iptables to allow the container to resolve DNS + // on per IP address, we also need to try to remove the iptables rule + // on cleanup. Remove when https://github.com/containernetworking/plugins/pull/75 + // is merged. + for _, ip := range ctr.state.IPs { + iptablesCmd := iptablesDNS("-D", ip.Address.IP.String()) + logrus.Debug("Running iptables command: ", strings.Join(iptablesCmd, " ")) + _, err := utils.ExecCmd("iptables", iptablesCmd...) + if err != nil { + logrus.Error(err) + } + } + logrus.Debugf("Tearing down network namespace at %s for container %s", ctr.state.NetNS.Path(), ctr.ID()) podNetwork := getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), ctr.config.PortMappings) |