diff options
| author | Matthew Heon <matthew.heon@gmail.com> | 2018-03-02 15:29:16 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-03-02 15:29:16 -0500 |
| commit | 3a9977083dff3ed9f8f2c1cd7f3fa353492c5885 (patch) | |
| tree | 5fd9706df6fcbdff26515c6144f172d0c1a513e9 | |
| parent | 497190db1b6c0101225f9abbf3d249fd06bf4e4c (diff) | |
| parent | e4dca05a3133caed4326863cbc66bfe5864c7b98 (diff) | |
| download | podman-3a9977083dff3ed9f8f2c1cd7f3fa353492c5885.tar.gz podman-3a9977083dff3ed9f8f2c1cd7f3fa353492c5885.tar.bz2 podman-3a9977083dff3ed9f8f2c1cd7f3fa353492c5885.zip | |
Merge pull request #443 from baude/iptablesdns
allow DNS resolution in containers
| -rw-r--r-- | libpod/networking.go | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/libpod/networking.go b/libpod/networking.go index a508cd7b4..5118b972a 100644 --- a/libpod/networking.go +++ b/libpod/networking.go @@ -7,7 +7,9 @@ import ( "github.com/containernetworking/plugins/pkg/ns" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/pkg/errors" + "github.com/projectatomic/libpod/utils" "github.com/sirupsen/logrus" + "strings" ) // Get an OCICNI network config @@ -54,16 +56,35 @@ func (r *Runtime) createNetNS(ctr *Container) (err error) { resultStruct, err := cnitypes.GetResult(result) if err != nil { - return errors.Wrapf(err, "error parsing result from CBI plugins") + return errors.Wrapf(err, "error parsing result from CNI plugins") } ctr.state.NetNS = ctrNS ctr.state.IPs = resultStruct.IPs ctr.state.Routes = resultStruct.Routes + // We need to temporarily use iptables to allow the container + // to resolve DNS until this issue is fixed upstream. + // https://github.com/containernetworking/plugins/pull/75 + if resultStruct.IPs != nil { + for _, ip := range resultStruct.IPs { + iptablesCmd := iptablesDNS("-I", ip.Address.IP.String()) + logrus.Debug("Running iptables command: ", strings.Join(iptablesCmd, " ")) + _, err := utils.ExecCmd("iptables", iptablesCmd...) + if err != nil { + logrus.Error(err) + } + } + } return nil } +// iptablesDNS accepts an arg (-I|-D) and IP address that generates the +// iptables command to be run +func iptablesDNS(arg, ip string) []string { + return []string{"-t", "filter", arg, "FORWARD", "-s", ip, "!", "-o", ip, "-j", "ACCEPT"} +} + // Join an existing network namespace func joinNetNS(path string) (ns.NetNS, error) { ns, err := ns.GetNS(path) @@ -102,6 +123,19 @@ func (r *Runtime) teardownNetNS(ctr *Container) error { return nil } + // Because we are using iptables to allow the container to resolve DNS + // on per IP address, we also need to try to remove the iptables rule + // on cleanup. Remove when https://github.com/containernetworking/plugins/pull/75 + // is merged. + for _, ip := range ctr.state.IPs { + iptablesCmd := iptablesDNS("-D", ip.Address.IP.String()) + logrus.Debug("Running iptables command: ", strings.Join(iptablesCmd, " ")) + _, err := utils.ExecCmd("iptables", iptablesCmd...) + if err != nil { + logrus.Error(err) + } + } + logrus.Debugf("Tearing down network namespace at %s for container %s", ctr.state.NetNS.Path(), ctr.ID()) podNetwork := getPodNetwork(ctr.ID(), ctr.Name(), ctr.state.NetNS.Path(), ctr.config.PortMappings) |