move network alias validation to container create

Podman 4.0 currently errors when you use network aliases for a network which
has dns disabled. Because the error happens on network setup this can
cause regression for old working containers. The network backend should not
validate this. Instead podman should check this at container create time
and also for network connect.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

1 files changed, 15 insertions, 7 deletions

diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 9a4dbf626..93bfdd54b 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -234,13 +234,6 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
 }
 
 func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Container, retErr error) {
-	// Validate the container
-	if err := ctr.validate(); err != nil {
-		return nil, err
-	}
-	if ctr.config.IsInfra {
-		ctr.config.StopTimeout = 10
-	}
 	// normalize the networks to names
 	// ocicni only knows about cni names so we have to make
 	// sure we do not use ids internally
@@ -265,11 +258,26 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 			if err != nil {
 				return nil, err
 			}
+			network, err := r.network.NetworkInspect(netName)
+			if err != nil {
+				return nil, err
+			}
+			if !network.DNSEnabled {
+				return nil, errors.Wrapf(define.ErrInvalidArg, "cannot set network aliases for network %q because dns is disabled", netName)
+			}
 			netAliases[netName] = aliases
 		}
 		ctr.config.NetworkAliases = netAliases
 	}
 
+	// Validate the container
+	if err := ctr.validate(); err != nil {
+		return nil, err
+	}
+	if ctr.config.IsInfra {
+		ctr.config.StopTimeout = 10
+	}
+
 	// Inhibit shutdown until creation succeeds
 	shutdown.Inhibit()
 	defer shutdown.Uninhibit()