I am trying to give one container in a deployment the option to reach the host loopback IP. However, doing that on a container level will break the way other containers can be reached.
The basic setup:
```shell
podman pod create --name "mypod"
podman run -d \
  --pod mypod \
  --name "nginx" \
  --restart "on-failure" \
  docker.io/library/nginx:1.19
podman run -it \
  --pod mypod \
  --name "curler" \
  docker.io/library/alpine:3.11 sh -c "apk add curl; curl nginx"
```
Here I get the expected HTML result from nginx:
```html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
However, when I add the allow_host_loopback option to a container within the pod, suddenly the host cannot be resolved by curl:
```shell
podman pod create --name "mypod"
podman run -d \
  --pod mypod \
  --net slirp4netns:allow_host_loopback=true \
  --name "nginx" \
  --restart "on-failure" \
  docker.io/library/nginx:1.19
podman run \
  --pod mypod \
  --name "curler" \
  docker.io/library/alpine:3.11 sh -c "apk add curl; curl nginx"
```
```
curl: (6) Could not resolve host: nginx
```
When adding the allow_host_loopback option to the pod, the DNS name can again be resolved:
```shell
podman pod create \
  --name mypod \
  --net slirp4netns:allow_host_loopback=true
podman run -d \
  --pod mypod \
  --name "nginx" \
  --restart "on-failure" \
  docker.io/library/nginx:1.19
podman run \
  --pod mypod \
  --name "curler" \
  docker.io/library/alpine:3.11 sh -c "apk add curl; curl nginx"
```
```html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
Output of podman version:
```
Version:      3.1.2
API Version:  3.1.2
Go Version:   go1.15.2
Built:        Thu Jan 1 01:00:00 1970
OS/Arch:      linux/amd64
```
What changes in the second case with the network so it can't resolve the DNS names? Is there a way to allow one container to reach the loopback, but not all?
The question was answered in a GitHub issue, see here: https://github.com/containers/podman/issues/10988
The behaviour is expected. When you use a pod all containers share the network namespace and can communicate via the loopback interface. When you add --net slirp4netns to a container it will overwrite the default pod network namespace and create a new network namespace with slirp4netns for this container. Therefore it can no longer access the other containers via 127.0.0.1.
This behaviour is also outlined in the documentation: https://github.com/containers/podman/blob/main/docs/source/markdown/podman-create.1.md#--networkmode---net
If used together with --pod, the container will not join the pod's network namespace.
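A diagnostic script, added here and not part of the question or the answer, that checks the namespace point the answer makes: it compares a container's network namespace with the one the pod's infra container holds. It assumes podman is installed, the container and pod are running, the caller is the user that started them (so `/proc/<pid>/ns/net` is readable), and that `podman pod inspect --format` exposes `InfraContainerID`.

```shell
#!/bin/sh
# Added diagnostic (not from the question or the answer): show whether a
# podman container really shares its pod's network namespace, or was moved
# into its own one by a per-container --net option.

# Map a container name or ID to its network-namespace identity,
# e.g. "net:[4026532421]", by reading the /proc ns link of its main process.
container_netns() {
  pid=$(podman inspect -f '{{.State.Pid}}' "$1") || return 1
  # A stopped container (like "curler" once curl has exited) reports pid 0.
  [ "$pid" -gt 0 ] 2>/dev/null || return 1
  readlink "/proc/$pid/ns/net"
}

# Identity of the pod's own namespace, taken from its infra container.
# Assumption: podman pod inspect exposes InfraContainerID via --format.
pod_netns() {
  infra=$(podman pod inspect -f '{{.InfraContainerID}}' "$1") || return 1
  container_netns "$infra"
}

# Pure string comparison, kept separate from podman so it can be checked
# offline: two identities count as shared only if both are non-empty and equal.
same_netns_id() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Report whether container $1 sits in pod $2's network namespace.
# Exit 0 when it does, 1 when it is separate (e.g. after --net slirp4netns).
check_in_pod_netns() {
  c=$(container_netns "$1") || { echo "cannot inspect container $1" >&2; return 2; }
  p=$(pod_netns "$2")       || { echo "cannot inspect pod $2" >&2; return 2; }
  if same_netns_id "$c" "$p"; then
    echo "$1 shares pod $2 namespace $c: pod-mates reach it via 127.0.0.1"
  else
    echo "$1 is in $c, pod $2 uses $p: separate namespace, pod-local names and loopback do not cross"
    return 1
  fi
}

# Usage: ./check_netns.sh nginx mypod
if [ "$#" -eq 2 ]; then
  check_in_pod_netns "$1" "$2"
fi
```

Run it against the second setup from the question and the nginx container reports a different namespace than the pod, which is why `curl nginx` from the curler container fails there.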