add support for podman create/run --domainname #15200
Conversation
There was a problem hiding this comment.
I took a quick look at docker and this doe snot match it.
The domain name is added in /etc/hosts and setdomainname()? Looks like they jusy use a sysctl for that: https://github.com/moby/moby/blob/master/daemon/oci_utils.go#L8
Also you are ignoring the compat API value and it must be added to podman container inspect.
|
I think the problem is with the I am not sure how the patch to crun can address it, have you verified it really writes to The correct fix IMO is to address it in the OCI specs and make domainname explicit as the hostname is. The only possible workaround I see is to convert a write to diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
index 5a7531e..4cd39e2 100644
--- a/src/libcrun/linux.c
+++ b/src/libcrun/linux.c
@@ -3255,6 +3255,14 @@ libcrun_set_sysctl (libcrun_container_t *container, libcrun_error_t *err)
if (UNLIKELY (ret < 0))
return ret;
+ if (strcmp (name, "kernel/domainname") == 0)
+ {
+ ret = setdomainname (def->linux->sysctl->values[i], strlen (def->linux->sysctl->values[i]));
+ if (UNLIKELY (ret < 0))
+ return crun_make_error (err, errno, "setdomainname");
+ continue;
+ }
+I am fine to such a workaround if it unblocks you, but I still suggest to 1) verify your patch really does what it is supposed to do 2) propose a fix for the OCI runtime specs. Also no need to block with rootless if it is not currently supported. Just skip the test. |
|
I agree with the OCI spec approach. I've been messing around with the crun hack all day and it doesn't seem to want to cooperate. I'll make a PR for the runtime spec on Monday. |
|
Does this work with Docker? Perhaps only because docker daemon runs as root and running docker in rootless mode this would fail also? |
|
Do we want to add the flag as root-only for now, and enable rootless support once the OCI spec PR merges and support actually lands in crun/runc? |
That sgtm, I haven't pushed the new version with the sysctl. I'll finish that up on Monday then take care of the spec PR |
cdoern
force-pushed
the
domainName
branch
4 times, most recently
from
3b6d21a
to
cb3104a
Compare
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
openshift-merge-robot
added
the
needs-rebase
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
openshift-merge-robot
added
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
test/e2e/run_dns_test.go
Outdated
| @@ -99,6 +99,19 @@ var _ = Describe("Podman run dns", func() { | |||
| Expect(session.OutputToString()).To(ContainSubstring("foobar")) | |||
| }) | |||
|
|
|||
| It("podman run domainname sets /etc/hosts and /proc/sys/kernel/domainname", func() { | |||
| Skip("Waiting for crun release > 1.6") | |||
There was a problem hiding this comment.
crun 1.6 was released some time ago. Where is the test failing?
There was a problem hiding this comment.
ah, let me un-comment that and see if this all works...
|
@giuseppe it seems /proc/sys/kernel/domainname does not get set but /etc/hosts does. Does this mean the domainname is working or not? not sure if the /proc file is meant to be set |
cdoern
force-pushed
the
domainName
branch
5 times, most recently
from
51427a9
to
bac6343
Compare
it sounds like working from Podman but it doesn't look like working from the OCI runtime. To what test are you referring? |
@giuseppe I was checking /proc/sys/kernel/domainname in a test but I am not sure if that file is meant to contain the --domainname. running commands like |
If I run a container I will also see domainname dan within it, which seems wrong, but I can change it |
|
I would expect the /proc/sys/kernel/domainname to show the containers domainname, if this is set. |
ok, then I think this is an issue with crun. Since /etc/hosts seems to be updated and the spec does indeed have the proper domainname entity set, something must be wrong.. though, in crun all of the domainname tests pass. @giuseppe WDYT? |
|
is the correct crun installed? If I pull locally your changes (testing commit c91508b), I see it works: Instead of installing an additional package, let's change the test to print directly |
|
@giuseppe could ci have an old crun version? |
|
yes I think that is the issue. It is using crun-1.6-2.fc36-x86_64 while the support was added in crun 1.7. Let's not block on the CI, just skip the test for now |
domainname functions similarly to --hostname, it sets the value in /etc/hosts to whatever you speficy in conjunction with --hostname. so if you pass --hostname=foo --domainmame=baz.net, /etc/hosts will get the combined entry and /proc/sys/kernel/domainname will get baz.net resolves containers#15102 Signed-off-by: Charlie Doern <cbddoern@gmail.com>
|
@cdoern I think rebasing and unskipping the test is possible now. Do you have time to tackle it? |
The VM image update is still blocked, so there were no updates since November so we are still on crun 1.6.2 at the moment AFAIK. |
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Friendly ping. @cdoern I think we are good to give it another try. |
github-actions
bot
added
the
locked - please file new issue/PR
domainname functions similarly to --hostname, it sets the value in /etc/hosts
to whatever you speficy in conjunction with --hostname. so if you pass
--hostname=foo --domainmame=baz.net, /etc/hosts will get the combined entry and /proc/sys/kernel/domainname will get baz.net via a sysctl.
resolves #15102
Signed-off-by: Charlie Doern cdoern@redhat.com
Does this PR introduce a user-facing change?