Skip to content

fix: allow localhost DNS servers when using host network #4653

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zhangyoufu wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: allow localhost DNS servers when using host network #4653

zhangyoufu wants to merge 1 commit into from

Conversation

@zhangyoufu
Copy link

@zhangyoufu zhangyoufu commented Dec 12, 2025
edited
Loading

(This change is vibed by Claude Haiku 4.5, reviewed by human.)

This commit addresses the issue where nerdctl was unconditionally stripping localhost DNS servers from /etc/resolv.conf when containers used --network=host.

Changes made:

  1. Added resolvconf.FilterResolvDNSWithLocalhostOption(), like resolvconf.FilterResolvDNS() but allows controlling whether localhost nameservers are preserved.
  2. Added allowLocalhostDNS parameter to fetchDNSResolverConfig()
  3. Updated hostNetworkManager to use allowLocalhostDNS=true to preserve host DNS
  4. Added comprehensive test coverage for the new functionality

The fix ensures:

  • Host network mode respects host's /etc/resolv.conf including localhost resolvers
  • Isolated networks (bridge, CNI) continue to have fallback Google DNS
  • Backward compatible - all existing behavior unchanged
  • Docker-compatible behavior

Fixes: #4651

@zhangyoufu zhangyoufu changed the title Fix issue #4651: Allow localhost DNS servers when using host network Allow localhost DNS servers when using host network Dec 12, 2025
@zhangyoufu zhangyoufu force-pushed the fix-4651 branch 2 times, most recently from df19f68 to 71836a8 Compare December 15, 2025 08:13
@zhangyoufu zhangyoufu changed the title Allow localhost DNS servers when using host network fix: allow localhost DNS servers when using host network Dec 15, 2025
AkihiroSuda
AkihiroSuda reviewed Dec 15, 2025
View reviewed changes
pkg/resolvconf/resolvconf_linux_test.go Outdated
}

func TestFilterResolvDnsWithLocalhostOption(t *testing.T) {
// Test 1: allowLocalhostDNS=false should strip localhost (original behavior)
Copy link
Member

@AkihiroSuda AkihiroSuda Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These should be subtests? (t.Run)

Copy link
Author

@zhangyoufu zhangyoufu Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

AkihiroSuda
AkihiroSuda reviewed Dec 15, 2025
View reviewed changes
pkg/resolvconf/resolvconf_linux_test.go
Copy link
Member

@AkihiroSuda AkihiroSuda Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have some integration tests too?

nerdctl/cmd/nerdctl/container/container_run_network_linux_test.go

Lines 935 to 978 in 20a3eeb

func TestHostNetworkHostName(t *testing.T) {
nerdtest.Setup()
testCase := &test.Case{
Require: require.Not(require.Windows),
Setup: func(data test.Data, helpers test.Helpers) {
helpers.Custom("cat", "/etc/hostname").Run(&test.Expected{
Output: func(stdout string, t tig.T) {
data.Labels().Set("hostHostname", stdout)
},
})
},
Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
return helpers.Command("run", "--rm",
"--network", "host",
testutil.AlpineImage, "cat", "/etc/hostname")
},
Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
return &test.Expected{
Output: expect.Equals(data.Labels().Get("hostHostname")),
}
},
}
testCase.Run(t)
}
func TestNoneNetworkDnsConfigs(t *testing.T) {
nerdtest.Setup()
testCase := &test.Case{
Require: require.Not(require.Windows),
Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
return helpers.Command("run", "--rm",
"--network", "none",
"--dns", "0.1.2.3", "--dns-search", "example.com", "--dns-option", "timeout:3", "--dns-option", "attempts:5",
testutil.CommonImage, "cat", "/etc/resolv.conf")
},
Expected: test.Expects(0, nil, expect.Contains(
"0.1.2.3",
"example.com",
"attempts:5",
"timeout:3",
)),
}
testCase.Run(t)
}

Copy link
Author

@zhangyoufu zhangyoufu Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have implemented some simple integration tests. I don't think we should modify host /etc/resolv.conf content on-the-fly.

Copy link
Author

@zhangyoufu zhangyoufu Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm investigating CI failure in rootless setup.

@zhangyoufu zhangyoufu force-pushed the fix-4651 branch 2 times, most recently from 5e3e478 to 9c02946 Compare December 15, 2025 14:04
@zhangyoufu
fix: allow localhost DNS servers when using host network
5414499 
This commit addresses the issue where nerdctl was unconditionally
stripping localhost DNS servers from /etc/resolv.conf when container
is using host network.

Fixes: containerd#4651
Signed-off-by: Youfu Zhang <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Should allow localhost DNS servers when using host network

2 participants

@zhangyoufu @AkihiroSuda