
I have just started using CentOS8 + podman as part of a migration from CentOS7 + docker. The issue is the following:

  1. When firewalld is stopped, DNS works fine inside the container:

    [root@dev1 ~]# systemctl stop firewalld
    [root@dev1 ~]# podman run -it alpine ping gmail.com
    PING gmail.com (172.217.161.133): 56 data bytes
    64 bytes from 172.217.161.133: seq=0 ttl=54 time=6.027 ms
    64 bytes from 172.217.161.133: seq=1 ttl=54 time=5.892 ms
    64 bytes from 172.217.161.133: seq=2 ttl=54 time=5.757 ms
    ^C
    --- gmail.com ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 5.757/5.892/6.027 ms
    
  2. But once firewalld is started, DNS stops working inside the container, even though the network itself (ping) works fine:

    [root@dev1 ~]# systemctl start firewalld
    [root@dev1 ~]# podman run -it alpine ping gmail.com
    ping: bad address 'gmail.com'
    [root@dev1 ~]#
    [root@dev1 ~]#
    [root@dev1 ~]# podman run -it alpine ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: seq=0 ttl=54 time=4.536 ms
    64 bytes from 8.8.8.8: seq=1 ttl=54 time=7.059 ms
    64 bytes from 8.8.8.8: seq=2 ttl=54 time=4.924 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 4.536/5.506/7.059 ms
    
  3. DNS works fine in the container when it is launched with the --net=host parameter:

    [root@dev1 ~]# podman run -it --net=host  alpine ping gmail.com
    PING gmail.com (172.217.161.133): 56 data bytes
    64 bytes from 172.217.161.133: seq=0 ttl=55 time=4.981 ms
    64 bytes from 172.217.161.133: seq=1 ttl=55 time=5.445 ms
    64 bytes from 172.217.161.133: seq=2 ttl=55 time=4.635 ms
    ^C
    --- gmail.com ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 4.635/5.020/5.445 ms
    

Any suggestions on how to resolve this issue?

UPDATE: As of 13/Dec/2020 this issue is not reproducible on "CentOS Linux release 8.3.2011".

Michael Hampton
AndrewG10i
  • I have the same problem. For now I solved it by adding the CNI interface created by podman to the trusted zone of firewalld. I know it's a workaround, but I could not find any better solution. – Claudio Venturini Feb 22 '20 at 22:28
  • I have the same problem, but somehow cannot find a working firewall rule to allow traffic. @ClaudioVenturini: can you share the rule you have used to work around this issue? – SWilk Feb 23 '20 at 03:01
  • I simply did this: sudo firewall-cmd --zone=trusted --add-interface=cni-podman0 – Claudio Venturini Feb 23 '20 at 23:20
  • Could it be possible that this was fixed recently? Today I started up a new CentOS8, and all podman containers are able to dns-resolve with firewalld turned on. – Bertl Dec 04 '20 at 16:53
  • Thanks for the comment, just tested on "CentOS Linux release 8.3.2011" and it seems all works well! And some off-topic: went to download the latest CentOS ISO to test this issue and was shocked by this update: https://blog.centos.org/2020/12/future-is-centos-stream/ – AndrewG10i Dec 13 '20 at 05:19
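The workaround from the comments, wrapped so it is only applied when needed, as an added example (not code from the thread). It parses `firewall-cmd --get-active-zones` to find which zone currently holds the podman bridge, adds it to `trusted` (runtime and permanent) only if it is not already there, and then checks name resolution from a throwaway container. The interface name cni-podman0 is the default on the page; the `container_dns_ok` helper and the use of `nslookup` in the alpine image are assumptions. Note that `trusted` accepts all traffic arriving on that interface, so it is a broad allowance for the container bridge.

```shell
#!/bin/sh
# Added example: conditionally apply the firewalld trusted-zone workaround
# for podman's CNI bridge and verify DNS from inside a container.

# Read `firewall-cmd --get-active-zones` output on stdin and print the zone
# that holds interface $1 (prints nothing if the interface is unbound).
# Expected format: zone names at column 1, then indented "interfaces: a b c".
zone_of_iface() {
    awk -v want="$1" '
        /^[^[:space:]]/ { zone = $1; next }
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# Succeed (exit 0) only if the interface on stdin output is in "trusted".
iface_is_trusted() {
    [ "$(zone_of_iface "$1")" = "trusted" ]
}

# Apply the workaround from the comments, runtime and permanent, if missing.
ensure_cni_trusted() {
    iface="${1:-cni-podman0}"   # default CNI bridge name from the thread
    if firewall-cmd --get-active-zones | iface_is_trusted "$iface"; then
        echo "$iface is already in the trusted zone"
    else
        firewall-cmd --zone=trusted --add-interface="$iface"
        firewall-cmd --permanent --zone=trusted --add-interface="$iface"
    fi
}

# Assumed helper: resolve a name from a container on the default network.
container_dns_ok() {
    podman run --rm alpine nslookup "${1:-gmail.com}" >/dev/null 2>&1
}
```

Run `ensure_cni_trusted && container_dns_ok && echo "DNS OK in container"` as root on the host to apply and verify.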
