Hi everyone,
I’m facing a weird issue which only happens while I’m connected to my corporate VPN, and only from within podman containers. DNS resolution fails.
I open a shell on an ubuntu image:
podman run -it ubuntu bash
Then I run apt-get update, and repos are refreshed just fine.
The relevant DNS configs are:
(container)
root@ef71e8cae5df:/# cat /etc/resolv.conf
nameserver 169.254.0.1
nameserver 109.0.66.10
nameserver 109.0.66.20
nameserver 2a02:842a:8697:5001:b6e2:65ff:fed5:e33
(host)
🐧 andrea 15:53:21 17/04/24 🏠 ✅ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 109.0.66.10
nameserver 109.0.66.20
nameserver 2a02:842a:8697:5001:b6e2:65ff:fed5:e33
(container)
root@ef71e8cae5df:/# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
192.168.1.88 ef71e8cae5df upbeat_feistel -> this is my WiFi adapter's IP address
(host)
🐧 andrea 15:53:24 17/04/24 🏠 ✅ cat /etc/hosts
#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain ipv6-localhost ipv6-loopback
# special IPv6 addresses
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
Now I leave the container, and connect to my corporate VPN.
I create yet again an ubuntu container on the fly and try to refresh repos via apt-get update, as before.
But this time I get:
root@3fb4cf455737:/# apt-get update
Ign:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Err:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Temporary failure resolving 'security.ubuntu.com'
Err:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Temporary failure resolving 'archive.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
The relevant DNS configs are:
(container)
root@3fb4cf455737:/# cat /etc/resolv.conf
search tuiad.net
nameserver 10.85.38.15
nameserver 10.85.39.15
(host)
🐧 andrea 15:33:32 17/04/24 🏠 ✅ cat /etc/resolv.conf
#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# Generated by NetworkManager
nameserver 10.85.38.15
nameserver 10.85.39.15
search tuiad.net
(container)
root@3fb4cf455737:/# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
192.168.1.88 host.containers.internal host.docker.internal
2a02:842a:8697:5001:aeed:f77f:14d3:1596 3fb4cf455737 elated_black
(host)
🐧 andrea 15:57:13 17/04/24 🏠 ✅ cat /etc/hosts
#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain ipv6-localhost ipv6-loopback
# special IPv6 addresses
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
I have also tried with systemctl disable --now firewalld.service, to no avail.
This makes me suspect that the firewall has nothing to do with this, and maybe it’s more of a podman problem…
Any help is greatly appreciated.
Thanks!
EDIT: I also tried sniffing packets with Wireshark (root mode) on all adapters, with this filter dns.qry.name=="archive.ubuntu.com", but while I can see the request/response recorded while not connected to the VPN, as soon as I connect, nothing appears anymore. It’s probably a useless test since the issue is clearly happening even before any request goes out of my network, but still I wanted to point it out.
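A check that narrows down where the query dies, as an added example that is not part of the original post: it reads a resolv.conf, sends one raw UDP DNS query to each listed nameserver with a timeout, and classifies the result, so the same script run on the host and then inside a container shows which resolvers each network namespace can actually reach. It assumes python3 on the host; the container run below uses the public python:3 image as an assumed stand-in for the ubuntu image, which has no python3 or dig by default.

```python
"""Probe each nameserver in a resolv.conf with a raw UDP DNS query (no dig needed).
Run on the host, then inside a container, to see which resolvers each namespace reaches."""
import socket
import struct
import sys

def nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text (comments ignored)."""
    rows = (line.split() for line in resolv_text.splitlines())
    return [p[1] for p in rows if len(p) >= 2 and p[0] == "nameserver"]

def build_query(name, txid=0x1234):
    """Minimal DNS query: header (RD set) + QNAME labels + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count), or None if this is not a reply to our query."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        return None
    return flags & 0x000F, an

def probe(server, name="archive.ubuntu.com", timeout=2.0):
    """Send one query to `server` and classify the outcome as a short string."""
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            res = parse_response(s.recv(512))
        except socket.timeout:
            return "timeout"      # query was sent but nothing came back (dropped or unrouted)
        except OSError as e:
            return f"unreachable ({e.strerror})"  # e.g. no route to the resolver from here
    if res is None:
        return "bad reply"
    rcode, answers = res
    return "ok" if rcode == 0 and answers else f"rcode={rcode}"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as f:
        for ns in nameservers(f.read()):
            print(f"{ns:40} {probe(ns)}")
```

Run it as python3 probe.py on the host while on the VPN, then as podman run --rm -v "$PWD":/w python:3 python /w/probe.py (and once more with --network=host): a resolver that answers on the host but times out or is unreachable from the default container network points at routing between the container namespace and the VPN tunnel rather than at DNS itself.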