Hello Paul,
Thanks for the answers, that helps a lot - I haven't really used
containers in more than 5 years and that space evolves quickly, so I
wasn't sure if I was missing something!
On 05/08/2024 19:28, Paul Holzinger wrote:
>> - there is no warning message when aardvark-dns can't start because
>> the port is already taken by the host (that would have made the issue
>> very obvious)
> I fixed this very recently in netavark/aardvark-dns v1.12.0, so this is
> already fixed.
Great news, thank you!
>> - internal networks don't generate DNAT rules when dns_port is set to
>> anything other than 53 ; containers can access the DNS resolver on the
>> non-standard port just fine and have /etc/resolv.conf configured to
>> the correct IP, but the resolv.conf mechanism cannot (to my knowledge)
>> use a different port and thus DNS fails in practice
> Correct, this is a problem, please file a bug on the netavark repo about
> it. This is similar to
> https://github.com/containers/podman/issues/22807. Right now internal
> networks do nothing with the host firewall; I think we must reevaluate
> that design decision.
Created:
https://github.com/containers/netavark/issues/1051
>> The last part sounds weird to me, is that the expected behavior or is
>> it maybe another misconfiguration on my part?
> This is expected with our current design, see my point above how we do
> nothing with the firewall in the internal case, thus no port DNAT rules
> are added as well.
> However note that this will actually work when running rootless podman
> today as it uses a user space forwarder.
Good to know, even if for the moment I'm mostly using rootful.
In general I felt that the "Basic networking" document was both too
detailed and not detailed enough when I tried to understand all this.
Would you welcome suggestions/attempts at creating small PRs for the
documentation, or is that something that's best done by the dev team?
What's the best location, the podman repo?
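As an added practitioner check (not code from netavark, aardvark-dns, podman or either participant in this thread), the script below reproduces the two failure modes discussed above on the host side: it reads the nameserver addresses a container would get from resolv.conf, notes that the resolv.conf format has no way to name a port (so any dns_port other than 53 is unreachable through it), and tries to bind the chosen UDP port on each address to find out whether something on the host already holds it, which is the silent aardvark-dns startup failure. The resolv.conf text, the 127.0.0.1 address and the port values are constructed for the example; on a real host you would pass the network's gateway address and its dns_port.

```python
import errno
import socket
from typing import Dict, List


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the addresses named by 'nameserver' lines in resolv.conf text.

    The directive takes an address only: there is no port field, which is
    why a resolver listening on anything other than 53 cannot be reached
    through this file by the stub resolver.
    """
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def udp_bind_status(address: str, port: int) -> str:
    """Try to bind a UDP socket to address:port and classify the outcome.

    Binding without SO_REUSEADDR fails with EADDRINUSE when another process
    (for example a host resolver on port 53) already owns the port. That is
    the condition under which aardvark-dns could not start. EADDRNOTAVAIL
    means the address is not configured on this host, and EACCES/EPERM means
    a privileged port was tried without the needed capability.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((address, port))
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        if exc.errno == errno.EADDRNOTAVAIL:
            return "not-local"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "permission-denied"
        return "error:" + (exc.strerror or str(exc.errno))
    finally:
        sock.close()


def occupy_udp_port(address: str, port: int = 0) -> socket.socket:
    """Hold a UDP port the way a host resolver would, to reproduce the clash.

    Returns the bound socket; close it to release the port. port=0 lets the
    kernel pick a free one, which the caller reads back with getsockname().
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((address, port))
    return sock


def dns_reachability_report(resolv_conf: str, dns_port: int) -> Dict[str, object]:
    """Combine both checks for one network configuration.

    - 'nameservers': addresses the container's stub resolver would query
    - 'resolv_conf_can_reach': False when dns_port != 53, because the stub
      resolver always sends to port 53 of those addresses
    - 'bind_status': per address, whether dns_port is still unbound here
    """
    servers = parse_nameservers(resolv_conf)
    return {
        "nameservers": servers,
        "resolv_conf_can_reach": dns_port == 53,
        "bind_status": {addr: udp_bind_status(addr, dns_port) for addr in servers},
    }


if __name__ == "__main__":
    # Constructed resolv.conf as a container on a podman network might see it.
    RESOLV_CONF = "search dns.podman\nnameserver 127.0.0.1\n"
    # Simulate a host service already holding the port aardvark-dns wants.
    holder = occupy_udp_port("127.0.0.1")
    held_port = holder.getsockname()[1]
    print(dns_reachability_report(RESOLV_CONF, held_port))   # bind_status in-use
    holder.close()
    print(dns_reachability_report(RESOLV_CONF, held_port))   # bind_status free
    print(dns_reachability_report(RESOLV_CONF, 5353))        # resolv_conf_can_reach False
```

Run it as root on the host with the network's gateway address in place of 127.0.0.1 and its dns_port in place of the example ports; an "in-use" result for port 53 usually points at a host resolver such as systemd-resolved, and a "not-local" result means the bridge address does not exist yet on this host.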