libnetwork/resolvconf: add new KeepHostSearches/Options

Luap99 · Luap99 · commit fa22a10e4a58 · 2025-06-03T16:37:44.000+02:00
Using one KeepHostServers that controls the override of nameservers, search domains and options is not good enough. With netavark 1.15 we dropped the dns.podman search domain[1] as this always overwrote the host search domains which was not correct. However that in turn caused a new issue[2] that a container name might now get resolved to a search domain from the host first. To fix that we either need to revert the dns.podman change or add the ndots:0 option in resolv.conf. Whatever we end up doing we will need one of KeepHostSearches or KeepHostOptions in podman to populate resolv.conf correctly so that we don't overwrite the host domains/options but still can overwrite the nameservers as we want to force aardvark-dns only as nameserver so resolvers cannot bypass it. [1] containers/netavark#1214 [2] containers/podman#26198 Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit b4bf1f2) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
diff --git a/libnetwork/resolvconf/resolv.go b/libnetwork/resolvconf/resolv.go
@@ -30,17 +30,28 @@ type Params struct {
 	// IPv6Enabled will filter ipv6 nameservers when not set to true.
 	IPv6Enabled bool
 	// KeepHostServers can be set when it is required to still keep the
-	// original resolv.conf content even when custom Nameserver/Searches/Options
+	// original resolv.conf nameservers even when explicit Nameservers
 	// are set. In this case they will be appended to the given values.
 	KeepHostServers bool
+	// KeepHostSearches can be set when it is required to still keep the
+	// original resolv.conf search domains even when explicit search domains
+	// are set in Searches.
+	KeepHostSearches bool
+	// KeepHostOptions can be set when it is required to still keep the
+	// original resolv.conf options even when explicit options are set in
+	// Options.
+	KeepHostOptions bool
 	// Nameservers is a list of nameservers the container should use,
-	// instead of the default ones from the host.
+	// instead of the default ones from the host. Set KeepHostServers
+	// in order to also keep the hosts resolv.conf nameservers.
 	Nameservers []string
 	// Searches is a list of dns search domains the container should use,
-	// instead of the default ones from the host.
+	// instead of the default ones from the host. Set KeepHostSearches
+	// in order to also keep the hosts resolv.conf search domains.
 	Searches []string
 	// Options is a list of dns options the container should use,
-	// instead of the default ones from the host.
+	// instead of the default ones from the host. Set KeepHostOptions
+	// in order to also keep the hosts resolv.conf options.
 	Options []string
 
 	// resolvConfPath is the path which should be used as base to get the dns
@@ -121,7 +132,8 @@ func unsetSearchDomainsIfNeeded(searches []string) []string {
 // New creates a new resolv.conf file with the given params.
 func New(params *Params) error {
 	// short path, if everything is given there is no need to actually read the hosts /etc/resolv.conf
-	if len(params.Nameservers) > 0 && len(params.Options) > 0 && len(params.Searches) > 0 && !params.KeepHostServers {
+	if len(params.Nameservers) > 0 && len(params.Options) > 0 && len(params.Searches) > 0 &&
+		!params.KeepHostServers && !params.KeepHostOptions && !params.KeepHostSearches {
 		return build(params.Path, params.Nameservers, unsetSearchDomainsIfNeeded(params.Searches), params.Options)
 	}
 
@@ -140,12 +152,12 @@ func New(params *Params) error {
 	searches := unsetSearchDomainsIfNeeded(params.Searches)
 	// if no params.Searches then use host ones
 	// otherwise make sure that they were no explicitly unset before adding host ones
-	if len(params.Searches) == 0 || (params.KeepHostServers && len(searches) > 0) {
+	if len(params.Searches) == 0 || (params.KeepHostSearches && len(searches) > 0) {
 		searches = append(searches, getSearchDomains(content)...)
 	}
 
 	options := params.Options
-	if len(options) == 0 || params.KeepHostServers {
+	if len(options) == 0 || params.KeepHostOptions {
 		options = append(options, getOptions(content)...)
 	}
 
diff --git a/libnetwork/resolvconf/resolv_test.go b/libnetwork/resolvconf/resolv_test.go
@@ -19,15 +19,17 @@ options edns0
 
 func TestNew(t *testing.T) {
 	tests := []struct {
-		name            string
-		baseContent     string
-		nameservers     []string
-		options         []string
-		searches        []string
-		ipv6            bool
-		hostns          bool
-		keepHostServers bool
-		want            string
+		name             string
+		baseContent      string
+		nameservers      []string
+		options          []string
+		searches         []string
+		ipv6             bool
+		hostns           bool
+		keepHostServers  bool
+		keepHostSearches bool
+		keepHostOptions  bool
+		want             string
 	}{
 		{
 			name:        "simple resolv.conf",
@@ -98,7 +100,36 @@ func TestNew(t *testing.T) {
 			options:         []string{"ndots:2"},
 			searches:        []string{"test.com"},
 			keepHostServers: true,
-			want:            "search test.com example.com\nnameserver 1.2.3.4\nnameserver 5.6.7.8\nnameserver 1.1.1.1\noptions ndots:2 edns0\n",
+			want:            "search test.com\nnameserver 1.2.3.4\nnameserver 5.6.7.8\nnameserver 1.1.1.1\noptions ndots:2\n",
+		},
+		{
+			name:             "set all and keep host searches",
+			baseContent:      resolv2,
+			nameservers:      []string{"1.2.3.4", "5.6.7.8"},
+			options:          []string{"ndots:2"},
+			searches:         []string{"test.com"},
+			keepHostSearches: true,
+			want:             "search test.com example.com\nnameserver 1.2.3.4\nnameserver 5.6.7.8\noptions ndots:2\n",
+		},
+		{
+			name:            "set all and keep host options",
+			baseContent:     resolv2,
+			nameservers:     []string{"1.2.3.4", "5.6.7.8"},
+			options:         []string{"ndots:2"},
+			searches:        []string{"test.com"},
+			keepHostOptions: true,
+			want:            "search test.com\nnameserver 1.2.3.4\nnameserver 5.6.7.8\noptions ndots:2 edns0\n",
+		},
+		{
+			name:             "set all and keep all options",
+			baseContent:      resolv2,
+			nameservers:      []string{"1.2.3.4", "5.6.7.8"},
+			options:          []string{"ndots:2"},
+			searches:         []string{"test.com"},
+			keepHostServers:  true,
+			keepHostSearches: true,
+			keepHostOptions:  true,
+			want:             "search test.com example.com\nnameserver 1.2.3.4\nnameserver 5.6.7.8\nnameserver 1.1.1.1\noptions ndots:2 edns0\n",
 		},
 		{
 			name:        "localhost nameservers should be filtered and use defaults instead",
@@ -148,14 +179,16 @@ func TestNew(t *testing.T) {
 				}
 			}
 			err = New(&Params{
-				Path:            target,
-				Nameservers:     tt.nameservers,
-				Searches:        tt.searches,
-				Options:         tt.options,
-				IPv6Enabled:     tt.ipv6,
-				KeepHostServers: tt.keepHostServers,
-				Namespaces:      namespaces,
-				resolvConfPath:  base,
+				Path:             target,
+				Nameservers:      tt.nameservers,
+				Searches:         tt.searches,
+				Options:          tt.options,
+				IPv6Enabled:      tt.ipv6,
+				KeepHostServers:  tt.keepHostServers,
+				KeepHostSearches: tt.keepHostSearches,
+				KeepHostOptions:  tt.keepHostOptions,
+				Namespaces:       namespaces,
+				resolvConfPath:   base,
 			})
 			assert.NoError(t, err, "New()")
 			content, err := os.ReadFile(target)
