Accessing another network

Hi,

I’ve got a host running both lxd and podman. One lxd container acts as a proxy (haproxy). When trying to add hostname resolution via the resolver directive in haproxy, I noticed that even though I can ping containers in the podman network from the lxd proxy container

root@proxy01:~# ping 10.89.1.1
PING 10.89.1.1 (10.89.1.1) 56(84) bytes of data.
64 bytes from 10.89.1.1: icmp_seq=1 ttl=64 time=0.107 ms

trying to resolve the name via UDP

root@proxy01:~# nslookup acmedns-ind01 10.89.1.1
;; connection timed out; no servers could be reached

as well as TCP

root@proxy01:~# dig +tcp acmedns-ind01 @10.89.1.1
;; communications error to 10.89.1.1#53: end of file

;; communications error to 10.89.1.1#53: end of file

will fail. OTOH from host
kil@dev02:~$ nslookup acmedns-ind01 10.89.1.1
Server:		10.89.1.1
Address:	10.89.1.1#53

Name:	acmedns-ind01
Address: 10.89.1.4

everything works just fine. Any idea what might be the cause?

Following some other posts, here is the tcpdump for dig +tcp acmedns-ind01 @10.89.1.1

root@proxy01:~# tcpdump -nn -i eth0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:40:31.175647 IP 240.102.0.47.50741 > 10.89.1.1.53: Flags [S], seq 4170258847, win 64860, options [mss 1410,sackOK,TS val 3010699785 ecr 0,nop,wscale 7], length 0
16:40:31.175745 IP 10.89.1.1.53 > 240.102.0.47.50741: Flags [S.], seq 266882846, ack 4170258848, win 64308, options [mss 1410,sackOK,TS val 1525447471 ecr 3010699785,nop,wscale 7], length 0
16:40:31.175772 IP 240.102.0.47.50741 > 10.89.1.1.53: Flags [.], ack 1, win 507, options [nop,nop,TS val 3010699785 ecr 1525447471], length 0
16:40:31.176054 IP 240.102.0.47.50741 > 10.89.1.1.53: Flags [P.], seq 1:57, ack 1, win 507, options [nop,nop,TS val 3010699785 ecr 1525447471], length 56 48641+ [1au] A? acmedns-ind01. (54)
16:40:31.176118 IP 10.89.1.1.53 > 240.102.0.47.50741: Flags [.], ack 57, win 502, options [nop,nop,TS val 1525447471 ecr 3010699785], length 0
16:40:31.176316 IP 10.89.1.1.53 > 240.102.0.47.50741: Flags [F.], seq 1, ack 57, win 502, options [nop,nop,TS val 1525447471 ecr 3010699785], length 0
16:40:31.176397 IP 10.89.1.1.53 > 240.102.0.47.50741: Flags [R.], seq 2, ack 57, win 502, options [nop,nop,TS val 1525447472 ecr 3010699785], length 0
16:40:31.176797 IP 240.102.0.47.51865 > 10.89.1.1.53: Flags [S], seq 3908763312, win 64860, options [mss 1410,sackOK,TS val 3010699786 ecr 0,nop,wscale 7], length 0
16:40:31.176891 IP 10.89.1.1.53 > 240.102.0.47.51865: Flags [S.], seq 13154576, ack 3908763313, win 64308, options [mss 1410,sackOK,TS val 1525447472 ecr 3010699786,nop,wscale 7], length 0
16:40:31.176926 IP 240.102.0.47.51865 > 10.89.1.1.53: Flags [.], ack 1, win 507, options [nop,nop,TS val 3010699786 ecr 1525447472], length 0
16:40:31.177250 IP 240.102.0.47.51865 > 10.89.1.1.53: Flags [P.], seq 1:57, ack 1, win 507, options [nop,nop,TS val 3010699786 ecr 1525447472], length 56 24475+ [1au] A? acmedns-ind01. (54)
16:40:31.177298 IP 10.89.1.1.53 > 240.102.0.47.51865: Flags [.], ack 57, win 502, options [nop,nop,TS val 1525447472 ecr 3010699786], length 0
16:40:31.177411 IP 10.89.1.1.53 > 240.102.0.47.51865: Flags [F.], seq 1, ack 57, win 502, options [nop,nop,TS val 1525447473 ecr 3010699786], length 0
16:40:31.177476 IP 10.89.1.1.53 > 240.102.0.47.51865: Flags [R.], seq 2, ack 57, win 502, options [nop,nop,TS val 1525447473 ecr 3010699786], length 0

For the udp request dig acmedns-ind01 @10.89.1.1

16:41:54.185401 IP 240.102.0.47.52727 > 10.89.1.1.53: 53769+ [1au] A? acmedns-ind01. (54)
16:41:59.186419 IP 240.102.0.47.52727 > 10.89.1.1.53: 53769+ [1au] A? acmedns-ind01. (54)
16:42:04.190404 IP 240.102.0.47.52727 > 10.89.1.1.53: 53769+ [1au] A? acmedns-ind01. (54)
17 packets captured
17 packets received by filter
0 packets dropped by kernel

Unfortunately I’m not familiar with using tcpdump, so I’m still clueless.

root@proxy01:~# sudo iptables-save; sudo ip6tables-save; sudo nft list ruleset
sudo: iptables-save: command not found
sudo: ip6tables-save: command not found
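An added example (not from the original post) that turns the two captures above into a per-flow verdict: it parses tcpdump's one-line summaries and separates a TCP connection that the server accepts, ACKs the query on, and then closes with FIN/RST without answering (the +tcp capture) from a UDP query that is simply retransmitted with no reply at all (the second capture). The sample lines are constructed from the capture above with the TCP options trimmed, plus one constructed host-side flow (192.168.88.10 is an assumed client address) that does get an answer, for contrast.

```python
"""Triage tcpdump port-53 output: per DNS flow, did the server answer, close, or stay silent?"""
import re
from collections import defaultdict

# Constructed sample: lines from the post's captures (options trimmed) plus one assumed working flow.
SAMPLE = """\
16:40:31.175647 IP 240.102.0.47.50741 > 10.89.1.1.53: Flags [S], seq 4170258847, win 64860, length 0
16:40:31.176054 IP 240.102.0.47.50741 > 10.89.1.1.53: Flags [P.], seq 1:57, ack 1, length 56 48641+ [1au] A? acmedns-ind01. (54)
16:40:31.176118 IP 10.89.1.1.53 > 240.102.0.47.50741: Flags [.], ack 57, win 502, length 0
16:40:31.176316 IP 10.89.1.1.53 > 240.102.0.47.50741: Flags [F.], seq 1, ack 57, length 0
16:40:31.176397 IP 10.89.1.1.53 > 240.102.0.47.50741: Flags [R.], seq 2, ack 57, length 0
16:41:54.185401 IP 240.102.0.47.52727 > 10.89.1.1.53: 53769+ [1au] A? acmedns-ind01. (54)
16:41:59.186419 IP 240.102.0.47.52727 > 10.89.1.1.53: 53769+ [1au] A? acmedns-ind01. (54)
16:42:04.190404 IP 240.102.0.47.52727 > 10.89.1.1.53: 53769+ [1au] A? acmedns-ind01. (54)
16:43:00.000000 IP 192.168.88.10.40001 > 10.89.1.1.53: 11111+ A? acmedns-ind01. (40)
16:43:00.000200 IP 10.89.1.1.53 > 192.168.88.10.40001: 11111 1/0/0 A 10.89.1.4 (56)
"""

# timestamp, "IP", src.sport > dst.dport: rest  (tcpdump -nn summary line)
PKT = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")

def classify_flows(capture, dns_port="53"):
    """Map (client_ip, client_port) -> verdict for every flow that touches dns_port."""
    flows = defaultdict(lambda: {"q": 0, "ans": 0, "closed": 0, "tcp": False})
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue  # banner lines and the packet counters at the end
        src, sport, dst, dport, rest = m.groups()
        to_server = dport == dns_port
        f = flows[(src, sport) if to_server else (dst, dport)]
        flags = re.search(r"Flags \[([^\]]*)\]", rest)  # present only on TCP segments
        f["tcp"] = f["tcp"] or flags is not None
        if to_server:
            f["q"] += int("? " in rest)  # a question section means a query went out
        elif flags and ("F" in flags.group(1) or "R" in flags.group(1)):
            f["closed"] += 1             # server tore the connection down
        elif flags is None or "P" in flags.group(1):
            f["ans"] += 1                # UDP datagram or TCP segment carrying payload
    verdicts = {}
    for key, f in flows.items():
        if f["ans"]:
            v = "answered"
        elif f["closed"]:
            v = "query received, then FIN/RST and no answer (closed by the server)"
        else:
            v = f"{f['q']} attempt(s), no reply at all (dropped in transit or ignored)"
        verdicts[key] = ("tcp: " if f["tcp"] else "udp: ") + v
    return verdicts

if __name__ == "__main__":
    for (ip, port), verdict in classify_flows(SAMPLE).items():
        print(f"{ip}:{port}  {verdict}")
```

Feed it real output with `tcpdump -nn -i eth0 port 53 | python3 dnsflows.py` style piping by replacing SAMPLE with `sys.stdin.read()`; a "closed by the server" verdict points at the DNS service itself, while "no reply at all" points at something in between.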

Do you know how your host is resolving those names for the podman containers?

I’m not sure exactly what you mean. When I

user@host:~$ nslookup acmedns-ind01
Server:		192.168.88.1
Address:	192.168.88.1#53

** server can't find acmedns-ind01: NXDOMAIN

the default nameserver kicks in and resolves nothing. When I query the name from the podman’s network nameserver (10.89.1.1) I get the expected response

user@host:~$ nslookup acmedns-ind01 10.89.1.1
Server:		10.89.1.1
Address:	10.89.1.1#53

Name:	acmedns-ind01
Address: 10.89.1.4

The problem is that when I do the same in the proxy01 lxd container, something drops the request/response to 10.89.1.1

root@proxy01:~$ nslookup acmedns-ind01 10.89.1.1
;; connection timed out; no servers could be reached

and I can’t figure out what; pinging from the proxy01 works fine, for example. The same happens when HAProxy does the request from the proxy01 containers. I explicitly pass the nameservers that should be queried to the haproxy config:

resolvers localns
    nameserver lxd 240.102.0.1:53
    nameserver pod 10.89.1.1:53

HAProxy takes the first valid response. 240.102.0.1 is the fan network gw, so that won’t reply/know the name; the query to 10.89.1.1 times out because of that something which I’m trying to figure out.

Please let me know if I can help describe the problem better in any way.