When creating a container attached to a network, podman uses the first IP of each subnet (both v4 and v6) as the container's default gateway and also runs its DNS resolver on those addresses.
Ex:
23: pod-tailscale: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ce:7d:f3:ed:aa:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.98.1/24 brd 192.168.98.255 scope global pod-tailscale
valid_lft forever preferred_lft forever
inet6 fd9c:e5fd:554f::1/64 scope global
valid_lft forever preferred_lft forever

For some reason, it seems to only listen for and respond to DNS queries on the v4 address (192.168.98.1 in this case). This is problematic, because the generated resolv.conf in the containers lists both resolvers, and even puts the v6 one first:

vyos@305-1700-gw:~$ sudo podman exec -it tailscale ash
/ # cat /etc/resolv.conf
search dns.podman
nameserver fd9c:e5fd:554f::1
nameserver 192.168.98.1
This causes DNS resolution issues in containers, e.g.
vyos@305-1700-gw:~$ show contianer log tailscale
[...]
[RATELIMIT] format("peerapi: handleDNS fwd error: %v") (17 dropped)
peerapi: handleDNS fwd error: waiting for response or error from [[fd9c:e5fd:554f::1]:53]: context deadline exceeded
peerapi: handleDNS fwd error: waiting for response or error from [[fd9c:e5fd:554f::1]:53]: context deadline exceeded
[RATELIMIT] format("peerapi: handleDNS fwd error: %v")
control: NetInfo: NetInfo{varies=false hairpin= ipv6=true ipv6os=true udp=true icmpv4=false derp=#21 portmap= link="" firewallmode="ipt-default"}
peerapi: handleDNS fwd error: waiting for response or error from [[fd9c:e5fd:554f::1]:53]: context deadline exceeded
peerapi: handleDNS fwd error: waiting for response or error from [[fd9c:e5fd:554f::1]:53]: context deadline exceeded
peerapi: handleDNS fwd error: waiting for response or error from [[fd9c:e5fd:554f::1]:53]: context deadline exceeded
peerapi: handleDNS fwd error: waiting for response or error from [[fd9c:e5fd:554f::1]:53]: context deadline exceeded
peerapi: handleDNS fwd error: waiting for response or error from [[fd9c:e5fd:554f::1]:53]: context deadline exceeded

Reproducer:

vyos@305-1700-gw:~$ dig www.google.com aaaa @192.168.98.1 +short
2607:f8b0:4020:801::2004
vyos@305-1700-gw:~$ dig www.google.com aaaa @fd9c:e5fd:554f::1 +short
;; communications error to fd9c:e5fd:554f::1#53: connection refused
;; communications error to fd9c:e5fd:554f::1#53: connection refused
;; communications error to fd9c:e5fd:554f::1#53: connection refused

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> www.google.com aaaa @fd9c:e5fd:554f::1 +short
;; global options: +cmd
;; no servers could be reached
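To check a container for exactly this condition, here is an added example (not code from the report, podman or VyOS): it parses the container's resolv.conf, sends one AAAA query to each listed nameserver in the order the resolver would try them, and reports whether each one answered, refused the connection (nothing listening on :53, as dig showed for the v6 gateway) or timed out (what the container logged as a deadline). The sample resolv.conf is a constructed copy of the one above; the query name and port are assumptions.

```python
import random
import socket
import struct

# Constructed copy of the resolv.conf captured inside the container
SAMPLE_RESOLV_CONF = """search dns.podman
nameserver fd9c:e5fd:554f::1
nameserver 192.168.98.1
"""


def parse_nameservers(text):
    """Return nameservers in file order, which is the order libc tries them."""
    return [p[1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def build_query(name, qtype=28, txid=None):
    """Minimal DNS query packet; qtype 28 = AAAA, 1 = A. txid is random unless given."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def probe(server, name="www.google.com", port=53, timeout=2.0):
    """Send one query over UDP and classify the outcome (assumed name/port)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query = build_query(name)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))  # connected UDP reports ICMP port-unreachable as refused
            s.send(query)
            reply = s.recv(512)
        except ConnectionRefusedError:
            return "refused"   # nothing listening on the port: the v6 gateway case in the report
        except socket.timeout:
            return "timeout"   # query silently dropped: what tailscaled logged as a deadline
        except OSError as e:
            return f"error: {e}"
    if reply[:2] != query[:2]:
        return "mismatched-id"  # not a reply to our query; treat as unusable
    rcode = reply[3] & 0x0F
    return "answered" if rcode == 0 else f"rcode-{rcode}"


def audit(resolv_conf_text):
    """Probe every configured resolver; a dead first entry means slow lookups for every client."""
    return {ns: probe(ns) for ns in parse_nameservers(resolv_conf_text)}


if __name__ == "__main__":
    for ns, result in audit(SAMPLE_RESOLV_CONF).items():
        print(f"{ns:24} {result}")
```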
config:

vyos@305-1700-gw# show container
 name tailscale {
     capability net-admin
     capability net-raw
     capability sys-module
     capability sys-admin
     device devtun {
         destination /dev/net/tun
         source /dev/net/tun
     }
     environment TS_ACCEPT_DNS {
         value False
     }
     environment TS_AUTHKEY {
         value <snipped>
     }
     environment TS_AUTH_ONCE {
         value True
     }
     environment TS_EXTRA_ARGS {
         value "--advertise-exit-node --accept-routes --snat-subnet-routes=false --stateful-filtering=false --login-server <snipped>"
     }
     environment TS_ROUTES {
         value 172.17.51.0/24,172.17.52.0/24,172.17.53.0/24,10.235.128.0/18,10.235.64.0/18,10.235.0.0/18,2a0c:9a46:637:51::/64,2a0c:9a46:637:52::/64,2a0c:9a46:637:53::/64,2a0c:9a46:637:88:2::/104,2a0c:9a46:637:88:1::/112,2a0c:9a46:637:88:3::/80
     }
     environment TS_STATE_DIR {
         value /var/lib/tailscale
     }
     environment TS_USERSPACE {
         value False
     }
     image docker.io/tailscale/tailscale:v1.80
     memory 512
     network tailscale {
         address 192.168.98.2
         address fd9c:e5fd:554f::2
     }
     restart on-failure
     shared-memory 128
     sysctl {
         parameter net.ipv6.conf.all.forwarding {
             value 1
         }
     }
     volume tailscale_lib {
         destination /var/lib/tailscale
         source /config/container/tailscale/lib/
     }
 }
 network tailscale {
     prefix fd9c:e5fd:554f::/64
     prefix 192.168.98.0/24
 }
[edit]