Skip to content

Podman DNS match pattern for nftables #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 2, 2025
Merged

Podman DNS match pattern for nftables #76

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions nixos-test/podman-compose.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,21 @@
# Auto-generated using compose2nix v0.3.2-pre.
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
# See: https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
4 changes: 4 additions & 0 deletions nixos-test/test.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,10 @@ in
m.succeed(f"systemctl show -p Restart {runtime}-service-b.service | grep -E '=on-success$'")
m.succeed(f"systemctl show -p Restart {runtime}-myproject-no-restart.service | grep -E '=no$'")

# Ensure we can reach a container in the same network. Regression test
# for DNS settings, especially for Podman.
m.succeed(f"{runtime} exec -it myproject-service-a wget http://no-restart")

# Stop the root unit.
m.systemctl(f"stop {runtime}-compose-myproject-root.target")
'';
Expand Down
17 changes: 9 additions & 8 deletions templates/main.nix.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
{{- if .Version -}}
# Auto-generated using compose2nix v{{.Version}}.
{ pkgs, lib, ... }:
{{end -}}
{{- if eq (.Runtime | printf "%s") "podman" -}}
{ pkgs, lib, config, ... }:
{{- else -}}
{ pkgs, lib, ... }:
{{- end}}
Expand All @@ -13,17 +15,16 @@
autoPrune.enable = true;
{{- if eq (.Runtime | printf "%s") "podman"}}
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
{{- end}}
};
{{- if eq (.Runtime | printf "%s") "podman"}}

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "{{.Runtime}}";
{{- else}}
Expand Down
15 changes: 7 additions & 8 deletions testdata/TestAutoStart.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestBasic.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
22 changes: 14 additions & 8 deletions testdata/TestBasicAutoFormat.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,26 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
config,
...
}:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces =
let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in
{
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestBuildSpec.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestBuildSpec_BuildEnabled.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestCommandAndEntrypoint.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestComposeEnvFiles.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestDeployDevices.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestEmptyEnv.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestEnvFiles.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestEnvFilesOnly.podman.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
Loading
Loading