When a user wants to publish port 53 they run into EADDRINUSE errors in the VM. First, we use the default systemd-resolved, and second, when a network with DNS is running, aardvark-dns uses port 53 too. The workaround generally is to only bind specific IPs, but this cannot work with machine because a) inside the machine we remove the host IP and always bind everything, as the host IP is only used on the mac side to make port forwarding work, and b) for some idiotic reason macOS only allows binding "privileged" ports for 0.0.0.0, not a specific host IP, which means gvproxy would fail to bind as we run it rootless.
$ nc -l 0.0.0.0 53
<works>
$ nc -l 127.0.0.1 53
nc: Permission denied
As such I think we should 1) disable systemd-resolved by default; it doesn't do anything useful for us here. In fact, if we count aardvark-dns -> systemd-resolved -> gvproxy DNS resolver, it means each DNS request currently is read by three resolvers on the local host, which adds unnecessary overhead. And there is also the fact that we know systemd-resolved is broken with how it resolves quay.io, as we had to disable it on all our CI VMs because it just kept randomly failing to resolve the name correctly.
And 2) configure the aardvark-dns dns_bind_port in containers.conf to something other than 53. Not sure what port to choose; any port could cause a conflict theoretically.
Running a DNS server in a container seems like a rather common use case we should support out of the box.
See containers/podman#24099 for a user impacted by these problems.
cc @mheon @baude
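To tell the two failure modes in the issue apart, EADDRINUSE because systemd-resolved or aardvark-dns already holds port 53 versus EACCES from the privileged-port rule that an unprivileged gvproxy hits, here is an added Go probe that repeats the two nc binds above and classifies the error. It is example code written for this page, not podman or gvproxy code; the names TryBindUDP, ProbePort53 and BindResult are my own. Run unprivileged on Linux it will typically report "permission" for both addresses; the issue's macOS observation is that 0.0.0.0:53 binds while 127.0.0.1:53 is denied.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
)

// BindResult classifies the outcome of a UDP bind attempt (names are this
// example's own, not a podman or gvproxy API).
type BindResult string

const (
	BindOK     BindResult = "ok"         // bound; caller owns the returned conn
	BindInUse  BindResult = "in-use"     // EADDRINUSE: another listener already holds the port
	BindDenied BindResult = "permission" // EACCES: privileged port, no privilege for this address
	BindOther  BindResult = "other"      // anything else (e.g. address not available)
)

// TryBindUDP attempts a plain UDP bind on ip:port. net.ListenUDP does not set
// SO_REUSEADDR for unicast addresses, so a second listener on the same
// address reliably fails with EADDRINUSE, which is what we want to detect.
func TryBindUDP(ip string, port int) (BindResult, *net.UDPConn, error) {
	conn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP(ip), Port: port})
	switch {
	case err == nil:
		return BindOK, conn, nil
	case errors.Is(err, syscall.EADDRINUSE):
		return BindInUse, nil, err
	case errors.Is(err, syscall.EACCES):
		return BindDenied, nil, err
	default:
		return BindOther, nil, err
	}
}

// ProbePort53 performs the same two checks as the nc commands in the issue,
// once on the wildcard address and once on loopback, and returns the
// classification for each address. Any socket that did bind is closed again.
func ProbePort53() map[string]BindResult {
	out := make(map[string]BindResult)
	for _, ip := range []string{"0.0.0.0", "127.0.0.1"} {
		res, conn, _ := TryBindUDP(ip, 53)
		if conn != nil {
			conn.Close()
		}
		out[ip] = res
	}
	return out
}

func main() {
	for ip, res := range ProbePort53() {
		fmt.Printf("%s:53 -> %s\n", ip, res)
	}
}
```

"in-use" on 0.0.0.0:53 inside the machine is the symptom the issue describes: a wildcard bind conflicts with systemd-resolved's 127.0.0.53:53 or aardvark-dns's listener even though those are bound to specific addresses, which is why binding only specific IPs is the usual workaround and why it is unavailable here.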