On Mon, Nov 24, 2025 at 08:10:35PM -0330, Ayon T wrote:
> Hi, sorry it has been a while, I haven't been able to find the time to work
> on this problem.
>
> However, I think I've managed to narrow down what the problem is, so I'm
> writing to you again!
>
> I essentially ended up using a wrapper for pasta to try out a few different
> arguments with it, even though I went down a different route. I used
> "DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS" with `rootlesskit` to pass on a new
> location to a script wrapping the pasta binary.
>
> I passed on the explicit local network IP of the DNS server that runs on my
> home network, and everything started working fine.
>
> I'll explain: my server PC runs rootless containers – one of them runs a
> DNS server. On that PC itself, I redirect local DNS queries to 127.0.0.1
> (the first nameserver on /etc/resolv.conf). pasta picks up the first entry
> on /etc/resolv.conf and forwards DNS queries to it. But it seems like it
> cannot access localhost (probably by design?)

With its own default options, pasta will generally allow access from
loopback, but docker may (by design) add parameters that override that
behaviour. Using 'ps' (or your wrapper) to find out the exact
arguments that docker is invoking pasta with would help.

> Once I add the local network IP (192.168.x.y) explicitly as the DNS server
> to forward queries to, things work, but I find this inefficient as it feels
> like queries shouldn't have to go through the local network for resolution,
> since the DNS server runs on that very device.

So, yes, it arguably should be possible to access the server via
127.0.0.1. That said, I don't think there's any real inefficiency
here: the kernel will already direct traffic to a public-but-local
address over 'lo', so it won't actually hit the external network.

> Please advise me on what can be done about this and if I'm on the wrong
> track.
>
> Regards,
> Ayon
>
> On Tue, Jun 3, 2025 at 8:16 AM Stefano Brivio <sbrivio@redhat.com> wrote:
>
> > On Fri, 23 May 2025 00:51:25 -0230
> > Ayon T <sanroz.mozan13@gmail.com> wrote:
> >
> > > I know you have been asking me to run pasta with arguments with docker, but
> > > I'm not sure how to do this (pardon my inexperience). I use an
> > > override.conf file to set the default network and port driver of docker,
> > > and that's how I use pasta with docker. I have tried looking up how to do
> > > it in a different way that gives me more control over the arguments that go
> > > in, but I haven't been able to find it. Could you guide me regarding this
> > > or point me to a resource?
> >
> > Apologies for the delay. It looks like you need to rebuild rootlesskit
> > with any option you want to add, here:
> >
> >
> > https://github.com/rootless-containers/rootlesskit/blob/e83d7635183e1125798b2928b22002dfcc4a1168/pkg/network/pasta/pasta.go#L146
> >
> > because there's currently no convenient command-line mechanism like the
> > one implemented by Podman, here:
> >
> >
> > https://github.com/containers/common/blob/5a4ca2d5d35571556f6e7d1d5f024c19dc482135/libnetwork/pasta/pasta_linux.go#L174
> >
> > I guess it would be nice to implement something similar, but I'm not
> > really familiar with rootlesskit otherwise. An alternative could be to
> > use a trivial wrapper at /usr/local/bin/pasta, a simple script doing:
> >
> > --
> > #!/bin/sh
> >
> > # Quote "$@" so arguments containing spaces reach pasta unchanged
> > /usr/bin/pasta "$@" --whatever-additional-option-here
> > --
> >
> > --
> > Stefano
> >
> >
> _______________________________________________
> user mailing list -- passt-user@passt.top
> To unsubscribe send an email to passt-user-leave@passt.top
--
David Gibson (he or they) | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
| around.
http://www.ozlabs.org/~dgibson
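
A wrapper of the kind discussed in this thread, extended to record the exact arguments docker/rootlesskit passes to pasta before handing over to the real binary. This is an added example, not code from the thread or from the passt or rootlesskit projects; the log location and the `REAL_PASTA`, `PASTA_ARGV_LOG` and `PASTA_EXTRA_ARGS` variable names are assumptions made for illustration.

```shell
#!/bin/sh
# Install as /usr/local/bin/pasta (the wrapper location suggested in the thread).

# Assumed defaults: real binary as in the thread's script, and a per-user log
# path rather than a world-writable directory such as /tmp.
REAL_PASTA="${REAL_PASTA:-/usr/bin/pasta}"
PASTA_ARGV_LOG="${PASTA_ARGV_LOG:-${XDG_RUNTIME_DIR:-$HOME}/pasta-argv.log}"

# Append one record per invocation: a header line, then every argument on its
# own bracketed line so embedded spaces and empty arguments stay visible.
log_args() {
    {
        printf '== pid %s, %s argument(s)\n' "$$" "$#"
        for arg in "$@"; do
            printf '  [%s]\n' "$arg"
        done
    } >>"$PASTA_ARGV_LOG"
}

main() {
    umask 077                 # keep the log readable by the owning user only
    log_args "$@"
    # PASTA_EXTRA_ARGS (hypothetical variable) is split on whitespace on
    # purpose so that several extra options can be appended.
    # shellcheck disable=SC2086
    exec "$REAL_PASTA" "$@" $PASTA_EXTRA_ARGS
}

# Only take over when invoked under the name "pasta"; sourcing the file or
# running it under another name just defines the functions.
case "${0##*/}" in
    pasta) main "$@" ;;
esac
```

After restarting the rootless docker daemon, the log shows which options were added on top of pasta's defaults, which is the information asked for in the reply above.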