rkt · steveej · Jan 28, 2016 · Jan 27, 2016 · achanda · Jan 28, 2016
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 #### New features and UX changes
 
 - Add pod creation and start times to `rkt list` and `rkt status` ([#2030](https://github.com/coreos/rkt/pull/2030)). See [`rkt list`](https://github.com/coreos/rkt/blob/master/Documentation/subcommands/list.md) and [`rkt status`](https://github.com/coreos/rkt/blob/master/Documentation/subcommands/status.md) documentation.
+- The DNS configuration can now be passed to the pod via the command line ([#2040](https://github.com/coreos/rkt/pull/2040)). See [`DNS support`](https://github.com/coreos/rkt/blob/master/Documentation/networking.md#dns-support) documentation.
 
 ## v0.16.0
 

diff --git a/Documentation/networking.md b/Documentation/networking.md
@@ -341,3 +341,28 @@ rkt run --net="all,net1:IP=1.2.3.4" --net="net2:IP=1.2.4.5" pod.aci
 
 This is not documented yet.
 Please follow [this issue on CNI](https://github.com/appc/cni/issues/56) to track the progress of the documentation.
+
+## DNS support
+
+rkt can automatically prepare `/etc/resolv.conf` for the apps in the pod. The simplest configuration is:
+
+```bash
+rkt run --dns=8.8.8.8 pod.aci
+```
+
+Other parameters can be given:
+
+```bash
+rkt run --dns=8.8.8.8 --dns=8.8.4.4 --dns-search=foo.com --dns-opt=debug pod.aci
+```
+
+This will generate the following `/etc/resolv.conf` for the applications:
+
+```
+# Generated by rkt
+
+search foo.com
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+options debug
+```
diff --git a/rkt/run.go b/rkt/run.go
@@ -56,6 +56,9 @@ End the image arguments with a lone "---" to resume argument parsing.`,
 	flagInheritEnv   bool
 	flagExplicitEnv  envMap
 	flagInteractive  bool
+	flagDNS          flagStringList
+	flagDNSSearch    flagStringList
+	flagDNSOpt       flagStringList
 	flagNoOverlay    bool
 	flagStoreOnly    bool
 	flagNoStore      bool
@@ -76,6 +79,9 @@ func init() {
 	cmdRun.Flags().BoolVar(&flagPrivateUsers, "private-users", false, "Run within user namespaces (experimental).")
 	cmdRun.Flags().Var(&flagExplicitEnv, "set-env", "an environment variable to set for apps in the form name=value")
 	cmdRun.Flags().BoolVar(&flagInteractive, "interactive", false, "run pod interactively. If true, only one image may be supplied.")
+	cmdRun.Flags().Var(&flagDNS, "dns", "name servers to write in /etc/resolv.conf")
+	cmdRun.Flags().Var(&flagDNSSearch, "dns-search", "DNS search domains to write in /etc/resolv.conf")
+	cmdRun.Flags().Var(&flagDNSOpt, "dns-opt", "DNS options to write in /etc/resolv.conf")
 	cmdRun.Flags().BoolVar(&flagStoreOnly, "store-only", false, "use only available images in the store (do not discover or download from remote URLs)")
 	cmdRun.Flags().BoolVar(&flagNoStore, "no-store", false, "fetch images ignoring the local store")
 	cmdRun.Flags().StringVar(&flagPodManifest, "pod-manifest", "", "the path to the pod manifest. If it's non-empty, then only '--net', '--no-overlay' and '--interactive' will have effects")
@@ -91,6 +97,9 @@ func init() {
 	cmdRun.Flags().Var((*appCPULimit)(&rktApps), "cpu", "cpu limit for the preceding image (example: '--cpu=500m')")
 
 	flagPorts = portList{}
+	flagDNS = flagStringList{}
+	flagDNSSearch = flagStringList{}
+	flagDNSOpt = flagStringList{}
 
 	// Disable interspersed flags to stop parsing after the first non flag
 	// argument. All the subsequent parsing will be done by parseApps.
@@ -271,6 +280,9 @@ func runRun(cmd *cobra.Command, args []string) (exit int) {
 		Net:          flagNet,
 		LockFd:       lfd,
 		Interactive:  flagInteractive,
+		DNS:          flagDNS,
+		DNSSearch:    flagDNSSearch,
+		DNSOpt:       flagDNSOpt,
 		MDSRegister:  flagMDSRegister,
 		LocalConfig:  globalFlags.LocalConfigDir,
 		RktGid:       rktgid,
@@ -328,6 +340,22 @@ func (pl *portList) Type() string {
 	return "portList"
 }
 
+// flagStringList implements the flag.Value interface to contain a set of strings
+type flagStringList []string
+
+func (dns *flagStringList) Set(s string) error {
+	*dns = append(*dns, s)
+	return nil
+}
+
+func (dns *flagStringList) String() string {
+	return strings.Join(*dns, " ")
+}
+
+func (dns *flagStringList) Type() string {
+	return "flagStringList"
+}
+
 // envMap implements the flag.Value interface to contain a set of name=value mappings
 type envMap struct {
 	mapping map[string]string

diff --git a/rkt/run_prepared.go b/rkt/run_prepared.go
@@ -41,6 +41,9 @@ func init() {
 
 	cmdRunPrepared.Flags().Var(&flagNet, "net", "configure the pod's networking. optionally pass a list of user-configured networks to load and arguments to pass to them. syntax: --net[=n[:args]][,]")
 	cmdRunPrepared.Flags().Lookup("net").NoOptDefVal = "default"
+	cmdRunPrepared.Flags().Var(&flagDNS, "dns", "name servers to write in /etc/resolv.conf")
+	cmdRunPrepared.Flags().Var(&flagDNSSearch, "dns-search", "DNS search domains to write in /etc/resolv.conf")
+	cmdRunPrepared.Flags().Var(&flagDNSOpt, "dns-opt", "DNS options to write in /etc/resolv.conf")
 	cmdRunPrepared.Flags().BoolVar(&flagInteractive, "interactive", false, "the pod is interactive")
 	cmdRunPrepared.Flags().BoolVar(&flagMDSRegister, "mds-register", false, "register pod with metadata service")
 }
@@ -123,6 +126,9 @@ func runRunPrepared(cmd *cobra.Command, args []string) (exit int) {
 		Net:         flagNet,
 		LockFd:      lfd,
 		Interactive: flagInteractive,
+		DNS:         flagDNS,
+		DNSSearch:   flagDNSSearch,
+		DNSOpt:      flagDNSOpt,
 		MDSRegister: flagMDSRegister,
 		Apps:        apps,
 		RktGid:      rktgid,

diff --git a/stage0/run.go b/stage0/run.go
@@ -28,6 +28,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"net"
 	"os"
 	"path"
 	"path/filepath"
@@ -87,6 +88,9 @@ type RunConfig struct {
 	Apps        schema.AppList // applications (prepare gets them via Apps)
 	LocalConfig string         // Path to local configuration
 	RktGid      int            // group id of the 'rkt' group, -1 if there's no rkt group.
+	DNS         []string       // DNS name servers to write in /etc/resolv.conf
+	DNSSearch   []string       // DNS search domains to write in /etc/resolv.conf
+	DNSOpt      []string       // DNS options to write in /etc/resolv.conf
 }
 
 // configuration shared by both Run and Prepare
@@ -379,6 +383,32 @@ func preparedWithPrivateUsers(dir string) (string, error) {
 	return string(bytes), nil
 }
 
+func addResolvConf(cfg RunConfig, rootfs string) {
+	content := "# Generated by rkt\n\n"
+	if len(cfg.DNSSearch) > 0 {
+		content += fmt.Sprintf("search %s\n", strings.Join(cfg.DNSSearch, " "))
+	}
+	for _, server := range cfg.DNS {
+		// skip empty entries
+		if server == "" {
+			continue
+		}
+		// comment invalid entries
+		if net.ParseIP(server) == nil {
+			content += "# "
+		}
+		content += "nameserver " + server + "\n"
+	}
+	if len(cfg.DNSOpt) > 0 {
+		content += fmt.Sprintf("options %s\n", strings.Join(cfg.DNSOpt, " "))
+	}
+	content += "\n"
+
+	if err := ioutil.WriteFile(filepath.Join(rootfs, "etc/rkt-resolv.conf"), []byte(content), 0644); err != nil {
+		log.Fatalf("error writing /etc/rkt-resolv.conf: %v\n", err)
+	}
+}
+
 // Run mounts the right overlay filesystems and actually runs the prepared
 // pod by exec()ing the stage1 init inside the pod filesystem.
 func Run(cfg RunConfig, dir string, dataDir string) {
@@ -406,6 +436,10 @@ func Run(cfg RunConfig, dir string, dataDir string) {
 
 	destRootfs := common.Stage1RootfsPath(dir)
 
+	if len(cfg.DNS) > 0 || len(cfg.DNSSearch) > 0 || len(cfg.DNSOpt) > 0 {
+		addResolvConf(cfg, destRootfs)
+	}
+
 	if err := os.Setenv(common.EnvLockFd, fmt.Sprintf("%v", cfg.LockFd)); err != nil {
 		log.Fatalf("setting lock fd environment: %v", err)
 	}

diff --git a/stage1/prepare-app/prepare-app.c b/stage1/prepare-app/prepare-app.c
@@ -147,12 +147,15 @@ int main(int argc, char *argv[])
 		"/dev/console",
 		NULL
 	};
-	static const mount_point mount_table[] = {
+	static const mount_point dirs_mount_table[] = {
 		{ "/proc", "/proc", "bind", NULL, MS_BIND|MS_REC },
 		{ "/sys", "/sys", "bind", NULL, MS_BIND|MS_REC },
 		{ "/dev/shm", "/dev/shm", "bind", NULL, MS_BIND },
 		{ "/dev/pts", "/dev/pts", "bind", NULL, MS_BIND },
 	};
+	static const mount_point files_mount_table[] = {
+		{ "/etc/rkt-resolv.conf", "/etc/resolv.conf", "bind", NULL, MS_BIND },
+	};
 	const char *root;
 	int rootfd;
 	char to[4096];
@@ -243,8 +246,8 @@ int main(int argc, char *argv[])
 	}
 
 	/* Bind mount directories */
-	for (i = 0; i < nelems(mount_table); i++) {
-		const mount_point *mnt = &mount_table[i];
+	for (i = 0; i < nelems(dirs_mount_table); i++) {
+		const mount_point *mnt = &dirs_mount_table[i];
 
 		exit_if(snprintf(to, sizeof(to), "%s/%s", root, mnt->target) >= sizeof(to),
 			"Path too long: \"%s\"", to);
@@ -253,6 +256,26 @@ int main(int argc, char *argv[])
 				"Mounting \"%s\" on \"%s\" failed", mnt->source, to);
 	}
 
+	/* Bind mount files, if the source exists */
+	for (i = 0; i < nelems(files_mount_table); i++) {
+		const mount_point *mnt = &files_mount_table[i];
+		int fd;
+
+		exit_if(snprintf(to, sizeof(to), "%s/%s", root, mnt->target) >= sizeof(to),
+			"Path too long: \"%s\"", to);
+		if (access(mnt->source, F_OK) != 0)
+			continue;
+		if (access(to, F_OK) != 0) {
+			pexit_if((fd = creat(to, 0644)) == -1,
+				"Cannot create file: \"%s\"", to);
+			pexit_if(close(fd) == -1,
+				"Cannot close file: \"%s\"", to);
+		}
+		pexit_if(mount(mnt->source, to, mnt->type,
+			       mnt->flags, mnt->options) == -1,
+				"Mounting \"%s\" on \"%s\" failed", mnt->source, to);
+	}
+
 	/* /dev/ptmx -> /dev/pts/ptmx */
 	exit_if(snprintf(to, sizeof(to), "%s/dev/ptmx", root) >= sizeof(to),
 		"Path too long: \"%s\"", to);

diff --git a/tests/rkt_dns_test.go b/tests/rkt_dns_test.go
@@ -0,0 +1,67 @@
+// Copyright 2016 The rkt Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/coreos/rkt/tests/testutils"
+)
+
+// TestDNS is checking how rkt fills /etc/resolv.conf
+func TestDNS(t *testing.T) {
+	imageFile := patchTestACI("rkt-inspect-exit.aci", "--exec=/inspect --print-msg=Hello --read-file")
+	defer os.Remove(imageFile)
+	ctx := testutils.NewRktRunCtx()
+	defer ctx.Cleanup()
+
+	for _, tt := range []struct {
+		paramDNS     string
+		expectedLine string
+	}{
+		{
+			paramDNS:     "",
+			expectedLine: "Cannot read file",
+		},
+		{
+			paramDNS:     "--dns=8.8.4.4",
+			expectedLine: "nameserver 8.8.4.4",
+		},
+		{
+			paramDNS:     "--dns=8.8.8.8 --dns=8.8.4.4",
+			expectedLine: "nameserver 8.8.8.8",
+		},
+		{
+			paramDNS:     "--dns=8.8.8.8 --dns=8.8.4.4 --dns-search=search.com --dns-opt=debug",
+			expectedLine: "nameserver 8.8.4.4",
+		},
+		{
+			paramDNS:     "--dns-search=foo.com --dns-search=bar.com",
+			expectedLine: "search foo.com bar.com",
+		},
+		{
+			paramDNS:     "--dns-opt=debug --dns-opt=use-vc --dns-opt=rotate",
+			expectedLine: "options debug use-vc rotate",
+		},
+	} {
+
+		rktCmd := fmt.Sprintf(`%s --insecure-options=image run --set-env=FILE=/etc/resolv.conf %s %s`,
+			ctx.Cmd(), tt.paramDNS, imageFile)
+		t.Logf("%s\n", rktCmd)
+		runRktAndCheckOutput(t, rktCmd, tt.expectedLine, false)
+	}
+}