Podman does not pass the correct DNS when running in a network namespace

[Bart97]

Issue Description

By default, Podman passes host resolv.conf entries to the container instead of taking it from the network namespace it's executed in

Steps to reproduce the issue

Steps to reproduce the issue

1. Set up a network namespace on the host with a different DNS server configured in /etc/resolv.conf
2. Run a shell in the new network namespace and set up a new container using podman run.
3. Enter shell inside of the container, run cat /etc/resolv.conf. Should be the same as configuration in network namespace

Describe the results you received

At step 4 the contents are the same as /etc/resolv.conf outside the network namespace.

Describe the results you expected

/etc/resolv.conf should be the same as configuration in the network namespace

podman info output

host:
  arch: amd64
  buildahVersion: 1.41.3
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-1:2.1.13-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: 82de887596ed8ee6d9b2ee85e4f167f307bb569b'
  cpuUtilization:
    idlePercent: 95.45
    systemPercent: 0.82
    userPercent: 3.73
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2046
  hostname: bkazmier-thinkpad
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.16.3-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 33684344832
  memTotal: 41791913984
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.16.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.16.0
    package: netavark-1.16.1-1
    path: /usr/lib/podman/netavark
    version: netavark 1.16.1
  ociRuntime:
    name: crun
    package: crun-1.23.1-1
    path: /usr/bin/crun
    version: |-
      crun version 1.23.1
      commit: d20b23dba05e822b93b82f2f34fd5dada433e0c2
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-2025_08_05.309eefd-1
    version: |
      pasta 2025_08_05.309eefd
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 6h 20m 5.00s (Approximately 0.25 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/bkazmier/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/bkazmier/.local/share/containers/storage
  graphRootAllocated: 497354588160
  graphRootUsed: 306764603392
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 24
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/bkazmier/.local/share/containers/storage/volumes
version:
  APIVersion: 5.6.0
  Built: 1755376297
  BuiltTime: Sat Aug 16 22:31:37 2025
  GitCommit: da671ef6cfa3fc9ac6225c18f1dd0a70a951e43f
  GoVersion: go1.25.0
  Os: linux
  OsArch: linux/amd64
  Version: 5.6.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[Luap99]

Please provide a proper reproducer with commands so it is clear what you are doing. In general podman reads /etc/resolv.conf so you would need to switch the mount namespace as well to provide an alternate resolve.conf file.

Note that switching namesapces in general can cause quite a lot problems with podman as we need a single mount namespace in order to properly mount/unmount the storage.

[Bart97]

The idea is that I'm running a separate network namespace on my workstation for VPN access. I want to run a rootless container in that network namespace, which will be able to access the VPN. It does work, but I have to manually provide the configuration via --dns arguments.

1. sudo mkdir /etc/netns/mynet
2. echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
3. sudo ip netns add mynet # skipping network configuration here as it's not needed for reproduction
4. echo "nameserver 1.1.1.1" | sudo tee /etc/netns/mynet/resolv.conf
5. sudo -E /usr/bin/ip netns exec mynet cat /etc/resolv.conf
   nameserver 1.1.1.1
6. cat /etc/resolv.conf
   nameserver 8.8.8.8
7. /usr/bin/sudo -E /usr/bin/ip netns exec mynet sudo -E -u $USER zsh
   1. cat /etc/resolv.conf
      nameserver 1.1.1.1
   2. podman run -it alpine sh
      1. cat /etc/resolv.conf

         nameserver 169.254.1.1
         nameserver 8.8.8.8
         

I expect to see nameserver 1.1.1.1 in the last step.

[Luap99]

yeah that is simply impossible, rootless podman must run within a single user + mount namesapce. Each rootless podman command thus joins the same user + mount namespace so they always see the same files and ignore the parent mount namespace.

And if you use something like --network bridge there is only one pasta process which is created by the first start and would use the namespace of podman but then all following commands would simply join the rootless-netns, see #22943 (comment) for how that would look.

[Bart97]

I see. Is there any other solution that would allow me to connect rootless containers to another network namespace? I don't mind performing additional configuration as root as long as I can automate it, but the goal is to be able to somehow be able to connect some containers to the network configured in my namespace

[Luap99]

If you create a new network namespace within podman unshare (i.e. the podman userns+mountns) then you could run a rootless container with --network ns:/path/to/netns. This is certainly complex to setup but you could have full control over how to configure the netns.

Another thing I haven't tried is pasta itself supports the --outbound options to specify a custom outbound interface which may be enough if you have a VPN interface on the host, or maybe bind to a veth pair to then route this into another namespace.

I am sure there might be more ways, I haven't really explored that problem space.