network alias with space causes DNS resolution to fail #24869

Open
mfenniak opened this issue Dec 18, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Issue Description

When a --network-alias option to a container has a space in it, no error is thrown during container creation, but DNS resolution within the container will fail with timeouts.

Steps to reproduce the issue

  1. sudo podman run --network-alias "testtrim release" --rm -it node:current-bookworm /bin/bash
  2. curl https://google.com/

Describe the results you received

$ sudo podman run --network-alias "testtrim release" --rm -it node:current-bookworm /bin/bash
root@00a382cc61c7:/# curl https://google.com/
curl: (6) Could not resolve host: google.com

Describe the results you expected

Either having whitespace in an alias is unsupported (which would make sense) and should cause an error; or it should be silently ignored; but either way I should not get a container where DNS resolution will fail for an unidentifiable reason.

If I remove the space from my alias, DNS resolution works:

$ sudo podman run --network-alias "testtrim-release" --rm -it node:current-bookworm /bin/bash
root@ad50b96ec6b2:/# curl https://google.com > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   220  100   220    0     0   3031      0 --:--:-- --:--:-- --:--:--  3055

podman info output

host:
  arch: amd64
  buildahVersion: 1.37.3
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /nix/store/cygy62gmh4fqjicwg2zflyaidimfnj6q-podman-helper-binary-wrapper/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 97.79
    systemPercent: 0.52
    userPercent: 1.69
  cpus: 32
  databaseBackend: boltdb
  distribution:
    codename: vicuna
    distribution: nixos
    version: "24.11"
  eventLogger: journald
  freeLocks: 2031
  hostname: nixosdesktop
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.6.63
  linkmode: dynamic
  logDriver: journald
  memFree: 2413629440
  memTotal: 134120222720
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /nix/store/60cdq9pj1y4sxn28pqb7mb5wf3yv6769-podman-5.2.3/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.0
    package: Unknown
    path: /nix/store/60cdq9pj1y4sxn28pqb7mb5wf3yv6769-podman-5.2.3/libexec/podman/netavark
    version: netavark 1.7.0
  ociRuntime:
    name: crun
    package: Unknown
    path: /nix/store/cygy62gmh4fqjicwg2zflyaidimfnj6q-podman-helper-binary-wrapper/bin/crun
    version: |-
      crun version 1.18.2
      commit: 1.18.2
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /nix/store/60cdq9pj1y4sxn28pqb7mb5wf3yv6769-podman-5.2.3/libexec/podman/pasta
    package: Unknown
    version: |
      pasta 2024_09_06.6b38f07
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 50637725696
  swapTotal: 50708865024
  uptime: 218h 31m 8.00s (Approximately 9.08 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 1982707269632
  graphRootUsed: 1479270805504
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 16
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.3
  Built: 315532800
  BuiltTime: Mon Dec 31 17:00:00 1979
  GitCommit: ""
  GoVersion: go1.23.3
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.3

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

Reproducible on two NixOS 24.11 servers, but they likely have very similar configurations to each other.

Additional information

I'm sure that the initial reaction to this report will be "so don't do that" -- which is fair. 👍 However I identified this issue because a tool (act-runner) was using a string name field as an alias for a container, with no reason to believe that the name would be turned into a DNS alias and cause this issue.

If this is indicated as an unsupported operation (again, would make sense), I'm happy to also report it to the tool for them to validate and/or sanitize the input. But if it's going to cause a problem with the container, I feel like podman should block it as an invalid input.

@mfenniak mfenniak added the kind/bug Categorizes issue or PR as related to a bug. label Dec 18, 2024
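
A caller-side check for the situation described in this report, as an added example that is not code from podman, act-runner or the reporter: it rejects an alias such as "testtrim release" before it reaches --network-alias, and derives a DNS-safe alias from a free-form name. ValidateAlias and SanitizeAlias are hypothetical names, and treating an alias as a single RFC 1123 label (letters, digits, hyphen, at most 63 bytes) is an assumption of this example, not podman's documented rule.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ValidateAlias checks s against single-label RFC 1123 rules (an assumption
// for this example; hypothetical helper, not a podman or act-runner API).
func ValidateAlias(s string) error {
	if len(s) == 0 || len(s) > 63 {
		return fmt.Errorf("alias %q: length must be 1..63 bytes", s)
	}
	if s[0] == '-' || s[len(s)-1] == '-' {
		return fmt.Errorf("alias %q: must not start or end with '-'", s)
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		ok := c == '-' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
		if !ok {
			return fmt.Errorf("alias %q: invalid byte %q at offset %d", s, c, i)
		}
	}
	return nil
}

// SanitizeAlias lowercases name and collapses every run of other bytes to one '-'.
func SanitizeAlias(name string) (string, error) {
	mapped := strings.Map(func(r rune) rune {
		if r >= 'a' && r <= 'z' || r >= '0' && r <= '9' {
			return r
		}
		return '-'
	}, strings.ToLower(name))
	out := strings.Join(strings.FieldsFunc(mapped, func(r rune) bool { return r == '-' }), "-")
	if len(out) > 63 {
		out = strings.TrimRight(out[:63], "-")
	}
	if out == "" {
		return "", errors.New("name has no DNS-safe characters")
	}
	return out, nil
}

func main() {
	fmt.Println(ValidateAlias("testtrim release")) // alias from the report: rejected
	fmt.Println(SanitizeAlias("testtrim release"))
}
```

A tool that turns a display name into an alias can call SanitizeAlias once and log the mapping, so the DNS name the container actually gets is visible to the operator.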