Disable DHCP-provided DNS on VM passt NIC

[alicefr]

passt injects additional DNS servers (169.254.1.1, host gateway) via DHCP that don't know about cluster.local. systemd-resolved may query these before the bink DNS container and accept an NXDOMAIN, causing flaky registry.cluster.local resolution on worker nodes.

Setting ipv4.ignore-auto-dns prevents DHCP DNS from being added to the link, leaving only the bink DNS container which forwards non-cluster queries to upstream (8.8.8.8, 8.8.4.4).

Fixes: #59

Summary by Sourcery

Bug Fixes:

• Prevent flaky resolution of cluster-local domains by ignoring auto-provisioned DNS from DHCP on the worker node network interface.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Configures the VM passt NIC NetworkManager connection to stop using DHCP-provided DNS and rely solely on the cluster DNS, by extending the existing nmcli modification command.

Flow diagram for updated DNS resolution path on passt NIC

flowchart LR
    A[Worker_node systemd-resolved
    query registry.cluster.local]
    B[NetworkManager connection cloud-init_enp2s0
    ipv4.ignore-auto-dns yes]
    C[bink_DNS_container
    cluster DNS]

    A --> B
    B --> C
    C --> D[Upstream DNS 8.8.8.8 / 8.8.4.4
    for non-cluster domains]

Loading

File-Level Changes

Change	Details	Files
Ensure the VM passt NIC ignores DHCP-provided DNS and only uses the configured cluster DNS search domain.	Extend the nmcli connection modify command for cloud-init enp2s0 to add ipv4.ignore-auto-dns yes alongside the existing ipv4.dns-search configuration. Keep the NetworkManager connection bring-up sequence the same so the new DNS behavior applies when the connection is reactivated.	internal/node/templates/user-data.yaml.tmpl

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#59	Ensure worker nodes in bootc-operator e2e tests reliably resolve registry.cluster.local (cluster DNS) by fixing the DNS configuration that causes flaky image pulls (ErrImagePull / ImagePullBackOff).	✅

Possibly linked issues

• #(unknown): PR disables auto DHCP DNS on passt NIC, directly fixing flaky cluster.local DNS in nested image tests.
• #N/A: PR removes DHCP DNS so worker nodes use only cluster DNS, directly fixing flaky registry.cluster.local resolution

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="internal/node/templates/user-data.yaml.tmpl" line_range="84" />
<code_context>
   - systemctl enable --now ostree-state-overlay@opt.service
   - systemctl enable --now qemu-guest-agent
-  - nmcli connection modify "cloud-init enp2s0" ipv4.dns-search "~{{.ClusterDomain}} {{.ClusterDomain}}"
+  - nmcli connection modify "cloud-init enp2s0" ipv4.dns-search "~{{.ClusterDomain}} {{.ClusterDomain}}" ipv4.ignore-auto-dns yes
   - nmcli connection up "cloud-init enp2s0"
   - systemctl enable --now crio
</code_context>
<issue_to_address>
**suggestion:** Consider whether IPv6 DNS auto-configuration should also be disabled for consistency.

Right now only IPv4 auto DNS is disabled via `ipv4.ignore-auto-dns yes`. In dual-stack setups (DNS via IPv6 RA/DHCPv6), this could lead to inconsistent DNS behavior between IPv4 and IPv6. Please decide explicitly whether `ipv6.ignore-auto-dns` should match this setting to avoid subtle interface-specific DNS differences.

```suggestion
  - nmcli connection modify "cloud-init enp2s0" ipv4.dns-search "~{{.ClusterDomain}} {{.ClusterDomain}}" ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: Consider whether IPv6 DNS auto-configuration should also be disabled for consistency.

Right now only IPv4 auto DNS is disabled via ipv4.ignore-auto-dns yes. In dual-stack setups (DNS via IPv6 RA/DHCPv6), this could lead to inconsistent DNS behavior between IPv4 and IPv6. Please decide explicitly whether ipv6.ignore-auto-dns should match this setting to avoid subtle interface-specific DNS differences.

Suggested change

	- nmcli connection modify "cloud-init enp2s0" ipv4.dns-search "~{{.ClusterDomain}} {{.ClusterDomain}}" ipv4.ignore-auto-dns yes
	- nmcli connection modify "cloud-init enp2s0" ipv4.dns-search "~{{.ClusterDomain}} {{.ClusterDomain}}" ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes