
Chmod / to 755 on containers started with remote api breaks dns #6789

Closed
42wim opened this issue Jun 26, 2020 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@42wim
Contributor

42wim commented Jun 26, 2020

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

Everything is run as the root user

  1. Enable the podman API
podman system service --time=0
  2. Run podman normally, change / to 755 (everything works fine)
# podman run --rm -ti ubuntu:latest                                              
root@0e7274956424:/# chmod 755 /
root@0e7274956424:/# apt-get update
Get:1 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:2 http://security.ubuntu.com/ubuntu focal-security InRelease [107 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [107 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease [98.3 kB]
Get:5 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [30.9 kB]
Get:6 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [147 kB]
Get:7 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [42.3 kB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [1077 B]
Get:9 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:11 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [270 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [143 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [1077 B]
Get:16 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [31.0 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [2900 B]
Fetched 14.1 MB in 1s (11.3 MB/s)
Reading package lists... Done
  3. Run podman remote, change / to 755 (to work around #6787, "remote api with podman 2.0.0 sets permissions of / to 600 instead of 755"); DNS stops working
# podman run --remote --rm -ti ubuntu:latest
root@3bc1e8350892:/# chmod 755 /
root@3bc1e8350892:/# apt-get update
Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu focal-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Describe the results you received:

DNS fails after chmod 755 /

Describe the results you expected:

DNS keeps working

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      2.0.0
API Version:  1
Go Version:   go1.13.4
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.18-1.el8.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.18, commit: 993c9938f035967b39e65e46dce6ae7d6cfbb898'
  cpus: 24
  distribution:
    distribution: '"centos"'
    version: "8"
  eventLogger: file
  hostname: icts-p-netconf-3
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-147.8.1.el8_1.x86_64
  linkmode: dynamic
  memFree: 22758936576
  memTotal: 67257278464
  ociRuntime:
    name: runc
    package: runc-1.0.0-64.rc9.module_el8.1.0+298+41f9343a.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 2147479552
  swapTotal: 2147479552
  uptime: 673h 35m 10.95s (Approximately 28.04 days)
registries:
  search:
  - registry.access.redhat.com
  - registry.fedoraproject.org
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 2
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 20
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.13.4
  OsArch: linux/amd64
  Version: 2.0.0

Package info (e.g. output of rpm -q podman or apt list podman):

rpm -q podman
podman-2.0.0-2.el8.x86_64
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 26, 2020
@42wim
Contributor Author

42wim commented Jun 26, 2020

It seems that as soon as the world execute bit is set it fails; 754 still works.
Also tried with --privileged --net=host --security-opt seccomp=unconfined, no difference.

@42wim
Contributor Author

42wim commented Jun 26, 2020

Reason found: the permissions of /etc/resolv.conf are incorrectly 0600 instead of 0644.
Probably related to #6787.

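The pattern in the comments above (DNS fine at 600 and 754 on /, broken at 755, root cause a 0600 /etc/resolv.conf) is what you get when an unprivileged process checks the path. The example below is added here and is not code from the issue or from podman: it applies the Unix permission rules for the "other" class to each path component and reports the first one that denies access. It assumes /etc is 0755 in every case, and it assumes (not stated on the page) that apt-get only drops to its unprivileged download user once it can traverse /, so the unreadable resolv.conf only matters after the world execute bit appears.

```python
import os
import stat

# Bits for the "other" class: a process that is neither the owner nor in the group.
O_R, O_X = stat.S_IROTH, stat.S_IXOTH


def other_can_read(dir_modes, file_mode):
    """Decide whether such a process can read a file.

    dir_modes: list of (name, mode) for each directory on the path, root first.
    file_mode: mode bits of the file itself.
    Every directory needs the search (execute) bit, the file needs the read bit.
    Returns (True, None) when readable, else (False, first denying component).
    """
    for name, mode in dir_modes:
        if not mode & O_X:
            return False, name
    if not file_mode & O_R:
        return False, "file"
    return True, None


# Constructed scenarios mirroring the issue; /etc at 0755 is an assumption.
SCENARIOS = {
    "remote api, untouched (/ is 0600)": ([("/", 0o600), ("/etc", 0o755)], 0o600),
    "remote api, chmod 754 /": ([("/", 0o754), ("/etc", 0o755)], 0o600),
    "remote api, chmod 755 /": ([("/", 0o755), ("/etc", 0o755)], 0o600),
    "local podman, chmod 755 /": ([("/", 0o755), ("/etc", 0o755)], 0o644),
}


def evaluate(scenarios=SCENARIOS):
    """Run every scenario; only the 755 + 0600 case reaches the file and is denied there."""
    return {name: other_can_read(dirs, fmode) for name, (dirs, fmode) in scenarios.items()}


def audit_path(path="/etc/resolv.conf"):
    """Same check against the live filesystem, e.g. run inside the affected container."""
    path = os.path.abspath(path)
    dirs, cur = [], os.path.dirname(path)
    while True:
        dirs.append((cur, os.stat(cur).st_mode))
        if cur == os.sep:
            break
        cur = os.path.dirname(cur)
    dirs.reverse()  # root first, as other_can_read expects
    return other_can_read(dirs, os.stat(path).st_mode)


if __name__ == "__main__":
    for name, (ok, blocker) in evaluate().items():
        print(f"{name:40s} readable={ok} denied_at={blocker}")
```

When / is not traversable the walk stops at "/" before the file is ever examined, which is why the 0600 resolv.conf goes unnoticed until chmod 755 / opens the way to it.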
@42wim 42wim closed this as completed Jun 26, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023