podman build does not support host-gateway in --add-host

[sabae-valve]

Issue Description

Podman does not support the host-gateway shortcut in the build command.

Steps to reproduce the issue

I can run build on a simple Containerfile that just cat's out /etc/hosts:

$ podman build .
STEP 1/2: FROM busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 97e70d161e81 done   | 
Copying config ff7a7936e9 done   | 
Writing manifest to image destination
STEP 2/2: RUN cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       sabae-linux
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.21.20    host.containers.internal host.docker.internal
172.18.21.20    a05a8d14bd39
COMMIT
--> 81e303764a3e
81e303764a3eb46be04fff856ed870661e4b5c548b34235567a4da04c6436958

Attempting to define proxyhost to point to host-gateway results in:

$ podman build --add-host=proxyhost:host-gateway .
Error: invalid value for add-host: invalid IP address in add-host: "host-gateway"

However this works for podman run:

$ podman run -ti --add-host=proxyhost:host-gateway busybox cat /etc/hosts
169.254.1.2     proxyhost
127.0.0.1       localhost
127.0.1.1       sabae-linux
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
169.254.1.2     host.containers.internal host.docker.internal
172.18.21.20    68a406a6a9bc vigilant_villani

Describe the results you received

I received the error:

Error: invalid value for add-host: invalid IP address in add-host: "host-gateway"

Describe the results you expected

I expect host-gateway to work in podman build, as the documentation claims it should.

podman info output

This is a from-source build from the latest stable git tag as of this writing, `v5.4.2`:


$ podman info
host:
  arch: amd64
  buildahVersion: 1.39.4
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/libexec/podman/conmon
    version: 'conmon version 2.1.12, commit: 119db20187a4356abd4d31d76ad53063a7a2e85e'
  cpuUtilization:
    idlePercent: 98.43
    systemPercent: 0.74
    userPercent: 0.82
  cpus: 28
  databaseBackend: boltdb
  distribution:
    codename: oracular
    distribution: ubuntu
    version: "24.10"
  eventLogger: journald
  freeLocks: 2010
  hostname: sabae-linux
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.11.0-21-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 1817260032
  memTotal: 65732444160
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: Unknown
    path: /usr/local/libexec/podman/netavark
    version: netavark 1.14.1
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/local/bin/crun
    version: |-
      crun version 1.20.0.0.0.9-cc27f
      commit: 9c9a76ac11994701dd666c4f0b869ceffb599a66
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: /usr/local/bin/pasta
    package: Unknown
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 40333312
  swapTotal: 2147479552
  uptime: 220h 59m 38.00s (Approximately 9.17 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/sabae/.config/containers/storage.conf
  containerStore:
    number: 16
    paused: 0
    running: 0
    stopped: 16
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /data/podman/storage
  graphRootAllocated: 3779301580800
  graphRootUsed: 1364765515776
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1519
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /data/podman/storage/volumes
version:
  APIVersion: 5.4.2
  Built: 1746051873
  BuiltTime: Wed Apr 30 15:24:33 2025
  GitCommit: be85287fcf4590961614ee37be65eeb315e5d9ff
  GoVersion: go1.23.6
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

No response

[baude]

@flouthoc ptal and triage this ?

[flouthoc]

I'll take a look at this, thanks.

[Luap99]

like podman, buildah must allow host-gateway. Technically the etc/hosts backend code is already parsing all the right values so I suppose buildah could drop the cli level validation.