Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dont use resolveconf on systemd #70

Merged
merged 6 commits into from
May 26, 2020
Merged

dont use resolveconf on systemd #70

merged 6 commits into from
May 26, 2020

Conversation

yuval-k
Copy link
Member

@yuval-k yuval-k commented May 18, 2020

trying to address:
#58
#50

it seems like mounting resolv.conf by default lead to failures in systemd systems.

this makes it so it is not mounted on known systemd images.
I'm open for discussion of what's the best way here. mount it on known images? add mount_ressolv boolean option? any other ideas?
cc @joshuaspence @hoshsadiq @micchickenburger

@joshuaspence
Copy link
Contributor

I had a bit of a look into this. The original error in #58 is because os.Stat seems to suggest that /etc/resolv.conf doesn't exist (because it is a symlink to a path that doesn't exist), but os.MkdirAll("/etc/resolv.conf", 0755) fails. I think we can fix this by using os.Lstat instead of os.Stat.

I don't think you need to do anything with /run/systemd.

@joshuaspence
Copy link
Contributor

I tried using os.Lstat instead of os.Stat but have now run into this problem: https://unix.stackexchange.com/questions/429724/how-do-i-mount-a-file-on-top-of-a-broken-symbolic-link

@yuval-k
Copy link
Member Author

yuval-k commented May 18, 2020

i see; so you are saying we should avoid mounting it if it exist.
maybe i'll add an optional mounts field that ignores errors and add resolve conf there?

@joshuaspence
Copy link
Contributor

No, you have to mount it (I think). I mounted the Ubuntu Raspberry Pi image without mounting /etc/resolv.conf and its borked.

root@mnt:/# dig google.com
Unsupported ancillary data: 0/1
Unsupported setsockopt level=41 optname=67
Unsupported setsockopt level=41 optname=66
Unsupported ancillary data: 41/67
Unsupported setsockopt level=41 optname=66
socket.c:2411: setsockopt(20, IPV6_RECVTCLASS) failed: Protocol not available

I am using systemd-nspawn here so it might be doing some magic but things start working if I add --bind /etc/resolv.conf.

root@mnt:/# ls -al /etc/resolv.conf 
lrwxrwxrwx 1 root root 39 Apr 24 01:02 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

@yuval-k
Copy link
Member Author

yuval-k commented May 20, 2020

what about copying it instead of mounting it?

@yuval-k
Copy link
Member Author

yuval-k commented May 20, 2020

@joshuaspence updated pr to copy resolv conf. do you think this will help? i can make the copy default on / optional off.

@hoshsadiq
Copy link
Contributor

In my opinion to maintain backwards compatibility it should default to off.

In addition, can I suggest a possibly different approach. Often the reason for @joshuaspence original issue is because of DNS server is misconfigured or unreachable for one reason or another. In theory it's addressable without resolv.conf hacks like this, but that's usually a lot more time consuming, so this is in general easier. My suggestion is, instead of touching resolv.conf file, you could have an option for custom DNS entries, which, if set, simply writes a minimal resolv.conf file with just the DNS entries (nameserver <entry> for each entry item). What do you think?

@joshuaspence
Copy link
Contributor

Copying is not a good idea as then the file ends up in the image being created. I think we can probably bind mount both /run and /etc/resolve.conf (I think you would need to do /run first)

@hoshsadiq this technique (mounting resolve.conf inside a chroot) is quite common and is very similar to what systemd-nspawn.

@joshuaspence
Copy link
Contributor

For example, arch-chroot (https://wiki.archlinux.org/index.php/Chroot) does this too

@yuval-k yuval-k changed the title dont use resolveconf on system dont use resolveconf on systemd May 20, 2020
@yuval-k
Copy link
Member Author

yuval-k commented May 20, 2020

if the issue that the file ends up in the image, we can make sure it is cleaned up if it was created.

I'm a bit scared bind mounting /run as this gives the image access to the host /run we might be destructive if these are different distributions, no?

@micchickenburger
Copy link

micchickenburger commented May 20, 2020 via email

@joshuaspence
Copy link
Contributor

I think the best solution would be to mimic systemd-nspawn here. In systemd/systemd#9024 they added --resolv-conf (available from version 239). From https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--resolv-conf:

Configures how /etc/resolv.conf inside of the container (i.e. DNS configuration synchronization from host to container) shall be handled. Takes one of off, copy-host, copy-static, bind-host, bind-static, delete or auto. If set to off the /etc/resolv.conf file in the container is left as it is included in the image, and neither modified nor bind mounted over. If set to copy-host, the /etc/resolv.conf file from the host is copied into the container. Similar, if bind-host is used, the file is bind mounted from the host into the container. If set to copy-static the static resolv.conf file supplied with systemd-resolved.service(8) is copied into the container, and correspondingly bind-static bind mounts it there. If set to delete the /etc/resolv.conf file in the container is deleted if it exists. Finally, if set to auto the file is left as it is if private networking is turned on (see --private-network). Otherwise, if systemd-resolved.service is connectible its static resolv.conf file is used, and if not the host's /etc/resolv.conf file is used. In the latter cases the file is copied if the image is writable, and bind mounted otherwise. It's recommended to use copy if the container shall be able to make changes to the DNS configuration on its own, deviating from the host's settings. Otherwise bind is preferable, as it means direct changes to /etc/resolv.conf in the container are not allowed, as it is a read-only bind mount (but note that if the container has enough privileges, it might simply go ahead and unmount the bind mount anyway). Note that both if the file is bind mounted and if it is copied no further propagation of configuration is generally done after the one-time early initialization (this is because the file is usually updated through copying and renaming). Defaults to auto.

#48 is relevant here :)

@yuval-k
Copy link
Member Author

yuval-k commented May 24, 2020

ok, I think we now have all the options. feedback is welcome

@yuval-k
Copy link
Member Author

yuval-k commented May 24, 2020

will merge and in a day or two if no objections

@yuval-k yuval-k merged commit 536e21e into master May 26, 2020
@yuval-k yuval-k deleted the resolv-systemd branch May 29, 2020 14:24
@yuval-k yuval-k mentioned this pull request Jun 1, 2020
Closed
yurasmetanka pushed a commit to yurasmetanka/pwnagotchi that referenced this pull request Oct 20, 2024
use resolve-conf config solo-io/packer-plugin-arm-image#70
f196719
yurasmetanka pushed a commit to yurasmetanka/pwnagotchi that referenced this pull request Oct 20, 2024
use resolve-conf config solo-io/packer-plugin-arm-image#70
84ad9b7
yurasmetanka pushed a commit to yurasmetanka/pwnagotchi that referenced this pull request Oct 20, 2024
use resolve-conf config solo-io/packer-plugin-arm-image#70
0a600ed
yurasmetanka pushed a commit to yurasmetanka/pwnagotchi that referenced this pull request Oct 20, 2024
use resolve-conf config solo-io/packer-plugin-arm-image#70
226c701
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@yuval-k @joshuaspence @hoshsadiq @micchickenburger