Control: tags -1 = patch

Am 12.11.2017 um 00:33 schrieb Alex King:

> So it seems like this will be a problem for stretch systems with
> usrmerge enabled, and are not using systemd-resolved

Indeed, these are the conditions under which you can trigger this issue.

Looking through the git history, to fix this issue we'd have to backport the following upstream commits:
7debb05dbe1f157e5f07c9bffa98fbe33e1b514e
b053cd5f8e48e04ac576296404848bbb8dd26854
7357272ed1c2c7a139c9ecbc8f3b8f63f71dd0b0

That seems like a bit much for a stable upload and I'm not sure if the
stable release managers are ok with such a change, given that this only
affects usrmerged systems.

If you want to see this fixed in stretch, please consider talking to the
stable release managers and get an ok.

I'm attaching the necessary patches. As for buster, the issue is already
fixed there.

Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
From ce15fd8f60433530f4a157299f711c9fc85ecf14 Mon Sep 17 00:00:00 2001
From: Christian Hesse <m...@eworm.de>
Date: Wed, 9 Nov 2016 04:01:26 +0100
Subject: [PATCH 1/3] nspawn: fix condition for mounting resolv.conf (#4622)

The file /usr/lib/systemd/resolv.conf can be stale; its presence does not tell us
whether systemd-resolved is actually running.
So check for /run/systemd/resolve/resolv.conf as well, which is created
at runtime and hence is a better indication.

(cherry picked from commit 7debb05dbe1f157e5f07c9bffa98fbe33e1b514e)
---
 src/nspawn/nspawn.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c56af6e6f..608ad0598 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1309,7 +1309,8 @@ static int setup_resolv_conf(const char *dest) {
         /* Fix resolv.conf, if possible */
         where = prefix_roota(dest, "/etc/resolv.conf");
 
-        if (access("/usr/lib/systemd/resolv.conf", F_OK) >= 0) {
+        if (access("/run/systemd/resolve/resolv.conf", F_OK) >= 0 &&
+                        access("/usr/lib/systemd/resolv.conf", F_OK) >= 0) {
                 /* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the
                  * container, so that the container can use the host's resolver. Given that network namespacing is
                  * disabled it's only natural of the container also uses the host's resolver. It also has the big
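Review bot: The strengthened condition is still an existence test, so a /run/systemd/resolve/resolv.conf left behind by a resolved that exited uncleanly keeps selecting the bind-mount branch; access(F_OK) says nothing about whether the service is alive, and the comment on the branch ("resolved is enabled on the host") overstates what has been established. A one-line caveat would keep the next reader from trusting it, e.g. `/* Heuristic: both files can outlive resolved itself, see #4622 */`. The static path is also hard-coded: on a Debian host without usrmerge the file presumably lives under /lib/systemd, so the check never fires there even when resolved is running — if the build exposes a rootlibdir-style path constant it would be safer than the literal. setup_resolv_conf continues outside the hunk.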
-- 
2.15.0

From ac0e333259054ccb2bd09bb4841616efe3b53d02 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lenn...@poettering.net>
Date: Thu, 16 Feb 2017 17:56:10 +0100
Subject: [PATCH 2/3] nspawn: tweak check whether resolved is around a bit

Let's check D-Bus instead of files in /run to see if resolved is
running. This is a bit nicer as bus names are automatically cleaned up
when resolved dies, which is not the case for files in /run.

See: #4649
(cherry picked from commit b053cd5f8e48e04ac576296404848bbb8dd26854)
---
 src/nspawn/nspawn.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 608ad0598..d641acb10 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -40,6 +40,7 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#include "sd-bus.h"
 #include "sd-daemon.h"
 #include "sd-id128.h"
 
@@ -48,6 +49,7 @@
 #include "base-filesystem.h"
 #include "blkid-util.h"
 #include "btrfs-util.h"
+#include "bus-util.h"
 #include "cap-list.h"
 #include "capability-util.h"
 #include "cgroup-util.h"
@@ -1297,6 +1299,19 @@ static int setup_timezone(const char *dest) {
         return 0;
 }
 
+static int resolved_running(void) {
+        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
+        int r;
+
+        /* Check if resolved is running */
+
+        r = sd_bus_open_system(&bus);
+        if (r < 0)
+                return r;
+
+        return bus_name_has_owner(bus, "org.freedesktop.resolve1", NULL);
+}
+
 static int setup_resolv_conf(const char *dest) {
         const char *where = NULL;
         int r;
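Review bot: resolved_running() returns three kinds of value — a negative errno from sd_bus_open_system, and 0 or positive from bus_name_has_owner — but its only comment is "Check if resolved is running", so a caller cannot tell that a failed bus connection is reported as an error rather than as "not running". Suggest replacing that comment with `/* Returns > 0 if org.freedesktop.resolve1 has an owner on the system bus, 0 if it does not, negative errno if the bus could not be queried. */`. The bus query is presumably a synchronous round-trip, so a wedged dbus-daemon can now stall container start-up until the bus method timeout, which the old access() check could not do; worth a sentence in the commit message. The hunk cuts into the start of setup_resolv_conf, whose body continues below.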
@@ -1309,8 +1324,9 @@ static int setup_resolv_conf(const char *dest) {
         /* Fix resolv.conf, if possible */
         where = prefix_roota(dest, "/etc/resolv.conf");
 
-        if (access("/run/systemd/resolve/resolv.conf", F_OK) >= 0 &&
-                        access("/usr/lib/systemd/resolv.conf", F_OK) >= 0) {
+        if (access("/usr/lib/systemd/resolv.conf", F_OK) >= 0 &&
+            resolved_running() > 0) {
+
                 /* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the
                  * container, so that the container can use the host's resolver. Given that network namespacing is
                  * disabled it's only natural of the container also uses the host's resolver. It also has the big
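Review bot: `resolved_running() > 0` folds a negative return into the fall-through branch, so when nspawn starts before dbus-daemon is up (an early systemd-nspawn@ unit at boot) or on a host without D-Bus, the container silently gets the host's /etc/resolv.conf copied instead of the resolved stub, with nothing in the log to explain the choice. Capture the result and log the failure before deciding: `r = resolved_running(); if (r < 0) log_debug_errno(r, "Failed to check whether systemd-resolved is running, assuming it is not: %m");` — this assumes nspawn has the usual systemd logging helpers in scope, which the hunk does not show. setup_resolv_conf continues past the end of the hunk.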
-- 
2.15.0

From 5726bd456216b9002a4f01490f0522d234b3224c Mon Sep 17 00:00:00 2001
From: David Michael <david.mich...@coreos.com>
Date: Wed, 8 Mar 2017 12:45:03 -0800
Subject: [PATCH 3/3] nspawn: check if the DNS stub is listening for requests

(cherry picked from commit 7357272ed1c2c7a139c9ecbc8f3b8f63f71dd0b0)
---
 src/nspawn/nspawn.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index d641acb10..e6f0144bb 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1299,17 +1299,32 @@ static int setup_timezone(const char *dest) {
         return 0;
 }
 
-static int resolved_running(void) {
+static int resolved_listening(void) {
         _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
+        _cleanup_free_ char *dns_stub_listener_mode = NULL;
         int r;
 
-        /* Check if resolved is running */
+        /* Check if resolved is listening */
 
         r = sd_bus_open_system(&bus);
         if (r < 0)
                 return r;
 
-        return bus_name_has_owner(bus, "org.freedesktop.resolve1", NULL);
+        r = bus_name_has_owner(bus, "org.freedesktop.resolve1", NULL);
+        if (r <= 0)
+                return r;
+
+        r = sd_bus_get_property_string(bus,
+                                       "org.freedesktop.resolve1",
+                                       "/org/freedesktop/resolve1",
+                                       "org.freedesktop.resolve1.Manager",
+                                       "DNSStubListener",
+                                       NULL,
+                                       &dns_stub_listener_mode);
+        if (r < 0)
+                return r;
+
+        return STR_IN_SET(dns_stub_listener_mode, "udp", "yes");
 }
 
 static int setup_resolv_conf(const char *dest) {
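Review bot: resolved_listening() now has two distinct failure sources — sd_bus_open_system / bus_name_has_owner on the bus itself, and sd_bus_get_property_string on a resolved that owns the name but does not answer the DNSStubListener property — and both come back as a negative errno indistinguishable from each other, while "owns the name but stub is off" comes back as 0. The comment "Check if resolved is listening" should spell that contract out, e.g. `/* Returns > 0 if resolved owns its bus name and its DNS stub listener accepts UDP, 0 if resolved is absent or the stub is off/tcp-only, negative errno if the bus or the property could not be queried. */`. Treating a "tcp"-only stub as not listening is defensible if the libc resolver in the container tries UDP first, but that reasoning is not visible here and deserves a short comment next to the STR_IN_SET line. The function is complete in the hunk; setup_resolv_conf begins at its last line and continues below.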
@@ -1325,7 +1340,7 @@ static int setup_resolv_conf(const char *dest) {
         where = prefix_roota(dest, "/etc/resolv.conf");
 
         if (access("/usr/lib/systemd/resolv.conf", F_OK) >= 0 &&
-            resolved_running() > 0) {
+            resolved_listening() > 0) {
 
                 /* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the
                  * container, so that the container can use the host's resolver. Given that network namespacing is
-- 
2.15.0

Attachment: signature.asc
Description: OpenPGP digital signature
