[systemd-devel] systemd-resolved/NetworkManager resolv.conf handling
Petr Menšík
pemensik at redhat.com
Sun Nov 6 17:24:51 UTC 2022
Oh, understood. Then it is specific problem to Fedora, because I think
other distributions do not use systemd's implementation of resolvconf
binary.
I think original Debian resolvconf package does not use -a interface
parameter for anything serious. It just uses the same interface
identifier to pair -a and -d for the same connection.
On the other hand systemd's resolvconf tracks settings per interface and
it requires it to point to the real interface on the system. Of course
F5 client should use a real interface name it is going to use. I am not
sure what can be done for it on side of systemd. Perhaps systemd could
allow configuration of aliases, so it would allow to map eth0.f5 to tun0
interface. But that seems a mere workaround, F5 client should be
modified to call resolvconf once it knows used interface name, not
before that. It would be nice to issue a bug on F5 site. I haven't found
issue matching your description. It would be worth filling.
https://support.f5.com/csp/bug-tracker
On 11/2/22 16:20, Thomas HUMMEL wrote:
> On 10/31/22 12:19, Petr Menšík wrote:
>
> Hello, thank you and Barry as well for your answers
>
>
>> I would suggest using strace to find what exactly it does and what it
>> tries to modify. I expect sources for that client are not available.
>
> Well, digging a little deeper, here's what I've found out:
>
> 1) in the default case (described in my initial post), i.e.
>
> /etc/resolv.conf symlinked to systemd-resolved
> /run/systemd/resolve/stub-resolv.conf
> no dns nor rc.manager directives in NM config
> no F5 client NM profile
>
> The vpn client:
>
> a) backs up /etc/resolv.conf to /etc/resolv.conf.fp-saved
> b) readlinks the symlink
> c) execve's /sbin/resolvconf providing nameservers (thus trying to
> play along with systemd-resolved) but on the wrong interface on my
> Fedora (eth0.f5 instead of tun0) [besides with a deprecated and not
> used arg (-m)]
>
> execve("/sbin/resolvconf", ["/sbin/resolvconf", "-a", "eth0.f5",
> "-m 0"], 0x7ffd13bf8568 /* 30 vars */ <unfinished ...>
>
> d) set up tun0 interface and bring it up
>
> -> hence we end up with:
>
> a) /etc/resolv.conf.fp-saved as a regular file, copy of
> /run/systemd/resolve/stub-resolv.conf
> b) NM managed tun0 interface without and dns property in its
> profile nor any disk persistent profile
> c) unchanded /etc/resolv.conf (still linked to
> /run/systemd/resolve/stub-resolv.conf
>
> so, systemd-resolved not knowing about vpn nameservers and vpn
> nameresolution fails without workaround (like resolvectl dns adding
> the tun0 nameserver for instance)
>
> 2) with NM handling /etc/resolv.conf as a regular file, i.e.
>
> /etc symlink rm-ed
> dns=default
> rc.manager=file
>
> the F5 client consider it a 'legacy' setting and overwrite (which is
> wrong to me) NM managed /etc/resolv.conf regular file
>
> it restores it when stopped by copying back /etc/resolv.conf.fp-saved
That is exactly what it should do for a VPN, unless it knows a more
proper way to configure system DNS. Some packages like dnssec-trigger
prevents that by setting additional parameter to /etc/resolv.conf,
making it non-writeable even by root process. There is not a generic and
better way other than resolvconf. On Fedora resolvconf is provided just
for systemd-resolved in default installation. But it needs precise
interfaces used, unlike original implementation.
>
>
> So, basically I'd say there are 2 bugs :
>
> 1) legacy handling which seems to consider pre-NM era legacy
> 2) resolvconf call when systemd-resolved is used (at least on Fedora)
>
> In any case, I don't understand why it does not set the NM profile
> ipv4.dns property, which would let much more chances for NM and/or
> resolved to work
Does "nmcli c" command show F5 profile in green, when it is connected?
"nmcli c show <connection-name>" would provide all details it knows. I
am not sure how information obtained from VPN plugins should work. I
think network manager list has to be used for qualified response. It
seems to me only VPNs configured by NM plugin know configuration details.
>
> Anyway, this leaves 2 unanswered questions, the first of which was my
> initial one:
>
> 1) how could, when all resolv.conf-as-a-file-by-NM conf has been
> removed (by me) and symlink to stub has been restored (by me)
> systemd-resolved, with *no trace* of the vpn nameservers in its own
> /run/systemd/resolv/resolv.conf nor seemingly nowhere else, can be
> still aware of the vpn nameservers (as described in my initial post
> scenario) ?
>
> -> is there a persistent systemd-resolved cache on disk somewhere?
I don't think any persistent cache were ever on disk or that it would be
a good idea. Most dns caches are able to dump contents of cache
somewhere on request, but I haven't found a way to do that with resolvectl.
>
> 2) when running resolvconf by hand (resolvconf <int>) providing
> specific interface specific nameservers (on stdin), it seems to update
> the **global** /run/systemd/resolve/resolv.conf (hence making those
> nameservers available for all interfaces ?)
>
> -> Is there any other place where the specific ns <-> interface is
> persited or stored or is this global updating all there is ?
resolvconf might have some hacks to configure rules just for some
subdomains. openresolv can do something similar. But usually resolvconf
changes just global set of servers if the interface configured has
higher priority than previous. Returns them back when such interface is
stopped. resolvectl layer ignores -m parameter, but it pairs dns
configuration with real interface. AFAIK none such information is
persistent and is lost when systemd-resolved is restarted. But Network
Manager's plugins configures it from NM interfaces again. I doubt
external services unrelated to NM are handled, I think they have to
reconfigure systemd-resolved again after its restart. Nothing is stored
permanently.
>
> Thanks for your help
>
> --
> Thomas HUMMEL
>
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
More information about the systemd-devel
mailing list