running tinc via systemd does not seem to able to use dns

[mogorman]

Issue description

Before I upgraded to 16.03 I had a tinc use dns to find the vpn host it connects to. Since upgrading to 16.03 it no longer seems to be able to use dns. if I change the dns name to a static ip my problem of connecting to the vpn goes away.

Steps to reproduce

Setup a tinc environment using hostnames and not static ips

Technical details

16.03.498.f8a5d1e (Emu)
nix-env (Nix) 1.11.2
"16.03.498.f8a5d1e"

journalctl output

Apr 03 20:59:03 toadman polkitd[1076]: Registered Authentication Agent for unix-process:26530:3445431 (system bus name :1.78 [/run/current-system/sw/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 03 20:59:03 toadman systemd[1]: Starting Tinc Daemon - mavericks...
Apr 03 20:59:03 toadman systemd[1]: Started Tinc Daemon - mavericks.
Apr 03 20:59:03 toadman audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=tinc.mavericks comm="systemd" exe="/nix/store/m04qal8fw9pchqj4h5q9m54hvqh4grrd-systemd-229/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 03 20:59:03 toadman kernel: audit: type=1130 audit(1459731543.792:167): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=tinc.mavericks comm="systemd" exe="/nix/store/m04qal8fw9pchqj4h5q9m54hvqh4grrd-systemd-229/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 03 20:59:03 toadman tinc.mavericks-start[26541]: tincd 1.1pre-2016-01-28-d8ca00f (Jan  1 1970 00:00:01) starting, debug level 0
Apr 03 20:59:03 toadman tinc.mavericks-start[26541]: /dev/net/tun is a Linux tun/tap device (tun mode)
Apr 03 20:59:03 toadman polkitd[1076]: Unregistered Authentication Agent for unix-process:26530:3445431 (system bus name :1.78, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 03 20:59:03 toadman NetworkManager[979]: <warn>  (tinc.mavericks): arping could not be found; no ARPs will be sent
Apr 03 20:59:03 toadman tinc.mavericks-start[26541]: Ready
Apr 03 20:59:03 toadman tinc.mavericks-start[26541]: Error looking up MYHOST.com port 443: No address associated with hostname
Apr 03 20:59:03 toadman dbus[915]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Apr 03 20:59:03 toadman systemd[1]: Starting Network Manager Script Dispatcher Service...
Apr 03 20:59:03 toadman dbus[915]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Apr 03 20:59:03 toadman audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/nix/store/m04qal8fw9pchqj4h5q9m54hvqh4grrd-systemd-229/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 03 20:59:03 toadman kernel: audit: type=1130 audit(1459731543.861:168): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/nix/store/m04qal8fw9pchqj4h5q9m54hvqh4grrd-systemd-229/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 03 20:59:03 toadman systemd[1]: Started Network Manager Script Dispatcher Service.
Apr 03 20:59:03 toadman nm-dispatcher[26553]: Dispatching action 'up' for tinc.mavericks
Apr 03 20:59:03 toadman systemd[1]: Reached target Services Requiring IP Connectivity.
Apr 03 20:59:03 toadman systemd[1]: Reached target Network is Online.
Apr 03 20:59:05 toadman ntpd[807]: Listen normally on 12 tinc.mavericks 172.16.50.42:123
Apr 03 20:59:05 toadman ntpd[807]: new interface(s) found: waking up resolver
Apr 03 20:59:06 toadman NetworkManager[979]: <warn>  (tinc.mavericks): arping could not be found; no ARPs will be sent
Apr 03 20:59:08 toadman tinc.mavericks-start[26541]: Error looking up MYHOST.com port 443: No address associated with hostname

[domenkozar]

cc @globin

[globin]

@fpletz will look at this later

[fpletz]

Hmm, I can't reproduce this here. Name resolution works for me within tinc. Also using tinc_pre in the same version.

Have you checked that name resolution works in general on that host?

[mogorman]

Yes name resolution is fine on the host, and works fine when i call the tinc scripts as root.

[mogorman]

https://github.com/mogorman/dotfiles/blob/master/nixos/tinc.nix
https://github.com/mogorman/dotfiles/tree/master/nixos

are my configs

[mogorman]

so I figured out what caused this issue, in upgrade chroot=true; is now the default. Setting my chroot=false; resolves the issue. Does anyone have a method for pulling in the resolv.conf in the chroot? Or do people get around this issue by just not using dns?

[domenkozar]

in upgrade chroot=true; is now the default.

Huh, can you back this off with some link(s)?

[mogorman]

5c19830

so before there was no chroot flag being passed, so tincs default was to set it false. now the service is passing it and setting it to true by default. which is fine it adds more security just a change from 15.07 to 16.03, and at least currently im not sure how to enable this feature and still get dns correctly into the chroot.

[wkennington]

triton/triton@da08fa6
On Tue, Apr 5, 2016 at 7:02 AM mogorman notifications@github.com wrote:

5c19830
5c19830

so before there was no chroot flag being passed, so tincs default was to
set it false. now the service is passing it and setting it to true by
default. which is fine it adds more security just a change from 15.07 to
16.03, and at least currently im not sure how to enable this feature and
still get dns correctly into the chroot.

—
You are receiving this because you are subscribed to this thread.

Reply to this email directly or view it on GitHub
#14433 (comment)

[mogorman]

that looks like a good fix if chroot is enabled we should do that

[mogorman]

i tested chroot on my box and it seems to be resolving dns correctly now.

[doronbehar]

I can confirm that even with today's version - 19.03, I need to set chroot = false; in order for DNS to work. I wonder if it's an upstream issue but I don't mind it.

[joepie91]

See also #66432.