Transmission daemon cannot connect to trackers on unstable channel #98904

Closed
poscat0x04 opened this issue Sep 27, 2020 · 3 comments · Fixed by #103043

Comments

@poscat0x04
Contributor

poscat0x04 commented Sep 27, 2020

Describe the bug
Transmission daemon is unable to connect to trackers. This happened somewhere after commit 7f69fdd182ef28ae049417a2a41153640ac185c6.

relevant transmission daemon log:

Call to getaddrinfo_async with no evdns_base configured. (/build/source/libtransmission/trevent.c:232)

edit: I believe this is caused by commit 2a49db6a89efb8825379aa2211b183f734164b31 since the daemon is able to connect to trackers again after I commented out the systemd service file hardenings introduced in that commit.

To Reproduce
Steps to reproduce the behavior:

  1. enable transmission daemon
  2. add a torrent with transmission-remote -a <file>
  3. transmission-remote -t all -i -it

Expected behavior
The transmission daemon should be able to connect to trackers

Metadata

  • system: "aarch64-linux"
  • host os: Linux 5.4.66, NixOS, 21.03pre244045.1179840f9a8 (Okapi)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 3.0pre20200829_f156513
  • channels(root): "nixos-21.03pre244045.1179840f9a8, home-manager"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module: services/torrent/transmission.nix
@doronbehar
Contributor

IIRC I also experienced some tracker connection issues with transmission on my home server (it doesn't work right now so I can't verify). @ju1m maybe those hardenings at #92106 were too much?

@ju1m
Contributor

ju1m commented Oct 24, 2020

> edit: I believe this is caused by commit 2a49db6 since the daemon is able to connect to trackers again after I commented out the systemd service file hardenings introduced in that commit.

I haven't noticed such a tracker problem yet; in @poscat0x04's case it looks like libevent is not able to set up its DNS machinery.
@poscat0x04 would you be able to tell us a bit more about your DNS resolver setup?
Also, would you be able to bisect at the option level to get a subset of options to relax? The usual suspect is SystemCallFilter=, but it can also be a missing BindPaths= due to RootDirectory=, or something else. For that you can download https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/torrent/transmission.nix to /etc/nixos/transmission.nix, edit it to comment out options like:

# The following options are only for optimizing:
# systemd-analyze security transmission
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateNetwork = mkDefault false;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
# ProtectHome=true would not allow BindPaths= to work across /home,
# and ProtectHome=tmpfs would break statfs(),
# preventing transmission-daemon from reporting the available free space.
# However, RootDirectory= is used, so this is not a security concern
# since there would be nothing in /home but any BindPaths= wanted by the user.
ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
# AF_UNIX may become usable one day:
# https://github.com/transmission/transmission/issues/441
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallFilter = [
  "@system-service"
  # Groups in @system-service which do not contain a syscall
  # listed by perf stat -e 'syscalls:sys_enter_*' transmission-daemon -f
  # in tests, and seem likely not necessary for transmission-daemon.
  "~@aio" "~@chown" "~@keyring" "~@memlock" "~@resources" "~@setuid" "~@timer"
  # In the @privileged group, but reached when querying infos through RPC (eg. with stig).
  "quotactl"
];
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";

and put/merge in your /etc/nixos/configuration.nix:

disabledModules = [ "services/torrent/transmission.nix" ];
imports = [ ./transmission.nix ];

@dmanam
Contributor

dmanam commented Oct 26, 2020

It seems that systemd-resolved symlinks /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf. Adding that to BindReadOnlyPaths fixed this issue for me.
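
The failure mode reported in this thread, as an added example that is not part of the discussion or of nixpkgs: a file can be bound into a `RootDirectory=` sandbox while the symlink target it points to is not, so the resolver configuration dangles inside the unit. The function names and the temporary directory tree are constructed for illustration, and the check assumes each bind path appears at the same location inside the root (no `source:destination` remapping).

```shell
#!/bin/sh
# Added example (not nixpkgs code): would FILE still resolve inside a unit that
# uses RootDirectory= and only sees the given bind paths?

# is_covered CANDIDATE BIND... -> 0 if CANDIDATE equals or lies under a BIND path
is_covered() {
    candidate=$1; shift
    for bind in "$@"; do
        bind=${bind%/}                      # tolerate a trailing slash
        case "$candidate" in
            "$bind"|"$bind"/*) return 0 ;;
        esac
    done
    return 1
}

# check_resolv FILE BIND... -> prints a verdict; 0 = usable, 1 = unusable
check_resolv() {
    file=$1; shift
    if ! is_covered "$file" "$@"; then
        echo "missing: $file is not under any bind path"; return 1
    fi
    if [ ! -L "$file" ]; then
        echo "ok: $file is not a symlink"; return 0
    fi
    real=$(readlink -f -- "$file") || { echo "broken: $file"; return 1; }
    if is_covered "$real" "$@"; then
        echo "ok: $file -> $real"; return 0
    fi
    echo "dangling: $file -> $real (add the target to BindReadOnlyPaths=)"
    return 1
}

# Constructed fixture mimicking the systemd-resolved layout; prints its root.
make_fixture() {
    root=$(readlink -f -- "$(mktemp -d)")
    mkdir -p "$root/etc" "$root/run/systemd/resolve"
    echo "nameserver 127.0.0.53" > "$root/run/systemd/resolve/stub-resolv.conf"
    ln -s "$root/run/systemd/resolve/stub-resolv.conf" "$root/etc/resolv.conf"
    echo "$root"
}

r=$(make_fixture)
# Only /etc bound: the symlink is visible but its target is not.
check_resolv "$r/etc/resolv.conf" "$r/etc" || true
# With the target bound as well, as in the fix reported above.
check_resolv "$r/etc/resolv.conf" "$r/etc" "$r/run/systemd/resolve/stub-resolv.conf"
rm -rf "$r"
```

On a real host, call `check_resolv /etc/resolv.conf` followed by the unit's effective `BindPaths=` and `BindReadOnlyPaths=` entries.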
