/etc/ network namespace overlay not working when using nsdo

[luminoso]

According to ip-netns man page, each network namespace can have its own set of configurations. I don't know if it due to a bug or a limitation, but in my case that I'm firewalled of using other DNS servers than local nsdo can't resolve anything.

Example for the case of using OpenDNS servers:

$ nsdo vpn cat /etc/resolv.conf                                                                                                                                          
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.16.0.1

Different result when using ip netns directly:

$ sudo ip netns exec vpn sudo -u gjc cat /etc/resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220

Which also results in different connectivity:

$ nsdo vpn ping sapo.pt                                                                                                                                                     
^C

Versus ip netns:

$ sudo ip netns exec vpn sudo -u gjc ping sapo.pt                                                                                                                      
PING sapo.pt (213.13.146.142) 56(84) bytes of data.
64 bytes from sapo.pt (213.13.146.142): icmp_seq=1 ttl=246 time=97.0 ms
64 bytes from sapo.pt (213.13.146.142): icmp_seq=2 ttl=246 time=98.7 ms
^C
--- sapo.pt ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 97.088/97.901/98.714/0.813 ms

The workaround is obviously run ip netns rather then nsdo :-)

[ausbin]

#2, #3

not sure which to use, would appreciate any advice

[luminoso]

Sorry I didn't saw the pull requests.

Well...
#3 doesn't work for me.
#2 does work.

[ytoku]

#3 works for me.

To use overlay fs is good idea.
Unbinding resolv.conf after suspend/resume bothers me.

But netns.sh makes it difficult to use nsdo.
I think nsdo command should set up the filesystem when nsdo uses the namespace for the first time.

[ausbin]

@ytoku thanks for taking a look at #3. I think it's the best approach too, but I agree that netns.sh is clumsy.

part of the reason i've been slow on this (sorry) is that i don't really understand how other people use nsdo (i never expected other people to), and why netns.sh is less convenient for example. do y'all do something like https://austinjadams.com/blog/running-select-applications-through-openvpn/ or something else?

[ausbin]

also @danifss and @luminoso 👆

[luminoso]

I started by using it for rtorrent at home, where I do not have external DNS firewalled. At the moment i'm using nsdo to have multiple working profiles (such as firefox running inside a VPN). I remember using #2 or #3 when I had external dns blocked.

I've added the "Help wanted" section to Copr nsdo build, maybe some of the currently 50 users can share some feedback.

[ausbin]

Hi,

Life circumstances have changed and I'm using VPNs on GNU/Linux again, so I tried to fix this. Let me know what y'all think

Closing this for the moment but feel free to reopen

[luminoso]

Thank you for notifying.
I also did a new release at https://copr.fedorainfracloud.org/coprs/luminoso/nsdo/ and enabled a bunch of new distro support 😄

[animaldaydream]

Hi. I can't get resolv.conf to point to /etc/{NSNAME}/resolv.conf.

Could be some compatibility issue with ZFS but I really don't know where to begin to troubleshoot. I also don't know if it's the same bug at all but I need to make sure.

Running the Copr build (thank you) on Fedora 36.

[ausbin]

@animaldaydream We can troubleshoot, but I don't know much about this copr build. Do you know what commit ID it is using? Also, unfortunately due to overlayfs trolling, you have to put files in /var/ns-etc/NSNAME/ instead of /etc/netns/NSNAME/. I'm wondering if that has been fixed in overlayfs actually since early 2021; if so, we can change it back to use /etc/netns/NSNAME/. (Unfortunately, I don't have time to test this at the moment)

[ausbin]

@animaldaydream I created #14 to track this, thank you for bringing this up, very interesting

[animaldaydream]

/var/ns-etc/NSNAME/ works!

On a side note, adding the resolv.conf file in that path fixes Flatpaks not running. I don't know why they started failing but I assume it happened sometime when I updated my Fedora install, and I just now noticed because I hadn't performed a reboot yet.

flatpak/flatpak#427