Support /etc/resolv.conf symlinks on the host by martinpitt · Pull Request #380 · containers/toolbox

martinpitt · 2020-02-26T22:34:32Z

If /etc/resolv.conf is already a symlink on the host [1], fix the link
target in toolbox to the corresponding /run/host/.

https://bugzilla.redhat.com/show_bug.cgi?id=1785244

[1] It's common to point it to /run/NetworkManager/resolv.conf or
/run/systemd/resolve/resolv.conf

martinpitt · 2020-02-26T22:37:27Z

I tested this with /etc/resolv.conf being a plain file and a symlink to /run/NetworkManager/resolv.conf (my usual configuration, to avoid writing to /etc), and it now behaves correctly in both cases.

Before that, networking was always broken by default, and I had to apply a hack. I didn't go with letting it point to /run/host/monitor/resolv.conf though, as that's just a bind-mount from the host's flatpak helper and I'd rather not introduce this assumption/dependency to resolv.conf handling.

softwarefactory-project-zuul · 2020-02-26T22:41:16Z

Build succeeded.

shellcheck : SUCCESS in 1m 16s
test-with-podman-stable-f30 : SUCCESS in 4m 37s
test-with-podman-stable-f31 : SUCCESS in 3m 53s
test-with-podman-rawhide : SUCCESS in 3m 36s

kronenpj

Looks like a sensible approach.

martinpitt · 2020-03-13T13:05:05Z

Argh, the ls -ld was a debugging leftover. I force-pushed to drop it. @kronenpj , do you mind to re-approve? Thanks for the review!

softwarefactory-project-zuul · 2020-03-13T13:09:38Z

Build failed.

shellcheck : SUCCESS in 1m 19s
test-with-podman-stable-f30 : SUCCESS in 3m 54s
test-with-podman-stable-f31 : SUCCESS in 3m 42s
test-with-podman-rawhide : RETRY_LIMIT in 7s

martinpitt · 2020-03-13T13:14:29Z

I can't look into that podman-rawhide failure (the logs are private or require logging in, etc?), but I don't think it's something that I caused. The previous version (with the leftover debug ls -ld) was passing, and the f30/f31 ones work.

kronenpj · 2020-03-13T13:22:42Z

I looked into that a bit as well. I'm guessing only a 'member' of the project can kick the job off again. You might ask @debarshiray for access.

If /etc/resolv.conf is already a symlink on the host [1], fix the link target in toolbox to the corresponding /run/host/<original target>. https://bugzilla.redhat.com/show_bug.cgi?id=1785244 [1] It's common to point it to /run/NetworkManager/resolv.conf or /run/systemd/resolve/resolv.conf #380

martinpitt · 2020-03-13T13:50:41Z

I force-pushed to trigger the job again, but I suppose it's rather some change/regression with podman itself in rawhide.

martymichal · 2020-03-13T13:55:47Z

Hi, @martinpitt! Seems like there's a problem with Zuul itself because the playbook won't even start. The other tests seem to be ok.

softwarefactory-project-zuul · 2020-03-13T13:56:08Z

Build failed.

shellcheck : SUCCESS in 1m 19s
test-with-podman-stable-f30 : SUCCESS in 3m 48s
test-with-podman-stable-f31 : SUCCESS in 3m 42s
test-with-podman-rawhide : RETRY_LIMIT in 7s

morucci · 2020-03-13T16:41:26Z

recheck

softwarefactory-project-zuul · 2020-03-13T16:47:23Z

Build failed.

shellcheck : SUCCESS in 2m 10s
test-with-podman-stable-f30 : SUCCESS in 4m 04s
test-with-podman-stable-f31 : SUCCESS in 4m 40s
test-with-podman-rawhide : FAILURE in 5m 12s

kronenpj · 2020-03-13T21:37:36Z

recheck

softwarefactory-project-zuul · 2020-03-13T21:42:08Z

Build succeeded.

shellcheck : SUCCESS in 1m 02s
test-with-podman-stable-f30 : SUCCESS in 3m 42s
test-with-podman-stable-f31 : SUCCESS in 3m 19s
test-with-podman-rawhide : SUCCESS in 4m 10s

There has been a long standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. There are many ways how to go about it. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. The first solution is the easiest short-term but not very good long-term. Second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and updating the target path. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink and if it is, it's target will be set as the new target. This is repeated if the new target is also a symlink. Then the function tries first to find the file before it creates the link. Based on: containers#380 [0] containers#187

There has been a long-standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. There are many ways how to go about it. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. The first solution is the easiest short-term but not very good long-term. The second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and updating the target path. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink and if it is, it's target will be set as the new target. This is repeated if the new target is also a symlink. Then the function tries first to find the file before it creates the link. Based on: containers#380 [0] containers#187

martinpitt · 2020-07-09T20:01:13Z

FTR, the exact same issue applies to the Go rewrite, but now of course this PR does not apply any more.

There has been a long-standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. There are many ways how to go about it. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. The first solution is the easiest short-term but not very good long-term. The second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and updating the target path. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink and if it is, it's target will be set as the new target. This is repeated if the new target is also a symlink. Then the function tries first to find the file before it creates the link. Based on: containers#380 [0] containers#187

There has been a long-standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. There are many ways how to go about it. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. The first solution is the easiest short-term but not very good long-term. The second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and updating the target path. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink and if it is, it's target will be set as the new target. This is repeated if the new target is also a symlink. The function looks for the links in the chain under /run/host where the host's filesystem is available. Based on: containers#380 [0] containers#187

There has been a long-standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. There are many ways how to go about it. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. The first solution is the easiest short-term but not very good long-term. The second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and updating the target path. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink and if it is, it's target will be set as the new target. This is repeated if the new target is also a symlink. The function looks for the links in the chain under /run/host where the host's filesystem is available. Relative symlinks are handled by this. Based on: containers#380 [0] containers#187

There has been a long-standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. There are many ways how to go about it. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. The first solution is the easiest short-term but not very good long-term. The second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and updating the target path. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink and if it is, it's target will be set as the new target. This is repeated if the new target is also a symlink. The function looks for the links in the chain under /run/host where the host's filesystem is available. Relative symlinks are handled by this (thanks Tudor Roman!). Based on: containers#380 [0] containers#187

There has been a long-standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. The first solution is the easiest short-term but not very good long-term. The second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and updating the target path. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink and if it is, it's target will be set as the new target. This is repeated if the new target is also a symlink. The function looks for the links in the chain under /run/host where the host's filesystem is available. Relative symlinks are handled by this (thanks Tudor Roman!). Based on: containers#380 [0] containers#187

There has been a long-standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. The first solution is the easiest short-term but not very good long-term. The second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and update the target path if the target is an invalid symlink. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink. If it's not then the symlinking is done right away. If it's a symlink then it is resolved. When the target is valid, symlinking proceeds normally. If it it's not then symlinking still proceeds but in two different ways depending on target being an absolute or a relative symlink: - absolute - target is prepended with /run/host (the target may not be invalid) - relative - target is not changed (the target will be invalid) This commit tries to rely on well-made relative symlinks. Those behave correctly even when they are placed in a different prefix (in Toolbox's case under /run/host). Thanks Tudor Roman for raising concern about relative links. Based on: containers#380 [0] containers#187

There has been a long-standing issue[0] when symlinking /etc/resolv.conf to /run/host/etc/resolv.conf (host's resolv.conf). Many solutions were proposed. Hardcode other paths, where the file could be, completely rely on tools like flatpak-session-helper that will track such files in a single directory, or update the symlinking function to follow symlinks and update the target path. [0] containers#187 The first solution is the easiest short-term but not very good long-term. The second solution is possibly the best long-term but there is a problem with using flatpak-session-helper. It cannot be used as root. That leaves the third option, follow symlinks and update the target path if the target is an invalid symlink. This commit takes the third approach to solve the issue. Now the target of the symlinking is first tested if it is a symlink. If it's not then the symlinking is done right away. If it's a symlink then it is resolved. When the target is valid, symlinking proceeds normally. If it it's not then symlinking still proceeds but in two different ways depending on target being an absolute or a relative symlink: - absolute - target is prepended with /run/host (the target may not be invalid) - relative - target is not changed (the target will be invalid) This commit tries to rely on well-made relative symlinks. Those behave correctly even when they are placed in a different prefix (in Toolbox's case under /run/host). Thanks Tudor Roman for raising concern about relative links. Based on: containers#380 containers#460

Currently toolbox containers can get misconfigured if some configuration files on the host are absolute symbolic links to some other location. For example, when systemd-resolved is used to manage /etc/resolv.conf on the host, and if the file is an absolute link to /run/systemd/resolve/stub-resolv.conf, then /etc/resolv.conf ends up being invalid inside the container. This happens because the container's /etc/resolv.conf points to /run/host/etc/resolv.conf, which in turn points to /run/systemd/resolve/stub-resolv.conf, but that's absent from the container. This is, of course, not a problem with relative symbolic links. If the host had a relative link to ../run/systemd/resolve/stub-resolv.conf, then it would continue to work inside the container. One solution would have been to use flatpak-session-helper to maintain a copy of the host's /etc/resolv.conf in $XDG_RUNTIME_DIR/.flatpak-helper/monitor. However, that doesn't work when toolbox(1) is run as root. The other option is to prepend the destination of the absolute symbolic link with /run/host to make it resolve inside the container. It might not work with funky links, but it's enough for the common case where a an administrator changed the host's /etc/resolv.conf into a sane, but absolute, symbolic link. Properly configured hosts should anyway use relative symbolic links, because they don't need to be adjusted in such scenarios. That's also what Fedora and Ubuntu do, by default. Thanks to Tudor Roman for raising a concern about relative symbolic links. Based on Martin Pitt's work on the POSIX shell implementation: containers#380 containers#187

debarshiray · 2020-08-28T12:35:03Z

@HarryMichal ported this to the Go implementation in #460

Thanks for pursuing this @martinpitt ! Much appreciated, and my apologies for the delay in getting to it.

debarshiray · 2020-08-28T12:36:37Z

I didn't go with letting it point to /run/host/monitor/resolv.conf though,
as that's just a bind-mount from the host's flatpak helper and I'd rather
not introduce this assumption/dependency to resolv.conf handling.

Yes, I agree.

We do currently use flatpak-session-helper for some of the configuration files, but we need to move away from it because it doesn't work with sudo toolbox ....

martinpitt · 2020-08-28T13:06:27Z

Thanks @debarshiray ! Glad to see that this is fixed at last.

kronenpj approved these changes Mar 13, 2020

View reviewed changes

martinpitt mentioned this pull request Apr 2, 2020

/etc/resolv.conf is broken when it's an absolute symbolic link on the host #187

Closed

martymichal mentioned this pull request May 27, 2020

cmd/initContainer: Try to handle config files that're absolute symlinks #460

Merged

martinpitt closed this Jul 9, 2020

martinpitt deleted the resolv-conf-link branch July 9, 2020 20:05

Conversation

martinpitt commented Feb 26, 2020

Uh oh!

martinpitt commented Feb 26, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

softwarefactory-project-zuul bot commented Feb 26, 2020

Uh oh!

kronenpj left a comment

Choose a reason for hiding this comment

Uh oh!

martinpitt commented Mar 13, 2020

Uh oh!

softwarefactory-project-zuul bot commented Mar 13, 2020

Uh oh!

martinpitt commented Mar 13, 2020

Uh oh!

kronenpj commented Mar 13, 2020

Uh oh!

martinpitt commented Mar 13, 2020

Uh oh!

martymichal commented Mar 13, 2020

Uh oh!

softwarefactory-project-zuul bot commented Mar 13, 2020

Uh oh!

morucci commented Mar 13, 2020

Uh oh!

softwarefactory-project-zuul bot commented Mar 13, 2020

Uh oh!

kronenpj commented Mar 13, 2020

Uh oh!

softwarefactory-project-zuul bot commented Mar 13, 2020

Uh oh!

martinpitt commented Jul 9, 2020

Uh oh!

debarshiray commented Aug 28, 2020

Uh oh!

debarshiray commented Aug 28, 2020

Uh oh!

martinpitt commented Aug 28, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

martinpitt commented Feb 26, 2020 •

edited

Loading