Vault 0.3.1 does not respect Mac OS X VPN DNS resolution. #712
I don't know much about the OSX DNS subsystem, but my guess is that this is related to the fact that 0.2 was built on OSX and incorrectly created a dynamic build rather than a static build. In 0.3.1 (0.3 on all platforms except amd64_linux) we are forcing a static build, which means that cgo is not enabled at build time. This may change resolver behavior as it means that native Go DNS resolution is being used. From searching around it seems that you can adjust this at runtime using |
@jefferai Thanks. I tried that and it doesn't fix the problem. I was able to pull the latest version of the Hashicorp
|
Hi @hobbeswalsh , In GODEBUG you have |
You can combine flags, as per https://golang.org/pkg/net/ |
Oh, I see -- the plus sign denotes a debugging level (multiple debug flags are joined by commas, so I was confused). Given that |
I don't know all that much about how Go does name resolution but I'm wondering if the runtime flag they indicate only actually works if the binary was built with cgo enabled in the first place. It's not what the documentation says, but it might just not be clear or correct, if using the cgo resolution method requires being dynamically linked to some host resolver library (and it doesn't pull that into the static build, which it could). |
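The GODEBUG syntax worked out in the comments above (commas separate GODEBUG settings, a plus sign joins the netdns resolver mode to its debug level), as an added example that is not part of the thread and not Vault or Go source code. `NetDNS` and `ParseNetDNS` are hypothetical names, and the sample strings in `main` are constructed.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// NetDNS is a hypothetical type for this example, not part of Go or Vault.
type NetDNS struct {
	Mode  string // "go", "cgo", or "" if no mode was requested
	Debug int    // 0 if no debug level was requested
}

// ParseNetDNS reads a GODEBUG value. Commas separate GODEBUG settings;
// inside netdns, '+' separates the resolver mode from the debug level.
func ParseNetDNS(godebug string) (NetDNS, error) {
	var out NetDNS
	for _, kv := range strings.Split(godebug, ",") {
		key, val, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok || key != "netdns" {
			continue // another setting, or a stray token such as "1"
		}
		out = NetDNS{} // if netdns appears twice, keep the last one
		for _, part := range strings.SplitN(val, "+", 2) {
			if n, err := strconv.Atoi(part); err == nil {
				out.Debug = n
			} else if part == "go" || part == "cgo" {
				out.Mode = part
			} else if part != "" { // rejecting other values is this example's choice
				return NetDNS{}, fmt.Errorf("unrecognized netdns value %q", part)
			}
		}
	}
	return out, nil
}

func main() {
	// Constructed sample values; pass your own GODEBUG strings as arguments.
	inputs := []string{"netdns=cgo+1", "netdns=cgo,1", "netdns=go,gctrace=1", os.Getenv("GODEBUG")}
	if len(os.Args) > 1 {
		inputs = os.Args[1:]
	}
	for _, in := range inputs {
		cfg, err := ParseNetDNS(in)
		fmt.Printf("%-22q mode=%-5q debug=%d err=%v\n", in, cfg.Mode, cfg.Debug, err)
	}
}
```

Note how `netdns=cgo,1` loses the debug level: the comma ends the netdns setting, so the `1` is read as a separate, unrelated token.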
I am seeing this issue as well in Vault 0.5.1. I can confirm that issue does not occur in Vault 0.2.1. I have not yet tested on versions > 0.2.1 and < 0.3.1, but it is clear the issue was introduced somewhere in one of those versions, if not in 0.3.1 itself. |
It's not a Vault issue, it's a Go issue. The binaries we distribute are built statically, hence it uses Go's internal DNS resolver. We do not plan on changing the build method, however, you can rebuild yourself using dynamic linking to see if that helps. See the Name Resolution section in https://golang.org/pkg/net/ for more details. You can change this behavior at runtime, but I believe only if the program was built dynamically in the first place. |
- Add option “with-dynamic” to vault, in order to optionally build with CGO_ENABLED
- This is a common use case for VPN users on Mac OS X
- See: hashicorp/vault#1159, hashicorp/vault#712
Closes #7238.
Signed-off-by: Alex Dunn <dunn.alex@gmail.com>
For anyone on macOS who has DNS issues with vault installed from homebrew, and is Googling to figure out what's wrong, here's your solution as of today.
brew install go
mkdir -p ~/.golang/src/github.com/hashicorp
if [ -z "$GOPATH" ]; then
  echo "export GOPATH=~/.golang" >> ~/.bash_profile
  # Escape $GOPATH as well as $PATH so both are expanded when the profile is sourced,
  # not at echo time (when GOPATH is still empty).
  echo "export PATH=\$GOPATH/bin:\$PATH" >> ~/.bash_profile
  source ~/.bash_profile
fi
git clone https://github.com/hashicorp/vault.git ~/.golang/src/github.com/hashicorp/vault
WD=$(pwd)
cd ~/.golang/src/github.com/hashicorp/vault
# Important part is the `make dev-dynamic`.
# That sets a variable that forces Go to use the cgo DNS resolver.
make bootstrap && make dev-dynamic
cd "$WD"
I don't know what the standard is for a GOPATH, but that's what I used and now I can finally use vault on my Mac. |
Or, since it seems you are already using Homebrew to install Go, you could instead simply do this: brew install vault --with-dynamic |
Sadly I've setup a tap for now https://github.com/mindfulmonk/homebrew-tap |
or... use a wrapper script called 'vault' that is in your path and uses docker..
From a devops standpoint, we are just trying to have a bin repository of executable scripts like the above that a new devops person clones down and then installs docker. Once you install docker and it does the initial pull of the image, you don't even know it's running in docker from a usability standpoint and the DNS issue is gone :). |
I updated that bash script to be the following:
This handles scenarios of when you try piping the output to something like jq. Docker returns carriage returns, so it detects if you're piping it and removes the carriage returns and runs it through cat for formatting. |
It is sad, indeed, that Homebrew does not support But we can compile Vault from source code ourselves, right? Luckily, the
You will find the Vault binary in the
Or just add the Go |
I'm not sure what flags you used when you built Vault, but it appears that DNS resolution does not work as it did before.
192.168.86.1 is my home's router. What's going on here? Did you use the right netgo flags when 0.3.0 was compiled? Is there any way I can fix this? Thanks!