vpn-tcp (sshuttle) method doesn't work with fully qualified .local domains on Linux #161

Open
itamarst opened this Issue Jun 2, 2017 · 7 comments

Comments

6 participants
@itamarst
Contributor

itamarst commented Jun 2, 2017

sshuttle works by capturing DNS packets. .local domains are often handled (on Linux) earlier than DNS, via mDNS nss plugin, so sshuttle never captures them. This is only a problem on Linux.

Potential solution: bind mount (in a mount namespace) a new /etc/nss.conf that disables mDNS for the telepresence subprocess.

@itamarst itamarst added the bug label Jun 2, 2017

@itamarst itamarst changed the title from "vpn-tcp (sshuttle) method doesn't work with fully qualified .local domains" to "vpn-tcp (sshuttle) method doesn't work with fully qualified .local domains on Linux" Jun 5, 2017

@itamarst itamarst added this to Next in Telepresence Jun 6, 2017

@itamarst itamarst removed this from Next in Telepresence Jul 24, 2017

@jascott1


jascott1 commented Oct 13, 2017

@itamarst This appears to be a requirement for my current project but .local DNS also seems worthwhile in general. I started looking into the potential solution you suggested but can you please share more details?

@itamarst

Contributor

itamarst commented Oct 13, 2017

On Ubuntu 16.04:

$ cat /etc/nsswitch.conf  | grep hosts
hosts:          files mdns4_minimal [NOTFOUND=return] dns

What that says is: "When looking up DNS hosts, check local files (e.g. /etc/hosts), then mDNS, then DNS."

You can use mount --bind to override any file for a particular process, given a new mount namespace (which you can create with unshare). So, this approach is something like:

  1. Create new mount namespace for telepresence and its subprocesses using unshare.
  2. Create nsswitch.conf version that doesn't list mDNS.
  3. Use mount --bind to override /etc/nsswitch.conf in the mount namespace.

That's the theory.

There may be other, simpler approaches.

@jascott1


jascott1 commented Oct 13, 2017

@itamarst Thanks for the reply. Which host needs the nsswitch.conf modifications? I looked in minikube and it has no mDNS entries. I have a dumb Ubuntu 16.04 (running /sbin/init) deployment that I swap with telepresence for my local. That container also does not have mDNS in its nsswitch.conf.

My goal is to develop an operator on minikube and run the operator code (golang) locally on mac using telepresence. I was successful in getting the operator to run in this way but it closed after failing to resolve DNS. Is this golang related?

@ark3

Contributor

ark3 commented Oct 13, 2017

@jascott1 This issue concerns running Telepresence (and your own code) on a Linux host, i.e. the development machine is Linux. When your code performs a DNS lookup for blah.blah.local Telepresence fails to capture/redirect it on Linux. If you're running Telepresence on a Mac, you will not hit this particular issue.

That said, we should figure out what's going wrong and get you productive. Can you open a new issue and/or poke us on Gitter? Thanks.

@itamarst Thanks for expanding on the potential solution.

@plombardi89 plombardi89 added this to Bugs in Roadmap Feb 20, 2018

@rhs rhs added this to Bug in Buckets Mar 8, 2018

@mornindew


mornindew commented Sep 25, 2018

Any update on this issue? I think that I have hit this when trying to access my redis cluster via telepresence. Works fine when I port-forward a specific pod or when I deploy into K8s.

Developing locally and attempting to use the service won't allow me to access redis cache via service name. I can probably work around by manually using port-forwarding locally and then use the URL localhost: when connecting to redis. This seems to work but isn't really using the service properly.

I am developing on Ubuntu (18.04); let me know if you have any questions.

@LukeShu

Contributor

LukeShu commented Oct 11, 2018

I wonder if proxying /run/avahi-daemon/socket would make mDNS work.

@ofpiyush

Collaborator

ofpiyush commented Dec 17, 2018

The fix that worked for us is to move dns before [NOTFOUND=return].

Not working:

$ cat /etc/nsswitch.conf  | grep hosts
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname

Working:

$ cat /etc/nsswitch.conf  | grep hosts
hosts:          files dns mdns4_minimal [NOTFOUND=return] myhostname

Also working:

$ cat /etc/nsswitch.conf  | grep hosts
hosts:          files mdns4_minimal dns [NOTFOUND=return] myhostname
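An added example, not code from this thread or from Telepresence, that combines the two ideas above: it applies ofpiyush's reordering (dns ahead of mdns4_minimal [NOTFOUND=return]) to the hosts: line and uses itamarst's unshare + mount --bind approach so only one process tree sees the rewritten file. It assumes util-linux unshare with unprivileged user namespaces enabled (unshare -Urm); the function names and the sample hosts: lines are mine.

```shell
#!/bin/sh
# Added example (not from the issue or from Telepresence).
# With the stock ordering, a .local name that mDNS cannot answer stops at
# [NOTFOUND=return] and never reaches dns, so sshuttle never sees the query.
# Putting dns right after files lets the query reach the DNS path first.
# Assumes util-linux unshare and unprivileged user namespaces (unshare -Urm).

# Read nsswitch.conf text on stdin; write it with the hosts: line reordered.
# Steps on the hosts: line only: pad with a trailing space, drop any existing
# "dns" token, re-insert "dns" right after "files" (or after "hosts:" when
# there is no files entry), then strip the padding. Other lines pass through.
reorder_hosts_line() {
  sed -E '/^hosts:/{
s/$/ /
s/[[:space:]]+dns[[:space:]]+/ /g
s/^(hosts:[[:space:]]+)(files[[:space:]]+)?/\1\2dns /
s/[[:space:]]+$//
}'
}

# Run "$@" with the reordered nsswitch.conf visible only to that process tree.
# -U: new user namespace, -r: map the caller to root inside it, -m: new mount
# namespace. The bind mount exists only in the child namespace; the host's
# real /etc/nsswitch.conf is never modified.
run_with_reordered_nsswitch() {
  tmp=$(mktemp) || return 1
  reorder_hosts_line < /etc/nsswitch.conf > "$tmp" || { rm -f "$tmp"; return 1; }
  unshare -Urm sh -c 'mount --bind "$1" /etc/nsswitch.conf && shift && exec "$@"' sh "$tmp" "$@"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample: the Ubuntu 16.04 line quoted in the thread, reordered.
printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns\n' | reorder_hosts_line
# Real use, e.g.:  run_with_reordered_nsswitch getent hosts myhost.example.local
```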