resolvconf: use /run/systemd/resolve/resolv.conf if systemd-resolved manages DNS #2385
Conversation
tiborvass
force-pushed
the
resolvconf-systemd
branch
2 times, most recently
from
ba7ef83 to
6c67387
Compare
tiborvass
force-pushed
the
resolvconf-systemd
branch
3 times, most recently
from
62f1e5f to
cb850c2
Compare
|
Fixed ineffassign linter issue. And added testutils import in the procfs test, because apparently that's needed... |
resolvconf/resolvconf.go
Outdated
| "regexp" | ||
| "strings" | ||
| "sync" | ||
|
|
||
| "github.com/docker/docker/pkg/ioutils" | ||
| "github.com/docker/libnetwork/procfs" |
There was a problem hiding this comment.
Can we use https://godoc.org/k8s.io/kubernetes/pkg/util/procfs instead
There was a problem hiding this comment.
It is a copy of that small package, which I'd rather have than depend on k8s.io/kubernetes.
There was a problem hiding this comment.
Yes, it was copied at the time to prevent having to pull the whole kubernetes repo on each vendor update.
| @@ -11,8 +11,7 @@ RUN go get golang.org/x/lint/golint \ | |||
| golang.org/x/tools/cmd/cover \ | |||
| github.com/mattn/goveralls \ | |||
| github.com/gordonklaus/ineffassign \ | |||
| github.com/client9/misspell/cmd/misspell \ | |||
| honnef.co/go/tools/cmd/gosimple | |||
There was a problem hiding this comment.
Is this cmd failing consistently ?
There was a problem hiding this comment.
Yes, try to go get honnef.co/go/tools/cmd/gosimple
resolvconf/resolvconf.go
Outdated
| if len(pids) > 0 && pids[0] > 0 { | ||
| _, err := os.Stat(alternatePath) | ||
| if err == nil { | ||
| logrus.Infof("systemd-resolved is running, so using resolvconf: %s", alternatePath) |
There was a problem hiding this comment.
Probably we should use systemd-resolved config only if /etc/resolv.conf points to a loopback address?
There was a problem hiding this comment.
e.g. when running with RootlessKit+slirp4netns/VPNKit, systemd-resolved would be visible (unless PIDNS is unshared) but /etc/resolv.conf would point to slirp4netns/VPNKit-builtin DNS.
Even in that case, using systemd DNS should be fine for almost all usecases, but not 100% sure.
There was a problem hiding this comment.
I'm not sure what the correct behavior is. After reading a bit about systemd-resolved i was surprised of the current behavior in moby, but this PR is about bringing whatever we have in moby to libnetwork in order to fix a difference between buildkit and non-buildkit builds.
If you think this won't work with rootlesskit, I suggest we fix it in a follow up.
tiborvass
force-pushed
the
resolvconf-systemd
branch
from
cb850c2 to
4dd2f01
Compare
tiborvass
force-pushed
the
resolvconf-systemd
branch
2 times, most recently
from
14d5651 to
4a75b1b
Compare
tiborvass
force-pushed
the
resolvconf-systemd
branch
from
4a75b1b to
083e39b
Compare
|
This seems totally the wrong way to do this. You can identify whether It is never going to work properly to just see if it is running as it could be running in a container or not activated or anything. |
|
I seem to recall that the symlink is created only in upgrade scenarios, but not in fresh installs (or the other way round). |
|
@justincormack I agree with you that the logic is super weird and I think we should fix it. This PR is not about fixing that, it's about moving code here so it can be used by both buildkit and moby to fix a discrepancy between legacy and buildkit builder. So I suggest we merge this and open up a new one to fix the behavior for all. |
|
For the record this was the original PR: moby/moby#37485 I'm adding a reference in the description of this PR as well. |
|
@mavenugo @justincormack ok I read https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html#/etc/resolv.conf I'm trying to understand the proper logic here. We can obviously not use 127.0.0.53 inside the container. So question Q1: do you agree that IF it is detected that systemd-resolved handles DNS, THEN,
Question Q2: do you agree that in order to detect whether systemd-resolved handles DNS, I would need to check if EITHER If you answered YES for Q1 and Q2, then Q3: do you agree that we don't need to check symlinks at all, we could simplify the logic to: if In particular Q3 implies that if |
tiborvass
force-pushed
the
resolvconf-systemd
branch
from
083e39b to
449d384
Compare
tiborvass
changed the title
|
I updated the PR assuming you agree with my comment above @justincormack @mavenugo @arkodg |
tiborvass
force-pushed
the
resolvconf-systemd
branch
2 times, most recently
from
330a3fc to
bea9524
Compare
…manages DNS Signed-off-by: Tibor Vass <[email protected]>
Also fixes issue reported by ineffassign Signed-off-by: Tibor Vass <[email protected]>
tiborvass
force-pushed
the
resolvconf-systemd
branch
from
bea9524 to
23fc2c9
Compare
|
Yes this looks way better as it is much simpler! There are still configs in which DNS will not work, eg |
|
Should we backport this to 18.09 (or would that not be useful without the buildkit changes?) |
|
@thaJeztah yeah it's not worth the complications I think. |
|
@tiborvass I opened #moby/moby#38243 when 18.09 was released because this update included "support for systemd-resolved" and ended up being a regression on my system as I suddenly lost the ability to resolve names available only on one of my interfaces' DNS. See the issue for more details, but the gist of it is that using I don't know if this PR is exactly related to the issue but given that it talks of using I've had to pin Docker to version 18.06 ever since, which is a situation I'd like to get out of if possible. |
|
Resolving using In the default |
|
That said; perhaps we should revisit the "default bridge network doesn't use the embedded DNS"; also see moby/moby#22295 |
|
@thaJeztah I am indeed in a situation where I use custom networks (type bridge, but not the default one: it's created by docker-compose) and resolution fails since the host' Also huge +1 for the idea of revisiting the default bridge network behavior, or at least letting it be opt-in through configuration :) |
|
@superseed could you perhaps open a ticket in moby/moby that captures the conversation above? (just so that it doesn't get lost)? |
|
@superseed thanks for bringing this up to our attention. This PR was to bring the behavior that was in master to libnetwork. But indeed it is worth discussing any improvements or regression fixes. My understanding is that moby/moby#38243 is the issue for a regression in 18.09 from 18.06. |
|
@thaJeztah Oh, I created the issue I mentioned above (#moby/moby#38243) for it. Do you want me to make changes to it/open another one on another project, or is it enough? @tiborvass Yep, exactly. Sorry for discussing the issue in the wrong place, my search was pretty fuzzy and I don't know exactly how moby/docker components projects are related so I thought this PR might be it. |
Signed-off-by: Tibor Vass [email protected]
procfs was copied from https://github.com/moby/moby/blob/e353e7e/daemon/daemon_linux.go#L142-L167. It was a package that was only used for this purpose. It is being removed in moby/moby#39295. It was added in moby in moby/moby#37485This PR is updated according to the comment below #2385 (comment)