fedora-toolbox:39 has a dangling /etc/resolv.conf symlink on hosts without systemd-resolved(8) #1410
Comments
|
I imagine this is also the cause of the problems in #1406 although it's not specified what system the toolbox is being run on there |
ianw
changed the title
debarshiray
changed the title
|
This looks like a regression from the Fedora 39 Change that started building the Prior to that, the [rishi@topinka ~]$ podman run --rm --interactive --tty --env TERM=$TERM registry.fedoraproject.org/fedora-toolbox:38 /bin/bash
[root@cf4e0ff025dc /]# ls -l /etc/resolv.conf
-rw-r--r--. 1 root root 100 Dec 1 16:10 /etc/resolv.conf
[root@cf4e0ff025dc /]# cat /etc/resolv.conf
search redhat.com
nameserver 10.0.2.3
nameserver 192.168.0.1
nameserver fe80::7a98:e8ff:fe55:4180%4
[root@cf4e0ff025dc /]# ... that got turned into a symbolic link to the host's The logic in the entry point looks like this: if _, err := os.Readlink("/etc/resolv.conf"); err != nil {
if err := redirectPath("/etc/resolv.conf", "/run/host/etc/resolv.conf", false); err != nil {
return err
}
}Unfortunately, os.Readlink doesn't return an error if the target of the symlink is absent, which is what leads to this situation. While we fix this, you can fix your own containers by making sure that the container's |
|
I added some tests to ensure that DNS works inside the containers: #1414 It's not as exhaustive as I would like it to be, because we aren't currently running all the tests on CentOS Stream 9 and Ubuntu 22.10. However, it's a start. We should also probably check |
|
One way to fix this bug would be to always reset the container's However, we don't preserve such modifications elsewhere either, so this won't make it any worse. I suppose we need to introduce some sort of a stamp file to mark a container as already initialized, and to not reset any configuration changes made by the user. |
One thing that we (we being mostly @wackrat :) is that this symlink is being created by I don't think that |
Yes, that's exactly it! I didn't notice that we are explicitly pulling in It's a mistake that crept in during the move to build the images as part of the nightly composes. Earlier, Last time, Anyway, do you want to submit a pull request to fedora-kickstarts to fix the $ git diff
diff --git a/fedora-container-toolbox.ks b/fedora-container-toolbox.ks
index 89e8ee9d38b9..5e86e5f4cba7 100644
--- a/fedora-container-toolbox.ks
+++ b/fedora-container-toolbox.ks
@@ -82,7 +82,7 @@ shadow-utils
-shared-mime-info
-sssd-client
sudo
-systemd
+-systemd-resolved
tar # https://bugzilla.redhat.com/show_bug.cgi?id=1409920
tcpdump
time
Yes, you are right. We point (or at least try to) the container's |
Apart from fixing the Pull requests welcome. :) |
|
I see that the container starts with Line 399 in 9ec3f36 The current logic seems to boil down to
I think the assumption we broke here was that it in the default case, there was a symlink so toolbox assumed it was setup and left it alone? I think perhaps asserting in the container that the resolv.conf is a plain file might be enough? |
Thanks, @ianw !
Yes, correct.
Yes, correct.
Umm... what do you mean by asserting? You mean leaving the current logic as it is? I was considering making the current logic more aggressive like this: if resolvConfTarget, err := os.Readlink("/etc/resolv.conf"); err != nil || resolvConfTarget != "/run/host/etc/resolv.conf" {
if err := redirectPath("/etc/resolv.conf", "/run/host/etc/resolv.conf", false); err != nil {
return err
}
}This has the downside of overwriting some custom user-made modifications to the container's On the plus side, being more aggressive with enforcing the known good configuration will protect us from the subtleties of unknown host and image combinations. We can defend against the unknown by further improving our CI by running the full test suite on more host operating systems (eg., we only run a few tests on CentOS Stream 9 and Ubuntu 22.04 today), but there are only so many combinations that we will be able to test. |
On some Toolbx images with systemd-resolved.service(8), like the
fedora-toolbox image for Fedora 39 onwards, /etc/resolv.conf can end up
being a symbolic link inside the container that expects the host
operating system to also use systemd-resolved.service(8):
$ ls -l /etc/resolv.conf
lrwxrwxrwx. 1 root root 39 Nov 28 08:50 /etc/resolv.conf ->
../run/systemd/resolve/stub-resolv.conf
This happens because /etc/resolv.conf is already a symbolic link inside
the image, and, hence, the container's entry point doesn't change it to
point at the host's copy of the file at /run/host/etc/resolv.conf.
If the host OS doesn't use systemd-resolved.service(8), like Red Hat
Enterprise Linux 9, then this leads to a dangling symbolic link and
breaks DNS queries.
Note that the presence of systemd-resolved.service(8) in the recent
fedora-toolbox is a regression arising from the ToolbxReleaseBlocker
Change [1] for Fedora 39 where the image was rewritten to in terms of
fedora-kickstarts and pungi-fedora instead of a Container/Dockerfile.
By mistake, systemd crept in as an RPM needed by the image [2], which
in turn pulled in the systemd-resolved RPM as a weak dependency [3].
Hopefully, that will get fixed. However, it's also not practical to
keep track of all the Toolbx images out there in the wild, so it's
wise to make toolbox(1) more resilient to such things.
This will have the downside of overwriting some custom user-made
modifications to the container's /etc/resolv.conf. While that's
unfortunate, it's more important to have Toolbx images produce working
containers on a wide range of host OSes. It will be better to come up
with a more explicit way to support custom user-made modifications to
the container's configuration. Perhaps with a persistent stamp file.
[1] https://fedoraproject.org/wiki/Changes/ToolbxReleaseBlocker
[2] fedora-kickstarts commit 48e2c3b5598de32f
https://pagure.io/fedora-kickstarts/c/48e2c3b5598de32f
[3] fedora-kickstarts commit 49306cb6eada8777
https://pagure.io/fedora-kickstarts/c/49306cb6eada8777
containers#1410
On some Toolbx images with systemd-resolved.service(8), like the
fedora-toolbox image for Fedora 39 onwards, /etc/resolv.conf can end up
being a symbolic link inside the container that expects the host
operating system to also use systemd-resolved.service(8):
$ ls -l /etc/resolv.conf
lrwxrwxrwx. 1 root root 39 Nov 28 08:50 /etc/resolv.conf ->
../run/systemd/resolve/stub-resolv.conf
This happens because /etc/resolv.conf is already a symbolic link inside
the image, and, hence, the container's entry point doesn't change it to
point at the host's copy of the file at /run/host/etc/resolv.conf.
If the host OS doesn't use systemd-resolved.service(8), like Red Hat
Enterprise Linux 9, then this leads to a dangling symbolic link and
breaks DNS queries.
Note that the presence of systemd-resolved.service(8) in the recent
fedora-toolbox is a regression arising from the ToolbxReleaseBlocker
Change [1] for Fedora 39 where the image was rewritten to in terms of
fedora-kickstarts and pungi-fedora instead of a Container/Dockerfile.
By mistake, systemd crept in as an RPM needed by the image [2], which
in turn pulled in the systemd-resolved RPM as a weak dependency [3].
Hopefully, that will get fixed. However, it's also not practical to
keep track of all the Toolbx images out there in the wild, so it's
wise to make toolbox(1) more resilient to such things.
This will have the downside of overwriting some custom user-made
modifications to the container's /etc/resolv.conf. While that's
unfortunate, it's more important to have Toolbx images produce working
containers on a wide range of host OSes. It will be better to come up
with a more explicit way to support custom user-made modifications to
the container's configuration. Perhaps with a persistent stamp file.
[1] https://fedoraproject.org/wiki/Changes/ToolbxReleaseBlocker
[2] fedora-kickstarts commit 48e2c3b5598de32f
https://pagure.io/fedora-kickstarts/c/48e2c3b5598de32f
[3] fedora-kickstarts commit 49306cb6eada8777
https://pagure.io/fedora-kickstarts/c/49306cb6eada8777
containers#1410
On some Toolbx images with systemd-resolved(8), like the fedora-toolbox
images for Fedora 39 onwards, /etc/resolv.conf can end up being a
symbolic link inside the container that expects the host operating
system to also use systemd-resolved(8):
$ ls -l /etc/resolv.conf
lrwxrwxrwx. 1 root root 39 Nov 28 08:50 /etc/resolv.conf ->
../run/systemd/resolve/stub-resolv.conf
This happens because systemd-resolved(8) already makes /etc/resolv.conf
a symbolic link inside the image, and, hence, the container's entry
point doesn't change it to point at the host's copy of the file at
/run/host/etc/resolv.conf. Instead, it's left pointing to the host's
copy of the files maintained by systemd-resolved(8) under
/run/systemd/resolve, which happen to be also available inside the
container [1].
If the host OS doesn't use systemd-resolved(8), like Red Hat Enterprise
Linux 9, then this leads to a dangling symbolic link and breaks DNS
queries.
Note that the presence of systemd-resolved(8) in the recent
fedora-toolbox images is a regression caused by the ToolbxReleaseBlocker
Change [2] for Fedora 39 where the image was rewritten in terms of
fedora-kickstarts and pungi-fedora instead of a Container/Dockerfile.
By mistake, systemd crept in as an RPM needed by the image [3], which
in turn pulled in the systemd-resolved RPM as a weak dependency [4].
Hopefully, that will get fixed. However, it's also not practical to
keep track of all the Toolbx images out there in the wild, so it's
wise to make toolbox(1) more resilient to such things.
This will have the downside of overwriting some custom user-made
modifications to the container's /etc/resolv.conf. While that's
unfortunate, it's more important to have Toolbx images produce working
containers on a wide range of host OSes. It will be better to come up
with a more explicit way to support custom user-made modifications to
the container's configuration. Perhaps with a persistent stamp file.
[1] Commit af602c7
containers@af602c7d227617d2
containers#707
[2] https://fedoraproject.org/wiki/Changes/ToolbxReleaseBlocker
[3] fedora-kickstarts commit 48e2c3b5598de32f
https://pagure.io/fedora-kickstarts/c/48e2c3b5598de32f
[4] fedora-kickstarts commit 49306cb6eada8777
https://pagure.io/fedora-kickstarts/c/49306cb6eada8777
containers#1410
On some Toolbx images with systemd-resolved(8), like the fedora-toolbox
images for Fedora 39 onwards, /etc/resolv.conf can end up being a
symbolic link inside the container that expects the host operating
system to also use systemd-resolved(8):
$ ls -l /etc/resolv.conf
lrwxrwxrwx. 1 root root 39 Nov 28 08:50 /etc/resolv.conf ->
../run/systemd/resolve/stub-resolv.conf
This happens because systemd-resolved(8) already makes /etc/resolv.conf
a symbolic link inside the image, and, hence, the container's entry
point doesn't change it to point at the host's copy of the file at
/run/host/etc/resolv.conf. Instead, it's left pointing at the host's
copy of the files maintained by systemd-resolved(8) under
/run/systemd/resolve, which happen to be also available inside the
container [1].
If the host OS doesn't use systemd-resolved(8), like Red Hat Enterprise
Linux 9, then this leads to a dangling symbolic link and breaks DNS
queries.
Note that the presence of systemd-resolved(8) in the recent
fedora-toolbox images is a regression caused by the ToolbxReleaseBlocker
Change [2] for Fedora 39 where the image was rewritten in terms of
fedora-kickstarts and pungi-fedora instead of a Container/Dockerfile.
By mistake, systemd crept in as an RPM needed by the image [3], which
in turn pulled in the systemd-resolved RPM as a weak dependency [4].
Hopefully, that will get fixed. However, it's also not practical to
keep track of all the Toolbx images out there in the wild, so it's
wise to make toolbox(1) more resilient to such things.
This will have the downside of overwriting some custom user-made
modifications to the container's /etc/resolv.conf. While that's
unfortunate, it's more important to have Toolbx images produce working
containers on a wide range of host OSes. It will be better to come up
with a more explicit way to support custom user-made modifications to
the container's configuration. Perhaps with a persistent stamp file.
[1] Commit af602c7
containers@af602c7d227617d2
containers#707
[2] https://fedoraproject.org/wiki/Changes/ToolbxReleaseBlocker
[3] fedora-kickstarts commit 48e2c3b5598de32f
https://pagure.io/fedora-kickstarts/c/48e2c3b5598de32f
[4] fedora-kickstarts commit 49306cb6eada8777
https://pagure.io/fedora-kickstarts/c/49306cb6eada8777
containers#1410
debarshiray
changed the title
|
The fedora-toolbox:40 image has now been fixed, and Once this has gotten some more testing, we can arrange for some backports for the |
|
Thanks for your help getting this fixed, @ianw ! |
|
fedora-toolbox-39 is work! ver: toolbox-0.0.99.5-1. Thank you! |
|
I hit this on Fedora 39 today. Looks like it might be fixed in rawhide, but not yet for 39. https://bugzilla.redhat.com/show_bug.cgi?id=2258648 |
Since change 48e2c3b this kickstart is pulling in systemd. This was noticed because since b5fc5fd started bringing in weak-dependencies, we started installing systemd-resolved is which created a symlinked /etc/resolv.conf in the image. Toolbox will not currently reset this on container start, as it is a symlink (this behaviour is a bit complicated; see [1]). This leads to an incompatability running the toolbox on *non* systemd-resolved hosts (e.g. RHEL9); you are left with a dangling symlink and no name-resolution in the toolbox. We do not want systemd in the toolbox image by default it; remove it from the list. Exclude systemd-resolved specifically, so if something else brings in systemd we still don't include this. [1] containers/toolbox#1410 https://pagure.io/fedora-kickstarts/pull-request/1027
The 39 (and 40) tag appears to have
/etc/resolv.confin the container as a dangling symlink tosystemd/resolve/stub-resolv.confThis breaks name resolution on toolbox entry for people on systems like rhel9 that are not using systemd-resolved
The text was updated successfully, but these errors were encountered: