On 5/28/22 22:22, Thomas Haller wrote:
> As you say, NetworkManager can run dnsmasq as DNS plugin by configuring
> `[main].dns=dnsmasq` in `man NetworkManager.conf`.
> In that mode, NetworkManager will spawn the dnsmasq process.
> Doing that is undesirable, for several reasons.
> I agree, it would be much better, if dnsmasq could run as a separate
> service. In the best case, dnsmasq could be D-Bus activated, then it
> doesn't even have to be a systemd service (although, on systemd systems,
> of course systemd would start the dnsmasq service).
> When would dnsmasq reload those files? Usually, we would prefer that
> everything can be configured via D-Bus. Of course, if dnsmasq by
> default runs without D-Bus, then that wouldn't work. What would those
> configuration snippets contain beside `enable-dbus`?
I thought it could contain dnssec for selected networks. However, that is
not possible to set via D-Bus (or alternatives). It requires a restart,
because some structures are initialized in a different way. Pure
reconfiguration by re-reading the config file is not enough. It would
require no small changes in dnsmasq to allow enabling validation at runtime.
> /etc/NetworkManager/dnsmasq.d is a semidocumented thing, where users
> could hack the setup by dropping snippets. I wonder how bad it would be
> to move away from the way how we do it currently. Maybe we could
> symlink all files there from /run. Or maybe we would need to add a
> separate dns=dnsmasq2 plugin for the new way.
> I would prefer the notion that dnsmasq is just running as a stand-alone
> service, and NetworkManager can push interface-specific DNS
> configuration to it (basically, like with systemd-resolved) and also
> with the notion that there could be other services that configure their
> part. For example, WireGuard's wg-quick could configure the DNS server
> on the WireGuard interface (though, currently I think that would call
> /usr/sbin/resolvconf -- unless systemd-resolved is detected).

There is a problem that no generic interface suitable for reconfiguring
running services exists. resolvconf can configure something, and the
openresolv package attempts to do such a thing. Is it possible to make a
generic query to D-Bus (or varlink?) for which services provide some
interface? Then a VPN could send the required configuration to all interested
providers. I am not working with D-Bus often. What would be the best way
for other services to provide a unified API?

I doubt we want each VPN provider to implement all possible DNS caches.
Can a generic API be used instead?

> best,
> Thomas

Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

networkmanager-list mailing list