[Desktop-packages] [Bug 1671606] Re: DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6-0ubuntu0.16.04.1
Ryan,

The problem is not that a recent change in resolvconf caused a regression. The problem with resolvconf is that the upgrade to network-manager exposed an existing bug in resolvconf.

This happens because the new version of network-manager now tells resolvconf that it must only use a specific interface when talking to the name server, and resolvconf was not properly tracking how interfaces were added and removed from the system.

This is most obvious for VPN connections which use an interface for VPN traffic, as that interface will be destroyed and recreated on every VPN connection, triggering the bug in resolvconf. (Setting up the new DNS for the new VPN interface is insufficient to make it happy.) This can also be triggered on systems that remove and re-add interfaces for things like suspend or hibernate.

Red Hat documented the bug fairly well when they found it; their bug report on the matter is https://bugzilla.redhat.com/show_bug.cgi?id=1373485

The actual patch that needs to be applied is git commit 2675f2061525bc954be14988d64384b74aa7bf8b, and the upstream gitweb URL for viewing the diff is:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2675f2061525bc954be14988d64384b74aa7bf8b

There is a separate (but very related) issue, in that some existing VPNs that involve ipsec have one interface for sending traffic and to hold an IP, but the response traffic appears on the interface of the primary internet connection. This is completely broken in the middle of an LTS by this change, and fixing the bug in resolvconf won't help. I'm still trying to sort out the right answer for some of my VPN use cases there.

** Changed in: resolvconf (Ubuntu)
   Status: Invalid => Confirmed

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1671606

Title:
  DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6-0ubuntu0.16.04.1

Status in network-manager package in Ubuntu:
  Confirmed
Status in resolvconf package in Ubuntu:
  Confirmed

Bug description:
  I use my company's cisco vpn via network-manager in Ubuntu 16.04.2 LTS. After recent upgrade of network-manager:amd64 from version 1.2.2-0ubuntu0.16.04.4 to version 1.2.6-0ubuntu0.16.04.1 DNS resolution of VPN's server hostnames does not work. Roll back to version 1.2.2-0ubuntu0.16.04.4 solves the problem.

  Steps for reproducing:
  1. upgrade network-manager:amd64 from version 1.2.2-0ubuntu0.16.04.4 to version 1.2.6-0ubuntu0.16.04.1
  2. connect to VPN via network-manager applet
  3. nslookup servername.internal --> ** server can't find servername.internal: NXDOMAIN
  4. disconnect from VPN via network-manager applet
  5. roll back network-manager via command: sudo apt-get install network-manager=1.2.2-0ubuntu0.16.04.4
  6. restart network-manager via sudo service network-manager restart
  7. connect to VPN via network-manager applet
  8. nslookup servername.internal --> the server is resolved correctly

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: network-manager 1.2.6-0ubuntu0.16.04.1
  ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
  Uname: Linux 4.4.0-66-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Thu Mar 9 19:49:55 2017
  InstallationDate: Installed on 2015-10-05 (520 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  NetworkManager.state:
   [main]
   NetworkingEnabled=true
   WirelessEnabled=true
   WWANEnabled=true
   WimaxEnabled=true
  SourcePackage: network-manager
  UpgradeStatus: No upgrade log present (probably fresh install)
  nmcli-nm:
   RUNNING  VERSION  STATE      STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  WIFI     WWAN-HW  WWAN
   running  1.2.6    connected  started  full          enabled     enabled  enabled  enabled  enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1671606/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1671606] Re: DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6-0ubuntu0.16.04.1
After two and a half weeks, can we please get a build of resolvconf with http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2675f2061525bc954be14988d64384b74aa7bf8b applied pushed out?

We don't even need the full new release of resolvconf, we just need the documented bug (https://bugzilla.redhat.com/show_bug.cgi?id=1373485) patched.

This was covered in detail in https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1672491 and while it won't fix some of my use cases, it will at least get a large number of the VPN users working again.

Regards,
Zephaniah E. Loss-Cutler-Hull.

** Bug watch added: Red Hat Bugzilla #1373485
   https://bugzilla.redhat.com/show_bug.cgi?id=1373485

[Desktop-packages] [Bug 1645698] Re: [SRU] Upgrade network-manager to latest point release
So, this managed to break at least my VPN setup quite well.

See #1672491 with the details, but the short version is that 'specify egress interface for each dnsmasq upstream server' breaks things in two cases.

The first could be argued to be a bug on the VPN client side, though a behavior change of this nature in an LTS release is decidedly unwelcome.

The second exposes a bug in dnsmasq which needs to be fixed for any case where an interface is removed and then re-added; this includes suspend/resume and some VPN cases.

Regards,
Zephaniah E. Loss-Cutler-Hull.

-- 
https://bugs.launchpad.net/bugs/1645698

Title:
  [SRU] Upgrade network-manager to latest point release

Status in OEM Priority Project:
  Fix Released
Status in network-manager package in Ubuntu:
  Fix Released
Status in network-manager source package in Xenial:
  Fix Released
Status in network-manager source package in Yakkety:
  Fix Released

Bug description:
  [Impact]

  This SRU would try to have the latest well-tested upstream point release (1.2.6) of 1.2.x land in Xenial, which is the successor of the current 1.2.2 version, fixing quite some bugs that's suitable to land in the stable branch.

  https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=nm-1-2

  [Test Case]

  After installing the updated version, users should be able to avoid some mem leaks in some cases and have generally improved DNS related experiences. Also, as this is a general point release update, cases described in https://wiki.ubuntu.com/NetworkManager/DistroTesting should be used for smoke testing.

  [Regression Potential]

  This is a bug/regression fix for 1.2.2 and 1.2.4, which is quite complete.

  [Other Info]

  The first attempt at SRUing this to xenial was for 1.2.4 but it failed verification. This second attempt matches yakkety with 1.2.6.

  Parallel building was enabled in xenial to keep the diff between xenial and yakkety minimal since they are basically in sync now. Parallel building was enabled in the yakkety package in May 2016 so it's been working fine for a while.

  needed by: lp #1647283

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1645698/+subscriptions

[Desktop-packages] [Bug 1672491] Re: New NetworkManager breaks VPN DNS.
Alright, this is due to a change to 1.2.4:

commit 2f12f485607590d6415cf5fb81ad4db5b04615cd
Author: Beniamino Galvani
Date:   Wed May 11 18:43:41 2016 +0200

    dns: specify egress interface for each dnsmasq upstream server

    Currently we don't specify to dnsmasq which interface must be used to
    contact a given nameserver and so requests can be sent through the
    wrong interface. Fix this by concatenating a @interface prefix to each
    server (unless an IPv6 interface scope-id is already present).

    https://bugzilla.gnome.org/show_bug.cgi?id=765153
    (cherry picked from commit b71e104d333a1eb3325274089faf449126a4b157)

Now, this causes _two_ problems.

The first is that for some VPN connections you get traffic going out on tap0, but due to the wonders of ipsec the responses show up on the actual interface, such as eth0 or wlan0.

This is a little bit of a pain normally, but it means that dnsmasq simply dies. It is possible that this is something I can fix on my VPN package, but it's _not_ a change that I expected to see in an LTS release.

Second, https://bugzilla.redhat.com/show_bug.cgi?id=1373485 (upstream commit http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2675f2061525bc954be14988d64384b74aa7bf8b fixes it) now matters, and without that fix anything that removes an interface and brings it back up breaks dnsmasq until dnsmasq is restarted.

So, either 16.04 needs to fall back to 1.2.2, or dnsmasq needs the fix applied. (And if the latter is chosen, VPN plugins which worked before may still be non-functional until additional work on them is done. Again, in an LTS release?)

Regards,
Zephaniah E. Loss-Cutler-Hull.

** Bug watch added: GNOME Bug Tracker #765153
   https://bugzilla.gnome.org/show_bug.cgi?id=765153

** Bug watch added: Red Hat Bugzilla #1373485
   https://bugzilla.redhat.com/show_bug.cgi?id=1373485

-- 
https://bugs.launchpad.net/bugs/1672491

Title:
  New NetworkManager breaks VPN DNS.

Status in network-manager package in Ubuntu:
  New

Bug description:
  Alright, this is going to be a frustrating bug for everyone involved I expect, but here goes.

  On Ubuntu 16.04, using a non-released VPN client (making this _much_ harder for anyone to reproduce), upgrading the network-manager packages from 1.2.2-0ubuntu0.16.04.3 to 1.2.6-0ubuntu0.16.04.1 quite handily broke DNS over the VPN.

  And it broke it really oddly.

  dnsmasq binds to socket 12 for the new interface, just fine.

  strace shows that it does the sendto for the DNS request, and that the poll calls are working, just fine.

  tcpdump shows the response messages; they are coming back from the correct host and port, going to my IP and the port that dnsmasq is sending from.

  There are no iptables rules involved, nothing is set to deny.

  dnsmasq is never getting the response packet. The request thus times out.

  Doing a host or dig directly to the DNS server works just fine.

  And this is completely reproducible, and goes away the moment I downgrade back to 1.2.2-0ubuntu0.16.04.3.

  Was there some change to how network-manager handles VPN interfaces/tap0 in the new version?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1672491/+subscriptions

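An added example, not part of the original messages and not NetworkManager or dnsmasq code: it applies the `@interface` rule from the commit message quoted above and flags interface-pinned upstream servers whose interface has disappeared or been recreated, the condition behind the second problem. The function names, sample addresses and interface indexes are assumptions, and a changed ifindex is taken as the sign that an interface was destroyed and recreated.

```python
import ipaddress
import socket

def pin_to_interface(server, iface):
    # Rule from the quoted commit message: tag the server with "@interface"
    # unless the address already carries an IPv6 scope-id ("%iface").
    return server if "%" in server else f"{server}@{iface}"

def pinned_interface(spec):
    # Interface an upstream spec is tied to, or None if it is not pinned.
    addr, at, bind = spec.partition("@")
    if at:
        bind = bind.split("#")[0]            # drop an optional "#port"
        try:
            ipaddress.ip_address(bind)       # "@<source-ip>" is not a device pin
            return None
        except ValueError:
            return bind or None
    scope = addr.partition("%")[2].split("#")[0]
    return scope or None

def interface_snapshot():
    # name -> ifindex for the interfaces present right now (for live use)
    return {name: index for index, name in socket.if_nameindex()}

def stale_upstreams(specs, baseline, current):
    # Flag pinned upstreams whose interface vanished or has a different ifindex.
    findings = []
    for spec in specs:
        iface = pinned_interface(spec)
        if iface is None:
            continue
        if iface not in current:
            findings.append((spec, iface, "missing"))
        elif baseline.get(iface) != current[iface]:
            findings.append((spec, iface, "ifindex changed"))
    return findings

# Constructed sample data (addresses, interface names and indexes are made up).
SPECS = [pin_to_interface("10.8.0.1", "tap0"),
         pin_to_interface("192.168.1.1", "wlan0"),
         pin_to_interface("fe80::1%wlan0", "wlan0"),
         "8.8.8.8"]
BASELINE = {"lo": 1, "wlan0": 3, "tap0": 7}     # taken when the resolver started
RECONNECTED = {"lo": 1, "wlan0": 3, "tap0": 9}  # VPN dropped and reconnected

if __name__ == "__main__":
    for spec, iface, reason in stale_upstreams(SPECS, BASELINE, RECONNECTED):
        print(f"{spec}: {iface} {reason}; resolver needs a restart or the fix")
```

On a live host, take `interface_snapshot()` when the resolver starts and again after a VPN reconnect or resume, then pass both to `stale_upstreams`.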
[Desktop-packages] [Bug 1672491] [NEW] New NetworkManager breaks VPN DNS.
Public bug reported:

Alright, this is going to be a frustrating bug for everyone involved I expect, but here goes.

On Ubuntu 16.04, using a non-released VPN client (making this _much_ harder for anyone to reproduce), upgrading the network-manager packages from 1.2.2-0ubuntu0.16.04.3 to 1.2.6-0ubuntu0.16.04.1 quite handily broke DNS over the VPN.

And it broke it really oddly.

dnsmasq binds to socket 12 for the new interface, just fine.

strace shows that it does the sendto for the DNS request, and that the poll calls are working, just fine.

tcpdump shows the response messages; they are coming back from the correct host and port, going to my IP and the port that dnsmasq is sending from.

There are no iptables rules involved, nothing is set to deny.

dnsmasq is never getting the response packet. The request thus times out.

Doing a host or dig directly to the DNS server works just fine.

And this is completely reproducible, and goes away the moment I downgrade back to 1.2.2-0ubuntu0.16.04.3.

Was there some change to how network-manager handles VPN interfaces/tap0 in the new version?

** Affects: network-manager (Ubuntu)
   Importance: Undecided
   Status: New