Re: [dns-sig] Re: split-DNS, resolvconf on Fedora
* Paul Wouters:

> On Mon, 22 Feb 2021, Petr Menšík wrote:
>
>> Wouldn't it be much simpler, if I could just dnf remove systemd-resolved
>> in case I don't want it?
>
> In the past I also mentioned this. The overwhelming majority of installs
> do not gain any benefit from the systemd-resolved service. Most servers,
> containers and even workstations are installed and given DNS
> configurations via DHCP, managed by a network administrator.

I think a local cache is very beneficial to most users. The novel DNS request routing is problematic. Ideally Fedora would have a local cache by default, but keep the old way of routing DNS requests.

In my opinion, just getting rid of systemd-resolved is not the right way forward. We should really keep the local cache aspect of it. So an outright removal of the service is not an answer, we'd need a replacement for the cache part.

(A separate subpackage probably makes sense for other reasons.)

Thanks,
Florian

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: [dns-sig] Re: split-DNS, resolvconf on Fedora
On Mon, 22 Feb 2021, Petr Menšík wrote:

> Wouldn't it be much simpler, if I could just dnf remove systemd-resolved
> in case I don't want it?

In the past I also mentioned this. The overwhelming majority of installs do not gain any benefit from the systemd-resolved service. Most servers, containers and even workstations are installed and given DNS configurations via DHCP, managed by a network administrator.

systemd-resolved addresses a problem with finding printers and resolving a .box domain for router reconfiguration. And it provides partial solutions for split-DNS views when VPNs are deployed on laptops.

There is no technical reason why this is not in its own package. There has been some focussing on reducing minimal installs, and this is a prime candidate for that.

I'm fine with the workstation or desktop installs bringing this package in by default. But I see only potential harm from installing it on servers, containers and most virtual machines.

Paul
Re: [dns-sig] Re: split-DNS, resolvconf on Fedora
Michael Catanzaro wrote:

> Is there some reason systemd-resolved cannot be a subpackage? Seems
> like that would be the easiest solution?

+1 to making this a subpackage. I really don't see why this has to be part of the main systemd package.

There are other optional parts of systemd that should also really be in subpackages. E.g., why do we install bootctl by default when Fedora does not actually use systemd-boot by default, but shim and GRUB?

Kevin Kofler
Re: [dns-sig] Re: split-DNS, resolvconf on Fedora
On 2/22/21 9:12 PM, Lennart Poettering wrote:

> Quite frankly, I am not sure it would be a good idea to do things that
> way.
>
> Note that resolved should be fine as a resolvconf replacement, even if
> you don't want to use it as a resolver: just set the /etc/resolv.conf
> symlink to /run/systemd/resolve/resolv.conf (instead of the usual
> /run/systemd/resolve/stub-resolv.conf) and you get the upstream
> servers listed there, as any other resolvconf implementation would do
> it.

I am aware it can work like that. But it still requires systemd-resolved to be enabled, while it does nothing more than listening for interface events. Even when some other DNS cache is running on localhost. Openresolv can provide also split-dns configuration for dnsmasq, unbound, named, powerdns (recursor). Or just no local cache, in size 64k.

> The thing is, there's a bunch of software these days that can talk to
> resolved's D-Bus interface to set DNS servers and such. You lose
> all that if you insist that systemd-resolved is so terrible that you
> cannot even use it as a resolvconf reimplementation, that is more than
> a bunch of shell scripts.

I never proposed D-Bus API. I think DNS (RFC 1035) works well enough to provide name resolution. I would recommend DNS library instead of proprietary D-Bus API personally. I am trying to find common solution with ability to support different implementations. Implementing common D-Bus protocol in every cache seems unrealistic to me. Common interface able to pass domains and addresses tuples seems possible with resolvconf, with minimal overhead or added complexity.

> Another option might be
> https://docs.fedoraproject.org/en-US/packaging-guidelines/Alternatives/ btw.
>
> Lennart
>
> --
> Lennart Poettering, Berlin

I know about alternatives. I would kindly point you to filed bug #1923727 [1], which already requests Alternatives support from systemd. Openresolv already supports it [2].

Problem with alternatives is, it can handle quite poorly the situation where both openresolv and systemd-resolved are removed or disabled. Let's take for example file from openvpn package:

/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up

Close to the end is resolvconf handling. I would like something similar to be part of installed packages, for example dhcp-client. It should handle states:

- systemd-resolved enabled and active (default configuration), providing split-DNS
- dnsmasq + openresolv configured, providing split-DNS
* no local cache running and no resolvconf enabled

Problem is with *starred* option. How to tell packages to handle resolv.conf manually? How to update /usr/sbin/dhclient-script, function change_resolv_conf()? How can I use alternatives and check resolvconf is enabled? And keep it simple and maintainable in various VPN providers?

Openvpn variant is simple and elegant, but requires ability to remove resolvconf, when not used. Current systemd does not pass such requirement.

1. https://bugzilla.redhat.com/show_bug.cgi?id=1923727
2. https://src.fedoraproject.org/rpms/openresolv/blob/rawhide/f/openresolv.spec#_56

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
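
The three states listed in the message above, as a filesystem-only check a hook script could run before deciding whether to call resolvconf or edit /etc/resolv.conf itself. This is an added example, not code from the thread, openvpn, dhclient-script or systemd; the function name, the ROOT prefix argument and the decision rule are assumptions, as is treating a /usr/sbin/resolvconf that is a symlink to resolvectl as systemd's implementation. It does not check whether systemd-resolved is actually running.

```shell
#!/bin/sh
# classify_dns_mode [ROOT]
# Prints who manages resolv.conf under ROOT (hypothetical prefix, empty for
# the live system): resolved-stub, resolved-upstream, resolvconf or manual.
classify_dns_mode() {
    root="${1:-}"
    conf="$root/etc/resolv.conf"
    rc="$root/usr/sbin/resolvconf"

    # resolv.conf is a symlink into systemd-resolved's runtime directory:
    # either the local stub listener or the plain upstream server list.
    if [ -L "$conf" ]; then
        case "$(readlink "$conf")" in
            */run/systemd/resolve/stub-resolv.conf) echo resolved-stub; return 0 ;;
            */run/systemd/resolve/resolv.conf)      echo resolved-upstream; return 0 ;;
        esac
    fi

    # A resolvconf command exists. If it is only systemd's resolvectl under
    # another name (assumption) while resolv.conf is not resolved's, the
    # command is installed but not in use: the starred case.
    if [ -x "$rc" ] || [ -L "$rc" ]; then
        case "$(readlink "$rc" 2>/dev/null || true)" in
            *resolvectl) echo manual; return 0 ;;
        esac
        echo resolvconf
        return 0
    fi

    # No resolvconf at all: the caller has to rewrite resolv.conf itself.
    echo manual
}
```
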
Re: [dns-sig] Re: split-DNS, resolvconf on Fedora
On Mo, 22.02.21 17:15, Petr Menšík (pemen...@redhat.com) wrote:

> Wouldn't it be much simpler, if I could just dnf remove systemd-resolved
> in case I don't want it? Then I don't have to make a proxy, but install
> indeed a different package providing resolvconf. I think I would submit
> that PR on Fedora package instead. Or don't have any
> /usr/sbin/resolvconf, in which case openvpn or dhclient knows it should
> try to rewrite /etc/resolv.conf itself. Unless driven by NM or similar.

Quite frankly, I am not sure it would be a good idea to do things that way.

Note that resolved should be fine as a resolvconf replacement, even if you don't want to use it as a resolver: just set the /etc/resolv.conf symlink to /run/systemd/resolve/resolv.conf (instead of the usual /run/systemd/resolve/stub-resolv.conf) and you get the upstream servers listed there, as any other resolvconf implementation would do it.

The thing is, there's a bunch of software these days that can talk to resolved's D-Bus interface to set DNS servers and such. You lose all that if you insist that systemd-resolved is so terrible that you cannot even use it as a resolvconf reimplementation, that is more than a bunch of shell scripts.

Another option might be https://docs.fedoraproject.org/en-US/packaging-guidelines/Alternatives/ btw.

Lennart

--
Lennart Poettering, Berlin
Re: [dns-sig] Re: split-DNS, resolvconf on Fedora
On Mon, Feb 22, 2021 at 5:15 pm, Petr Menšík wrote:

> Wouldn't it be much simpler, if I could just dnf remove systemd-resolved
> in case I don't want it?

Is there some reason systemd-resolved cannot be a subpackage? Seems like that would be the easiest solution?

If that's problematic for some reason, then surely /usr/sbin/resolvconf can move to a subpackage.
Re: [dns-sig] Re: split-DNS, resolvconf on Fedora
Wouldn't it be much simpler, if I could just dnf remove systemd-resolved in case I don't want it? Then I don't have to make a proxy, but install indeed a different package providing resolvconf. I think I would submit that PR on Fedora package instead. Or don't have any /usr/sbin/resolvconf, in which case openvpn or dhclient knows it should try to rewrite /etc/resolv.conf itself. Unless driven by NM or similar.

Init system and dns cache have very different requirements in system integration.

On 2/22/21 4:38 PM, Lennart Poettering wrote:

> On Mo, 22.02.21 16:29, Petr Menšík (pemen...@redhat.com) wrote:
>
> It might be OK for systemd's resolvectl to pass the call on to some
> other executable if it notices resolved is not there. We do the same
> in the "telinit" tool, so that Debian can have multiple init systems,
> and when ours owns the "telinit" name, but the system is not actually
> booted with systemd we can propagate the call to some other tool.
>
> Happy to review a patch for that (submit upstream)
>
> Lennart
>
> --
> Lennart Poettering, Berlin
> ___
> dns-sig mailing list -- dns-...@lists.fedoraproject.org
> To unsubscribe send an email to dns-sig-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/dns-...@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB