Re: [Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel
At this time the ip monitor command does not function in a gVisor container, although it is a WIP per gVisor. By nfset, I assume you mean the nftables equivalent of ipset. I don't believe this works either due to the architecture of namespaces that gVisor uses, with assumptions it should be used on the host OS. My container will be run in a stub namespace without any L2 bridging, so it will not be receiving multicast anyway. I was thus hoping to see if it would be safe to compile out or perhaps open a bug report if the code may benefit from a restructure. Thank you On Tuesday, March 19th, 2024 at 5:09 AM, Nicolas Cavallari - nicolas.cavallari at green-communications.fr wrote: > > > On 16/03/2024 10:09, shamrock_sesame214--- via Dnsmasq-discuss wrote: > > > Hello, > > > > I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is a hardened > > userspace kernel compatible with Kubernetes and Docker containers. At the > > moment, gVisor does not seem to support some routing features such as those > > found in linux/rtnetlink.h, including multicast related netlink > > subscriptions. > > > > When I run dnsmasq in gVisor, I get this crash on startup: > > > > cannot create netlink socket: Permission denied > > > > Checking strace debugger, this was the attempted call made: > > > > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID: > > 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs) > > > > The next call writes an error message to the terminal and begins exiting > > the program. I believe this to be caused by multicast route subscription > > near this line 73 in src/netlink.c: > > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73 > > > > I noticed the comment in the code: > > > > /* May not be able to have permission to set multicast groups don't die in > > that case */ > > > > I am unsure if line 79 will trigger this error anyway, and if this is > > intended behavior, as the program seems to crash anyway. > > > Line 79 basically retries the bind without subscribing to any > route/ifaddr groups. There is no reason for it to fail. Actually, i > think the second call is a no-op and it could just be omitted, the > kernel will autobind on the first sendmsg(). I'm not the maintainer so i > don't know why this call was added. > > Anyway, as of 2024, both calls do not require any privileges (try "ip > monitor" as a simple user, which requests even more rtnetlink groups). > Not being able to use rtnetlink multicast groups is a severe limitation, > this should really be fixed in gVisor. > > Out of curiosity, does dnsmasq's nfset support works inside gVisor ? ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] How to confiure dnsmasq for IPv4 to IPv6 DNS proxy?
DNSMasq should automatically resolve names when it gets a DNS request for a device it registered over DHCP. Make sure to set the base name in your DHCP scopes. I believe it updates /etc/hosts too. This can be combined with IPv6 DHCPv6, but not all devices use DHCPv6, such as Android. Android only does IPv6 SLAAC (never registers name). You can work around this with ra-names options, see below. For devices disabling IPv4 and only use IPv6 SLAAC will never get a hostname registered. Devices that do this are rare but it is possible to configure. ra-names: ra-names enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an record is added to the DNS for this IPv6 address. Note that this is only happens for directly-connected networks, (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra-names can be combined with ra-stateless and slaac. See ra-names in manual https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html On Friday, April 5th, 2024 at 3:22 AM, Hsin-Yao Huang - zeusshuang at gmail.com wrote: > A router with WAN site IPv6 only with IPv6 DNS server settings, and LAN site > supports both IPv4/IPv6.While the LAN site client only query DNS by IPv4 (A > record), how to configure dnsmasq to convert between A and automatically? > > Thanks, > Eric ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel
Re-sending previous email with HTML formatting disabled, my apologies. Control and standard test cases for issue reproduction listed below: A 'control' test case for the issue would be to launch dnsmasq in a typical Docker container. The program should launch normally and begin parsing the config, etc. The `docker run` statement should contain --privileged and --cap-add=NET_ADMIN for the sole purpose of testing. (Any non-dev reading this, please do not use --privileged in prod!). A standard test case to reproduce this issue would be to launch the exact same Docker container, using the gVisor runtime. Then the crash is reproduced. gVisor can be installed quickly using an apt repo & a modification of /etc/docker/daemon.json to permit use of the new runtime: https://gvisor.dev/docs/user_guide/install/ gVisor can then be launched for any container using `docker run --runtime=runsc`, combined with any other necessary Docker args: https://gvisor.dev/docs/user_guide/quick_start/docker/ Further information regarding this runtime: Overview: https://gvisor.dev/docs/ Syscall compatibility docs: https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/ On Saturday, March 16th, 2024 at 5:49 AM, Geert Stappers - stappers at stappers.nl wrote: > > > On Sat, Mar 16, 2024 at 09:09:16AM +, shamrock_sesame214--- via > Dnsmasq-discuss wrote: > > > Hello, > > > > I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is > > a hardened userspace kernel compatible with Kubernetes and Docker > > containers. At the moment, gVisor does not seem to support some routing > > features such as those found in linux/rtnetlink.h, including multicast > > related netlink subscriptions. > > > > When I run dnsmasq in gVisor, I get this crash on startup: > > > > cannot create netlink socket: Permission denied > > > > Checking strace debugger, this was the attempted call made: > > > > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID: > > 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs) > > > > The next call writes an error message to the terminal and > > begins exiting the program. I believe this to be caused by > > multicast route subscription near this line 73 in src/netlink.c: > > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73 > > > > I noticed the comment in the code: > > > > /* May not be able to have permission to set multicast groups don't die in > > that case */ > > > > I am unsure if line 79 will trigger this error anyway, and if this is > > intended behavior, as the program seems to crash anyway. > > > > I also found in the source code that Netlink multicast subscription > > is added to prevent routing race conditions when routes update, and > > of course for DHCP/RA support. If Dnsmasq is running as a stub DNS > > resolver inside a network namespace with one default gateway, is a > > feature considerable to disable multicast Netlink subscriptions? In > > this condition I do not anticipate routing updates to be frequent. > > > > For additional debugging notes, the dnsmasq container functions outside > > of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN > > did not resolve the issue, as it appears to be gVisor compatibility > > limitation. > > > Advice: Do a follow-up which aims for much more common interest. Like > explaining how cool gVisor is and where to find more information about it. > > > Groeten > Geert Stappers > -- > Silence is hard to parse > > ___ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel
Control and standard test cases for issue reproduction listed below: A 'control' test case for the issue would be to launch dnsmasq in a typical Docker container. The program should launch normally and begin parsing the config, etc. The `docker run` statement should contain --privileged and --cap-add=NET_ADMIN for the sole purpose of testing. (Any non-dev reading this, please do not use --privileged in prod!). A standard test case to reproduce this issue would be to launch the exact same Docker container, using the gVisor runtime. Then the crash is reproduced. gVisor can be installed quickly using an apt repo & a modification of /etc/docker/daemon.json to permit use of the new runtime: [https://gvisor.dev/docs/](https://gvisor.dev/docs/user_guide/install/ gVisor can then be launched for any container using `docker run --runtime=runsc`, combined with any other necessary Docker args: [https://gvisor.dev/docs/](https://gvisor.dev/docs/user_guide/quick_start/docker/ Further information regarding this runtime: Overview: https://gvisor.dev/docs/ Syscall compatibility docs: https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/ gVisor is owned by Google and used Google Cloud Platform's container related services, so looking into this issue may improve GCP compatibility, although I have not personally tested this against Google's online container services at this time. Original Message On Mar 16, 2024, 5:49 AM, Geert Stappers - stappers at stappers.nl wrote: > On Sat, Mar 16, 2024 at 09:09:16AM +, shamrock_sesame214--- via > Dnsmasq-discuss wrote: > Hello, > > I am attempting to run dnsmasq DNS > resolver in gVisor. gVisor is > a hardened userspace kernel compatible with > Kubernetes and Docker > containers. At the moment, gVisor does not seem to > support some routing > features such as those found in linux/rtnetlink.h, > including multicast > related netlink subscriptions. > > When I run dnsmasq > in gVisor, I get this crash on startup: > > cannot create netlink socket: > Permission denied > > Checking strace debugger, this was the attempted call > made: > > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, > PortID: 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) > (19.017µs) > > The next call writes an error message to the terminal and > > begins exiting the program. I believe this to be caused by > multicast route > subscription near this line 73 in src/netlink.c: > > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73 > > > I noticed the comment in the code: > > /* May not be able to have > permission to set multicast groups don't die in that case */ > > I am unsure > if line 79 will trigger this error anyway, and if this is > intended > behavior, as the program seems to crash anyway. > > I also found in the > source code that Netlink multicast subscription > is added to prevent routing > race conditions when routes update, and > of course for DHCP/RA support. If > Dnsmasq is running as a stub DNS > resolver inside a network namespace with > one default gateway, is a > feature considerable to disable multicast Netlink > subscriptions? In > this condition I do not anticipate routing updates to be > frequent. > > For additional debugging notes, the dnsmasq container functions > outside > of gVisor. The Docker --user root, --privileged, and > --cap-add=NET_ADMIN > did not resolve the issue, as it appears to be gVisor > compatibility > limitation. Advice: Do a follow-up which aims for much more > common interest. Like explaining how cool gVisor is and where to find more > information about it. Groeten Geert Stappers -- Silence is hard to parse > ___ Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel
Hello, I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is a hardened userspace kernel compatible with Kubernetes and Docker containers. At the moment, gVisor does not seem to support some routing features such as those found in linux/rtnetlink.h, including multicast related netlink subscriptions. When I run dnsmasq in gVisor, I get this crash on startup: cannot create netlink socket: Permission denied Checking strace debugger, this was the attempted call made: dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID: 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs) The next call writes an error message to the terminal and begins exiting the program. I believe this to be caused by multicast route subscription near this line 73 in src/netlink.c: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73 I noticed the comment in the code: /* May not be able to have permission to set multicast groups don't die in that case */ I am unsure if line 79 will trigger this error anyway, and if this is intended behavior, as the program seems to crash anyway. I also found in the source code that Netlink multicast subscription is added to prevent routing race conditions when routes update, and of course for DHCP/RA support. If Dnsmasq is running as a stub DNS resolver inside a network namespace with one default gateway, is a feature considerable to disable multicast Netlink subscriptions? In this condition I do not anticipate routing updates to be frequent. For additional debugging notes, the dnsmasq container functions outside of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN did not resolve the issue, as it appears to be gVisor compatibility limitation. Thank you for your time ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss