Re: [Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel
At this time the ip monitor command does not function in a gVisor container,
although it is a WIP per gVisor. By nfset, I assume you mean the nftables
equivalent of ipset. I don't believe this works either due to the architecture
of namespaces that gVisor uses, with assumptions it should be used on the host
OS.
My container will be run in a stub namespace without any L2 bridging, so it
will not be receiving multicast anyway. I was thus hoping to see if it would be
safe to compile out or perhaps open a bug report if the code may benefit from a
restructure.
Thank you
On Tuesday, March 19th, 2024 at 5:09 AM, Nicolas Cavallari - nicolas.cavallari
at green-communications.fr wrote:
>
>
> On 16/03/2024 10:09, shamrock_sesame214--- via Dnsmasq-discuss wrote:
>
> > Hello,
> >
> > I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is a hardened
> > userspace kernel compatible with Kubernetes and Docker containers. At the
> > moment, gVisor does not seem to support some routing features such as those
> > found in linux/rtnetlink.h, including multicast related netlink
> > subscriptions.
> >
> > When I run dnsmasq in gVisor, I get this crash on startup:
> >
> > cannot create netlink socket: Permission denied
> >
> > Checking strace debugger, this was the attempted call made:
> >
> > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID:
> > 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs)
> >
> > The next call writes an error message to the terminal and begins exiting
> > the program. I believe this to be caused by multicast route subscription
> > near this line 73 in src/netlink.c:
> > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
> >
> > I noticed the comment in the code:
> >
> > /* May not be able to have permission to set multicast groups don't die in
> > that case */
> >
> > I am unsure if line 79 will trigger this error anyway, and if this is
> > intended behavior, as the program seems to crash anyway.
>
>
> Line 79 basically retries the bind without subscribing to any
> route/ifaddr groups. There is no reason for it to fail. Actually, i
> think the second call is a no-op and it could just be omitted, the
> kernel will autobind on the first sendmsg(). I'm not the maintainer so i
> don't know why this call was added.
>
> Anyway, as of 2024, both calls do not require any privileges (try "ip
> monitor" as a simple user, which requests even more rtnetlink groups).
> Not being able to use rtnetlink multicast groups is a severe limitation,
> this should really be fixed in gVisor.
>
> Out of curiosity, does dnsmasq's nfset support works inside gVisor ?
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] How to confiure dnsmasq for IPv4 to IPv6 DNS proxy?
DNSMasq should automatically resolve names when it gets a DNS request for a device it registered over DHCP. Make sure to set the base name in your DHCP scopes. I believe it updates /etc/hosts too. This can be combined with IPv6 DHCPv6, but not all devices use DHCPv6, such as Android. Android only does IPv6 SLAAC (never registers name). You can work around this with ra-names options, see below. For devices disabling IPv4 and only use IPv6 SLAAC will never get a hostname registered. Devices that do this are rare but it is possible to configure. ra-names: ra-names enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an record is added to the DNS for this IPv6 address. Note that this is only happens for directly-connected networks, (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra-names can be combined with ra-stateless and slaac. See ra-names in manual https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html On Friday, April 5th, 2024 at 3:22 AM, Hsin-Yao Huang - zeusshuang at gmail.com wrote: > A router with WAN site IPv6 only with IPv6 DNS server settings, and LAN site > supports both IPv4/IPv6.While the LAN site client only query DNS by IPv4 (A > record), how to configure dnsmasq to convert between A and automatically? > > Thanks, > Eric ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel
Re-sending previous email with HTML formatting disabled, my apologies.
Control and standard test cases for issue reproduction listed below:
A 'control' test case for the issue would be to launch dnsmasq in a typical
Docker container. The program should launch normally and begin parsing the
config, etc. The `docker run` statement should contain --privileged and
--cap-add=NET_ADMIN for the sole purpose of testing. (Any non-dev reading this,
please do not use --privileged in prod!).
A standard test case to reproduce this issue would be to launch the exact same
Docker container, using the gVisor runtime. Then the crash is reproduced.
gVisor can be installed quickly using an apt repo & a modification of
/etc/docker/daemon.json to permit use of the new runtime:
https://gvisor.dev/docs/user_guide/install/
gVisor can then be launched for any container using `docker run
--runtime=runsc`, combined with any other necessary Docker args:
https://gvisor.dev/docs/user_guide/quick_start/docker/
Further information regarding this runtime:
Overview: https://gvisor.dev/docs/
Syscall compatibility docs:
https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/
On Saturday, March 16th, 2024 at 5:49 AM, Geert Stappers - stappers at
stappers.nl wrote:
>
>
> On Sat, Mar 16, 2024 at 09:09:16AM +, shamrock_sesame214--- via
> Dnsmasq-discuss wrote:
>
> > Hello,
> >
> > I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is
> > a hardened userspace kernel compatible with Kubernetes and Docker
> > containers. At the moment, gVisor does not seem to support some routing
> > features such as those found in linux/rtnetlink.h, including multicast
> > related netlink subscriptions.
> >
> > When I run dnsmasq in gVisor, I get this crash on startup:
> >
> > cannot create netlink socket: Permission denied
> >
> > Checking strace debugger, this was the attempted call made:
> >
> > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID:
> > 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs)
> >
> > The next call writes an error message to the terminal and
> > begins exiting the program. I believe this to be caused by
> > multicast route subscription near this line 73 in src/netlink.c:
> > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
> >
> > I noticed the comment in the code:
> >
> > /* May not be able to have permission to set multicast groups don't die in
> > that case */
> >
> > I am unsure if line 79 will trigger this error anyway, and if this is
> > intended behavior, as the program seems to crash anyway.
> >
> > I also found in the source code that Netlink multicast subscription
> > is added to prevent routing race conditions when routes update, and
> > of course for DHCP/RA support. If Dnsmasq is running as a stub DNS
> > resolver inside a network namespace with one default gateway, is a
> > feature considerable to disable multicast Netlink subscriptions? In
> > this condition I do not anticipate routing updates to be frequent.
> >
> > For additional debugging notes, the dnsmasq container functions outside
> > of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN
> > did not resolve the issue, as it appears to be gVisor compatibility
> > limitation.
>
>
> Advice: Do a follow-up which aims for much more common interest. Like
> explaining how cool gVisor is and where to find more information about it.
>
>
> Groeten
> Geert Stappers
> --
> Silence is hard to parse
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel
Control and standard test cases for issue reproduction listed below:
A 'control' test case for the issue would be to launch dnsmasq in a typical
Docker container. The program should launch normally and begin parsing the
config, etc. The `docker run` statement should contain --privileged and
--cap-add=NET_ADMIN for the sole purpose of testing. (Any non-dev reading this,
please do not use --privileged in prod!).
A standard test case to reproduce this issue would be to launch the exact same
Docker container, using the gVisor runtime. Then the crash is reproduced.
gVisor can be installed quickly using an apt repo & a modification of
/etc/docker/daemon.json to permit use of the new runtime:
[https://gvisor.dev/docs/](https://gvisor.dev/docs/user_guide/install/
gVisor can then be launched for any container using `docker run
--runtime=runsc`, combined with any other necessary Docker args:
[https://gvisor.dev/docs/](https://gvisor.dev/docs/user_guide/quick_start/docker/
Further information regarding this runtime:
Overview: https://gvisor.dev/docs/
Syscall compatibility docs:
https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/
gVisor is owned by Google and used Google Cloud Platform's container related
services, so looking into this issue may improve GCP compatibility, although I
have not personally tested this against Google's online container services at
this time.
Original Message
On Mar 16, 2024, 5:49 AM, Geert Stappers - stappers at stappers.nl wrote:
> On Sat, Mar 16, 2024 at 09:09:16AM +, shamrock_sesame214--- via
> Dnsmasq-discuss wrote: > Hello, > > I am attempting to run dnsmasq DNS
> resolver in gVisor. gVisor is > a hardened userspace kernel compatible with
> Kubernetes and Docker > containers. At the moment, gVisor does not seem to
> support some routing > features such as those found in linux/rtnetlink.h,
> including multicast > related netlink subscriptions. > > When I run dnsmasq
> in gVisor, I get this crash on startup: > > cannot create netlink socket:
> Permission denied > > Checking strace debugger, this was the attempted call
> made: > > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK,
> PortID: 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied)
> (19.017µs) > > The next call writes an error message to the terminal and >
> begins exiting the program. I believe this to be caused by > multicast route
> subscription near this line 73 in src/netlink.c: >
> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
> > > I noticed the comment in the code: > > /* May not be able to have
> permission to set multicast groups don't die in that case */ > > I am unsure
> if line 79 will trigger this error anyway, and if this is > intended
> behavior, as the program seems to crash anyway. > > I also found in the
> source code that Netlink multicast subscription > is added to prevent routing
> race conditions when routes update, and > of course for DHCP/RA support. If
> Dnsmasq is running as a stub DNS > resolver inside a network namespace with
> one default gateway, is a > feature considerable to disable multicast Netlink
> subscriptions? In > this condition I do not anticipate routing updates to be
> frequent. > > For additional debugging notes, the dnsmasq container functions
> outside > of gVisor. The Docker --user root, --privileged, and
> --cap-add=NET_ADMIN > did not resolve the issue, as it appears to be gVisor
> compatibility > limitation. Advice: Do a follow-up which aims for much more
> common interest. Like explaining how cool gVisor is and where to find more
> information about it. Groeten Geert Stappers -- Silence is hard to parse
> ___ Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel
Hello,
I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is a hardened
userspace kernel compatible with Kubernetes and Docker containers. At the
moment, gVisor does not seem to support some routing features such as those
found in linux/rtnetlink.h, including multicast related netlink subscriptions.
When I run dnsmasq in gVisor, I get this crash on startup:
cannot create netlink socket: Permission denied
Checking strace debugger, this was the attempted call made:
dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID:
0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs)
The next call writes an error message to the terminal and begins exiting the
program. I believe this to be caused by multicast route subscription near this
line 73 in src/netlink.c:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
I noticed the comment in the code:
/* May not be able to have permission to set multicast groups don't die in
that case */
I am unsure if line 79 will trigger this error anyway, and if this is intended
behavior, as the program seems to crash anyway.
I also found in the source code that Netlink multicast subscription is added
to prevent routing race conditions when routes update, and of course for
DHCP/RA support. If Dnsmasq is running as a stub DNS resolver inside a network
namespace with one default gateway, is a feature considerable to disable
multicast Netlink subscriptions? In this condition I do not anticipate routing
updates to be frequent.
For additional debugging notes, the dnsmasq container functions outside of
gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN did not
resolve the issue, as it appears to be gVisor compatibility limitation.
Thank you for your time
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
