Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for escaping resolv.conf symlinks #318

Merged
merged 3 commits into from
Aug 17, 2023

Conversation

n1hility
Copy link
Contributor

@n1hility n1hility commented Aug 17, 2023

Previously if resolv.conf was symlinked to a location other than /etc, or /run, a warning message would be printed and DNS would be non-functional.

Instead, attempt to bind an equivalent resolv.conf link target path in the namespace structure, so that symlink continues to function, and DNS remains operational.

This fixes usage in WSL environments which symlinks /etc/resolv.conf under a shared location under /mnt. Although I suspect this usage pattern is fairly common in other environments.

Alternatively, instead of mirroring the target path, this could have utilized the newer open_tree/move_mount syscalls, to bind mount on top of the /etc/resolv.conf symlink. However, this would have limited the support to 5.2 kernels and later, so just cloning the target seemed the way to go.

Note: this PR also includes some commits to fix CI

@n1hility n1hility force-pushed the fix-symlinks branch 4 times, most recently from b8b5b23 to f5c4a92 Compare August 17, 2023 08:46
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
@n1hility
Copy link
Contributor Author

PTAL @AkihiroSuda @giuseppe

Copy link
Collaborator

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

sandbox.c Outdated Show resolved Hide resolved
Previously if resolv.conf was symlinked to a location other than
/etc, or /run, a warning message would be printed and DNS would be
non-functional.

Instead, attempt to bind an equiavlent resolv.conf link target path
in the namespace structure, so that symlink continues to function,
and DNS remains operational.

Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
@AkihiroSuda AkihiroSuda added this to the v1.2.1 milestone Aug 17, 2023
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@AkihiroSuda AkihiroSuda merged commit 0c5bdfc into rootless-containers:master Aug 17, 2023
@n1hility
Copy link
Contributor Author

@AkihiroSuda you're welcome! Thanks for including this in your 1.2.1 release plans! It will be great to get this one out to users.

@AkihiroSuda
Copy link
Member

@KiruyaMomochi
Copy link

KiruyaMomochi commented Dec 24, 2023

Thank you for this PR! It's great to see support for escaping resolv.conf symlinks.
However, I've encountered some issues in more complex environments like NixOS, where symlinks can have multiple layers and even parent folders can be symlinked. Please see #333 for more information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants