From: Stefano Brivio <sbrivio@redhat.com>
To: Noah Gold <nkgold@google.com>
Cc: passt-dev@passt.top, David Gibson <david@gibson.dropbear.id.au>
Subject: Re: Improved handling of changing DNS resolvers
Date: Sat, 21 Jan 2023 10:47:03 +0100 [thread overview]
Message-ID: <20230121104703.3ebcc753@elisabeth> (raw)
In-Reply-To: <CAEJ_Dr9C4mbm3sc=5biPFkQA-y=ZiMg8NLhtNNntKzcQL9do_g@mail.gmail.com>
Hi Noah,
Sorry for the delay, I didn't check pending mailing list posts for a
couple of days. Comments below:
On Tue, 17 Jan 2023 11:50:50 -0800
Noah Gold <nkgold@google.com> wrote:
> Hi folks,
>
> libslirp and Passt have different approaches to sharing DNS resolvers with
> the guest system, each with their own benefits & drawbacks. On the libslirp
> project, we're discussing [1] how to support DNS failover. Passt already has
> support for this, but there is a drawback to its solution which prevents us
> from taking a similar approach: the resolvers are read exactly once, so if the
> host changes networks at runtime, the guest will not receive the updated
> resolvers and thus its connectivity will break.
Right -- the main motivation behind this (other than simplicity) is that
we can close /etc/resolv.conf before sandboxing.
However, we could keep a handle on it, just like we do for PID and pcap
files, while still unmounting the filesystem.
And we could also use inotify to detect changes I guess -- we do the
same to monitor namespaces in pasta mode (see pasta_netns_quit_init()).
> libslirp's current approach is to DNAT a single address exposed to the guest
> to one of the resolvers configured on the host. The problem here is that if that
> one resolver goes down, the guest can't resolve DNS names. We're
> considering changing so that instead of a single address, we expose a set of
> MAXNS addresses, and DNAT those 1:1 to the DNS resolvers registered with
> the host. Because the DNAT table lives on the host side, we can refresh the
> guest's resolvers whenever the host's resolvers change, but without the need to
> expire a DHCP lease (even with short leases, the guest will still lose
> connectivity for a time).
>
> Does this sound like an approach Passt would be open to adopting as well?
Yes, definitely, patches would be very welcome.
Note that David (Cc'ed) is currently working on a generalised/flexible
address mapping mechanism, some kind of (simple) NAT table as far as I
understood it.
This might even address your DNS idea already, I'm not sure, I'd wait
for him to comment.
--
Stefano
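To make the proposal above concrete (a fixed set of MAXNS guest-visible resolver addresses, each DNATed to one host resolver, with the host side refreshed whenever /etc/resolv.conf changes), here is an added example in C. It is not code from passt or libslirp: the guest addresses (10.0.2.3 to 10.0.2.5), the IPv4-only parsing, and the function names are assumptions made for this illustration, and the inotify trigger Stefano mentions is left out; the example simply calls the refresh function with the "before" and "after" resolv.conf contents, which are constructed inline.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXNS 3   /* glibc's limit on nameserver entries in resolv.conf */

/* Assumed guest-visible resolver addresses. The guest is told about these
 * once (e.g. via DHCP) and they never change; only the host side does. */
static const char *guest_dns[MAXNS] = { "10.0.2.3", "10.0.2.4", "10.0.2.5" };

struct dnat_entry {
    struct in_addr guest;   /* address the guest sends queries to */
    struct in_addr host;    /* host resolver the query is forwarded to */
    bool valid;             /* false when the host has fewer resolvers */
};

struct dns_nat {
    struct dnat_entry map[MAXNS];
    int count;              /* number of valid (live) slots */
};

/* Parse "nameserver" lines from resolv.conf contents into up to 'max'
 * IPv4 addresses. Comments, "search"/"options" lines and IPv6 entries
 * are skipped (IPv6 would need a second table). Returns the count. */
static int parse_resolv_conf(const char *text, struct in_addr *out, int max)
{
    int n = 0;
    const char *line = text;

    while (*line && n < max) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256], addr[64];

        if (len >= sizeof(buf))
            len = sizeof(buf) - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (sscanf(buf, " nameserver %63s", addr) == 1 &&
            inet_pton(AF_INET, addr, &out[n]) == 1)
            n++;

        if (!end)
            break;
        line = end + 1;
    }
    return n;
}

/* (Re)build the DNAT table. Guest addresses stay fixed, so the guest
 * needs no new lease when the host moves to another network. */
static void dns_nat_refresh(struct dns_nat *nat, const char *resolv_conf)
{
    struct in_addr hosts[MAXNS];
    int n = parse_resolv_conf(resolv_conf, hosts, MAXNS);

    for (int i = 0; i < MAXNS; i++) {
        inet_pton(AF_INET, guest_dns[i], &nat->map[i].guest);
        nat->map[i].valid = i < n;
        nat->map[i].host.s_addr = i < n ? hosts[i].s_addr : 0;
    }
    nat->count = n;
}

/* Translate the destination of a guest DNS query. Returns true and fills
 * 'host' if the address is a resolver slot with a live host backend. */
static bool dns_nat_lookup(const struct dns_nat *nat, const char *guest_addr,
                           char *host, size_t hostlen)
{
    struct in_addr g;

    if (inet_pton(AF_INET, guest_addr, &g) != 1)
        return false;
    for (int i = 0; i < MAXNS; i++)
        if (nat->map[i].valid && nat->map[i].guest.s_addr == g.s_addr)
            return inet_ntop(AF_INET, &nat->map[i].host, host, hostlen) != NULL;
    return false;
}

/* Constructed resolv.conf contents: the host at home, then after moving
 * to an office network. Both are sample data, not captured files. */
static const char *resolv_home =
    "# Generated by NetworkManager\n"
    "search home.example\n"
    "nameserver 192.168.1.1\n"
    "nameserver 2001:db8::1\n"      /* IPv6: skipped by this IPv4-only example */
    "nameserver 9.9.9.9\n";
static const char *resolv_office =
    "nameserver 10.10.0.53\n"
    "nameserver 10.10.0.54\n"
    "nameserver 10.10.0.55\n"
    "nameserver 10.10.0.56\n";      /* fourth entry exceeds MAXNS, ignored like glibc does */

int main(void)
{
    struct dns_nat nat;
    char host[INET_ADDRSTRLEN];
    const char *confs[2] = { resolv_home, resolv_office };

    for (int c = 0; c < 2; c++) {
        dns_nat_refresh(&nat, confs[c]);   /* in practice: on an inotify event */
        printf("after refresh %d: %d live resolver(s)\n", c + 1, nat.count);
        for (int i = 0; i < MAXNS; i++)
            printf("  %s -> %s\n", guest_dns[i],
                   dns_nat_lookup(&nat, guest_dns[i], host, sizeof(host)) ? host : "(none)");
    }
    return 0;
}
```

The point the table makes visible: after the second refresh, queries the guest keeps sending to 10.0.2.3 land on 10.10.0.53 instead of 192.168.1.1, and a slot that had no backend on the first network (10.0.2.5) becomes live, all without the guest seeing any change in its own resolver list. A query for an unmapped slot should be answered with an ICMP unreachable or SERVFAIL rather than silently dropped, so the guest's resolver moves on to the next address promptly.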
Thread overview:
2023-01-17 18:51 Improved handling of changing DNS resolvers Noah Gold
2023-01-21 9:47 ` Stefano Brivio [this message]
2023-01-23 6:20 ` David Gibson
2023-01-25 17:55 ` Stefano Brivio
2023-01-31 0:11 ` Noah Gold
2023-02-02 11:09 ` Stefano Brivio
2023-02-14 2:45 ` Noah Gold
2023-02-14 15:06 ` Stefano Brivio
Code repository for the project associated with this public inbox: https://passt.top/passt