From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
Subject: Re: [PATCH] conf: Don't warn if nameservers were found, but won't be advertised
Date: Fri, 8 Mar 2024 12:17:13 +1100
Message-ID: <ZepnGWkFdDCs5qa8@zatzit>
In-Reply-To: <20240307232551.1828628-1-sbrivio@redhat.com>

On Fri, Mar 08, 2024 at 12:25:51AM +0100, Stefano Brivio wrote:
> Starting from commit 3a2afde87dd1 ("conf, udp: Drop mostly duplicated
> dns_send arrays, rename related fields"), we won't add to c->ip4.dns
> and c->ip6.dns nameservers that can't be used by the guest or
> container, and we won't advertise them.
>
> However, the fact that we don't advertise any nameserver doesn't mean
> that we didn't find any, and we should warn only if we couldn't find
> any.
>
> This is particularly relevant in case both --dns-forward and
> --no-map-gw are passed, and a single loopback address is listed in
> /etc/resolv.conf: we'll forward queries directed to the address
> specified by --dns-forward to the loopback address we found, we
> won't advertise that address, so we shouldn't warn: this is a
> perfectly legitimate usage.
>
> Reported-by: Paul Holzinger <pholzing@redhat.com>
> Link: https://github.com/containers/podman/issues/19213
> Fixes: 3a2afde87dd1 ("conf, udp: Drop mostly duplicated dns_send arrays, rename related fields")
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

I don't think this is quite the right fix.  It makes sense *when*
--dns-forward is specified.  However if --dns-forward is *not*
specified, then having only localhost resolvers on the host side means
we really do have nothing the guest can use.  So I think we need to
make the behaviour explicitly conditional on the dns_match variable.
Possibly by making add_dns[46]() accept localhost addresses if
(dns_match && no_map_gw)?

> ---
> conf.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/conf.c b/conf.c
> index 4a783b8..c50c039 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -399,6 +399,7 @@ static void get_dns(struct ctx *c)
> int dns4_set, dns6_set, dnss_set, dns_set, fd;
> struct fqdn *s = c->dns_search;
> struct lineread resolvconf;
> + unsigned int added = 0;
> char *line, *end;
> const char *p;
> int line_len;
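Review bot: The name `added` on the new `unsigned int added = 0;` line is misleading, because the counter tracks nameserver lines that parsed, not entries that ended up in c->ip4.dns or c->ip6.dns, which per the commit message is exactly the distinction this patch relies on. A name such as `found`, or a one-line comment saying it counts parsed addresses regardless of whether they are advertised, would make that clear. Since the last hunk only tests it with `!added`, a bool would also be enough.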
> @@ -427,13 +428,17 @@ static void get_dns(struct ctx *c)
>
> if (!dns4_set &&
> dns4 - &c->ip4.dns[0] < ARRAY_SIZE(c->ip4.dns) - 1
> - && inet_pton(AF_INET, p + 1, &dns4_tmp))
> + && inet_pton(AF_INET, p + 1, &dns4_tmp)) {
> add_dns4(c, &dns4_tmp, &dns4);
> + added++;
> + }
>
> if (!dns6_set &&
> dns6 - &c->ip6.dns[0] < ARRAY_SIZE(c->ip6.dns) - 1
> - && inet_pton(AF_INET6, p + 1, &dns6_tmp))
> + && inet_pton(AF_INET6, p + 1, &dns6_tmp)) {
> add_dns6(c, &dns6_tmp, &dns6);
> + added++;
> + }
> } else if (!dnss_set && strstr(line, "search ") == line &&
> s == c->dns_search) {
> end = strpbrk(line, "\n");
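Review bot: Both `added++` lines run whenever inet_pton() succeeds, independently of what add_dns4() or add_dns6() did with the address, so a resolv.conf with only loopback resolvers counts as "found" even when --dns-forward is not given and the guest ends up with nothing usable. Consider letting add_dns4() and add_dns6() report whether the address is usable (advertised, or reachable as a forwarding target) and counting only then, or making the increment conditional on DNS forwarding being configured, as suggested in the reply above.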
> @@ -459,7 +464,7 @@ static void get_dns(struct ctx *c)
> close(fd);
>
> out:
> - if (!dns_set && dns4 == c->ip4.dns && dns6 == c->ip6.dns)
> + if (!dns_set && !added)
> warn("Couldn't get any nameserver address");
> }
>
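Review bot: With `if (!dns_set && !added)` the case the old pointer comparison caught, where nameservers were parsed but none was stored in c->ip4.dns or c->ip6.dns, becomes silent in every configuration, not only in the --dns-forward plus --no-map-gw case the commit message describes. Keeping a second check along the lines of the removed `dns4 == c->ip4.dns && dns6 == c->ip6.dns` test, with a differently worded warning and skipped when forwarding is in use, would preserve the diagnostic for users who have only loopback resolvers and no forwarding.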
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson