From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from gandalf.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 826425A0271 for ; Fri, 8 Mar 2024 07:33:27 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202312; t=1709879603; bh=Q3lCaZg8pn2NQMCZnxhTrtHjLDxgTtgMBA7RYKQgBs4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=CXwNl6bbnVd/wBWdPeaCyGnCKMpXUMmPDWWeUxIR5JwCNMmj2Gr6oh0jKOOApJjvd MC8axfQk2LKU7w4XitRF5UnJeIeDgiytDVnvhUFBylVhBuBSG1spfFOi3ixwyMA1SJ bfYlTLmsQ14L+hvWJvPLhAWEOmJKYweQeZ+aQ0+1yYDD0ueMpJUz/bhHO/HqU+3Mei tIgT6nrr3kqSknM3NECCm0HLFhsWaQAmZwjrpIwo07vBpkAmi1DD9ooX20HQUR/vR3 zOr2yMJXBMxX09+y8mh1qCgACtj7BSdmgYD/Xi/i/YOMIHLEwG+Mk3y0R1xlb7ycg4 Di8TrCu2LSIug== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4Trbw351grz4wcl; Fri, 8 Mar 2024 17:33:23 +1100 (AEDT) Date: Fri, 8 Mar 2024 17:33:00 +1100 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH] conf: Don't warn if nameservers were found, but won't be advertised Message-ID: References: <20240307232551.1828628-1-sbrivio@redhat.com> <20240308070530.6cef401c@elisabeth> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="k3hwrvUUZIh4uKsg" Content-Disposition: inline In-Reply-To: <20240308070530.6cef401c@elisabeth> Message-ID-Hash: HDP5RR7G2AUQVDGLR2LPQQ552M6L5FLD X-Message-ID-Hash: HDP5RR7G2AUQVDGLR2LPQQ552M6L5FLD X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top, Paul Holzinger X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --k3hwrvUUZIh4uKsg Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Mar 08, 2024 at 07:05:30AM +0100, Stefano Brivio wrote: > On Fri, 8 Mar 2024 12:17:13 +1100 > David Gibson wrote: >=20 > > On Fri, Mar 08, 2024 at 12:25:51AM +0100, Stefano Brivio wrote: > > > Starting from commit 3a2afde87dd1 ("conf, udp: Drop mostly duplicated > > > dns_send arrays, rename related fields"), we won't add to c->ip4.dns > > > and c->ip6.dns nameservers that can't be used by the guest or > > > container, and we won't advertise them. > > >=20 > > > However, the fact that we don't advertise any nameserver doesn't mean > > > that we didn't find any, and we should warn only if we couldn't find > > > any. > > >=20 > > > This is particularly relevant in case both --dns-forward and > > > --no-map-gw are passed, and a single loopback address is listed in > > > /etc/resolv.conf: we'll forward queries directed to the address > > > specified by --dns-forward to the loopback address we found, we > > > won't advertise that address, so we shouldn't warn: this is a > > > perfectly legitimate usage. > > >=20 > > > Reported-by: Paul Holzinger > > > Link: https://github.com/containers/podman/issues/19213 > > > Fixes: 3a2afde87dd1 ("conf, udp: Drop mostly duplicated dns_send arra= ys, rename related fields") > > > Signed-off-by: Stefano Brivio =20 > >=20 > > I don't think this is quite the right fix. It makes sense *when* > > --dns-forward is specified. However if --dns-forward is *not* > > specified, then having only localhost resolvers on the host side means > > we really do have nothing the guest can use. So I think we need to > > make the behaviour explicitly conditional on the dns_match variable. >=20 > I was actually about to do that, then I read the text of the warning > again: "Couldn't get any nameserver address". >=20 > If there are just loopback addresses in resolv.conf, and we don't have > --dns-forward, is that claim correct? We could get them, we actually > parse them, we just don't advertise them. At the same time, we show the > user (at least without --quiet) that we don't advertise any server via > DHCP/NDP/DHCPv6: that section will be missing. >=20 > On the other hand, I guess there might be some value in giving the user > a hint if they just see name resolution failing. Maybe, if we don't use > any nameserver from resolv.conf (or from the command line), we could > say "Couldn't use any nameserver address"? Right. I think giving some sort of warning if we're unable to advertise any useful nameserver to the guest is more important than the pedantic correctness of what the message says. Though obviously we want to get the latter right too, ideally. > > Possibly by making add_dns[46]() accept localhost addresses if > > (dns_match && no_map_gw)? >=20 > What do you mean by "accept"? It already sets .dns_host, no matter > what. I don't think we should add loopback addresses to the list we > advertise if c->no_map_gw, because they can't be reached anyway. >=20 > Another alternative would be to automatically advertise the address > passed by --dns-forward. But the user can already specify that via > --dns, so we'd be actually losing functionality. Ah.. I forgot that. It seems weird to me that these are set separately. I guess that approach doesn't quite work. What about your patch, plus a new explicit check about whether we have something we can advertise to the guest (whether it comes from resolv.conf or from --dns)? > I was rather pondering to set .dns_host from add_dns[46]() iff it's > used (that is, if !IN6_IS_ADDR_UNSPECIFIED(&c->ip[46].dns_match) and > return some value there (maybe that's what you meant by "accept")? >=20 > Then, if any call to add_dns[46]() used any address (advertised or > mapped), we wouldn't print any warning. Hm, maybe. Basically it seems to me we kind of need two different checks: one if we have no resolvers on the host side for passt itself to use, one if we have no resolver address we can advertise to the guest. Each would be suppressed in certain conditions when it's not relevant, but those conditions are different for each check. > I'm a bit undecided, because we'd make it more complicated for the sake > of a warning that doesn't really need to be printed anyway. But again, > it might be helpful. It's a bit more of an extensive change, but a possibly conceptually easier to understand approach would be: - Make dns_host an array, instead of single - add_dns[46]() adds things to the dns_host array, instead of the dns array (more or less unconditionally) - We generate the dns array by filtering and/or translating the dns_host array, unless overridden by --dns The two checks then become whether each of the two arrays is empty. --=20 David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson --k3hwrvUUZIh4uKsg Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmXqsQsACgkQzQJF27ox 2GfGIhAAgEKUlyeSOLdOJmX8P8Bs0DQgksP14e+aF6HAQ+fYWs54uMmQ/uT6JmrS SceLN2UFJvpaorfeGpOTxYie/Djc4659+tDJqdMQ7Ta1gtTzIL7GorvoptZJC+n8 5LDePljthN5HrieBi6PZFDdDMStoYFH67CZlpDt3nbzTqlRWWizl88TM0IPi22/q wxkdXAAmLu4Kkxvzpww8VCap7AFNFasZM+Z6VHhAJN/DFUK8M81bzLu52whDSPys QkYpTUb3/iL+mAFGRWunTKPGsRTuF6ZHkEXRDW8Q8ZMxKWbjnE6vaE6MdJ4O7BAk H653gigAv9f+esQm5ei+paf5XMvBf77NiA9XFOkRjhxd34+eaR9jXpHA3zeAIZZR F8KB8s5ulnKIajvjKr0jWvvpFtg5kSiemfg+tIDqE9pBJ4oJX35E1YcFBOufKyA7 BJn092VsnDCoDQ6toHsvPVb2Jy+By6XLcHy6cXfn9ZKIHyfgXazJYtcKx36l/Lpe fkiK/VzITsPx7OZA+zUhrez5YW7d7b1AJjjnRngy/SiQ0tSH6XhcRBs3yCJiqA7o SzQb2uC/wuSta32QqGeJyKtK2Y2OQwXPXhwqRnJlcDnprOYli8Uh4ZogRD9j3W0d j6pzgt9kuzYiqHHr7JL928GFWOHWcK9FEbFF9VVE79Uaghln2PA= =L/fv -----END PGP SIGNATURE----- --k3hwrvUUZIh4uKsg--