Loading wrong resolv.conf from wrong namespace

[yurtesen]

I am running openvpn client in a namespace. I am starting it as:

ip netns exec vpn openvpn --fast-io --config /etc/openvpn/OpenVPN-Configs/Random-TCP.ovpn

It works fine for a long time but sometimes it ends up printing:

Apr 26 13:48:43 ubuntu openvpn[5182]: RESOLVE: Cannot resolve host address: XXXXXXX:XXXX (Temporary failure in name resolution)

I ran strace on the process and found out that it is reading the default /etc/resolv.conf file. (I can see it as the first line in file is "# This file is managed") and it seems to be using 127.0.0.1 for DNS resolving but it won't work inside namespace!

sendto(3, "<27>Apr 26 13:53:43 openvpn[5182"..., 137, MSG_NOSIGNAL, NULL, 0) = 137
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=719, ...}) = 0
read(4, "# This file is managed by man:sy"..., 4096) = 719
read(4, "", 4096)                       = 0
close(4)                                = 0
getpid()                                = 5182
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=719, ...}) = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
lseek(4, 0, SEEK_CUR)                   = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=287, ...}) = 0
read(4, "127.0.0.1\tlocalhost.localdomain\t"..., 4096) = 287
lseek(4, 0, SEEK_CUR)                   = 287
read(4, "", 4096)                       = 0
close(4)                                = 0

Normally I have an /etc/netns/vpn/resolv.conf file (which does NOT have a line like "# This file...") which should be used by processes running inside the namespace.

When I check the process with ip netns identify OPENVPN_PID I see that OpenVPN process is still inside the namespace it started in.

resolv.conf is a link: /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

When I execute ip netns exec vpn cat /etc/resolv.conf I receive the contents of /etc/netns/vpn/resolv.conf as it should be...

Furthermore, DNS resolution works fine for other programs which are inside the namespace. So how come OpenVPN opens the wrong resolv.conf? I believe this is a bug?

Thanks!

[Gert Döring]

OpenVPN is not opening /etc/resolv.conf directly - that is all done by the resolver library.

We do call res_init() before resolving, to ensure we have up-to-date resolver infos - but the actual "read the file" part is being done by glibc.

[Gert Döring]

@ordex: throwing this at you. I have no idea what Linux is doing there and why a "net" namespace would affect *file* reading. But maybe you have an idea.

The milestone setting is certainly wrong, this should never be "the version with the problem", but "the version we hope to see a fix".

[Antonio Quartulli]

I know this bug was created looong ago, however, we (mostly Gianmarco) have recently performed extensive tests with the latest openvpn + netns and I can confirm that, when used within a specific namespace (i.e. by running openvpn as 'ip netns exec $name openvpn ...'), the resolv.conf file being used is the one within the special /etc/netns/$NAME/etc subfolder (if it exists at all).

For this reason we are unable to reproduce the bug at this time.

Nothing was changed regarding netns (openvpn as of now is netns unaware), therefore I am unable to tell what fixed this.

Please note that strace will always show "/etc/resolv.conf" as file being opened (because the program doesn't know about namespaces) but a virtual folder bind will ensure the right file is opened.

Due to all the above, I am closing this ticket.

Should anybody still have similar issues, please open a new ticket with reproducible steps for the latest OpenVPN version.