Opened 19 months ago

Last modified 8 months ago

#1278 assigned Bug / Defect

Loading wrong resolv.conf from wrong namespace

Reported by: yurtesen Owned by: Antonio
Priority: major Milestone: release 2.4.11
Component: Networking Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: namespace, resolv.conf,
Cc:

Description

I am running openvpn client in a namespace. I am starting it as:

ip netns exec vpn openvpn --fast-io --config /etc/openvpn/OpenVPN-Configs/Random-TCP.ovpn

It works fine for a long time but sometimes it ends up printing:

Apr 26 13:48:43 ubuntu openvpn[5182]: RESOLVE: Cannot resolve host address: XXXXXXX:XXXX (Temporary failure in name resolution)

I ran strace on the process and found out that it is reading the default /etc/resolv.conf file. (I can see it as the first line in file is "# This file is managed") and it seems to be using 127.0.0.1 for DNS resolving but it won't work inside namespace!

sendto(3, "<27>Apr 26 13:53:43 openvpn[5182"..., 137, MSG_NOSIGNAL, NULL, 0) = 137
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=719, ...}) = 0
read(4, "# This file is managed by man:sy"..., 4096) = 719
read(4, "", 4096)                       = 0
close(4)                                = 0
getpid()                                = 5182
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=719, ...}) = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
lseek(4, 0, SEEK_CUR)                   = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=287, ...}) = 0
read(4, "127.0.0.1\tlocalhost.localdomain\t"..., 4096) = 287
lseek(4, 0, SEEK_CUR)                   = 287
read(4, "", 4096)                       = 0
close(4)                                = 0

Normally I have an /etc/netns/vpn/resolv.conf file (which does NOT have a line like "# This file...") which should be used by processes running inside the namespace.

When I check the process with ip netns identify OPENVPN_PID I see that OpenVPN process is still inside the namespace it started in.

resolv.conf is a link: /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

When I execute ip netns exec vpn cat /etc/resolv.conf I receive the contents of /etc/netns/vpn/resolv.conf as it should be...

Furthermore, DNS resolution works fine for other programs which are inside the namespace. So how come OpenVPN opens the wrong resolv.conf? I believe this is a bug?

Thanks!

Change History (2)

comment:1 Changed 15 months ago by Gert Döring

OpenVPN is not opening /etc/resolv.conf directly - that is all done by the resolver library.

We do call res_init() before resolving, to ensure we have up-to-date resolver infos - but the actual "read the file" part is being done by glibc.

comment:2 Changed 8 months ago by Gert Döring

Milestone: release 2.4.7release 2.4.11
Owner: set to Antonio
Status: newassigned

@ordex: throwing this at you. I have no idea what Linux is doing there and why a "net" namespace would affect *file* reading. But maybe you have an idea.

The milestone setting is certainly wrong, this should never be "the version with the problem", but "the version we hope to see a fix".

Note: See TracTickets for help on using tickets.