Bug#1032937: systemd-resolved: Overwriting /etc/resolv.conf with link to /run/systemd/resolve/stub-resolv.conf breaks install in chroot
Samuli Suonpää
Version: 252.6-1
Severity: important
I'd like to use systemd-resolved in my Debian live cd/usb, built with
live-build. This fails, as I believe will fail any other attempt to use
systemd-resolved in debootstrapped chroot environment.
Installing systemd-resolved overwrites /etc/resolv.conf with link to
../run/systemd/resolve/stub-resolve.conf.
From systemd-resolved.postinst:
echo "Converting /etc/resolv.conf to a symlink to /run/systemd/resolve/stub-resolv.conf..."
if [ -f "${DPKG_ROOT}/etc/resolv.conf" ]; then
mv "${DPKG_ROOT}/etc/resolv.conf" "${DPKG_ROOT}/etc/.resolv.conf.systemd-resolved.bak" || echo "Cannot take a backup of /etc/resolv.conf."
fi
ln -sf ../run/systemd/resolve/stub-resolv.conf "${DPKG_ROOT}/etc/resolv.conf" || echo "Cannot install symlink from /etc/resolv.conf to ../run/systemd/resolve/stub-resolv.conf"
This is fine, as long as systemd-resolved.service it started right away.
However, when building a Debian live image or quite possibly when doing
any Debian install in debootstrapped chroot environment, the service is
not started.
Now we are in a chroot environment, but name resolution does not work.
Would it be possible to defer overwriting /etc/resolv.conf? Does it have
to happen at .postinst and not at, say, at the start of the service?
Example:
# mkdir bootstrapped
# debootstrap bookworm bootstrapped
I: Target architecture can be executed
I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id A7236886F3CCCAAD148A27F80E98404D386FA1D9)
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://deb.debian.org/debian...
[ ... ]
I: Base system installed successfully.
# mount --make-private --rbind /dev bootstrapped/dev/
# mount --make-private --rbind /proc bootstrapped/proc/
# mount --make-private --rbind /sys bootstrapped/sys
# chroot bootstrapped/
# ping -c 1 deb.debian.org
PING deb.debian.org(2a04:4e42:8e::644 (2a04:4e42:8e::644)) 56 data bytes
64 bytes from 2a04:4e42:8e::644 (2a04:4e42:8e::644): icmp_seq=1 ttl=59 time=5.26 ms
--- deb.debian.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.256/5.256/5.256/0.000 ms
# apt install systemd-resolved
Reading package lists... Done
Building dependency tree... Done
[ ...]
Selecting previously unselected package systemd-resolved.
Preparing to unpack .../8-systemd-resolved_252.6-1_amd64.deb ...
Unpacking systemd-resolved (252.6-1) ...
[...]
Setting up dbus (1.14.6-1) ...
Running in chroot, ignoring request.
Setting up systemd-resolved (252.6-1) ...
Converting /etc/resolv.conf to a symlink to /run/systemd/resolve/stub-resolv.conf...
Creating group 'systemd-resolve' with GID 997.
Creating user 'systemd-resolve' (systemd Resolver) with UID 997 and GID 997.
Created symlink /etc/systemd/system/dbus-org.freedesktop.resolve1.service → /lib/systemd/system/systemd-resolved.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-resolved.service → /lib/systemd/system/systemd-resolved.service.
Setting up libnss-resolve:amd64 (252.6-1) ...
Processing triggers for libc-bin (2.36-8) ...
# ping -c1 deb.debian.org
ping: deb.debian.org: Name or service not known
# ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Mar 14 12:34 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
# cat /etc/resolv.conf
cat: /etc/resolv.conf: No such file or directory
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (800, 'testing'), (700, 'unstable'), (500, 'testing-security'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-6-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd-resolved depends on:
ii dbus [default-dbus-system-bus] 1.14.6-1
ii libc6 2.36-8
ii libssl3 3.0.8-1
ii libsystemd-shared 252.6-1
ii systemd 252.6-1
Versions of packages systemd-resolved recommends:
ii libnss-myhostname 252.6-1
ii libnss-resolve 252.6-1
Versions of packages systemd-resolved suggests:
ii policykit-1 122-3
ii polkitd 122-3
-- no debconf information
Luca Boccassi
<suo...@diurnalis.fi> wrote:
> Now we are in a chroot environment, but name resolution does not
work.
>
> Would it be possible to defer overwriting /etc/resolv.conf? Does it
have
> to happen at .postinst and not at, say, at the start of the service?
install the package, you need to ensure it can work, and if you use an
image build tool, it's up to that tool to ensure it is set up
correctly, as it obviously cannot be done from the package itself.
--
Kind regards,
Luca Boccassi
Bastian Blank
Let's make this RC, as it breaks updates.
The systemd-resolved package modifies a global config file
/etc/resolv.conf. This breaks any name resolution if resolved is not
running. Especially if it can't run at all.
| root@debian-sid:~# ls -al /etc/resolv.conf
| lrwxrwxrwx 1 root root 40 Mar 14 14:03 /etc/resolv.conf -> /../run/systemd/resolve/stub-resolv.conf
| root@debian-sid:~# getent hosts heise.de
| 2a02:2e0:3fe:1001:302:: heise.de
| root@debian-sid:~# systemctl stop systemd-resolved
| root@debian-sid:~# getent hosts heise.de
| root@debian-sid:~#
Sorry, but the only person to know if resolved can be used is the admin,
not a package.
Bastian
--
A princess should not be afraid -- not with a brave knight to protect her.
-- McCoy, "Shore Leave", stardate 3025.3
Samuli Suonpää
> On 14. Mar 2023, at 17.34, Luca Boccassi <bl...@debian.org> wrote:
>
> Exactly, so the admin shouldn't install a package that in the
> description says:
>
> "Installing this package automatically overwrites /etc/resolv.conf and
> switches it to be managed by systemd-resolved."
>
> if that's not what they want to achieve. I agree that the
> /etc/resolv.conf interface is garbage, but there's nothing we can do
> about it, that's just how it works.
> This is the only way read-only images can be supported sanely.
Why exactly is it necessary to overwrite /etc/resolv.conf at postinst, even if
the service will not and can not be started?
Wouldn’t it make more sense to make the symlink at a later stage? For
Instance when the service is actually started?
There’s no point in having resolv.conf symlink to
/run/systemd/resolve/stub-resolv.conf when systemd-resolved is not running.
Samuli
Luca Boccassi
<suo...@diurnalis.fi> wrote:
>
> > On 14. Mar 2023, at 17.34, Luca Boccassi <bl...@debian.org> wrote:
> >
> > Exactly, so the admin shouldn't install a package that in the
> > description says:
> >
> > "Installing this package automatically overwrites /etc/resolv.conf
and
> > switches it to be managed by systemd-resolved."
> >
> > if that's not what they want to achieve. I agree that the
> > /etc/resolv.conf interface is garbage, but there's nothing we can
do
> > about it, that's just how it works.
> > This is the only way read-only images can be supported sanely.
>
> Why exactly is it necessary to overwrite /etc/resolv.conf at
postinst, even if
> the service will not and can not be started?
>
> Wouldn’t it make more sense to make the symlink at a later stage? For
> Instance when the service is actually started?
and thus it's too late.
> There’s no point in having resolv.conf symlink to
> /run/systemd/resolve/stub-resolv.conf when systemd-resolved is not
running.
I might accept a patch that switches to using tmpfiles.d, as long as
the default is still to enable on install, and that taking a copy of
the existing resolv.conf is also done, and that it is proven to work on
a read-only image. That way it's easier to override it with a drop-in.
I am not going to write and test such patch though, someone else needs
to do it and send a MR on Salsa.
Bastian Blank
Hi
I intend to NMU this today. It changes global config without any
knowledge if it might work.
diff -Nru systemd-253/debian/changelog systemd-253/debian/changelog
--- systemd-253/debian/changelog 2023-02-15 21:36:32.000000000 +0100
+++ systemd-253/debian/changelog 2023-03-19 11:54:54.000000000 +0100
@@ -1,3 +1,10 @@
+systemd (253-1.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Remove broken resolv.conf setup. (closes: #1032937)
+
+ -- Bastian Blank <wa...@debian.org> Sun, 19 Mar 2023 11:54:54 +0100
+
systemd (253-1) experimental; urgency=medium
* New upstream version 253. For a full list of changes, see:
diff -Nru systemd-253/debian/systemd-resolved.postinst systemd-253/debian/systemd-resolved.postinst
--- systemd-253/debian/systemd-resolved.postinst 2023-02-09 15:56:44.000000000 +0100
+++ systemd-253/debian/systemd-resolved.postinst 2023-03-19 11:54:50.000000000 +0100
@@ -23,14 +23,4 @@
_adopt_conffile "${DPKG_ROOT}/etc/systemd/resolved.conf" systemd-resolved
fi
-if [ "$1" = configure ] && dpkg --compare-versions "$2" lt 251.4-2; then
- if [ "$(readlink "${DPKG_ROOT}/etc/resolv.conf")" != "../run/systemd/resolve/stub-resolv.conf" ] && [ "$(readlink "${DPKG_ROOT}/etc/resolv.conf")" != "/run/systemd/resolve/stub-resolv.conf" ]; then
- echo "Converting /etc/resolv.conf to a symlink to /run/systemd/resolve/stub-resolv.conf..."
- if [ -f "${DPKG_ROOT}/etc/resolv.conf" ]; then
- mv "${DPKG_ROOT}/etc/resolv.conf" "${DPKG_ROOT}/etc/.resolv.conf.systemd-resolved.bak" || echo "Cannot take a backup of /etc/resolv.conf."
- fi
- ln -sf ../run/systemd/resolve/stub-resolv.conf "${DPKG_ROOT}/etc/resolv.conf" || echo "Cannot install symlink from /etc/resolv.conf to ../run/systemd/resolve/stub-resolv.conf"
- fi
-fi
-
#DEBHELPER#
Bastian
--
Time is fluid ... like a river with currents, eddies, backwash.
-- Spock, "The City on the Edge of Forever", stardate 3134.0
Bastian Blank
This modification of global configuration breaks the building of cloud
images. We need a way to install the package, but no services will run
in the environment, nor is there a systemd-resolved in the same network
namespace.
The build does not exhibit that failure right now, because by chance
systemd-resolved is the last thing that needs a working resolver before
the build is finished. But this is not guaranteed.
Regards,
Bastian
--
There's coffee in that nebula!
-- Capt. Kathryn Janeway, Star Trek: Voyager, "The Cloud"
Luca Boccassi
wrote:
>
> Hi
>
> I intend to NMU this today. It changes global config without any
> knowledge if it might work.
Helmut Grohne
On Sun, Mar 19, 2023 at 12:21:48PM +0100, Bastian Blank wrote:
> This modification of global configuration breaks the building of cloud
> images. We need a way to install the package, but no services will run
> in the environment, nor is there a systemd-resolved in the same network
> namespace.
> The build does not exhibit that failure right now, because by chance
> systemd-resolved is the last thing that needs a working resolver before
> the build is finished. But this is not guaranteed.
reference.
You expect that you can install systemd-resolved without running any
services or init processes (in a chroot or service-less container) and
then continue using DNS resolution inside that environment.
I content that such an environment is very unusual since you would not
want to install systemd-resolved in a setting where you do not run
services and if you are in bootstrap setting, you can use an external
apt (with access to an external resolv.conf) to download packages.
Even then when assuming that your expectation is well-founded (which I
do not fully agree with), it remains unclear why Michael's proposal
would not solve your problem.
Given the lack of answers on these questions, I think that rc-severity
is not reasonable though I do not have authority on this question.
Helmut
Marcel Partap
Version: 252.5-2~bpo11+1
Followup-For: Bug #1032937
Ubuntu had this in their systemd.postinst since 5 years:
> ef4adf4 Dimitri John Ledkov 5 years ago 63│ # Use stub resolve.conf by default on new installs
> 20bc8a3 Dimitri John Ledkov 5 years ago 64│ if [ -z "$2" ]; then
> 20bc8a3 Dimitri John Ledkov 5 years ago 65│ mkdir -p /run/systemd/resolve
> 20bc8a3 Dimitri John Ledkov 5 years ago 66│ if [ -e /etc/resolv.conf ]; then
> 20bc8a3 Dimitri John Ledkov 5 years ago 67│ cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf
> 20bc8a3 Dimitri John Ledkov 5 years ago 68│ fi
> b04f573 Dimitri John Ledkov 5 years ago 69│ # If /etc/resolv.conf is a bind-mount, moving or replacing
> b04f573 Dimitri John Ledkov 5 years ago 70│ # /etc/resolv.conf may fail
> b04f573 Dimitri John Ledkov 5 years ago 71│ ln -snf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || true
> ef4adf4 Dimitri John Ledkov 5 years ago 72│ fi
and moved the relevant copy operation into systemd-resolved.postinst in September.
Any reason not to apply the same, @Luca?
Workaround for live-build can be a /usr/share/live/build/hooks/normal/0001-systemd-resolved-unbreak.hook.chroot
> #!/bin/sh
> mkdir -p /run/systemd/resolve/
> cp -a /etc/.resolv.conf.systemd-resolved.bak /run/systemd/resolve/stub-resolv.conf
-- System Information:
Debian Release: 12.0
APT prefers unstable
APT policy: (510, 'unstable'), (509, 'experimental'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.19.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd-resolved depends on:
ii dbus [default-dbus-system-bus] 1.14.6-1
ii libc6 2.36-5
ii libssl1.1 1.1.1n-1
ii libssl3 3.0.8-1
ii libsystemd-shared 252.6-1
ii systemd 252.6-1
Versions of packages systemd-resolved recommends:
ii libnss-myhostname 252.6-1
pn libnss-resolve <none>