Hello, I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is a hardened userspace kernel compatible with Kubernetes and Docker containers. At the moment, gVisor does not seem to support some routing features such as those found in linux/rtnetlink.h, including multicast related netlink subscriptions.
When I run dnsmasq in gVisor, I get this crash on startup: cannot create netlink socket: Permission denied Checking strace debugger, this was the attempted call made: dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID: 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs) The next call writes an error message to the terminal and begins exiting the program. I believe this to be caused by multicast route subscription near this line 73 in src/netlink.c: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73 I noticed the comment in the code: /* May not be able to have permission to set multicast groups don't die in that case */ I am unsure if line 79 will trigger this error anyway, and if this is intended behavior, as the program seems to crash anyway. I also found in the source code that Netlink multicast subscription is added to prevent routing race conditions when routes update, and of course for DHCP/RA support. If Dnsmasq is running as a stub DNS resolver inside a network namespace with one default gateway, is a feature considerable to disable multicast Netlink subscriptions? In this condition I do not anticipate routing updates to be frequent. For additional debugging notes, the dnsmasq container functions outside of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN did not resolve the issue, as it appears to be gVisor compatibility limitation. Thank you for your time _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss