Hello, 

I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is a hardened 
userspace kernel compatible with Kubernetes and Docker containers. At the 
moment, gVisor does not seem to support some routing features such as those 
found in linux/rtnetlink.h, including multicast related netlink subscriptions.

When I run dnsmasq in gVisor, I get this crash on startup:

     cannot create netlink socket: Permission denied 

Checking strace debugger, this was the attempted call made:

     dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID: 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs)

The next call writes an error message to the terminal and begins exiting the 
program. I believe this to be caused by the multicast route subscription near 
line 73 in src/netlink.c: 
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73

I noticed the comment in the code: 

     /* May not be able to have permission to set multicast groups don't die in that case */ 

I am unsure if line 79 will trigger this error anyway, and if this is intended 
behavior, as the program seems to crash anyway.

I also found in the source code that the Netlink multicast subscription is added 
to prevent routing race conditions when routes update, and of course for 
DHCP/RA support. If dnsmasq is running as a stub DNS resolver inside a network 
namespace with one default gateway, would a feature to disable multicast 
Netlink subscriptions be worth considering? In this condition I do not 
anticipate routing updates to be frequent. 

For additional debugging notes, the dnsmasq container functions outside of 
gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN options did 
not resolve the issue, as it appears to be a gVisor compatibility limitation. 

Thank you for your time


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
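The bind from the strace line and the recovery the quoted comment describes, as an added C example that is not dnsmasq's own code: nl_groups 1360 (0x550) is exactly RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_ROUTE | RTMGRP_IPV6_IFADDR, and errno 13 is EACCES rather than EPERM, so this version treats both as a permission refusal before retrying with no multicast groups. The names nl_result, open_rtnetlink and is_permission_error are my own, not identifiers from netlink.c.

```c
/* Added example (not dnsmasq code): open an rtnetlink socket asking for the
 * groups seen in the strace line, fall back to no groups on EPERM/EACCES. */
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* nl_groups from the strace output: 1360 == 0x550 == these four RTMGRP bits */
#define WANTED_GROUPS (RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_IFADDR | \
                       RTMGRP_IPV6_ROUTE | RTMGRP_IPV6_IFADDR)

struct nl_result {
    int fd;          /* bound socket, or -1 on failure */
    unsigned groups; /* groups actually joined; 0 after the fallback */
    int err;         /* errno of the last failing call, 0 on success */
};

/* errno 13 in the trace is EACCES; a fallback that checks only EPERM misses it */
int is_permission_error(int err)
{
    return err == EPERM || err == EACCES;
}

static int try_bind(int fd, unsigned groups)
{
    struct sockaddr_nl addr;
    memset(&addr, 0, sizeof addr);
    addr.nl_family = AF_NETLINK;
    addr.nl_pid = 0;            /* let the kernel assign the port id */
    addr.nl_groups = groups;
    return bind(fd, (struct sockaddr *)&addr, sizeof addr);
}

struct nl_result open_rtnetlink(unsigned groups)
{
    struct nl_result r = { -1, 0, 0 };
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0) { r.err = errno; return r; }
    if (try_bind(fd, groups) == 0) { r.fd = fd; r.groups = groups; return r; }
    r.err = errno;
    /* "don't die in that case": retry as a plain socket without multicast groups */
    if (groups != 0 && is_permission_error(r.err)) {
        if (try_bind(fd, 0) == 0) { r.fd = fd; return r; }
        r.err = errno;
    }
    close(fd);
    return r;
}
```

A groups of 0 in the result means the socket is usable for route lookups but will receive no route or address change notifications, which is the trade-off a disable-multicast option would make.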
