On Sat, Mar 16, 2024 at 09:09:16AM +0000, shamrock_sesame214--- via Dnsmasq-discuss wrote:
> Hello,
>
> I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is
> a hardened userspace kernel compatible with Kubernetes and Docker
> containers. At the moment, gVisor does not seem to support some routing
> features such as those found in linux/rtnetlink.h, including multicast
> related netlink subscriptions.
>
> When I run dnsmasq in gVisor, I get this crash on startup:
>
> cannot create netlink socket: Permission denied
>
> Checking strace debugger, this was the attempted call made:
>
> dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK,
> PortID: 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied)
> (19.017µs)
>
> The next call writes an error message to the terminal and
> begins exiting the program. I believe this to be caused by
> multicast route subscription near this line 73 in src/netlink.c:
> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
>
> I noticed the comment in the code:
>
> /* May not be able to have permission to set multicast groups don't die
> in that case */
>
> I am unsure if line 79 will trigger this error anyway, and if this is
> intended behavior, as the program seems to crash anyway.
>
> I also found in the source code that Netlink multicast subscription
> is added to prevent routing race conditions when routes update, and
> of course for DHCP/RA support. If Dnsmasq is running as a stub DNS
> resolver inside a network namespace with one default gateway, is a
> feature considerable to disable multicast Netlink subscriptions? In
> this condition I do not anticipate routing updates to be frequent.
>
> For additional debugging notes, the dnsmasq container functions outside
> of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN
> did not resolve the issue, as it appears to be gVisor compatibility
> limitation.

Advice: Do a follow-up which aims for much more common interest.
Like explaining how cool gVisor is and where to find more information
about it.

Regards
Geert Stappers
--
Silence is hard to parse
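
An added example, not part of the thread and not dnsmasq's code: the `Groups: 1360` in the quoted strace decodes to four rtnetlink multicast groups, and the sketch below binds with them and falls back to no groups when the bind is refused for permission reasons. `bind_netlink_groups`, `sandbox_bind` and `kernel_bind` are hypothetical names, and handling EACCES the same way as EPERM is an assumption of this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Groups: 1360 in the quoted strace is these four rtnetlink groups OR-ed. */
#define WANTED_GROUPS (RTMGRP_IPV4_IFADDR | RTMGRP_IPV4_ROUTE | \
                       RTMGRP_IPV6_IFADDR | RTMGRP_IPV6_ROUTE)
typedef int (*bind_fn)(int, const struct sockaddr *, socklen_t);

/* Hypothetical helper: bind with the wanted groups, retry with none if refused.
   Returns 0 with the groups actually bound in *bound, or -1 with errno set. */
int bind_netlink_groups(int fd, unsigned groups, bind_fn do_bind, unsigned *bound)
{
    struct sockaddr_nl addr;
    memset(&addr, 0, sizeof(addr));
    addr.nl_family = AF_NETLINK;      /* nl_pid stays 0: kernel picks the port id */
    addr.nl_groups = *bound = groups;
    if (do_bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) return 0;
    /* Assumption: EACCES (errno 13, as in the trace) is treated like EPERM. */
    if (groups == 0 || (errno != EPERM && errno != EACCES)) return -1;
    addr.nl_groups = *bound = 0;      /* no multicast subscription at all */
    return do_bind(fd, (struct sockaddr *)&addr, sizeof(addr));
}

/* Constructed stand-in for a sandbox that refuses multicast subscriptions. */
int sandbox_bind(int fd, const struct sockaddr *sa, socklen_t len)
{
    (void)fd; (void)len;
    if (((const struct sockaddr_nl *)sa)->nl_groups != 0) { errno = EACCES; return -1; }
    return 0;
}

static int kernel_bind(int fd, const struct sockaddr *sa, socklen_t len) { return bind(fd, sa, len); }

int main(void)
{
    unsigned bound = 0;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd == -1 || bind_netlink_groups(fd, WANTED_GROUPS, kernel_bind, &bound) == -1) { perror("netlink"); return 1; }
    printf("bound with groups %u (wanted %u)\n", bound, (unsigned)WANTED_GROUPS);
    close(fd);
    return 0;
}
```

A socket bound with groups 0 still answers explicit route and address dump requests; it only stops receiving the asynchronous change notifications the groups would deliver.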