Control and standard test cases for issue reproduction listed below:

A 'control' test case for the issue would be to launch dnsmasq in a typical 
Docker container. The program should launch normally and begin parsing the 
config, etc. The `docker run` statement should contain --privileged and 
--cap-add=NET_ADMIN for the sole purpose of testing. (Any non-dev reading this, 
please do not use --privileged in prod!).

A standard test case to reproduce this issue would be to launch the exact same 
Docker container, using the gVisor runtime. Then the crash is reproduced.

gVisor can be installed quickly using an apt repo & a modification of 
/etc/docker/daemon.json to permit use of the new runtime:
https://gvisor.dev/docs/user_guide/install/

gVisor can then be launched for any container using `docker run 
--runtime=runsc`, combined with any other necessary Docker args:
https://gvisor.dev/docs/user_guide/quick_start/docker/

Further information regarding this runtime:

Overview: https://gvisor.dev/docs/

Syscall compatibility docs: 
https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/

gVisor is owned by Google and used in Google Cloud Platform's container-related 
services, so looking into this issue may improve GCP compatibility, although I 
have not personally tested this against Google's online container services at 
this time.
-------- Original Message --------
On Mar 16, 2024, 5:49 AM, Geert Stappers - stappers at stappers.nl wrote:

> On Sat, Mar 16, 2024 at 09:09:16AM +0000, shamrock_sesame214--- via Dnsmasq-discuss wrote:
> > Hello,
> >
> > I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is
> > a hardened userspace kernel compatible with Kubernetes and Docker
> > containers. At the moment, gVisor does not seem to support some routing
> > features such as those found in linux/rtnetlink.h, including multicast
> > related netlink subscriptions.
> >
> > When I run dnsmasq in gVisor, I get this crash on startup:
> >
> > cannot create netlink socket: Permission denied
> >
> > Checking strace debugger, this was the attempted call made:
> >
> > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID: 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs)
> >
> > The next call writes an error message to the terminal and
> > begins exiting the program. I believe this to be caused by
> > multicast route subscription near this line 73 in src/netlink.c:
> >
> > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
> >
> > I noticed the comment in the code:
> >
> > /* May not be able to have permission to set multicast groups don't die in that case */
> >
> > I am unsure if line 79 will trigger this error anyway, and if this is
> > intended behavior, as the program seems to crash anyway.
> >
> > I also found in the source code that Netlink multicast subscription
> > is added to prevent routing race conditions when routes update, and
> > of course for DHCP/RA support. If Dnsmasq is running as a stub DNS
> > resolver inside a network namespace with one default gateway, is a
> > feature considerable to disable multicast Netlink subscriptions? In
> > this condition I do not anticipate routing updates to be frequent.
> >
> > For additional debugging notes, the dnsmasq container functions outside
> > of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN
> > did not resolve the issue, as it appears to be gVisor compatibility
> > limitation.
>
> Advice: Do a follow-up which aims for much more common interest.
> Like explaining how cool gVisor is and where to find more
> information about it.
>
> Groeten
> Geert Stappers
> -- 
> Silence is hard to parse
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
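Added example (my own script, not dnsmasq's or gVisor's code), as a companion to the control/standard test cases above and to the strace line in the quoted report. That trace shows bind() on an AF_NETLINK socket with "Groups: 1360" failing with errno 13, which is EACCES. 1360 is 0x550, i.e. RTMGRP_IPV4_IFADDR | RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_IFADDR | RTMGRP_IPV6_ROUTE from linux/rtnetlink.h. The script repeats that bind with the same group mask and, if it fails, retries with nl_groups = 0 (the fallback the quoted netlink.c comment describes), reporting the errno of each attempt, so the bind can be compared under the default runtime and under --runtime=runsc without dnsmasq in the loop. The group table is the kernel ABI; the two-step bind order is an assumption modelled on the quoted comment, and which errno dnsmasq's own retry accepts is what to check at the linked netlink.c line.

```python
"""Probe the rtnetlink bind() the quoted strace line shows failing.

Added example, not dnsmasq's code. Binds an AF_NETLINK socket to the
same multicast group mask the trace reported (1360); on failure records
the errno and retries with no groups. Returns structured results so it
can be run under the default runtime and under runsc and compared.
"""
import errno
import socket

# rtnetlink multicast group bits from linux/rtnetlink.h (stable kernel ABI)
RTMGRP = {
    0x001: "RTMGRP_LINK",
    0x002: "RTMGRP_NOTIFY",
    0x004: "RTMGRP_NEIGH",
    0x008: "RTMGRP_TC",
    0x010: "RTMGRP_IPV4_IFADDR",
    0x020: "RTMGRP_IPV4_MROUTE",
    0x040: "RTMGRP_IPV4_ROUTE",
    0x080: "RTMGRP_IPV4_RULE",
    0x100: "RTMGRP_IPV6_IFADDR",
    0x200: "RTMGRP_IPV6_MROUTE",
    0x400: "RTMGRP_IPV6_ROUTE",
    0x800: "RTMGRP_IPV6_IFINFO",
}
KNOWN_MASK = sum(RTMGRP)  # keys are distinct single bits, so sum == OR

# Group mask copied from the strace line in the thread ("Groups: 1360").
STRACE_GROUPS = 1360


def decode_groups(mask):
    """Return (names of RTMGRP_* bits set in mask, lowest bit first,
    leftover bits the table does not know, 0 if none)."""
    names = [name for bit, name in sorted(RTMGRP.items()) if mask & bit]
    return names, mask & ~KNOWN_MASK


def encode_groups(names):
    """Inverse of decode_groups: OR together the named group bits."""
    by_name = {name: bit for bit, name in RTMGRP.items()}
    mask = 0
    for name in names:
        mask |= by_name[name]
    return mask


def probe_netlink_bind(groups=STRACE_GROUPS):
    """bind(AF_NETLINK, {nl_pid: 0, nl_groups: groups}) like the traced
    call; on failure keep the errno and retry with nl_groups = 0 (the
    fallback the quoted netlink.c comment describes). Never raises."""
    result = {"groups": groups, "supported": hasattr(socket, "AF_NETLINK"),
              "bound": False, "errno": None, "errname": None,
              "fallback_bound": None, "fallback_errno": None}
    if not result["supported"]:
        return result  # not Linux: nothing to probe
    try:
        sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW,
                             getattr(socket, "NETLINK_ROUTE", 0))
    except OSError as e:  # e.g. seccomp or sandbox refusing socket()
        result["errno"] = e.errno
        result["errname"] = errno.errorcode.get(e.errno, str(e.errno))
        return result
    with sock:
        try:
            sock.bind((0, groups))  # nl_pid 0: kernel assigns the port id
            result["bound"] = True
            return result
        except OSError as e:
            result["errno"] = e.errno
            result["errname"] = errno.errorcode.get(e.errno, str(e.errno))
        try:
            sock.bind((0, 0))  # no multicast groups: unicast replies only
            result["fallback_bound"] = True
        except OSError as e:
            result["fallback_bound"] = False
            result["fallback_errno"] = e.errno
    return result


if __name__ == "__main__":
    names, unknown = decode_groups(STRACE_GROUPS)
    line = f"groups {STRACE_GROUPS:#x} = {' | '.join(names)}"
    print(line + (f" | unknown bits {unknown:#x}" if unknown else ""))
    r = probe_netlink_bind()
    if not r["supported"]:
        print("AF_NETLINK not available on this platform")
    elif r["bound"]:
        print("bind with multicast groups succeeded")
    else:
        print(f"bind with groups failed: errno={r['errno']} ({r['errname']}); "
              f"retry with groups=0: {'ok' if r['fallback_bound'] else 'failed'}")
```

To compare the two runtimes, run the same file in both containers (the image name python:3 is an assumption, any image with python3 works): `docker run --rm -i python:3 python3 - < netlink_probe.py` for the control case and `docker run --rm -i --runtime=runsc python:3 python3 - < netlink_probe.py` for the gVisor case. Whether the second attempt succeeds, and which errno name the first one returns, is the information to bring back to the linked netlink.c lines.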