Re-sending previous email with HTML formatting disabled, my apologies. Control and standard test cases for issue reproduction listed below:
A 'control' test case for the issue would be to launch dnsmasq in a typical Docker container. The program should launch normally and begin parsing the config, etc. The `docker run` statement should contain --privileged and --cap-add=NET_ADMIN for the sole purpose of testing. (Any non-dev reading this, please do not use --privileged in prod!)

A standard test case to reproduce this issue would be to launch the exact same Docker container, using the gVisor runtime. Then the crash is reproduced.

gVisor can be installed quickly using an apt repo & a modification of /etc/docker/daemon.json to permit use of the new runtime: https://gvisor.dev/docs/user_guide/install/

gVisor can then be launched for any container using `docker run --runtime=runsc`, combined with any other necessary Docker args: https://gvisor.dev/docs/user_guide/quick_start/docker/

Further information regarding this runtime:
Overview: https://gvisor.dev/docs/
Syscall compatibility docs: https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/

On Saturday, March 16th, 2024 at 5:49 AM, Geert Stappers - stappers at stappers.nl <stapp...@stappers.nl> wrote:

> On Sat, Mar 16, 2024 at 09:09:16AM +0000, shamrock_sesame214--- via Dnsmasq-discuss wrote:
> > Hello,
> >
> > I am attempting to run the dnsmasq DNS resolver in gVisor. gVisor is
> > a hardened userspace kernel compatible with Kubernetes and Docker
> > containers. At the moment, gVisor does not seem to support some routing
> > features such as those found in linux/rtnetlink.h, including multicast
> > related netlink subscriptions.
> >
> > When I run dnsmasq in gVisor, I get this crash on startup:
> >
> > cannot create netlink socket: Permission denied
> >
> > Checking the strace debugger, this was the attempted call made:
> >
> > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID:
> > 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs)
> >
> > The next call writes an error message to the terminal and
> > begins exiting the program. I believe this to be caused by
> > the multicast route subscription near line 73 in src/netlink.c:
> > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
> >
> > I noticed the comment in the code:
> >
> > /* May not be able to have permission to set multicast groups don't die in
> > that case */
> >
> > I am unsure if line 79 will trigger this error anyway, and if this is
> > intended behavior, as the program seems to crash anyway.
> >
> > I also found in the source code that Netlink multicast subscription
> > is added to prevent routing race conditions when routes update, and
> > of course for DHCP/RA support. If dnsmasq is running as a stub DNS
> > resolver inside a network namespace with one default gateway, is a
> > feature to disable multicast Netlink subscriptions worth considering? In
> > this condition I do not anticipate routing updates to be frequent.
> >
> > For additional debugging notes, the dnsmasq container functions outside
> > of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN
> > did not resolve the issue, as it appears to be a gVisor compatibility
> > limitation.
>
> Advice: Do a follow-up which aims for much more common interest. Like
> explaining how cool gVisor is and where to find more information about it.
>
> Groeten
> Geert Stappers
> --
> Silence is hard to parse
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
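As an added illustration for this thread (not code from dnsmasq's src/netlink.c or from anyone posting here), the following C program shows the failure mode under discussion and the fallback that the quoted source comment describes: try to bind a NETLINK_ROUTE socket with multicast groups, and if the kernel or sandbox refuses with EACCES/EPERM, rebind without groups instead of exiting. The outcome names, the `should_retry_without_groups` and `probe_rtnetlink` helpers and the chosen group set are this example's own; it assumes a Linux (or gVisor) host with `<linux/rtnetlink.h>` available.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Outcome codes for open_rtnetlink() (names are this example's own). */
enum nl_outcome {
    NL_OK_MCAST = 0,    /* bound with the requested multicast groups */
    NL_OK_NO_MCAST = 1, /* groups refused (or none asked for); unicast-only binding */
    NL_ERR_SOCKET = 2,  /* socket() itself failed */
    NL_ERR_BIND = 3     /* even the plain bind() failed */
};

/* Decide whether a bind() that failed with multicast groups set is worth
 * retrying without groups.  EACCES/EPERM is what a sandbox or a missing
 * capability produces; anything else (EINVAL, ENOBUFS, ...) is a different
 * problem and should be reported as-is. */
int should_retry_without_groups(int err)
{
    return err == EACCES || err == EPERM;
}

/* Open a NETLINK_ROUTE socket.  First try to subscribe to `groups`; if the
 * subscription is refused, fall back to a plain socket that can still send
 * RTM_GET* dump requests but receives no route-change notifications.  On
 * success *fd_out holds the socket; errno is preserved on failure. */
enum nl_outcome open_rtnetlink(unsigned groups, int *fd_out)
{
    struct sockaddr_nl addr;
    int saved;
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (fd < 0)
        return NL_ERR_SOCKET;

    memset(&addr, 0, sizeof(addr));
    addr.nl_family = AF_NETLINK;
    addr.nl_groups = groups;

    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        *fd_out = fd;
        return groups ? NL_OK_MCAST : NL_OK_NO_MCAST;
    }
    if (!should_retry_without_groups(errno)) {
        saved = errno;
        close(fd);
        errno = saved;
        return NL_ERR_BIND;
    }
    /* Multicast subscription refused: retry with no groups.  A caller that
     * relied on notifications must now re-query routes itself. */
    addr.nl_groups = 0;
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return NL_ERR_BIND;
    }
    *fd_out = fd;
    return NL_OK_NO_MCAST;
}

/* Convenience wrapper: open, classify, close.  Returns the nl_outcome code. */
int probe_rtnetlink(unsigned groups)
{
    int fd = -1;
    enum nl_outcome r = open_rtnetlink(groups, &fd);
    if (fd >= 0)
        close(fd);
    return (int)r;
}

int main(void)
{
    static const char *names[] = {
        "bound with multicast groups",
        "bound without multicast groups (subscription refused or not requested)",
        "socket() failed",
        "bind() failed"
    };
    /* Link, IPv4 and IPv6 route events: a typical set for a resolver that
     * wants to notice gateway changes (chosen for this example). */
    unsigned want = RTMGRP_LINK | RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE;
    int fd = -1;
    enum nl_outcome r = open_rtnetlink(want, &fd);
    int err = errno;

    printf("rtnetlink: %s\n", names[r]);
    if (r == NL_ERR_SOCKET || r == NL_ERR_BIND)
        printf("  errno %d: %s\n", err, strerror(err));
    if (fd >= 0)
        close(fd);
    return (r == NL_ERR_SOCKET || r == NL_ERR_BIND) ? 1 : 0;
}
```

Compile it with `cc -o nlprobe nlprobe.c` and run it once natively and once inside a container started with `docker run --runtime=runsc`; the first line of output tells you which binding the runtime allowed, and a reported errno of 13 (EACCES) on the grouped bind is the same refusal visible in the quoted strace output. Whether a resolver can live with the unicast-only fallback is a design decision: it keeps the daemon up in a sandbox, but any route-change handling that depended on multicast notifications has to be replaced by periodic or on-demand RTM_GETROUTE queries.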