Re: [Openvpn-devel] Re: OpenVPN --resolv-retry and --chroot problem

2003-10-29 Thread Teemu Kiviniemi
Wed, 29-10-2003 at 23:38, James Yonan wrote:

> I would rather see this fix accomplished by adding some kind of dummy call
> early on in the initialization sequence to trigger the dynamic load of the DNS
> library -- but which doesn't touch the functionality of the current DNS name
> resolution code.

Hi,

I made a new patch. This time the name lookup is done in openvpn.c if
options->remote is set, just before entering the chroot jail.

http://iki.fi/teemuki/openvpn/cvs-resolvfix2.diff
The patch is against the current CVS version.

Teemu





[Openvpn-devel] Re: OpenVPN --resolv-retry and --chroot problem

2003-10-29 Thread James Yonan
Teemu Kiviniemi said:

> Hi,
> 
> OpenVPN 1.5beta12 and the CVS version have a problem when --resolv-retry
> and --chroot are used at the same time. In chroot environment,
> gethostbyname() can't resolve the remote IP address:
> 
> Wed Oct 29 17:19:17 2003 13: RESOLVE: Cannot resolve host address:
> somehost.somedomain: [unknown h_errno value]
> 
> This problem occurs with Debian Woody. I think it's related to the Glibc
> dynamic loader. If the name resolver libraries aren't loaded before
> OpenVPN enters the chroot jail, OpenVPN can't do any DNS queries. If
> gethostbyname() is run before entering chroot(), the resolver libraries
> are loaded and everything works as it should.
> 
> I changed link_socket_init_phase1() in socket.c to resolve the remote
> host even if resolve_retry_seconds is set. That way, gethostbyname() is
> run before chroot(). I don't know if that's the right way to do it, but
> it fixes the problem for me.
> 
> The patch for 1.5 beta12 and the CVS version is available at:
> http://iki.fi/teemuki/openvpn/openvpn-resolvfix.diff

Teemu,

The DNS name resolution code for --remote is somewhat delicate -- for example,
the phase1 code cannot block because it's called before daemonization.

I would rather see this fix accomplished by adding some kind of dummy call
early on in the initialization sequence to trigger the dynamic load of the DNS
library -- but which doesn't touch the functionality of the current DNS name
resolution code.

James




[Openvpn-devel] OpenVPN --resolv-retry and --chroot problem

2003-10-29 Thread Teemu Kiviniemi
Hi,

OpenVPN 1.5beta12 and the CVS version have a problem when --resolv-retry
and --chroot are used at the same time. In chroot environment,
gethostbyname() can't resolve the remote IP address:

Wed Oct 29 17:19:17 2003 13: RESOLVE: Cannot resolve host address:
somehost.somedomain: [unknown h_errno value]

This problem occurs with Debian Woody. I think it's related to the Glibc
dynamic loader. If the name resolver libraries aren't loaded before
OpenVPN enters the chroot jail, OpenVPN can't do any DNS queries. If
gethostbyname() is run before entering chroot(), the resolver libraries
are loaded and everything works as it should.

I changed link_socket_init_phase1() in socket.c to resolve the remote
host even if resolve_retry_seconds is set. That way, gethostbyname() is
run before chroot(). I don't know if that's the right way to do it, but
it fixes the problem for me.

The patch for 1.5 beta12 and the CVS version is available at:
http://iki.fi/teemuki/openvpn/openvpn-resolvfix.diff

Teemu



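The ordering discussed in this thread (a dummy lookup before chroot() so the resolver libraries are already loaded), as an added C example that is not part of the original messages and is not OpenVPN code. It also checks /proc/self/maps to confirm the load happened; the library names and the helper names are assumptions, chosen for a glibc that loads its NSS backends as separate shared objects.

```c
#define _DEFAULT_SOURCE
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Shared objects glibc may dlopen() lazily on the first host lookup.
 * Assumed names; other libc builds may not keep these as separate files. */
static const char *const RESOLVER_LIBS[] = { "libnss_files", "libnss_dns", "libresolv" };
#define N_LIBS (sizeof RESOLVER_LIBS / sizeof RESOLVER_LIBS[0])

/* Count how many of RESOLVER_LIBS appear in /proc/<pid>/maps style text. */
int count_resolver_libs(const char *maps_text)
{
    int found = 0;
    for (size_t i = 0; i < N_LIBS; i++)
        if (strstr(maps_text, RESOLVER_LIBS[i]) != NULL)
            found++;
    return found;
}

/* Read this process's mappings and count resolver libraries; -1 on error. */
int count_loaded_resolver_libs(void)
{
    static char buf[1 << 16];   /* enough for a small process's map list */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return count_resolver_libs(buf);
}

/* Dummy lookup: the answer is discarded, only the library load matters.
 * A name answered from /etc/hosts can stop at the files backend. */
void resolver_warmup(const char *name) { (void) gethostbyname(name); }

int main(int argc, char **argv)
{
    /* argv[1]: jail directory, argv[2]: warm-up name (hypothetical inputs). */
    printf("mapped before warm-up: %d\n", count_loaded_resolver_libs());
    resolver_warmup(argc > 2 ? argv[2] : "localhost");
    printf("mapped after warm-up:  %d\n", count_loaded_resolver_libs());
    if (argc > 1 && (chroot(argv[1]) != 0 || chdir("/") != 0)) {
        perror("chroot");
        return 1;
    }
    return 0;   /* later lookups rely on the libraries loaded above */
}
```

The warm-up lookup can block while it waits for an answer, so where it sits relative to daemonization matters, as noted in the thread.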