Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reconsider logic around resolv.conf.ipa and updating nameserver in resolv.conf. #644

Open
adelton opened this issue Dec 15, 2024 · 2 comments · May be fixed by #648
Open

Reconsider logic around resolv.conf.ipa and updating nameserver in resolv.conf. #644

adelton opened this issue Dec 15, 2024 · 2 comments · May be fixed by #648

Comments

@adelton
Copy link
Collaborator

adelton commented Dec 15, 2024

Since 357a70b we tried to properly recreate the /etc/resolv.conf setups upon container startup, to match the state in which ipa-server-install left it. In 707f9dd we changed the logic to set nameserver to 127.0.0.1, to use FreeIPA's internal DNS server for resolution, and in 33822d3 we covered the creation of the resolv.conf.ipa (which indicates that the mechanism should be triggered) with

if systemctl is-active -q named-pkcs11 || [ -f /run/ipa/ipa-server-ip ] ; then

Once we achieved correct behaviour with read-only root, we documented in 9f49a2f that folks should really be using --dns=127.0.0.1 when starting the container, as the container itself will not be able to update the /etc/resolv.conf itself.

In #642, a setup with DNS external to the FreeIPA container, together with the use of IPA_SERVER_IP environment varialbe (which propagates to /run/ipa/ipa-server-ip) uncovered that the logic that we use is likely not correct -- if there is no DNS server in the container, we do no want to set the namesrever 127.0.0.1. We rely on the proper authentication working against the external DNS server, and with #640 we are able to disable the IP address update, for situation when they are handled completely outside of the logic on the FreeIPA container.

We might want to reconsider the logic around out handling of resolv.conf, to fix use cases like #642, but possibly to make the setup more predictable in general.
@adelton
Copy link
Collaborator Author

adelton commented Dec 15, 2024

One possibility is to remove the logic around creating and following the existence of resolv.conf.ipa. We would assume users are able to set the resolv.conf content properly when creating the container.

It would be an incompatible change, so we might want to consider all implications of such change, and how to deprecate the behaviour for easy transition.

@adelton adelton mentioned this issue Dec 15, 2024
Closed
@adelton adelton mentioned this issue Dec 27, 2024
Merged
@adelton
Copy link
Collaborator Author

adelton commented Dec 27, 2024

In #646 we document that --dns=127.0.0.1 should be used (not just for read-only containers) and we add

NOTE:
Consider setting --dns=127.0.0.1 when using internal DNS server.
The mechanism which sets it now will be removed from images in April 2025.

to the output both for initial configuration of FreeIPA containers and when they start and we detect internal DNS but not nameserver 127.0.0.1.

After the three months we would then remove the logic which manipulates the resolv.conf completely, as shown in ed39d8f.

@adelton adelton linked a pull request Jan 6, 2025 that will close this issue
Open
adelton added a commit to adelton/webauthinfra that referenced this issue Feb 8, 2025
@adelton
The FreeIPA container configures a DNS server, make sure FreeIPA uses…
38cb04e 
… it.

freeipa/freeipa-container#644
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@adelton