Hi Tadej, I think more effort should be put to configure the instance correctly by provider. No default should save invalid configuration of container host. I think there is actually little benefit in systemd-resolved usage in a container. I would guess the container host would run proper dns cache for all its containers, sharing the cache between them. Why does it run its own cache inside? I think systemd-resolved should not be used on container at all. It needs to forward queries to any address configured by the host. It should even not be installed by default in container, could it be split to systemd-resolved package? Do you know, what are all steps done by cloud-init? Did it try to write its own /etc/resolv.conf? When it disables dns=none in NM, I guess it tried to setup static resolv.conf. Is it possible that writes went to symlink target in /run/systemd/resolve and they were overwritten later? We have to find good way to configure DNS in all releases the proper way. Don't rely on fallbacks. If you had non-working configuration from the start and relied on fallback, I think this should be fixed. If configuration were provided but did not work, it should fail hard, let you notice it. I think most daemons do that already. Is there any "standard" way to configure DNS in deployed containers? I use DHCP myself, but have only containers for development. Cheers, Petr On 2/22/21 10:58 AM, Tadej Janež wrote: > Hi, > > I would like to question the decision that was made by systemd > maintainers to remove the fallback DNS server list: > https://src.fedoraproject.org/rpms/systemd/c/14b2fafb3688a4170a9c15235d1c3feb7ddeaf9d > > And then backported to F33: > https://src.fedoraproject.org/rpms/systemd/c/ed795fb1fc9a2c20ebcac34bdf7e7c7ae17322a2?branch=f33 > > On F33, this actually breaks a working vanilla cloud instance by > removing the fallback DNS server list in a systemd upgrade, effectively > leaving the system with no DNS servers configured. > > I described this in more detail here: > https://lists.fedoraproject.org/archives/list/cloud@xxxxxxxxxxxxxxxxxxxxxxx/thread/72MRKIFGPMFGBS7XJ5T5I23NVDXXWVGR/ > > Zbigniew Jędrzejewski-Szmek wrote the following in the commit message > accompanying the fallback DNS server list removal: > >> So hopefully users will not see any effect from the change done in >> this patch. Right now I think it is better to avoid the legal and >> privacy risk. If it turns out this change causes noticable problems, >> we might want to reconsider. In particular we could use the fallback >> servers only in containers and such which are not "personal" machines >> and there is no particular person attached to them. > > I would argue that the change causes noticeable problems and we want to > reconsider this change. > In particular, I think cloud image users would prefer to have their > cloud instances usable out of the box, i.e. have DNS working out-of-the > box. > > Don't get me wrong, I understand the privacy concerns and I think > Fedora should strive to protect the privacy of its users as much as > possible, but at the same time, the circumstances of a cloud instance > are probably very different from a e.g. workstation instance. > > Possible solutions that come to mind: > > 1) Use different defaults for different Fedora editions, e.g. container > and cloud images include the fallback DNS servers list while > workstation (and similar) images don't. > > 2) Pick a reputable DNS resolver that preserves users' privacy and > doesn't log anything and configure it as a fallback DNS server. > Here is a good summary of DNS resolvers and their privacy: > https://privacytools.io/providers/dns/#dns > > Thoughts? > > Regards, > Tadej > > P.S. I'm subscribed, but please keep me in Cc so I'll notice replies > sooner. > > > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure > -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemensik@xxxxxxxxxx PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
