On Oct 18, 2024, at 7:28 AM, Petr Menšík <pemensik@xxxxxxxxxx> wrote:
> Is there any API description of the Varlink API, which you are referring to?
> I have found:
> - https://systemd.io/WRITING_RESOLVER_CLIENTS/
> - https://www.freedesktop.org/software/systemd/man/latest/org.freedesktop.resolve1.html
> - https://systemd.io/USER_GROUP_API/
I’m going to go out on a limb and suggest that, for the specific case of DNS resolution, *all* current Linux mechanisms are inappropriate. It’s a namespace and config issue:
1. /etc/resolv.conf plus an in-process resolver: /etc is an inappropriate location, and there should not be dynamic state like resolv.conf in /etc. Many systems kludge around this with symlinks, but that’s a partial solution, and see below.
2. D-bus and varlink. These are at least not tied to /etc, but, just like /etc, they’re associated with the wrong namespace!
Name resolution is part of *networking*, not filesystem. I should be able to nsenter a network namespace and have networking work, and it never has on Linux.
I think any new design here should find a way to tie name resolution to the *network* namespace. I’m not sure what the best approach is, but something involving anonymous UNIX sockets could plausibly be workable. Ideally, though, privilege over the netns would be enforced.
It seems like it ought to be straightforward to make a kernel patch to make a new netlink family that needs CAP_NET_ADMIN to bind but allows anyone to send. Or perhaps a protocol could be designed that works by binding to a well known port, below 1024, localhost-only, on a well known IPv4 or v6 address.
-- 
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
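A defender-side check for the second design sketched in the reply (a resolver bound to a well-known localhost port below 1024), as an added example that is not from the thread: because /proc/<pid>/net/tcp is per network namespace, reading it through a process inside the netns of interest shows which uid owns the listener there and whether it is loopback-only and on a privileged port. The sample table, the function names and the little-endian host assumption are mine.

```python
import ipaddress

# Constructed sample in /proc/<pid>/net/tcp format (assumption: a typical
# little-endian Linux host; live data would be read from the target netns).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0035 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A  # socket state code used by the kernel for LISTEN

def _decode_addr(field):
    """Decode '0100007F:0035' -> ('127.0.0.1', 53). The kernel prints the
    32-bit address as a native-endian hex word, so on little-endian hosts
    the bytes appear reversed and must be flipped back."""
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
    return str(ip), int(hex_port, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row: local ip/port, state, owning uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip, port = _decode_addr(f[1])
        rows.append({"ip": ip, "port": port, "state": int(f[3], 16),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def check_resolver_listener(text, port):
    """Report who owns the LISTEN socket on `port` in this netns and whether it
    has the two properties the proposal relies on: bound to loopback only and
    sitting on a privileged (<1024) port that an unprivileged user cannot bind."""
    for r in parse_proc_net_tcp(text):
        if r["state"] == TCP_LISTEN and r["port"] == port:
            return {"found": True, "uid": r["uid"], "inode": r["inode"],
                    "loopback_only": r["ip"] == "127.0.0.1",
                    "privileged_port": port < 1024,
                    "owned_by_root": r["uid"] == 0}
    return {"found": False}

if __name__ == "__main__":
    # For a live check, pass the contents of /proc/<pid>/net/tcp where <pid>
    # is a process inside the network namespace being inspected.
    print(check_resolver_listener(SAMPLE_PROC_NET_TCP, 53))
```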