Re: Improvements in name resolution, DNS and HTTPS RR and SVCB future usage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Interesting point. Haven't thought about it much. Yes, current /etc/resolv.conf is quite a weird configuration style in common today's usage. I thought about proposing standard unix domain socket in /run, but that would still be part of filesystem namespace.

Unix domain have advantage, that they are able to identify which process with which uid and groups is asking a query. It may be used to limit flatpak apps to be allowed just smaller set of domains. But common UDP localhost resolver address cannot do that.

I cannot think how to pass such socket into either just alternate namespace it the same chroot, or to complete container using also other namespaces. But great point. If possible, this is indeed related to network namespace and would be great to be passed into alternate namespaces. I could think about special kind of network interface, kind of point to point connection to main host cache.

This would be question to kernel people. If there is already some mechanism to pass something like unix pipe into separate namespaces already. What it would need if needs to be added.

Petr

On 19/10/2024 17:55, Andrew Lutomirski wrote:
I’m going to go out on a limb and suggest that, for the specific case of DNS resolution, *all* current Linux mechanisms are inappropriate. It’s a namespace and config issue:

1. /etc/resolv.conf plus an in-process resolver: /etc is an inappropriate location, and there should not be dynamic state like resolv.conf in /etc. Many systems kludge around this with symlinks, but that’s a partial solution, and see below.

2. D-bus and varlink. These are at least not tied to /etc, but, just like /etc, they’re associated with the wrong namespace!

Name resolution is part of *networking*, not filesystem. I should be able to nsenter a network namespace and have networking work, and it never has on Linux.

I think any new design here should find a way to tie name resolution to the *network* namespace.  I’m not sure what the best approach is, but something involving anonymous UNIX sockets could plausibly be workable.  Ideally, though, privilege over the netns would be enforced.

It seems like it ought to be straightforward to make a kernel patch to make a new netlink family that needs CAP_NET_ADMIN to bind but allows anyone to send.  Or perhaps a protocol could be designed that works by binding to a well known port, below 1024, localhost-only, on a well known IPv4 or v6 address.


--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux