NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

networking.networkmanager.ensureProfiles.profiles.<name>.ipv4.ignore-auto-dns option does not work #291868

Closed pallix closed 8 months ago

pallix commented 8 months ago

Describe the bug

The setting networking.networkmanager.ensureProfiles.profiles.<name>.ipv4.ignore-auto-dns does not work.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Create a NetworkManager wifi configuration in a config file such as:

    networking.networkmanager.ensureProfiles.profiles = {
      my-cool-wifi = {
        connection = {
          id = "some-wifi-id";
          type = "wifi";
          interface = "$NETWORK_IFACE";
          permissions = "";
        };
        ipv4 = {
          method = "auto";
          ignore-auto-dns = "true";
          dns = "$DNS";
          dns-search = "";
        };

        wifi = {
          mode = "infrastructure";
          ssid = "$SSID";
        };

        wifi-security = {
          auth-alg = "open";
          key-mgmt = "wpa-psk";
          psk = "$PASSWORD";
        };
      };
    };
  2. Apply the configuration

  3. Check the configuration is applied at /run/NetworkManager/system-connections/my-cool-wifi.connection

  4. Restart NetworkManager with "systemctl restart NetworkManager"

  5. Wait a few seconds and cat /etc/resolv.conf

  6. An entry is created that starts with "domain x.y.z" where x.y.z is pushed from the dns server.

Expected behavior

According to https://people.freedesktop.org/~lkundrak/nm-docs/nm-settings.html, setting ignore-auto-dns to "true" should ignore automatically configured nameservers and search domains.

There should be no line in /etc/resolv.conf configuring a domain; that is, there should be no line starting with "domain x.y.z".

Notify maintainers

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.78, NixOS, 24.05 (Uakari), 24.05.20240221.0e74ca9`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - nixpkgs: `/nix/store/gzf4zwcakda1nykn6h0avh45xhjhvsz4-source`

Add a :+1: reaction to issues you find important.

pallix commented 8 months ago

CC: @NixOS/freedesktop

pallix commented 8 months ago

CC: @Janik-Haag @flokli @jtojnar @kevincox

Janik-Haag commented 8 months ago

Can you share the content of /run/NetworkManager/system-connections/my-cool-wifi ?

pallix commented 8 months ago

Thanks for the quick feedback!

Here:

[connection]
id=my-cool-wifi
interface=$INTERFACE
permissions=
type=wifi

[ipv4]
dns=$IP_OF_DNS
dns-search=
ignore-auto-dns=true
method=auto

[wifi]
mode=infrastructure
ssid=$SSID

[wifi-security]
auth-alg=open
key-mgmt=wpa-psk
psk=$PASSWD

All the $VAR things are for anonymity/security of the concerned network.

One of my colleagues tried with Debian on the same network and ignore-auto-dns=true DID work for them, no domain x.y.z was pushed in /etc/resolv.conf.

Janik-Haag commented 8 months ago

I'll be at dayjob for the next few hours but can take a look later.

Janik-Haag commented 8 months ago

Okay so I would say this isn't a NixOS bug, or at least isn't one related to networking.networkmanager.ensureProfiles.profiles since it gets rendered correctly. Did you try diffing your and your colleague's nmconnection files?

You can also try reading through the nm reference manual, where it lists some conditions:

When "method" is set to "auto" and this property to TRUE, automatically configured name servers and search domains are ignored and only name servers and search domains specified in the "dns" and "dns-search" properties, if any, are used.

pallix commented 8 months ago

We basically had the same configuration but I will ask a second time.

When "method" is set to "auto" and this property to TRUE, automatically configured name servers and search domains are ignored and only name servers and search domains specified in the "dns" and "dns-search" properties, if any, are used.

Exactly. In the configuration method=auto and the property is set to true BUT the name servers domains are not ignored.

at least isn't one related to networking.networkmanager.ensureProfiles.profiles

Yes, maybe there is something happening beyond that. The first call to cat showed the nameserver but only the second call (after 1 or 2 seconds) would show the added domain x.y.z line.

pallix commented 8 months ago

Here is the config from my colleague:

[connection]
id=my-cool-wifi
uuid=$SOMEUID
type=wifi
interface-name=$INTERFACE

[wifi]
mode=infrastructure
ssid=$SSID

[wifi-security]
auth-alg=open
key-mgmt=wpa-psk
psk=$THE_SECRET_PASSWORD

[ipv4]
method=auto
ignore-auto-dns=true
dns=$DNS_IP

[ipv6]
addr-gen-mode=default
method=auto

[proxy]

Janik-Haag commented 8 months ago

Honestly no idea what's wrong with it. I started writing VM-tests for Network-Manager yesterday and will try to finish them this weekend. Then checking for your problem will be a lot easier.

pallix commented 8 months ago

Thank you so much!!

A workaround is to have a dispatchScript, like so:

networking.networkmanager.dispatcherScripts = [
  {
    source = pkgs.writeText "upHook" ''
      if [ "$2" != "up" ]; then
        logger "exit: event $2 != up"
        exit
      fi

      sleep 2s
      sed -i 's/domain x.y.z.*//' /etc/resolv.conf

      # coreutils and iproute are in PATH too
      logger "Device $DEVICE_IFACE coming up"
    '';
    type = "basic";
  }
];

Janik-Haag commented 8 months ago

Feel free to take a look at #292472; it has some very basic NM vm-tests. I'll add a test case for your problem this weekend or so.

Janik-Haag commented 8 months ago

Okay so as you can see with https://github.com/NixOS/nixpkgs/pull/292472/files#diff-3649918b52093521f5b02110302572d734ccc01a0778c65089b556e1db448ee3R94-R124 the issue you are describing is not network-manager related. You probably have something else installed trying to update /etc/resolv.conf based on dhcp packets, maybe networkd?

If you want to test locally I suggest you do something like:

nix run github:janik-haag/nixpkgs/networkmanager-tests#nixosTests.networking.networkmanager.dns.driverInteractive

or

env -i nix-shell -I nixpkgs=https://github.com/Janik-Haag/nixpkgs/archive/refs/heads/networkmanager-tests.tar.gz '<nixpkgs>' -p nixosTests.networking.networkmanager.dns.driverInteractive --run nixos-test-driver

and then just type:

# starts the vms
start_all()
# wait ~10-60 seconds depending on your hardware
static.shell_interact()
# or depending on which machine you want to look at
dynamic.shell_interact()

then you get a shell inside the vm and do things like: cat /etc/resolv.conf

So I think we can close this issue?

pallix commented 8 months ago

Thanks for taking time to develop these tests. Does your test simulate the dhcp server pushing a domain for resolution?

I don't think I have networkd?

sudo systemctl list-units | grep network
[sudo] password for user: 
  network-addresses-enp0s31f6.service                                                    loaded active exited    Address configuration of enp0s31f6
  network-addresses-wlp9s0.service                                                       loaded active exited    Address configuration of wlp9s0
  network-addresses-wwan0.service                                                        loaded active exited    Address configuration of wwan0
  network-local-commands.service                                                         loaded active exited    Extra networking commands.
  network-setup.service                                                                  loaded active exited    Networking Setup
  network-online.target                                                                  loaded active active    Network is Online
  network-pre.target                                                                     loaded active active    Preparation for Network
  network.target                                                                         loaded active active    Network

Janik-Haag commented 8 months ago

Does your test simulate the dhcp server pushing a domain for resolution

Nope, only pushing a dns server.

pallix commented 8 months ago

Is there a way to test that? To test that domain x.y.z gets written in /etc/resolv.conf despite ignore-auto-dns.

Thank you again for the tests, it's really nice work!

pallix commented 8 months ago

Here is another manual test at home. I have

[ipv4]
dns-search=
method=auto
# debugging https://github.com/NixOS/nixpkgs/issues/291868
ignore-auto-dns=yes

in my private wifi configuration (this time directly edited in the file). I restart NetworkManager with systemctl restart NetworkManager.

Then:

resolvconf -l | head -3
# resolv.conf from NetworkManager
# Generated by NetworkManager
search fritz.box

Here I would expect search fritz.box to not be there. What do you think?

pallix commented 8 months ago

Rest of the file has also this:

# resolv.conf from wlp9s0.dhcp
# Generated by dhcpcd from wlp9s0.dhcp
domain fritz.box
search fritz.box
nameserver 192.168.178.1

Do you know how NetworkManager and dhcpcd interact?

pallix commented 8 months ago

Do you know how NetworkManager and dhcpcd interact?

Looking at the documentation on resolvconf it seems not relevant since the NetworkManager section printed by resolvconf -l should already not have search. What does resolvconf -l show on your system? And if you add ignore-auto-dns=yes to your config?

Janik-Haag commented 8 months ago

Did you try setting https://search.nixos.org/options?channel=unstable&show=networking.interfaces.%3Cname%3E.useDHCP&from=0&size=200&sort=relevance&type=packages&query=useDhcp to false?

pallix commented 8 months ago

It does not affect the output from resolvconf -l:

# resolv.conf from NetworkManager
# Generated by NetworkManager
nameserver $IP_OF_DNS

# resolv.conf from wlp9s0.dhcp
# Generated by dhcpcd from wlp9s0.dhcp
domain x.y.z
search x.y.z
nameserver $IP_OF_DNS

Maybe because the second entry is the one from the internal dhcp of NetworkManager.
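The two pieces of behaviour this thread turns on can be checked mechanically. As an added example (not code from nixpkgs, NetworkManager, or anyone in this thread), the script below applies the nm-settings rule quoted earlier (method=auto together with ignore-auto-dns=true means only the profile's dns / dns-search values are used) to a keyfile, then splits `resolvconf -l` output like the one above by its `# resolv.conf from <source>` headers and reports which contributor injected a search domain the profile did not ask for. The keyfile, the DHCP offer and the resolvconf output are constructed samples; the 10.0.0.53 / 192.168.178.1 addresses and the wlp9s0 interface name are placeholders.

```python
"""Locate the source of a stray search domain in resolv.conf.

Added example for this thread, not code from nixpkgs or NetworkManager.
All inputs below are constructed samples; addresses and names are placeholders.
"""
import configparser
import re

# Constructed sample: a NetworkManager keyfile with the [ipv4] settings from the thread.
NMCONNECTION = """\
[connection]
id=my-cool-wifi
type=wifi

[ipv4]
dns=10.0.0.53;
dns-search=
ignore-auto-dns=true
method=auto
"""

# Constructed sample: what the DHCP server on this network hands out.
DHCP_OFFER = {"nameservers": ["192.168.178.1"], "search": ["fritz.box"]}

# Constructed sample of `resolvconf -l` output with two contributors.
RESOLVCONF_L = """\
# resolv.conf from NetworkManager
# Generated by NetworkManager
nameserver 10.0.0.53

# resolv.conf from wlp9s0.dhcp
# Generated by dhcpcd from wlp9s0.dhcp
domain fritz.box
search fritz.box
nameserver 192.168.178.1
"""


def _split(value):
    """Keyfile lists are ';'-separated; tolerate commas and whitespace too."""
    return [x for x in re.split(r"[;,\s]+", value) if x]


def expected_dns(nmconnection, dhcp):
    """Resolver config NetworkManager should produce for this profile, per the
    nm-settings rule: with method=auto and ignore-auto-dns true, DHCP-provided
    servers and search domains are dropped and only dns / dns-search remain."""
    # interpolation=None: keyfile values may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(nmconnection)
    ipv4 = cp["ipv4"]
    nameservers = _split(ipv4.get("dns", ""))
    search = _split(ipv4.get("dns-search", ""))
    auto = ipv4.get("method", "auto") == "auto"
    # getboolean accepts true/yes/1/on, matching the forms used in the thread.
    ignore = ipv4.getboolean("ignore-auto-dns", fallback=False)
    if auto and not ignore:
        nameservers += [n for n in dhcp["nameservers"] if n not in nameservers]
        search += [d for d in dhcp["search"] if d not in search]
    return {"nameservers": nameservers, "search": search}


def parse_resolvconf_l(text):
    """Split `resolvconf -l` output into one record per contributing source,
    keyed by the '# resolv.conf from <source>' header resolvconf emits."""
    sources, current = {}, None
    for line in text.splitlines():
        header = re.match(r"#\s*resolv\.conf from (\S+)", line)
        if header:
            current = header.group(1)
            sources[current] = {"nameservers": [], "search": []}
            continue
        if current is None or not line.strip() or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "nameserver":
            sources[current]["nameservers"].extend(rest.split())
        elif key in ("domain", "search"):  # both act as search domains
            for d in rest.split():
                if d not in sources[current]["search"]:
                    sources[current]["search"].append(d)
    return sources


def unexpected_search_domains(expected, sources):
    """{source: [domains]} for every contributor adding a search domain the
    NetworkManager profile did not ask for; empty when resolv.conf is clean."""
    allowed = set(expected["search"])
    result = {}
    for src, rec in sources.items():
        extra = [d for d in rec["search"] if d not in allowed]
        if extra:
            result[src] = extra
    return result


if __name__ == "__main__":
    want = expected_dns(NMCONNECTION, DHCP_OFFER)
    got = parse_resolvconf_l(RESOLVCONF_L)
    print("profile expects:", want)
    for src, domains in unexpected_search_domains(want, got).items():
        print(f"{src} injected search domain(s) {domains} despite ignore-auto-dns")
```

On the sample input the NetworkManager section matches what the profile asks for and the only offending contributor is the dhcpcd-generated `wlp9s0.dhcp` section, which is the same conclusion the thread reaches by reading the output by hand; pointing the script at a real `resolvconf -l` capture and the host's `.nmconnection` file gives the same per-source attribution.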

pallix commented 8 months ago

Ok, it seems the right setting is networking.dhcpcd.enable = false;. It works on my work network, I will try at home also.

I'm not sure why dhcpcd is activated by default in Nix since the default configuration encourages using NetworkManager anyway and it works without dhcpcd?!

Do you think this is something that could be documented? We could add "Note that a domain can still end up in /etc/resolv.conf when using resolvconf and another dhcp client such as dhcpcd, which is enabled by default." to the setting.

Janik-Haag commented 8 months ago

Do you think this is something that could be documented? We could add "Note that a domain can still end up in /etc/resolv.conf when using resolvconf and another dhcp client such as dhcpcd, which is enabled by default." to the setting.

Sure, feel free to do a pr adding it to networking.useDHCP/networking.interfaces.<name>.useDHCP

pallix commented 8 months ago

More like in the documentation of networking.networkmanager.ensureProfiles.profiles.<name>.ipv4, right?

Janik-Haag commented 8 months ago

More like in the documentation of networking.networkmanager.ensureProfiles.profiles.<name>.ipv4, right?

networking.networkmanager.ensureProfiles.profiles.<name>.ipv4 doesn't have any explicit documentation since it's not really defined, networking.networkmanager.ensureProfiles.profiles just expects an attr-set of ini.type.

But I think we can close this issue for now since your problem is resolved?

pallix commented 8 months ago

I think so. Sorry for the confusion and many thanks for the help.