NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

networking.networkmanager.appendNameservers doesn't do anything #65925

Open l0b0 opened 5 years ago

l0b0 commented 5 years ago

Describe the bug

Values in this option do not seem to do anything.

To Reproduce

Steps to reproduce the behavior:

  1. Add networking.networkmanager.appendNameservers = [ "[some IP address]" ]; to /etc/nixos/configuration.nix
  2. sudo nixos-rebuild switch
  3. resolvconf -l

Expected behavior

There should be a nameserver entry in the resolvconf entry with the given appended name server.

Actual behavior

There is only one nameserver entry containing the local router address:

$ resolvconf -l
# resolv.conf from static
search [a networking.search entry next to appendNameservers]

# resolv.conf from NetworkManager
# Generated by NetworkManager
search Home
nameserver 192.168.1.1

Additional context

In my case networkmanager.appendNameservers is in an included file, but other options from the file are included in the configuration, so it should work.

Weirdly, even setting an additional DNS server in the currently active NetworkManager connection doesn't change the resolvconf -l output or even seem to have any effect. Could this be caused by my VPN connection?

Workaround

Adding the host to networking.nameservers instead worked. The original bug report stands, since networking.nameservers are added before the DHCP name server(s), while appendNameservers should add secondary etc. name servers.

Metadata

$ nix run nixpkgs.nix-info --command nix-info --markdown # package metadata 
 - system: `"x86_64-linux"`
 - host os: `Linux 4.19.61, NixOS, 19.03.173198.aeeb30a3b29 (Koi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.2.2`
 - channels(root): `"nixos-19.03.173198.aeeb30a3b29"`
 - channels(victor): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

danbst commented 5 years ago

I can link related issues:

obadz commented 5 years ago

Doesn't really help but this seems to work fine when initializing a VM from scratch, so I suppose what doesn't work is the action of (nixos-rebuild) switching while adding a new nameserver.

nix-build -E 'let pkgs = import <nixpkgs> {}; in with import <nixpkgs/nixos> {
configuration = {
users.extraUsers.root.initialHashedPassword = "";
virtualisation.graphics = false;
environment.systemPackages = with pkgs; [ vim ];
documentation.nixos.enable = false;
networking.networkmanager.enable = true;
networking.networkmanager.appendNameservers = [ "1.2.3.5.6" ];
}; }; vm' && rm ./nixos.qcow2 && ./result/bin/run-nixos-vm 

tazjin commented 5 years ago

> Could this be caused by my VPN connection?

This seems likely to me. The DNS setup is overridden by a script that is placed in NetworkManager's dispatcher.d and without being aware of any NetworkManager internals my assumption is that there is something in VPN configurations that runs later and takes precedence.

We experimented with running a VM with this option set (with no additional network configuration) and the nameservers showed up as expected.

@l0b0 Could you try this without your VPN config?

l0b0 commented 5 years ago

@tazjin Removing the VPN configuration, rebuilding and switching did not work – resolvconf -l still lists only the local DNS server. I should've probably mentioned the VPN connection has autoStart = false;, so at least the service itself very likely did not cause this.

GuillaumeDesforges commented 5 years ago

Same issue here (same steps to reproduce).

lheckemann commented 5 years ago

Removing blocker, since this doesn't prevent systems from booting etc and isn't a 19.03 → 19.09 regression. Of course, I'm happy if anyone has a fix to cherry-pick to 19.09 :)

stale[bot] commented 4 years ago

Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

l0b0 commented 2 years ago

I no longer need appendNameservers, so I won't have time to follow up on this. Closing.

DerRockWolf commented 1 month ago

From what I can tell it's correct that resolvconf -l does not show the additional nameservers as they are written directly into /etc/resolv.conf by the dispatcher script.

resolvconf afaict uses the files in /run/resolvconf/interfaces to create the output of -l. /run/resolvconf/interfaces/NetworkManager does not contain the additional nameservers, as they are added by the dispatcher script.

I think the flow is something like this:

  1. NetworkManager creates the /run/resolvconf/interfaces/NetworkManager file
  2. NetworkManager calls resolvconf to write the new /etc/resolv.conf
  3. NetworkManager runs the dispatcher script which extends /etc/resolv.conf with appendNameservers & insertNameservers

So overall it is really janky and not at all obvious. I think appendNameservers & insertNameservers are better suited when not using resolvconf:

The workaround from @l0b0

> Adding the host to networking.nameservers instead worked. The original bug report stands, since networking.nameservers are added before the DHCP name server(s), while appendNameservers should add secondary etc. name servers.

is also good if one does not want to disable resolvconf, as it results in the creation of /run/resolvconf/interfaces/static which then also shows up with resolvconf -l. In my tests the nameservers from networking.nameservers were added after the NetworkManager nameservers.

I hope this helps someone who stumbles upon this 🙂


@jtojnar what do you think about this? Should we directly expose rc-manager via the module and add assertions that prevent the usage of appendNameservers & insertNameservers when rc-manager is not "file" or "symlink" and when networking.resolvconf is enabled?
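
A small diagnostic for the flow described in the comment above, added here as an example (not code from nixpkgs or from any commenter): it lists nameservers that are present in /etc/resolv.conf but unknown to `resolvconf -l`, which is where entries appended by the dispatcher script would show up. The function names and the sample /etc/resolv.conf contents (including 192.0.2.53) are constructed; the `resolvconf -l` sample is the NetworkManager section quoted in the original report.

```shell
#!/bin/sh
# Added example: find resolvers that reach /etc/resolv.conf without
# being recorded in resolvconf's per-interface files.

# Print each unique "nameserver" address from resolv.conf-style text on stdin.
nameservers_in() {
    awk '$1 == "nameserver" && NF >= 2 && !seen[$2]++ { print $2 }'
}

# unmanaged_nameservers RESOLV_CONF_TEXT RESOLVCONF_L_TEXT
# Print nameservers found in the first text but not in the second.
unmanaged_nameservers() {
    managed=$(printf '%s\n' "$2" | nameservers_in)
    printf '%s\n' "$1" | nameservers_in | while read -r ns; do
        # -x: whole-line match, -F: literal string (dots are not wildcards)
        printf '%s\n' "$managed" | grep -qxF -- "$ns" || printf '%s\n' "$ns"
    done
}

# `resolvconf -l` output as quoted in the report (NetworkManager section).
SAMPLE_RESOLVCONF_L='# resolv.conf from NetworkManager
# Generated by NetworkManager
search Home
nameserver 192.168.1.1'

# Constructed /etc/resolv.conf: the same resolver plus one appended entry.
# 192.0.2.53 is a documentation-range placeholder, not a value from the issue.
SAMPLE_ETC_RESOLV_CONF='# Generated by resolvconf
search Home
nameserver 192.168.1.1
nameserver 192.0.2.53'

echo "nameservers in /etc/resolv.conf that resolvconf -l does not list:"
unmanaged_nameservers "$SAMPLE_ETC_RESOLV_CONF" "$SAMPLE_RESOLVCONF_L"

# On a live system, compare the real sources instead of the samples:
#   unmanaged_nameservers "$(cat /etc/resolv.conf)" "$(resolvconf -l)"
```

Any address it prints is a resolver the system will query that `resolvconf -l` alone would not reveal, so audits of DNS configuration on such hosts should read /etc/resolv.conf itself.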