freeipa / freeipa-healthcheck

Check the health of a freeIPA installation
GNU General Public License v3.0

Check contents of /etc/resolv.conf #209

Open yrro opened 3 years ago

yrro commented 3 years ago

I've got a machine where resolv.conf was changed from:

# auto-generated by IPA installer
search ipa.example.com
nameserver 127.0.0.1
nameserver ::1

to:

; generated by /usr/sbin/dhclient-script
nameserver 203.0.113.1
nameserver 203.0.113.2
nameserver 203.0.113.3

Maybe ipa-healthcheck could complain if ::1 and 127.0.0.1 are not the only configured nameservers, and if the search list doesn't include the IPA domain?

(In case someone else finds it useful--this particular server is using network-scripts to configure via DHCP; the fix was to add DNS1=127.0.0.1 and DNS2=::1 to /etc/sysconfig/network-scripts/ifcfg-eth0 and reboot).

rcritten commented 3 years ago

That's a great suggestion, thanks.

We'd need to be careful to only apply this when the DNS service is configured and to not assume which addresses are there.

The installer configures 127.0.0.1 if there are any IPv4 addresses and ::1 if any IPv6 in https://github.com/freeipa/freeipa/blob/master/ipaserver/install/bindinstance.py#L1127
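As an added illustration of the check proposed above, taking into account the two caveats just raised (only run it when this server provides the IPA DNS service, and derive the expected loopback addresses from the installer rule rather than hard-coding them), here is example code that is not part of freeipa-healthcheck. It parses resolv.conf text and reports what a check would flag; the sample contents are constructed from the two files quoted in the issue, and the `dns_configured`, `have_ipv4` and `have_ipv6` flags stand in for information the real plugin would obtain from the IPA configuration and the host's interfaces.

```python
import ipaddress

# Constructed sample inputs, modelled on the two resolv.conf contents
# quoted in the issue (not real files from any system).
RESOLV_IPA = """\
# auto-generated by IPA installer
search ipa.example.com
nameserver 127.0.0.1
nameserver ::1
"""

RESOLV_DHCP = """\
; generated by /usr/sbin/dhclient-script
nameserver 203.0.113.1
nameserver 203.0.113.2
nameserver 203.0.113.3
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf text.

    Comments start with '#' or ';'. A 'domain' line is treated as a
    one-entry search list, and a later 'search' line replaces it, which
    matches how the stub resolver treats the two keywords.
    """
    nameservers = []
    search = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, args = parts[0], parts[1:]
        if key == 'nameserver' and args:
            nameservers.append(args[0])
        elif key == 'search':
            search = [d.rstrip('.').lower() for d in args]
        elif key == 'domain' and args:
            search = [args[0].rstrip('.').lower()]
    return nameservers, search


def expected_loopbacks(have_ipv4, have_ipv6):
    """Mirror the installer rule quoted in the thread: 127.0.0.1 when the
    host has any IPv4 address, ::1 when it has any IPv6 address."""
    expected = set()
    if have_ipv4:
        expected.add('127.0.0.1')
    if have_ipv6:
        expected.add('::1')
    return expected


def check_resolv_conf(text, ipa_domain, dns_configured,
                      have_ipv4=True, have_ipv6=True):
    """Return a list of problem strings; an empty list means healthy.

    Returns nothing at all when the IPA DNS service is not configured on
    this server, because then pointing at external resolvers is normal.
    """
    if not dns_configured:
        return []
    problems = []
    nameservers, search = parse_resolv_conf(text)
    expected = expected_loopbacks(have_ipv4, have_ipv6)
    # Normalise addresses so that e.g. '::0001' and '::1' compare equal.
    seen = set()
    for ns in nameservers:
        try:
            seen.add(str(ipaddress.ip_address(ns)))
        except ValueError:
            problems.append(f"unparseable nameserver entry: {ns!r}")
    extra = seen - expected
    missing = expected - seen
    if extra:
        problems.append("non-local nameservers configured: "
                        + ", ".join(sorted(extra)))
    if missing:
        problems.append("expected local nameservers missing: "
                        + ", ".join(sorted(missing)))
    if ipa_domain.rstrip('.').lower() not in search:
        problems.append(f"search list {search!r} does not include "
                        f"IPA domain {ipa_domain!r}")
    return problems


if __name__ == '__main__':
    for name, content in (('ipa', RESOLV_IPA), ('dhcp', RESOLV_DHCP)):
        print(name, check_resolv_conf(content, 'ipa.example.com', True))
```

Run against the DHCP-generated file from the issue, the check reports three distinct problems (external nameservers present, both loopback entries missing, IPA domain absent from the search list), while the installer-generated file passes; with `dns_configured=False` nothing is reported for either.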

rcritten commented 2 years ago

This is somewhat complicated by systemd-resolved, which now owns /etc/resolv.conf. I guess if the file is a symlink to /run/systemd/resolve/stub-resolv.conf then we can execute systemd-resolve --status and scrape for 127.0.0.1.

yrro commented 2 years ago

Since (I think) I filed this issue, FreeIPA has been enhanced to tell NetworkManager to configure the system's DNS to use 127.0.0.1/::1 as its resolver. So probably the original reason I filed this issue is no longer reproducible.

Nonetheless it's probably still useful to have a health check for proper DNS configuration. If you want to check whether resolved 'owns' resolv.conf then the best way to find out is to ask it via D-Bus (check the manager's ResolvConfMode property which can be set to uplink, stub, static if managed, missing if resolv.conf has been deleted, and foreign if resolv.conf is not managed by resolved).

rcritten commented 2 years ago

Yes, D-Bus is a much nicer way to inquire on status, thanks for that!

rcritten commented 1 year ago

I may add this under meta as an informational value.

Simple code for getting this property:

import dbus

# Ask systemd-resolved over the system bus for its ResolvConfMode property
bus = dbus.SystemBus()
obj = bus.get_object('org.freedesktop.resolve1',
                     '/org/freedesktop/resolve1')
prop_if = dbus.Interface(obj, 'org.freedesktop.DBus.Properties')
mode = prop_if.Get('org.freedesktop.resolve1.Manager', 'ResolvConfMode')
print(mode)  # one of: uplink, stub, static, missing, foreign