lxc / lxc-ci

LXC continuous integration and build scripts
https://jenkins.linuxcontainers.org
Apache License 2.0

DNS broken for some images in IPv6-only network #177

Closed kkremitzki closed 4 years ago

kkremitzki commented 4 years ago

For example, it works on bionic+ since systemd-resolved is used, but is broken on xenial, buster+.

Reproduction setup:

lxc profile copy default ipv6
lxc network create lxdbr1
lxc network unset lxdbr1 ipv4.address
lxc network unset lxdbr1 ipv4.nat
lxc profile device set ipv6 eth0 network lxdbr1
lxc launch ubuntu:xenial -p ipv6 xenial
lxc launch ubuntu:bionic -p ipv6 bionic
lxc launch images:debian/buster -p ipv6 buster

Result:

Bionic:

kurt@bullseye-plasma:~$ lxc exec bionic cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0

Buster:

kurt@bullseye-plasma:~$ lxc exec buster cat /etc/resolv.conf

Xenial:

kurt@bullseye-plasma:~$ lxc exec xenial cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Apt failure:

kurt@bullseye-plasma:~$ lxc exec buster apt update
Err:1 http://security.debian.org/debian-security buster/updates InRelease
  Temporary failure resolving 'security.debian.org'
Err:2 http://deb.debian.org/debian buster InRelease
  Temporary failure resolving 'deb.debian.org'
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://deb.debian.org/debian/dists/buster/InRelease  Temporary failure resolving 'deb.debian.org'
W: Failed to fetch http://security.debian.org/debian-security/dists/buster/updates/InRelease  Temporary failure resolving 'security.debian.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.

stgraber commented 4 years ago

Yes, that's normal and you'll need to manually modify the network config of the container to account for that.

The short version is that short of running something like networkd or NetworkManager which can detect either the RDNSS field in the RA or detect the managed/other-config field in the RA and then do DHCPv6 to get the DNS, there's nothing to actually configure your DNS server.

The only reason why you have an IPv6 address at all is because address and route config from RA is automatically handled by the kernel, however the kernel doesn't care about DNS, causing what you're seeing.

ifupdown offers no way to do what networkd does and effectively detect what's supported through RA and go with that. So you can definitely configure something like inet6 auto with dhcp 1 or whatever the syntax is to get stateless DHCPv6 but if you then turn off IPv6, rather than just move on, your container will hang indefinitely, making such a config unsuitable for a default config.
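The decision stgraber describes, in working code, as an added example that is not part of the issue or of LXD/lxc-ci: a Router Advertisement parser (RFC 4861 header and Prefix Information, RFC 8106 RDNSS/DNSSL options) that separates what the kernel does on its own (derive a SLAAC address from the A-flagged prefix) from what only a userspace agent can do (pick DNS from RDNSS, or notice the O/M flags and run stateless or stateful DHCPv6). The RAs, the `fd42:1234::/64` prefix, the `00:16:3e:aa:bb:cc` MAC and the `build_ra`/`parse_ra`/`dns_strategy`/`slaac_address` names are all constructed here for illustration; nothing is captured from a real `lxdbr1`.

```python
"""Parse an ICMPv6 Router Advertisement and decide where DNS config must come from.
The kernel consumes only the prefix (address + route); the RDNSS option and the
M/O flags are ignored by it, which is why an IPv6-only container can have an
address and still an empty resolv.conf. Sample RAs below are constructed in-process."""
import struct
from ipaddress import IPv6Address

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS, OPT_DNSSL = 3, 25, 31
FLAG_MANAGED, FLAG_OTHER = 0x80, 0x40  # RA header flags: M (stateful DHCPv6), O (other config)


def build_ra(flags, prefix, plen=64, rdnss=(), dnssl=(), lifetime=1800):
    """Constructed RA: 16-byte header + Prefix Information, optional RDNSS/DNSSL. Checksum left 0."""
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)
    pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 86400, 14400, 0)  # L|A flags
    pkt += IPv6Address(prefix).packed
    if rdnss:  # option length is in 8-octet units: 8 bytes header + 16 per address
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, lifetime)
        pkt += b"".join(IPv6Address(a).packed for a in rdnss)
    if dnssl:  # RFC 1035 label encoding, zero-padded to an 8-octet boundary
        names = b"".join(b"".join(bytes([len(l)]) + l.encode() for l in d.split(".")) + b"\0" for d in dnssl)
        body = struct.pack("!HI", 0, lifetime) + names
        pad = (-(2 + len(body))) % 8
        pkt += struct.pack("!BB", OPT_DNSSL, (2 + len(body) + pad) // 8) + body + b"\0" * pad
    return pkt


def parse_ra(pkt):
    """Return flags, SLAAC-usable prefixes, RDNSS servers and DNSSL search domains from an RA."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT or pkt[1] != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(pkt[5] & FLAG_MANAGED), "other": bool(pkt[5] & FLAG_OTHER),
          "prefixes": [], "rdnss": [], "dnssl": []}
    off = 16
    while off < len(pkt):
        # RFC 4861 s4.6: a zero-length or truncated option means the whole packet is discarded
        if off + 2 > len(pkt) or pkt[off + 1] == 0 or off + 8 * pkt[off + 1] > len(pkt):
            raise ValueError("malformed ND option at offset %d" % off)
        t, end = pkt[off], off + 8 * pkt[off + 1]
        body = pkt[off + 2:end]
        if t == OPT_PREFIX_INFO and body[1] & 0x40:  # A flag: prefix is usable for SLAAC
            ra["prefixes"].append("%s/%d" % (IPv6Address(body[14:30]), body[0]))
        elif t == OPT_RDNSS:
            lifetime = struct.unpack("!I", body[2:6])[0]
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append((str(IPv6Address(body[i:i + 16])), lifetime))
        elif t == OPT_DNSSL:
            i, labels = 6, []
            while i < len(body):
                n, i = body[i], i + 1
                if n == 0:  # end of a name, or trailing padding
                    if labels:
                        ra["dnssl"].append(".".join(labels))
                        labels = []
                    continue
                if i + n > len(body):
                    raise ValueError("truncated DNSSL label")
                labels.append(body[i:i + n].decode("ascii"))
                i += n
        off = end
    return ra


def dns_strategy(ra):
    """What a userspace agent (networkd, NetworkManager, dhclient -6 -S) would have to do for DNS."""
    if ra["rdnss"]:
        return "rdnss"             # resolvers are in the RA itself, no DHCPv6 needed
    if ra["managed"]:
        return "dhcpv6-stateful"   # address and DNS from a DHCPv6 server
    if ra["other"]:
        return "dhcpv6-stateless"  # SLAAC address, DNS via DHCPv6 Information-Request
    return "none"                  # the kernel still gets an address; nothing ever sets DNS


def slaac_address(ra, mac):
    """What the kernel derives by itself: first A-flagged /64 plus a modified EUI-64 IID.
    (Distros running addr_gen_mode=stable-privacy use a random IID instead of EUI-64.)"""
    prefix = next((p for p in ra["prefixes"] if p.endswith("/64")), None)
    if prefix is None:
        return None
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02, m[1], m[2], 0xFF, 0xFE, m[3], m[4], m[5]])
    return str(IPv6Address(IPv6Address(prefix.split("/")[0]).packed[:8] + iid))


if __name__ == "__main__":
    mac = "00:16:3e:aa:bb:cc"  # constructed; 00:16:3e is the OUI LXD assigns to container NICs
    samples = [("prefix only", build_ra(0, "fd42:1234::")),
               ("O flag", build_ra(FLAG_OTHER, "fd42:1234::")),
               ("RDNSS", build_ra(0, "fd42:1234::", rdnss=["fd42:1234::1"], dnssl=["lxd"]))]
    for label, raw in samples:
        ra = parse_ra(raw)
        print(f"{label:12} addr={slaac_address(ra, mac)} dns={dns_strategy(ra)} "
              f"rdnss={ra['rdnss']} dnssl={ra['dnssl']}")
```

The "prefix only" case is the xenial/buster symptom in the issue: a valid SLAAC address and a `none` DNS strategy, so `/etc/resolv.conf` stays empty unless something in the container reacts to the RA. Outside the example, the practical checks are: on the host, `rdisc6 <iface>` (from the ndisc6 package) prints the flags and RDNSS of the RAs a bridge actually sends; in the container, the ifupdown fix stgraber alludes to is `iface eth0 inet6 auto` with `dhcp 1` (stateless DHCPv6 via dhclient), and the systemd-networkd equivalent is `IPv6AcceptRA=yes` plus `DHCP=ipv6` in the `[Network]` section, which applies RDNSS/DNSSL and falls back to DHCPv6 according to the O/M flags instead of hanging when there is no IPv6 on the link.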