termux / termux-docker

Termux environment packaged as Docker image.

Dynamic DNS resolver #48

Closed babaric-dev closed 1 year ago

babaric-dev commented 1 year ago

After this is implemented, we have theoretically a working DNS resolver? This would be a cool update that will improve this project greatly.

Edit: This is already discussed in #44. But since it is closed, perhaps we should discuss here.

licy183 commented 1 year ago

Android's DNS resolver is a system service. I think it is hard to have a real DNS resolver for termux-docker.

babaric-dev commented 1 year ago

How does Linux's DNS resolver work, then? Can we take the Linux approach and apply it in termux-docker?

licy183 commented 1 year ago

I'm afraid not. That means we need to hook all the res_* functions and I think it would be a huge work.

sylirre commented 1 year ago

> How does Linux's DNS resolver work, then? Can we take the Linux approach and apply it in termux-docker?

I'm not going to backport a DNS resolver from GNU or Musl libc, nor am I going to maintain its sources. Too much work for the original purpose of termux-docker.

ntkme commented 1 year ago

@sylirre @licy183 dnsmasq from AOSP generic system image (https://developer.android.com/topic/generic-system-image/releases) works out of the box.

I built a minimal android container by stripping AOSP GSI, available at ghcr.io/dart-android/toybox. It runs dnsmasq at start and DNS works inside the container.

I think we can take a similar approach here.

babaric-dev commented 1 year ago

@ntkme how can I try out your docker image?

ntkme commented 1 year ago

[opc@instance-0 ~]$ podman run --rm --privileged ghcr.io/dart-android/toybox sh -c "sleep 1; ping google.com"
Ping google.com (216.58.220.142): 56(84) bytes.
64 bytes from 216.58.220.142: icmp_seq=1 ttl=255 time=2 ms
64 bytes from 216.58.220.142: icmp_seq=2 ttl=255 time=2 ms
64 bytes from 216.58.220.142: icmp_seq=3 ttl=255 time=2 ms
--- 216.58.220.142 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss
round-trip min/avg/max = 2/2/2 ms

Note:

  1. --privileged is only needed for arm64/arm for the known personality issue.
  2. sleep 1 is to avoid a race condition of dnsmasq taking some time to complete startup in background.
  3. This is a bare minimum command line environment that is purely AOSP GSI and thus does not have any Termux bits, but it should be fairly straightforward to add those into the image.
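
An added example, not part of the comment above or of either project's code: a bounded readiness poll that could stand in for the fixed `sleep 1` from note 2, so the command only starts once name resolution actually works and the container fails closed if it never does. The function names, the retry counts and the `example.com` probe host are assumptions; the probe is whatever resolver-dependent command the image ships (the thread itself uses `ping`).

```shell
#!/bin/sh
# Added example (hypothetical helper names). Replaces a fixed startup delay
# with a bounded poll, so a slow dnsmasq start does not race the command.

# wait_for_dns TRIES DELAY PROBE [ARGS...]
# Runs PROBE up to TRIES times, sleeping DELAY seconds after each failure.
# Returns 0 on the first success, 1 if every attempt fails.
wait_for_dns() {
    _wfd_tries=$1
    _wfd_delay=$2
    shift 2
    _wfd_attempt=1
    while [ "$_wfd_attempt" -le "$_wfd_tries" ]; do
        # Probe output is noise during startup; only the exit status matters.
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        _wfd_attempt=$((_wfd_attempt + 1))
        if [ "$_wfd_attempt" -le "$_wfd_tries" ]; then
            sleep "$_wfd_delay"
        fi
    done
    return 1
}

# dns_gate HOST
# Fail-closed wrapper: reports on stderr and returns 1 when HOST cannot be
# resolved within about 10 seconds (10 tries, 1 s apart).
# Assumption: `ping -c 1 -W 1` is available and resolves HOST through the
# same resolver path as the real workload.
dns_gate() {
    if wait_for_dns 10 1 ping -c 1 -W 1 "$1"; then
        return 0
    fi
    echo "dns_gate: $1 did not resolve; not starting" >&2
    return 1
}

# Intended use at the end of an entrypoint script (constructed example):
#   dns_gate example.com && exec "$@"
```
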

sylirre commented 1 year ago

Will check this.

ntkme commented 1 year ago

Another small tip about dnsmasq from GSI:

ENTRYPOINT ["/bin/sh", "-c", "/bin/sh -T /dev/ptmx -c dnsmasq 2>/dev/null; exec \"$@\"", "--"]
CMD ["/bin/sh"]

The reason I had to use /bin/sh -T /dev/ptmx -c dnsmasq:

sylirre commented 1 year ago

Added necessary changes for dynamic DNS. Looks like it's working.

sylirre commented 1 year ago

When doing AArch64 and ARM image builds, getting these errors:

#11 0.221 error getting old personality value: Operation not permitted
#11 0.222 libc: error getting old personality value: Operation not permitted

ntkme commented 1 year ago

That is the known issue for the personality call on arm mentioned in the README. Maybe try adding --security-opt seccomp:unconfined to docker build and see if it works?

sylirre commented 1 year ago

It doesn't work.

WARNING: security-opt flag is deprecated. "RUN --security=insecure" should be used with BuildKit.

and then the same issue about personality. Tried adding --security=insecure to RUN steps. This causes Dockerfile parse errors, both locally and on GitHub Actions.

Tried locally building the image without BuildKit; here is the error that I got:

Error response from daemon: The daemon on this platform does not support setting security options on build

ntkme commented 1 year ago

Here is a workaround I used in the past for lack of privileged mode during docker build: just use docker run --privileged with a persisted volume to get all the bits saved into the persisted volume, and then do docker build to copy the files. It is kind of annoying, but at least would work more consistently.

lars18th commented 1 year ago

Hi @sylirre ,

With current container:

$ docker run -it --privileged termux/termux-docker:latest
WARNING: The requested image's platform (linux/386) does not match the detected host platform (linux/amd64) and no specific platform was requested
-env: unknown program ‘-env’
Try '-env --help' for more information.

Any idea?

sylirre commented 1 year ago

Looking into it. Interesting that it doesn't happen with the aarch64 image for some reason.

lars18th commented 1 year ago

> Looking into it. Interestingly that it doesn't happen with aarch64 image for some reason.

It seems to work when adding --entrypoint /entrypoint.sh to the run command.

But once inside Termux:

Welcome to Termux!

Docs:       https://termux.dev/docs
Donate:     https://termux.dev/donate
Community:  https://termux.dev/community

Working with packages:

 - Search:  pkg search <query>
 - Install: pkg install <package>
 - Upgrade: pkg upgrade

Subscribing to additional repositories:

 - Root:    pkg install root-repo
 - X11:     pkg install x11-repo

For fixing any repository issues,
try 'termux-change-repo' command.

Report issues at https://termux.dev/issues
~ # pkg
Error: Cannot run 'pkg' command as root
~ #

Something is broken in the i686 image. 😢

sylirre commented 1 year ago

Remove the images and download them again:

IMAGE ID       REPOSITORY                       TAG
a451ab2ab57d   termux/termux-docker             arm
70cf1552bf05   termux/termux-docker             aarch64
eea96e3e7475   termux/termux-docker             x86_64
724de9049b81   termux/termux-docker             i686
724de9049b81   termux/termux-docker             latest

The error with -env is fixed. There were issues with building the proper command line for launching the shell.

> Something is broken in the i686 image.

pkg and apt can't be used as root. Intended behaviour.

But normally there should be a system user. Again, this is an issue with the entrypoint script, which is fixed.

lars18th commented 1 year ago

Hi @sylirre ,

After updating the images all will work like a charm. Thank you!