[Bug 1139903] New: DNS resolution broken after upgrading 15.0 to 15.1
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903

Bug ID: 1139903
Summary: DNS resolution broken after upgrading 15.0 to 15.1
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: mail@sven-seeberg.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

After upgrading from 15.0 to 15.1 with "zypper dup", the DNS resolution is (mostly) broken. There were no apparent error messages during the upgrade process.

Interestingly, NetworkManager seems to set the nameserver correctly in the /etc/resolv.conf. I can remove the file and it will be recreated correctly after reconnecting. The IP addresses of the nameservers are also set correctly. Also, dig and nslookup do correctly resolve host names:
root@neptun ~ # nslookup heise.de
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: heise.de
Address: 193.99.144.80
Name: heise.de
Address: 2a02:2e0:3fe:1001:302::

root@neptun ~ # dig heise.de
;; ANSWER SECTION:
heise.de. 82530 IN A 193.99.144.80
;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon Jul 01 12:27:11 CEST 2019
;; MSG SIZE rcvd: 53
All other programs (ping, wget, curl, Firefox, Thunderbird, nm-applet, etc) however cannot resolve host names:
root@neptun ~ # ping heise.de
ping: heise.de: Name or service not known
I have no idea yet what is going on. Is systemd-resolved used by default in 15.1? The service file is not on my system:
root@neptun ~ # systemctl status systemd-resolved
Unit systemd-resolved.service could not be found.
As a workaround for Firefox and Thunderbird I can use a SOCKS proxy (including DNS).

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c1
--- Comment #1 from Sven Seeberg
Jul 01 13:38:52 neptun dnsmasq[9703]: failed to read /etc/resolv.conf: Permission denied
Jul 01 13:38:52 neptun dnsmasq[9703]: no servers found in /etc/resolv.conf, will retry
I then removed the symlink of /etc/resolv.conf and then copied the /var/run/netconfig/resolv.conf into its place. Now dnsmasq started up and all programs are able to resolve domain names. Why is this? How can I fix this permanently? Copying the /var/run/netconfig/resolv.conf is not a good solution.
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c2
--- Comment #2 from Sven Seeberg
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c3
--- Comment #3 from Sven Seeberg
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c4
--- Comment #4 from Sven Seeberg
> How can I fix this permanently? Copying the /var/run/netconfig/resolv.conf is not a good solution.

It seems AppArmor prevented accessing the file. I ran
aa-disable /usr/sbin/dnsmasq
to fix the problem for now. For some other reason, I'm not able to add /var/run/netconfig/resolv.conf as a readable file to the AppArmor profile of dnsmasq.
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c5
Christian Boltz
(In reply to Sven Seeberg from comment #1)
> How can I fix this permanently? Copying the /var/run/netconfig/resolv.conf is not a good solution.
> It seems AppArmor prevented accessing the file. I ran
> aa-disable /usr/sbin/dnsmasq
> to fix the problem for now. For some other reason, I'm not able to add /var/run/netconfig/resolv.conf as a readable file to the AppArmor profile of dnsmasq.

Better run
aa-complain /usr/sbin/dnsmasq
in such cases - that will put the profile into complain mode (allow everything, and log what would be denied).

Also, please attach your /var/log/audit/audit.log (or the "grep dnsmasq" result for it) so that I can see what exactly gets denied.

Oh, BTW - does it work if you install the update packages from https://build.opensuse.org/package/show/home:cboltz:branches:OBS_Maintained:... ? (Updating apparmor-profiles and apparmor-abstractions should be enough in this case.)

Note: you'll have to run aa-enforce or aa-complain for the dnsmasq profile to undo the aa-disable (or remove the symlink in /etc/apparmor.d/disable/ manually and run "rcapparmor reload")
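Added example, not part of the bug thread: one way to summarize the AppArmor records in /var/log/audit/audit.log that comment #5 asks for, covering both enforce mode (DENIED) and complain mode (ALLOWED). The log lines are constructed sample data, and the function names are illustrative.

```python
import re

# Constructed records in the audit.log AVC layout that AppArmor uses;
# sample data only, not taken from the reporter's system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1561981132.101:410): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/run/netconfig/resolv.conf" pid=9703 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1561981162.220:415): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/run/netconfig/resolv.conf" pid=9703 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1561981170.007:420): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dnsmasq" name="/etc/hosts.d/extra" pid=9703 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1561981175.300:431): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name=2F7661722F6C69622F6D79206C6561736573 pid=9703 comm="dnsmasq" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
type=SYSCALL msg=audit(1561981175.300:431): arch=c000003e syscall=257 success=no exit=-13 comm="dnsmasq"
"""

# A field is key="quoted value" or key=bare_value.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_NAME = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_fields(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = quoted or bare
        # Paths containing spaces or other unsafe bytes are logged unquoted as hex.
        if key == "name" and bare and HEX_NAME.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def summarize(log_text, profile="/usr/sbin/dnsmasq"):
    """Group AppArmor events for one profile by (verdict, path)."""
    events = {}
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # not an AppArmor verdict record (e.g. SYSCALL)
        if f.get("profile") != profile or "name" not in f:
            continue
        entry = events.setdefault((f["apparmor"], f["name"]), {"mask": set(), "count": 0})
        entry["mask"].update(f.get("denied_mask", ""))
        entry["count"] += 1
    return events


if __name__ == "__main__":
    for (verdict, path), info in summarize(SAMPLE_AUDIT_LOG).items():
        print(f'{verdict:8} {path!r} mask={"".join(sorted(info["mask"]))} x{info["count"]}')
```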
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c6
--- Comment #6 from Sven Seeberg
The following 3 packages are going to change vendor:
apparmor-parser openSUSE -> obs://build.opensuse.org/home:cboltz
apparmor-parser-lang openSUSE -> obs://build.opensuse.org/home:cboltz
libapparmor1 openSUSE -> obs://build.opensuse.org/home:cboltz
I'm getting a
# aa-enforce usr.sbin.dnsmasq
Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
ERROR: Path doesn't start with / or variable: libvirt_leaseshelper
AppArmor is not able to start enforcing the policies for dnsmasq.
# grep -n libvirt_leaseshelper /etc/apparmor.d/usr.sbin.dnsmasq
73: /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
94: profile libvirt_leaseshelper {
99: /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
I also added 2 lines to the profile in the NetworkManager integration section which result in changed line numbers for the leaseshelper stated above:
/var/run/netconfig/resolv.conf r,
/etc/resolv.conf r,
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c7
--- Comment #7 from Sven Seeberg
ERROR: Path doesn't start with / or variable: libvirt_leaseshelper
comes from this section in the usr.sbin.dnsmasq:
profile libvirt_leaseshelper {
  #include

  /etc/libnl-3/classid r,

  /usr/lib{,64}/libvirt/libvirt_leaseshelper m,

  owner @{PROC}/@{pid}/net/psched r,
  owner @{PROC}/@{pid}/status r,

  /sys/devices/system/cpu/ r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/*/meminfo r,

  # libvirt lease and status files for dnsmasq
  /var/lib/libvirt/dnsmasq/*.leases rw,
  /var/lib/libvirt/dnsmasq/*.status* rw,

  /{,var/}run/leaseshelper.pid rwk,
}
More specifically, the error comes from the first line (profile) in the quote. I can comment the content of the section and aa-enforce still throws an error. As soon as I comment the full section, it works.
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c9
--- Comment #9 from Sven Seeberg
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c10
--- Comment #10 from Christian Boltz
> 1) Is this AppArmor error actually a bug or something that is specific to my system as well? I'm not sure, but I don't mind if we assume that it is specific to my system.

ERROR: Path doesn't start with / or variable: libvirt_leaseshelper is a bug in the AppArmor tools, and IIRC I fixed it in the meantime.

Can you please install more packages from the upcoming update and try again? In theory apparmor-utils and python3-libapparmor should be enough, but it's probably easier to update all packages from home:cboltz:branches:OBS_Maintained:apparmor ;-)
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c11
--- Comment #11 from Sven Seeberg
zypper se --provides /etc/apparmor.d/usr.sbin.dnsmasq
which showed that apparmor-profiles was not installed. I now replaced all files in the apparmor.d directory with the ones from the apparmor-packages rpm, but still get the same error message. But now I'm very confident that this problem is due to my broken system.
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c12
--- Comment #12 from Sven Seeberg
> In theory apparmor-utils and python3-libapparmor should be enough, but it's probably easier to update all packages from home:cboltz:branches:OBS_Maintained:apparmor ;-)

Installed the packages. However, I only see a libapparmor1 package.
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c13
--- Comment #13 from Christian Boltz
(In reply to Christian Boltz from comment #10)
> In theory apparmor-utils and python3-libapparmor should be enough, but it's probably easier to update all packages from home:cboltz:branches:OBS_Maintained:apparmor ;-)
> Installed the packages. However, I only see a libapparmor1 package.

Sorry, my mistake - the package is named python3-apparmor, not python3-libapparmor.

You should have the following packages (all with version 2.13.3) from home:cboltz:branches:OBS_Maintained:apparmor:

apparmor-abstractions-2.12.3-lp151.7.1.noarch
apparmor-parser-2.12.3-lp151.7.1.x86_64
apparmor-profiles-2.12.3-lp151.7.1.noarch
apparmor-utils-2.12.3-lp151.7.1.noarch
libapparmor1-2.12.3-lp151.7.1.x86_64
perl-apparmor-2.12.3-lp151.7.1.x86_64
python3-apparmor-2.12.3-lp151.7.1.x86_64 # the most relevant one for this bug
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c14
Sven Seeberg
http://bugzilla.opensuse.org/show_bug.cgi?id=1139903#c15
--- Comment #15 from Christian Boltz
> That fixed it - some packages were missing (python3-apparmor, apparmor-utils, apparmor-utils-lang, perl-apparmor). Thanks for helping out.

Thanks for confirming that the update packages fix it ;-)

> I'll set this bug to resolved invalid, because the problem (most likely) was a manually broken RPM database a longer time ago. Sorry for causing trouble and thanks again for helping.

You are welcome ;-)