[Bug 1185882] New: /etc/resolv.conf not restored after NetworkManager VPN connection terminates
https://bugzilla.suse.com/show_bug.cgi?id=1185882 Bug ID: 1185882 Summary: /etc/resolv.conf not restored after NetworkManager VPN connection terminates Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Network Assignee: screening-team-bugs@suse.de Reporter: doug@uq.edu.au QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- For NetworkManager VPN plugins that use pppd, netconfig seems to be getting run twice (once by NetworkManager and once by pppd) resulting in /etc/resolv.conf not being restored after the VPN connection is terminated. Apparently with https://bugzilla.suse.com/show_bug.cgi?id=1079793 there was a netconfig policy change to permit non-NM settings : * Do Mai 17 2018 mt@suse.de - version 0.84.3 - netconfig: change policy to permit non-NM settings (bsc#1079793) As requested and approved by NetworkManager maintainer, the 'auto' policy permits now also per interface settings provided by other services when NetworkManager is enabled. That is, the auto policy resolving has been changed from "STATIC_FALLBACK NetworkManager" to "STATIC_FALLBACK * NetworkManager". So changes to pppd's ip-up script and netconfig behavior can't be accepted due to that policy change as they would override the policy change behavior. More details: https://github.com/openSUSE/sysconfig/issues/31 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
Marius Tomaschewski
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c1
Marius Tomaschewski
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c2
--- Comment #2 from Jonathan Kang
For NetworkManager VPN plugins that use pppd, netconfig seems to be getting run twice (once by NetworkManager and once by pppd) resulting in /etc/resolv.conf not being restored after the VPN connection is terminated.
I'm curious why netconfig run by pppd didn't restore the correct /etc/resolv.conf. When the connection is down, shouldn't pppd remove dns searches/servers from /etc/resolv.conf? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c3
--- Comment #3 from Douglas Kosovic
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c4
--- Comment #4 from Douglas Kosovic
I'm curious why netconfig run by pppd didn't restore the correct /etc/resolv.conf. When the connection is down, shouldn't pppd remove dns searches/servers from /etc/resolv.conf?
Editing /etc/ppp/netconfig and removing the comments chars as suggested like so : ### ### remove comment chars to trace this script: ### exec &>/tmp/${ACTION//\//-}.$$.trace set -x echo 1>&2 "$0: $@" env 1>&2 I see a /tmp/ip-up.d-10-netconfig.2539.trace file that gets generated, but there is no corresponding /tmp/ip-down.d-90-netconfig.2539.trace file. So looks like netconfig is never called in a pppd down script when a NetworkManager pppd based VPN is used. For completeness, I've attached the generated /tmp/ip-up.d-10-netconfig.2539.trace file. Originally in my pull request, I thought disarming netconfig in /etc/ppp/netconfig when a pppd based NetworkManager VPN is used was the correct approach : https://github.com/openSUSE/sysconfig/pull/30 But Marius suggested that wasn't the correct approach. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
Douglas Kosovic
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c5
--- Comment #5 from Marius Tomaschewski
I'm curious why netconfig run by pppd didn't restore the correct /etc/resolv.conf. When the connection is down, shouldn't pppd remove dns searches/servers from /etc/resolv.conf?
It does not remove the dns settings added by the NetworkManager. Correct implementation is AFAIK: by NetworkManager definitions, all plugins have to deliver the settings to NetworkManager and NetworkManager is applying the settings, in pppd case, e.g. a: /etc/ppp/ip-up.d/network-manager script sending them to NetworkManager. NetworkManager maintains the currently valid dns settings and their order itself and is applying them via a call to: /sbin/netconfig modify -s NetworkManager When there aren't any settings, it can either reset them via modify to an empty set or call: /sbin/netconfig remove -s NetworkManager The per interface calls made by pppd in this case: up/start -> /sbin/netconfig modify $VERBOSE -s pppd-ipv4 -i "$INTERFACE" down/stop -> /sbin/netconfig remove $VERBOSE -s pppd-ipv4 -i "$INTERFACE" are filtered _out_ by the default DNS policy 'STATIC_FALLBACK NetworkManager' policy completely, so there is no explicit hard-coded guard / check for NM vs. other network.service needed in the ip-*.d scripts as netconfig guards it already. The default DNS policy 'STATIC_FALLBACK NetworkManager' causes also, that when the NetworkManager didn't provided any settings or reset them to empty set, netconfig will apply a static setting are applied as fallback (if any) or reset to an empty set, where the nameserver listening on loopback IPs is tried to be used by the glibc. The now broken default DNS 'STATIC_FALLBACK * NetworkManager', requested via in bug 1079793 may even cause that these (from all services) settings are applied twice -- once by the service (pppd) and once by NetworkManager and the logic to apply them inside of NetworkManager does not work any more. When the user wants to permit non-NetworkManager services to apply settings beside NetworkManager, the user still can change the NETCONFIG_DNS_POLICY='auto' which is resolve to the network.service depending default policy, to an explicit policy (can be done via yast2 or manually): NETCONFIG_DNS_POLICY='STATIC_FALLBACK ppp0 NetworkManager' NETCONFIG_DNS_POLICY='STATIC_FALLBACK NetworkManager ppp0' NETCONFIG_DNS_POLICY='STATIC_FALLBACK * NetworkManager' or whatever the user prefers to use. So it's simply a all based on the wrong decision in bug 1079793 to change the default behavior to adopt for a specific, non-standard use-case. Also, instead to hack ip-*.d scripts, this bug can be resolved by setting: NETCONFIG_DNS_POLICY='STATIC_FALLBACK NetworkManager' in /etc/sysconfig/network/config as netconfig already contains a guard. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c6
--- Comment #6 from Marius Tomaschewski
Originally in my pull request, I thought disarming netconfig in /etc/ppp/netconfig when a pppd based NetworkManager VPN is used was the correct approach : https://github.com/openSUSE/sysconfig/pull/30
But Marius suggested that wasn't the correct approach.
As I've With the now default policy we use now, the correct approach is to set an explicit NETCONFIG_DNS_POLICY='STATIC_FALLBACK NetworkManager' dns (ntp, nis) policy in /etc/sysconfig/network/config, which causes to discard settings provided by pppd (by everything except of NetworkManager). I'd just like we discuss, whether the defaults to permit breaking the NetworkManager by anything else are appropriate... -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c7
--- Comment #7 from Jonathan Kang
The now broken default DNS 'STATIC_FALLBACK * NetworkManager', requested via in bug 1079793 may even cause that these (from all services) settings are applied twice -- once by the service (pppd) and once by NetworkManager and the logic to apply them inside of NetworkManager does not work any more.
My original thought about this is we want to enable users to use other services outside NetworkManager by default as well.
When the user wants to permit non-NetworkManager services to apply settings beside NetworkManager, the user still can change the NETCONFIG_DNS_POLICY='auto' which is resolve to the network.service depending default policy, to an explicit policy (can be done via yast2 or manually): NETCONFIG_DNS_POLICY='STATIC_FALLBACK ppp0 NetworkManager' NETCONFIG_DNS_POLICY='STATIC_FALLBACK NetworkManager ppp0' NETCONFIG_DNS_POLICY='STATIC_FALLBACK * NetworkManager' or whatever the user prefers to use.
This is indeed an better solution to me. @Frederic What's your opinion about this? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c8
Marius Tomaschewski
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c9
Frederic Crozat
Frederic?
I think the big problem is simply we can't expect users to go and edit configuration files (like /etc/sysconfig/network/config ) if they start enabling services which happen to be non managed by NM, to have a working network setup. This was the reason for the request to change the fallback in auto policy, so it works out of the box, even for services non managed by NM. And in the proposal here, I don't see a solution which doesn't require users to again edit configuration files. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c10
--- Comment #10 from Marius Tomaschewski
(In reply to Marius Tomaschewski from comment #8)
Frederic?
I think the big problem is simply we can't expect users to go and edit configuration files (like /etc/sysconfig/network/config ) if they start enabling services which happen to be non managed by NM, to have a working network setup.
Regardless that NetworkManager has a defined feature set and own support for openvpn (as in the original issue) and already using the non-nm variant of the service sounds odd.
This was the reason for the request to change the fallback in auto policy, so it works out of the box, even for services non managed by NM.
So better other non-nm things work and it's better to break NetworkManager plugins as default?
And in the proposal here, I don't see a solution which doesn't require users to again edit configuration files.
Nobody needs to edit config files -> yast2 network supports to adjust the netconfig update policies since ever. IMO it's better when the users need to adjust the default policy to extent it to cover special / non-standard cases of a non-NetworkManager service use rather than be forced to adjust the policy by default (without even using non-nm services) as the new default policy is causing to break NetworkManager plugins. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c11
--- Comment #11 from Marius Tomaschewski
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c12
--- Comment #12 from Frederic Crozat
(In reply to Frederic Crozat from comment #9)
(In reply to Marius Tomaschewski from comment #8)
Frederic?
I think the big problem is simply we can't expect users to go and edit configuration files (like /etc/sysconfig/network/config ) if they start enabling services which happen to be non managed by NM, to have a working network setup.
Regardless that NetworkManager has a defined feature set and own support for openvpn (as in the original issue) and already using the non-nm variant of the service sounds odd.
This was the reason for the request to change the fallback in auto policy, so it works out of the box, even for services non managed by NM.
So better other non-nm things work and it's better to break NetworkManager plugins as default?
This was obviously missed by me, when requesting a change to the fallback policy (which, by its name, is supposed to be just a fallback, when the rest doesn't work in auto).
And in the proposal here, I don't see a solution which doesn't require users to again edit configuration files.
Nobody needs to edit config files -> yast2 network supports to adjust the netconfig update policies since ever.
Using yast2 to adjust netconfig update policy is still editing a configuration file: it requires user interaction, who needs to know why buttons / check box to tweak.
IMO it's better when the users need to adjust the default policy to extent it to cover special / non-standard cases of a non-NetworkManager service use rather than be forced to adjust the policy by default (without even using non-nm services) as the new default policy is causing to break NetworkManager plugins.
This implies the user know it is going "out of policy", which is not obvious. (In reply to Marius Tomaschewski from comment #11)
Please make decision whether we revert this incorrect defaults change or not.
Then, please revert it. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c13
Marius Tomaschewski
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c14
Jonathan Kang
IMO it's better when the users need to adjust the default policy to extent it to cover special / non-standard cases of a non-NetworkManager service use rather than be forced to adjust the policy by default (without even using non-nm services) as the new default policy is causing to break NetworkManager plugins.
I agree. Between these two solutions, this seems to be the better one. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c15
--- Comment #15 from Jonathan Kang
Jonathan, Douglas,
the revert is in https://github.com/openSUSE/sysconfig/pull/32 now and will filter settings from services they try to apply directly instead to send them to the NetworkManager.
Hi Marius It seems that this is not available in openSUSE:Factory yet. Is this planned to be released for Tumbleweed so that we can close this bug? Thanks. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
Jonathan Kang
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c16
Marius Tomaschewski
https://bugzilla.suse.com/show_bug.cgi?id=1185882
Pavel Dost�l
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c20
--- Comment #20 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1185882
https://bugzilla.suse.com/show_bug.cgi?id=1185882#c21
Viktors Trubovics
zypper info -t patch --conflicts openSUSE-SLE-15.4-2022-3219 | \ grep " < " | while read NAME C VERSION; do \ rpm --quiet -q --queryformat "%{name}\n" $NAME && echo "${NAME}<${VERSION}"; \ done` Loading repository data... Reading installed packages... Resolving package dependencies...
The following 2 packages are going to be downgraded: sysconfig sysconfig-netconfig 2 packages to downgrade. Overall download size: 155.1 KiB. Already cached: 0 B. After the operation, additional 1.8 KiB will be used. Continue? [y/n/v/...? shows all options] (y): Retrieving package sysconfig-0.85.6-9.1.x86_64 (1/2), 42.4 KiB ( 73.0 KiB unpacked) Retrieving: sysconfig-0.85.6-9.1.x86_64.rpm ...............................................................................[done] Retrieving package sysconfig-netconfig-0.85.6-9.1.x86_64 (2/2), 112.7 KiB (170.3 KiB unpacked) Retrieving: sysconfig-netconfig-0.85.6-9.1.x86_64.rpm .....................................................................[done] Checking for file conflicts: ..............................................................................................[done] Updating /etc/sysconfig/network/dhcp ... Updating /etc/sysconfig/network/config ... (1/2) Installing: sysconfig-0.85.6-9.1.x86_64 .............................................................................[done] (2/2) Installing: sysconfig-netconfig-0.85.6-9.1.x86_64 ...................................................................[done] There are running programs which still use files and libraries deleted or updated by recent upgrades. They should be restarted to benefit from the latest updates. Run 'zypper ps -s' to list these programs. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1185882
Marina Latini
participants (1)
-
bugzilla_noreply@suse.com