[Bug 1185882] New: /etc/resolv.conf not restored after NetworkManager VPN connection terminates

newer
[Bug 1203383] New: Cannot use any...

older
[Bug 1203018] VUL-0:...

bugzilla_noreply＠suse.com

10 May 2021 10 May '21

22:11

https://bugzilla.suse.com/show_bug.cgi?id=1185882 Bug ID: 1185882 Summary: /etc/resolv.conf not restored after NetworkManager VPN connection terminates Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Network Assignee: screening-team-bugs@suse.de Reporter: doug@uq.edu.au QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- For NetworkManager VPN plugins that use pppd, netconfig seems to be getting run twice (once by NetworkManager and once by pppd) resulting in /etc/resolv.conf not being restored after the VPN connection is terminated. Apparently with https://bugzilla.suse.com/show_bug.cgi?id=1079793 there was a netconfig policy change to permit non-NM settings : * Do Mai 17 2018 mt@suse.de - version 0.84.3 - netconfig: change policy to permit non-NM settings (bsc#1079793) As requested and approved by NetworkManager maintainer, the 'auto' policy permits now also per interface settings provided by other services when NetworkManager is enabled. That is, the auto policy resolving has been changed from "STATIC_FALLBACK NetworkManager" to "STATIC_FALLBACK * NetworkManager". So changes to pppd's ip-up script and netconfig behavior can't be accepted due to that policy change as they would override the policy change behavior. More details: https://github.com/openSUSE/sysconfig/issues/31 -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 3.4 KB)

Show replies by date

bugzilla_noreply＠suse.com

10 May 10 May

22:22

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 Marius Tomaschewski changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mt@suse.com Assignee|screening-team-bugs@suse.de |songchuan.kang@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

23:09

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c1 Marius Tomaschewski changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fcrozat@suse.com --- Comment #1 from Marius Tomaschewski --- The description is not correct: The /etc/resolv.conf is never restored and does not need to be. Both, the /etc/ppp/ip-up.d/10-netconfig (/etc/ppp/netconfig) script and netconfig work correctly and according with the policy to use while NetworkManager is running (bug 1079793), which causes to use the settings from other services than NetworkManager now. The solution / workaround? is to either: - set NETCONFIG_DNS_POLICY="NetworkManager" in /etc/sysconfig/network/config (or via yast2) or - revert policy change for NetworkManager (bug 1079793). ---- There is a (open)SUSE system policy since SLE-11 that all programs/services have to use netconfig, which is also supported in yast (where you can set the policy, ...). netconfig receives and collects settings from all services and is applying them according to the defined policies. A script/program that writes /etc/resolv.conf directly on an (open)SUSE system violates the policy and needs to be fixed [�]. Also, as defined by NetworkManager, all its scripts/plugins have to deliver their settings to the NetworkManager, which has a special call to write it's merged settings. Further: The /etc/resolv.conf is a link to /run/netconfig/resolv.conf where netconfig modify|remove|update actions are writing to. (The administrator can also remove the link and create a file or create link pointing to an another file -- netconfig will honor it and not touch the /etc/resolv.conf any more.) To revert to use netconfig or fix settings applied by tools not doing it correctly [�], call `netconfig update -f`. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

18 Aug 18 Aug

08:09

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c2 --- Comment #2 from Jonathan Kang --- (In reply to Douglas Kosovic from comment #0)

...

For NetworkManager VPN plugins that use pppd, netconfig seems to be getting run twice (once by NetworkManager and once by pppd) resulting in /etc/resolv.conf not being restored after the VPN connection is terminated.

I'm curious why netconfig run by pppd didn't restore the correct /etc/resolv.conf. When the connection is down, shouldn't pppd remove dns searches/servers from /etc/resolv.conf? -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

19 Aug 19 Aug

13:18

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c3 --- Comment #3 from Douglas Kosovic --- Created attachment 851925 --> https://bugzilla.suse.com/attachment.cgi?id=851925&action=edit pppd up script output -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

13:20

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c4 --- Comment #4 from Douglas Kosovic --- (In reply to Jonathan Kang from comment #2)

...

I'm curious why netconfig run by pppd didn't restore the correct /etc/resolv.conf. When the connection is down, shouldn't pppd remove dns searches/servers from /etc/resolv.conf?

Editing /etc/ppp/netconfig and removing the comments chars as suggested like so : ### ### remove comment chars to trace this script: ### exec &>/tmp/${ACTION//\//-}.$$.trace set -x echo 1>&2 "$0: $@" env 1>&2 I see a /tmp/ip-up.d-10-netconfig.2539.trace file that gets generated, but there is no corresponding /tmp/ip-down.d-90-netconfig.2539.trace file. So looks like netconfig is never called in a pppd down script when a NetworkManager pppd based VPN is used. For completeness, I've attached the generated /tmp/ip-up.d-10-netconfig.2539.trace file. Originally in my pull request, I thought disarming netconfig in /etc/ppp/netconfig when a pppd based NetworkManager VPN is used was the correct approach : https://github.com/openSUSE/sysconfig/pull/30 But Marius suggested that wasn't the correct approach. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

13:21

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 Douglas Kosovic changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #851925|pppd up script output |ip-up.d-10-netconfig.2539.t description| |race -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

24 Aug 24 Aug

08:37

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c5 --- Comment #5 from Marius Tomaschewski --- (In reply to Jonathan Kang from comment #2)

...

I'm curious why netconfig run by pppd didn't restore the correct /etc/resolv.conf. When the connection is down, shouldn't pppd remove dns searches/servers from /etc/resolv.conf?

It does not remove the dns settings added by the NetworkManager. Correct implementation is AFAIK: by NetworkManager definitions, all plugins have to deliver the settings to NetworkManager and NetworkManager is applying the settings, in pppd case, e.g. a: /etc/ppp/ip-up.d/network-manager script sending them to NetworkManager. NetworkManager maintains the currently valid dns settings and their order itself and is applying them via a call to: /sbin/netconfig modify -s NetworkManager When there aren't any settings, it can either reset them via modify to an empty set or call: /sbin/netconfig remove -s NetworkManager The per interface calls made by pppd in this case: up/start -> /sbin/netconfig modify $VERBOSE -s pppd-ipv4 -i "$INTERFACE" down/stop -> /sbin/netconfig remove $VERBOSE -s pppd-ipv4 -i "$INTERFACE" are filtered _out_ by the default DNS policy 'STATIC_FALLBACK NetworkManager' policy completely, so there is no explicit hard-coded guard / check for NM vs. other network.service needed in the ip-*.d scripts as netconfig guards it already. The default DNS policy 'STATIC_FALLBACK NetworkManager' causes also, that when the NetworkManager didn't provided any settings or reset them to empty set, netconfig will apply a static setting are applied as fallback (if any) or reset to an empty set, where the nameserver listening on loopback IPs is tried to be used by the glibc. The now broken default DNS 'STATIC_FALLBACK * NetworkManager', requested via in bug 1079793 may even cause that these (from all services) settings are applied twice -- once by the service (pppd) and once by NetworkManager and the logic to apply them inside of NetworkManager does not work any more. When the user wants to permit non-NetworkManager services to apply settings beside NetworkManager, the user still can change the NETCONFIG_DNS_POLICY='auto' which is resolve to the network.service depending default policy, to an explicit policy (can be done via yast2 or manually): NETCONFIG_DNS_POLICY='STATIC_FALLBACK ppp0 NetworkManager' NETCONFIG_DNS_POLICY='STATIC_FALLBACK NetworkManager ppp0' NETCONFIG_DNS_POLICY='STATIC_FALLBACK * NetworkManager' or whatever the user prefers to use. So it's simply a all based on the wrong decision in bug 1079793 to change the default behavior to adopt for a specific, non-standard use-case. Also, instead to hack ip-*.d scripts, this bug can be resolved by setting: NETCONFIG_DNS_POLICY='STATIC_FALLBACK NetworkManager' in /etc/sysconfig/network/config as netconfig already contains a guard. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

08:48

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c6 --- Comment #6 from Marius Tomaschewski --- (In reply to Douglas Kosovic from comment #4)

...

Originally in my pull request, I thought disarming netconfig in /etc/ppp/netconfig when a pppd based NetworkManager VPN is used was the correct approach : https://github.com/openSUSE/sysconfig/pull/30

But Marius suggested that wasn't the correct approach.

As I've With the now default policy we use now, the correct approach is to set an explicit NETCONFIG_DNS_POLICY='STATIC_FALLBACK NetworkManager' dns (ntp, nis) policy in /etc/sysconfig/network/config, which causes to discard settings provided by pppd (by everything except of NetworkManager). I'd just like we discuss, whether the defaults to permit breaking the NetworkManager by anything else are appropriate... -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

25 Aug 25 Aug

01:56

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c7 --- Comment #7 from Jonathan Kang --- (In reply to Marius Tomaschewski from comment #5)

...

The now broken default DNS 'STATIC_FALLBACK * NetworkManager', requested via in bug 1079793 may even cause that these (from all services) settings are applied twice -- once by the service (pppd) and once by NetworkManager and the logic to apply them inside of NetworkManager does not work any more.

My original thought about this is we want to enable users to use other services outside NetworkManager by default as well.

...

When the user wants to permit non-NetworkManager services to apply settings beside NetworkManager, the user still can change the NETCONFIG_DNS_POLICY='auto' which is resolve to the network.service depending default policy, to an explicit policy (can be done via yast2 or manually): NETCONFIG_DNS_POLICY='STATIC_FALLBACK ppp0 NetworkManager' NETCONFIG_DNS_POLICY='STATIC_FALLBACK NetworkManager ppp0' NETCONFIG_DNS_POLICY='STATIC_FALLBACK * NetworkManager' or whatever the user prefers to use.

This is indeed an better solution to me. @Frederic What's your opinion about this? -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

12 Sep 12 Sep

01:53

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c8 Marius Tomaschewski changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fcrozat@suse.com) --- Comment #8 from Marius Tomaschewski --- Frederic? -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

13 Sep 13 Sep

09:37

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c9 Frederic Crozat changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fcrozat@suse.com) | --- Comment #9 from Frederic Crozat --- (In reply to Marius Tomaschewski from comment #8)

...

Frederic?

I think the big problem is simply we can't expect users to go and edit configuration files (like /etc/sysconfig/network/config ) if they start enabling services which happen to be non managed by NM, to have a working network setup. This was the reason for the request to change the fallback in auto policy, so it works out of the box, even for services non managed by NM. And in the proposal here, I don't see a solution which doesn't require users to again edit configuration files. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

22 Sep 22 Sep

11:18

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c10 --- Comment #10 from Marius Tomaschewski --- (In reply to Frederic Crozat from comment #9)

...

(In reply to Marius Tomaschewski from comment #8)

...
Frederic?

I think the big problem is simply we can't expect users to go and edit configuration files (like /etc/sysconfig/network/config ) if they start enabling services which happen to be non managed by NM, to have a working network setup.

Regardless that NetworkManager has a defined feature set and own support for openvpn (as in the original issue) and already using the non-nm variant of the service sounds odd.

...

This was the reason for the request to change the fallback in auto policy, so it works out of the box, even for services non managed by NM.

So better other non-nm things work and it's better to break NetworkManager plugins as default?

...

And in the proposal here, I don't see a solution which doesn't require users to again edit configuration files.

Nobody needs to edit config files -> yast2 network supports to adjust the netconfig update policies since ever. IMO it's better when the users need to adjust the default policy to extent it to cover special / non-standard cases of a non-NetworkManager service use rather than be forced to adjust the policy by default (without even using non-nm services) as the new default policy is causing to break NetworkManager plugins. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

11:23

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c11 --- Comment #11 from Marius Tomaschewski --- Please make decision whether we revert this incorrect defaults change or not. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

11:45

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c12 --- Comment #12 from Frederic Crozat --- (In reply to Marius Tomaschewski from comment #10)

...

(In reply to Frederic Crozat from comment #9)

...
(In reply to Marius Tomaschewski from comment #8)

...
Frederic?

I think the big problem is simply we can't expect users to go and edit configuration files (like /etc/sysconfig/network/config ) if they start enabling services which happen to be non managed by NM, to have a working network setup.

Regardless that NetworkManager has a defined feature set and own support for openvpn (as in the original issue) and already using the non-nm variant of the service sounds odd.

...
This was the reason for the request to change the fallback in auto policy, so it works out of the box, even for services non managed by NM.

So better other non-nm things work and it's better to break NetworkManager plugins as default?

This was obviously missed by me, when requesting a change to the fallback policy (which, by its name, is supposed to be just a fallback, when the rest doesn't work in auto).

...

...
And in the proposal here, I don't see a solution which doesn't require users to again edit configuration files.

Nobody needs to edit config files -> yast2 network supports to adjust the netconfig update policies since ever.

Using yast2 to adjust netconfig update policy is still editing a configuration file: it requires user interaction, who needs to know why buttons / check box to tweak.

...

IMO it's better when the users need to adjust the default policy to extent it to cover special / non-standard cases of a non-NetworkManager service use rather than be forced to adjust the policy by default (without even using non-nm services) as the new default policy is causing to break NetworkManager plugins.

This implies the user know it is going "out of policy", which is not obvious. (In reply to Marius Tomaschewski from comment #11)

...

Please make decision whether we revert this incorrect defaults change or not.

Then, please revert it. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

13:23

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c13 Marius Tomaschewski changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |doug@uq.edu.au, | |songchuan.kang@suse.com Flags| |needinfo?(doug@uq.edu.au), | |needinfo?(songchuan.kang@su | |se.com) --- Comment #13 from Marius Tomaschewski --- Jonathan, Douglas, the revert is in https://github.com/openSUSE/sysconfig/pull/32 now and will filter settings from services they try to apply directly instead to send them to the NetworkManager. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

23 Sep 23 Sep

02:08

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c14 Jonathan Kang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(songchuan.kang@su | |se.com) | --- Comment #14 from Jonathan Kang --- (In reply to Marius Tomaschewski from comment #10)

...

IMO it's better when the users need to adjust the default policy to extent it to cover special / non-standard cases of a non-NetworkManager service use rather than be forced to adjust the policy by default (without even using non-nm services) as the new default policy is causing to break NetworkManager plugins.

I agree. Between these two solutions, this seems to be the better one. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

8 Nov 8 Nov

07:45

New subject: [Bug 1185882] /etc/resolv.conf not restored after NetworkManager VPN connection terminates

https://bugzilla.suse.com/show_bug.cgi?id=1185882 https://bugzilla.suse.com/show_bug.cgi?id=1185882#c15 --- Comment #15 from Jonathan Kang --- (In reply to Marius Tomaschewski from comment #13)

...

Jonathan, Douglas,

the revert is in https://github.com/openSUSE/sysconfig/pull/32 now and will filter settings from services they try to apply directly instead to send them to the NetworkManager.

Hi Marius It seems that this is not available in openSUSE:Factory yet. Is this planned to be released for Tumbleweed so that we can close this bug? Thanks. -- You are receiving this mail because: You are on the CC list for the bug.