Remove resolvconf dependency on Focal #5809

Merged
merged 1 commit into from
Feb 23, 2021

@rmol rmol commented Feb 22, 2021

Status

Ready for review

Description of Changes

Stops installing resolvconf on Focal. Keeps systemd-resolved disabled. Name resolution keeps working: man resolv.conf.

Testing

  • git checkout -b remove-resolvconf origin/remove-resolvconf
  • make build-debs-focal
  • make staging-focal

Servers should not have resolvconf installed, nor systemd-resolved running. DNS lookups should still succeed.

Deployment

Changes resolver configuration.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

Verified

This commit was signed with the committer’s verified signature. The key has expired.
@rmol rmol assigned rmol and emkll and unassigned rmol Feb 22, 2021
@rmol rmol added this to the 1.8.0 milestone Feb 22, 2021

@emkll emkll left a comment

Changes here look functionally good to me, as tested in Focal VMs. It looks like systemd-resolved is disabled by default on Focal install.
Its presence is not strictly necessary here: running a local resolver would only be helpful to cache DNS requests.

rmol commented Feb 23, 2021

Did you find systemd-resolved disabled on a fresh, pre-SecureDrop Focal server? We have a step to disable it. I thought it was enabled by default when I checked a new Focal machine.

emkll commented Feb 23, 2021

It is enabled by default on a fresh Focal install:

$ systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-02-23 00:12:54 UTC; 42s ago
       Docs: man:systemd-resolved.service(8)
             https://www.freedesktop.org/wiki/Software/systemd/resolved
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
   Main PID: 621 (systemd-resolve)
     Status: "Processing requests..."
      Tasks: 1 (limit: 470)
     Memory: 7.6M
     CGroup: /system.slice/systemd-resolved.service

It is, however, disabled in Debian by default, per the below and [1]:

$ systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
   Loaded: loaded (/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/systemd-resolved.service.d
           └─resolvconf.conf
   Active: inactive (dead)
     Docs: man:systemd-resolved.service(8)
           https://www.freedesktop.org/wiki/Software/systemd/resolved
           https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
           https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

If we were to enable (or rather, preserve enabled) systemd-resolved under Focal, we will need to configure it differently, as /etc/resolv.conf is managed by systemd-resolved and is a symlink to /run/systemd/resolve/stub-resolv.conf, pointing to a local resolver. /etc/systemd/resolved.conf would be the file where we would configure the DNS servers.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866624

@conorsch

Looks like systemd-resolved is enabled by default on a clean Focal install. To test, I ran molecule create -s qubes-staging-focal, then molecule login -s qubes-staging-focal -h app-staging:

sdadmin@app-staging:~$ uname -r
5.4.0-59-generic
sdadmin@app-staging:~$ sudo systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-02-23 00:22:17 UTC; 4min 5s ago

See context in #5638. At the very least, we should have a config test verifying that state, but that doesn't block here. @kushaldas please refer to the relevant documentation for systemd-resolved and resolv.conf. If you agree with the behavior here, go ahead and merge!
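
The state this PR's test plan describes (no resolvconf, systemd-resolved not running, DNS still resolving), expressed as a host check. This is an added example, not code from the PR or from SecureDrop's test suite; the function names, the rule that any symlinked /etc/resolv.conf fails, and the example.com lookup are assumptions.

```shell
#!/bin/sh
# Added example: verify the resolver state described in this PR.
# Function names are illustrative, not SecureDrop's.

# resolv_conf_ok FILE: pass only if FILE is a regular file (resolvconf and
# systemd-resolved both replace it with a symlink) that lists at least one
# nameserver other than 127.0.0.53, the systemd-resolved stub listener.
resolv_conf_ok() {
    f=$1
    if [ -L "$f" ]; then
        echo "FAIL: $f is a symlink to $(readlink "$f")"; return 1
    fi
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    servers=$(awk '$1 == "nameserver" && $2 != "127.0.0.53" {print $2}' "$f")
    [ -n "$servers" ] || { echo "FAIL: no upstream nameserver in $f"; return 1; }
    echo "OK: $f is static"
}

# unit_state_ok ENABLED ACTIVE: arguments are the strings printed by
# `systemctl is-enabled` and `systemctl is-active`.
unit_state_ok() {
    case $1 in disabled|masked) ;; *) echo "FAIL: unit is '$1'"; return 1 ;; esac
    case $2 in inactive) ;; *) echo "FAIL: unit is '$2'"; return 1 ;; esac
    echo "OK: systemd-resolved $1/$2"
}

# pkg_absent STATUS: argument is dpkg-query's ${Status} (empty if unknown).
pkg_absent() {
    case $1 in
        ""|*" not-installed"|*" config-files") echo "OK: resolvconf absent" ;;
        *) echo "FAIL: resolvconf status '$1'"; return 1 ;;
    esac
}

# check_host: run every check against the live system and report all failures.
check_host() {
    rc=0
    pkg_absent "$(dpkg-query -W -f='${Status}' resolvconf 2>/dev/null)" || rc=1
    unit_state_ok "$(systemctl is-enabled systemd-resolved 2>/dev/null)" \
                  "$(systemctl is-active systemd-resolved 2>/dev/null)" || rc=1
    resolv_conf_ok /etc/resolv.conf || rc=1
    # example.com is a placeholder lookup target (assumption)
    getent hosts example.com >/dev/null || { echo "FAIL: DNS lookup"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run it with `--host` on the app or mon server after `make staging-focal`; a non-zero exit means at least one of the four conditions does not hold.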


@kushaldas kushaldas left a comment

DNS still working, no resolvconf installed on the servers. Approved.

@kushaldas kushaldas merged commit da9dbf2 into develop Feb 23, 2021
@kushaldas kushaldas deleted the remove-resolvconf branch February 23, 2021 05:04
@kushaldas kushaldas mentioned this pull request Feb 26, 2021