Bug 1648108

Summary: DNS for the VPN isn't initialized correctly with standard /etc/nsswitch.conf after openconnect
Product: [Fedora] Fedora
Reporter: Jim Hennessy <jphxxxx>
Component: vpnc-script
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: chkr, dwmw2, jan.public, mbayer, nmavrogi
Hardware: Unspecified
OS: Unspecified
Fixed In Version: vpnc-script-20171004-4.git6f87b0f.fc29
Last Closed: 2018-12-07 02:38:55 UTC
Type: Bug

Description Jim Hennessy 2018-11-08 20:49:35 UTC
After using openconnect to establish a VPN connection, I can't resolve host names for hosts in the new network, *unless* the "resolve" module is named on the "hosts" line in /etc/nsswitch.conf, which is not the default configuration in Fedora 29.  This worked in Fedora 28 with the default configuration.

In Fedora 28, the /etc/vpnc-script would modify the /etc/resolv.conf file with the DNS information for the VPN.  In Fedora 29, it no longer takes that path.  The vpnc-script looks in /etc/nsswitch.conf to see if "resolve" appears on the "hosts" line.  If it doesn't, it tries to avoid depending on systemd-resolved.  But if it sees the /sbin/resolvconf executable, it uses it.  On Fedora 29, however, /sbin/resolvconf is a symbolic link to /bin/resolvectl, and resolvectl just talks to systemd-resolved, which vpnc-script doesn't appear to expect.  So on systems where "resolve" doesn't appear on the "hosts" line of /etc/nsswitch.conf, name resolving still won't work.  Since this seems to be the default configuration in Fedora 29, even on a freshly-installed system, that's not ideal.

To make openconnect work for me on Fedora 29, I had to comment out the lines in vpnc-script that check for /sbin/resolvconf, and use the --script option of openconnect to point to my modified version of vpnc-script.  It also works if I add "resolve [!UNAVAIL=return]" just before the "dns" entry on the "hosts" line in /etc/nsswitch.conf (now that https://bugzilla.redhat.com/show_bug.cgi?id=1644860 is fixed).


Version-Release number of selected component (if applicable):

vpnc-script-20171004-3.git6f87b0f.fc29.noarch

How reproducible:

It fails every time with the default /etc/nsswitch.conf file.

Steps to Reproduce:

Use openconnect to create a tunnel to a private network that has its own DNS servers.  Try to resolve a host name using a command like "ping" that ultimately uses /etc/nsswitch.conf to control name resolution.  Observe that names can't be resolved.

Actual results:

Host names can't be resolved.

Expected results:

Host names can be resolved.

Additional info:

none
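
A diagnostic sketch of the decision path described in the report above, added here as an example; it is not code from vpnc-script or from the reporter. The function names and verdict strings are hypothetical, and the two file paths are passed as arguments so the check can also be run against copies.

```shell
#!/bin/sh
# Added example: models the DNS decision path as the report describes it.
# Function names and verdict strings are hypothetical.

# Succeeds if the "hosts:" line of an nsswitch.conf-style file names the
# "resolve" module. Commented-out lines ("#hosts: ...") do not match.
hosts_uses_resolve() {
    [ -r "$1" ] || return 1
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "resolve") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Succeeds if the given resolvconf path is a symlink whose final target is
# named "resolvectl", i.e. it only talks to systemd-resolved.
resolvconf_is_resolvectl() {
    [ -L "$1" ] || return 1
    target=$(readlink -f "$1") || return 1
    [ "$(basename "$target")" = "resolvectl" ]
}

# Prints one verdict for an nsswitch.conf path and a resolvconf path:
#   systemd-resolved  hosts line names "resolve"; lookups go through resolved
#   mismatch          resolvconf is really resolvectl, but the hosts line
#                     lacks "resolve": VPN DNS is handed to systemd-resolved
#                     while name lookups never consult it (the reported case)
#   resolvconf        an executable resolvconf that is not resolvectl
#   resolv.conf       no resolvconf; /etc/resolv.conf is edited directly
dns_path_verdict() {
    if hosts_uses_resolve "$1"; then
        echo "systemd-resolved"
    elif resolvconf_is_resolvectl "$2"; then
        echo "mismatch"
    elif [ -x "$2" ]; then
        echo "resolvconf"
    else
        echo "resolv.conf"
    fi
}

# Check the live system.
dns_path_verdict /etc/nsswitch.conf /sbin/resolvconf
```

A "mismatch" verdict means host names served only by the VPN's DNS servers will fail to resolve until either the hosts line or the script's resolvconf check is changed, as described in the report.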

Comment 1 Nikos Mavrogiannopoulos 2018-11-09 07:29:11 UTC
Forwarded upstream:
https://gitlab.com/openconnect/openconnect/issues/11

Comment 2 Jan Vlug 2018-11-09 07:33:59 UTC
Maybe duplicate of bug 1646760.

Comment 3 Nikos Mavrogiannopoulos 2018-11-24 14:48:34 UTC
*** Bug 1646760 has been marked as a duplicate of this bug. ***

Comment 4 Nikos Mavrogiannopoulos 2018-11-24 14:49:40 UTC
There is indeed an issue in vpnc-script which makes it unusable in Fedora. There is a little more info in the upstream tracker, though I have no time to follow up on that. If you send a pull request on vpnc-script which addresses the issue I will merge it.

Comment 5 Nikos Mavrogiannopoulos 2018-11-24 14:50:09 UTC
Better yet, if someone else would like to take over this package, I'll be grateful.

Comment 6 Jim Hennessy 2018-11-25 19:26:22 UTC
I can do a pull request.  Are you suggesting I file it against a Fedora repo (https://src.fedoraproject.org/rpms/vpnc-script.git?) or the upstream repo at http://git.infradead.org/users/dwmw2/vpnc-scripts.git/?

Comment 7 Nikos Mavrogiannopoulos 2018-11-26 09:44:19 UTC
The Fedora repo is best, so we can try it there, and if that works we can follow on upstream.

Comment 8 Jim Hennessy 2018-12-01 20:04:16 UTC
I submitted pull request https://src.fedoraproject.org/rpms/vpnc-script/pull-request/1 to change the script to accommodate the Fedora 29 arrangement.

Comment 9 Fedora Update System 2018-12-03 08:01:25 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0e6c79cb84

Comment 10 Nikos Mavrogiannopoulos 2018-12-03 08:01:47 UTC
Thank you! I've created builds for it.

Comment 11 Fedora Update System 2018-12-04 05:01:54 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0e6c79cb84

Comment 12 Fedora Update System 2018-12-07 02:38:55 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Michael Bayer 2019-05-23 17:54:17 UTC
I've created bz#1713455 for a similar issue in openvpn.