Bug 885933
Summary: | dns lookup gives permission denied error | | |
---|---|---|---|
Product: | OpenShift Online | Reporter: | Aditya Patawari <adimania> |
Component: | Containers | Assignee: | Rob Millner <rmillner> |
Status: | CLOSED UPSTREAM | QA Contact: | libra bugs <libra-bugs> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | 2.x | CC: | bhatiam, error, mfisher |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-07-30 05:26:59 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Aditya Patawari
2012-12-11 03:56:04 UTC
Also see: https://openshift.redhat.com/community/forums/openshift/dns-lookup-gives-permission-denied-error

This is due to an SELinux denial. We will investigate opening this permission. Normal host-name resolution works through the NSS methods (gethostbyname); just not through the DNS-specific tools that directly send DNS packets.

I understand that this won't be on top priority but do we have an estimate on how much time it will take to get this feature?

Gear users can issue the standard gethostbyname and gethostbyaddr calls. The thing blocking nslookup, dig and host is that they bind to a UDP port. To be useful, they either have to bind to the external IP address or to the any address (0.0.0.0); neither of which we allow on the platform. We're discussing how to resolve this with the SELinux team inside Red Hat and will hopefully have a solution shortly.

Rob, do we have any update on this?

Had a discussion with the SELinux experts about enabling this. It will require changes to the targeted policies for RHEL 6, Fedora 17 and Fedora 18. We're working through the change and are expecting to have an update in a few weeks.

I won't need this anymore since I have moved out of OpenShift. The ticket was marked as high priority and it has been months since that action. Clearly, I was wasting my time here.

SELinux feature request moved to Trello Card: https://trello.com/c/BZrNDAhP/205-selinux-allows-dns-command-line-tools-to-work

This remains an issue on OpenShift Online. Has there been any progress toward resolving it? I want to query SOA records, as part of the process of validating email addresses. This appears to be the only way to do so, as other syscalls that work, such as getaddrinfo(), aren't really set up to retrieve anything but address records.
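
A small probe for the behaviour described in this thread, added here as an example and not part of the bug report or of OpenShift's code: it tests NSS resolution and a UDP bind to 0.0.0.0 separately, so a bind refused with EACCES can be told apart from a resolver failure. The function names and verdict labels are illustrative assumptions, as is EACCES being the errno behind the "permission denied" message.

```python
import errno
import socket


def _err(e):
    # Symbolic errno name, e.g. 13 -> "EACCES"
    return errno.errorcode.get(e.errno, "errno=%s" % e.errno)


def probe_udp_bind(addr, sock_factory=socket.socket):
    """Bind a UDP socket to (addr, ephemeral port), the step the thread
    says blocks nslookup, dig and host. Returns "ok" or the errno name."""
    try:
        sock = sock_factory(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError as e:
        return _err(e)
    try:
        sock.bind((addr, 0))
        return "ok"
    except OSError as e:
        return _err(e)
    finally:
        sock.close()


def probe_nss(name="localhost"):
    """Resolve a name through the libc/NSS path (getaddrinfo)."""
    try:
        socket.getaddrinfo(name, None)
        return "ok"
    except OSError as e:  # socket.gaierror is a subclass of OSError
        return "resolver-error: %s" % e


def diagnose(nss, bind_any):
    """Map the two probe results onto the situation described in the thread."""
    if nss == "ok" and bind_any == "EACCES":
        return "bind-denied"   # NSS works, UDP bind refused: the reported symptom
    if nss == "ok" and bind_any == "ok":
        return "unrestricted"  # DNS command-line tools should be able to bind
    return "other"


if __name__ == "__main__":
    nss = probe_nss()
    bind_any = probe_udp_bind("0.0.0.0")
    print("getaddrinfo:", nss)
    print("UDP bind 0.0.0.0:", bind_any)
    print("verdict:", diagnose(nss, bind_any))
```

A "bind-denied" verdict only shows that the bind was refused with EACCES; confirming that SELinux is the cause still requires the host's audit log.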