Bug 1405431 - NM changes /etc/resolv.conf even though there is PEERDNS=no in ifcfg-* files
Summary: NM changes /etc/resolv.conf even though there is PEERDNS=no in ifcfg-* files
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: NetworkManager
Version: 7.3
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Beniamino Galvani
QA Contact: Desktop QE
Depends On:
Blocks: 1393481 1426748
TreeView+ depends on / blocked
Reported: 2016-12-16 13:52 UTC by Rastislav Hepner
Modified: 2018-07-30 11:07 UTC (History)
12 users (show)

Fixed In Version: NetworkManager-1.8.0-0.2.git20170215.1d40c5f4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1426748 (view as bug list)
Last Closed: 2017-08-01 09:22:07 UTC

Attachments (Terms of Use)
[PATCH] policy: don't apply DNS configuration for non-active devices (1.45 KB, patch)
2016-12-19 14:24 UTC, Beniamino Galvani
no flags Details | Diff

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2299 normal SHIPPED_LIVE Moderate: NetworkManager and libnl3 security, bug fix and enhancement update 2017-08-01 12:40:28 UTC

Description Rastislav Hepner 2016-12-16 13:52:01 UTC
Description of problem:
NM changes /etc/resolv.conf even though there is PEERDNS=no in ifcfg-* files
Behaviour was noticed by our customer on NM from RHEL 7.3. NM Version 1.0.6-31.el7_2 seems to work as expected and it doesn't change /etc/resolv.conf if PEERDNS=no is present in ifcfg-* files.

Version-Release number of selected component (if applicable):
problematic version of NM is 1.4.0-12.el7 

How reproducible:
Every time 

Steps to Reproduce:
1.put PEERDNS=no into /etc/sysconfig/network-scripts/ifcfg-* files 
2.install NM version 1.4.0-12.el7.
3.Restart NM and check /etc/resolv.conf for changes

Actual results:
/etc/resolv.conf is changed after NM version 1.4.0-12.el7 is started.
Acc. to my knowledge it shouldn't be changed. when there are PEERDNS=no on interfaces

Expected results:
NM will not change dns settings in /etc/resolv.conf

Additional info:
if there is dns=none in /etc/NetworkManager/NetworkManager.conf /etc/resolv is not changed even with NM version 1.4.0-12.el7

I was able to reproduce it please let me know if something else is needed.

Comment 1 Thomas Haller 2016-12-16 14:23:10 UTC
This is similar to https://bugzilla.redhat.com/show_bug.cgi?id=1344303#c8

`man nm-settings-ifcfg-rh` says:

   Semantic change of variables
     NetworkManager had to slightly change the semantic for a few variables.

     ยท   PEERDNS - initscripts interpret PEERDNS=no to mean "never touch 
         resolv.conf". NetworkManager interprets it to say "never add 
         automatic (DHCP, PPP, VPN, etc.) nameservers to resolv.conf".

resolv.conf is system-wide, while the PEERDNS configuration is per-connection. Setting PEERDNS=no in an ifcfg-rh causes NM not to add DNS information *from that connection* to resolv.conf.

It doesn't mean not to touch resolv.conf.

That can be configured via "main.dns=none" or "main.rc-manager=unmanaged". See `man NetworkManager.conf`.

If the user didn't expirience that with 1.0.6, it's probably a different bug. IIRC, NetworkManager only updates resolv.conf when it gets some new DNS information. That means, if you for example put NM_CONTROLLED=no for all devices, there are no managed interfaces and usually no DNS configuration. I think that is wrong, because *no* configuration is also a kind of and NM should consistently write whatever is there -- even if there are no DNS servers.

Assign to Beniamino for his opinion :)

Comment 3 Rastislav Hepner 2016-12-19 10:43:52 UTC

thanks for sharing that doc snippet. It makes sense. 

Wondering now whether the correct behaviour related to /etc/resolv.conf is seen in NM 1.0.6-31.el7_2 or in 1.4.0-12.el7.

Comment 4 Beniamino Galvani 2016-12-19 14:24:37 UTC
Created attachment 1233391 [details]
[PATCH] policy: don't apply DNS configuration for non-active devices

I agree with Thomas that the proper way to have NM not touching
resolv.conf is through the 'dns=none' option in NetworkManager.conf.
Any other way is not guaranteed to work, as the user may force the
rewrite of resolv.conf (sending SIGHUP to NM or through D-Bus). Also,
NM may automatically create new DHCP connections for hot-plugged
devices (if configured to do so), or there could be a global DNS
configuration set through D-Bus that causes resolv.conf to be modified.

That said, at the moment NM doesn't overwrite resolv.conf at startup
if there is no configured DNS server (or PEERDNS=no). This happens
with both 1.0.6 and 1.4.

However, there is an issue when restarting NM on 1.4, which causes NM
to temporarily write the DNS configuration captured from any existing
DHCP lease to resolv.conf, before clearing it again. The temporary
change in the configuration is why resolv.conf gets rewritten when
restarting NM, and the attached patch fixes this.

Anyway, the recommendation is to always set 'dns=none' if you don't
want NM to interfere with resolv.conf.

Comment 5 Thomas Haller 2016-12-19 15:07:18 UTC
(In reply to Beniamino Galvani from comment #4)
> Created attachment 1233391 [details]
> [PATCH] policy: don't apply DNS configuration for non-active devices

patch lgtm

Comment 9 errata-xmlrpc 2017-08-01 09:22:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.