Red Hat Bugzilla – Bug 1405431
NM changes /etc/resolv.conf even though there is PEERDNS=no in ifcfg-* files
Last modified: 2018-07-30 07:07:00 EDT
Description of problem: NM changes /etc/resolv.conf even though there is PEERDNS=no in ifcfg-* files Behaviour was noticed by our customer on NM from RHEL 7.3. NM Version 1.0.6-31.el7_2 seems to work as expected and it doesn't change /etc/resolv.conf if PEERDNS=no is present in ifcfg-* files. Version-Release number of selected component (if applicable): problematic version of NM is 1.4.0-12.el7 How reproducible: Every time Steps to Reproduce: 1.put PEERDNS=no into /etc/sysconfig/network-scripts/ifcfg-* files 2.install NM version 1.4.0-12.el7. 3.Restart NM and check /etc/resolv.conf for changes Actual results: /etc/resolv.conf is changed after NM version 1.4.0-12.el7 is started. Acc. to my knowledge it shouldn't be changed. when there are PEERDNS=no on interfaces Expected results: NM will not change dns settings in /etc/resolv.conf Additional info: if there is dns=none in /etc/NetworkManager/NetworkManager.conf /etc/resolv is not changed even with NM version 1.4.0-12.el7 I was able to reproduce it please let me know if something else is needed.
This is similar to https://bugzilla.redhat.com/show_bug.cgi?id=1344303#c8 `man nm-settings-ifcfg-rh` says: Semantic change of variables NetworkManager had to slightly change the semantic for a few variables. ยท PEERDNS - initscripts interpret PEERDNS=no to mean "never touch resolv.conf". NetworkManager interprets it to say "never add automatic (DHCP, PPP, VPN, etc.) nameservers to resolv.conf". resolv.conf is system-wide, while the PEERDNS configuration is per-connection. Setting PEERDNS=no in an ifcfg-rh causes NM not to add DNS information *from that connection* to resolv.conf. It doesn't mean not to touch resolv.conf. That can be configured via "main.dns=none" or "main.rc-manager=unmanaged". See `man NetworkManager.conf`. If the user didn't expirience that with 1.0.6, it's probably a different bug. IIRC, NetworkManager only updates resolv.conf when it gets some new DNS information. That means, if you for example put NM_CONTROLLED=no for all devices, there are no managed interfaces and usually no DNS configuration. I think that is wrong, because *no* configuration is also a kind of and NM should consistently write whatever is there -- even if there are no DNS servers. Assign to Beniamino for his opinion :)
Thomas, thanks for sharing that doc snippet. It makes sense. Wondering now whether the correct behaviour related to /etc/resolv.conf is seen in NM 1.0.6-31.el7_2 or in 1.4.0-12.el7.
Created attachment 1233391 [details] [PATCH] policy: don't apply DNS configuration for non-active devices I agree with Thomas that the proper way to have NM not touching resolv.conf is through the 'dns=none' option in NetworkManager.conf. Any other way is not guaranteed to work, as the user may force the rewrite of resolv.conf (sending SIGHUP to NM or through D-Bus). Also, NM may automatically create new DHCP connections for hot-plugged devices (if configured to do so), or there could be a global DNS configuration set through D-Bus that causes resolv.conf to be modified. That said, at the moment NM doesn't overwrite resolv.conf at startup if there is no configured DNS server (or PEERDNS=no). This happens with both 1.0.6 and 1.4. However, there is an issue when restarting NM on 1.4, which causes NM to temporarily write the DNS configuration captured from any existing DHCP lease to resolv.conf, before clearing it again. The temporary change in the configuration is why resolv.conf gets rewritten when restarting NM, and the attached patch fixes this. Anyway, the recommendation is to always set 'dns=none' if you don't want NM to interfere with resolv.conf.
(In reply to Beniamino Galvani from comment #4) > Created attachment 1233391 [details] > [PATCH] policy: don't apply DNS configuration for non-active devices patch lgtm
Applied to master: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=30a1e17cc032676cdfb04e2abcfab9db0d0cf085
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:2299