Bug 1648108 - DNS for the VPN isn't initialized correctly with standard /etc/nsswitch.conf after openconnect
Summary: DNS for the VPN isn't initialized correctly with standard /etc/nsswitch.conf ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: vpnc-script
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1646760 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-08 20:49 UTC by Jim Hennessy
Modified: 2019-05-23 17:54 UTC (History)
5 users (show)

Fixed In Version: vpnc-script-20171004-4.git6f87b0f.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-07 02:38:55 UTC


Attachments (Terms of Use)

Description Jim Hennessy 2018-11-08 20:49:35 UTC
After using openconnect to establish a VPN connection, I can't resolve host names for hosts in the new network, *unless* the "resolve" module is named on the "hosts" line in /etc/nsswitch.conf, which is not the default configuration in Fedora 29.  This worked in Fedora 28 with the default configuration.

In Fedora 28, the /etc/vpnc-script would modify the /etc/resolv.conf file with the DNS information for the VPN.  In Fedora 29, it no longer takes that path.  The vpnc-script looks in /etc/nsswitch.conf to see if "resolve" appears on the "hosts" line.  If it doesn't, it tries to avoid depending on systemd-resolved.  But if it sees the /sbin/resolvconf executable, it uses it.  On Fedora 29, however, /sbin/resolvconf is a symbolic link to /bin/resolvectl, and resolvectl just talks to systemd-resolved, which vpnc-script doesn't appear to expect.  So on systems where "resolve" doesn't appear on the "hosts" line of /etc/nsswitch.conf, name resolving still won't work.  Since this seems to be the default configuration in Fedora 29, even on a freshly-installed system, that's not ideal.

To make openconnect work for me on Fedora 29, I had to comment out the lines in vpnc-script that check for /sbin/resolvconf, and use the --script option of openconnect to point to my modified version of vpnc-script.  It also works if I add "resolve [!UNAVAIL=return]" just before the "dns" entry on the "hosts" line in /etc/nsswitch.conf (now that https://bugzilla.redhat.com/show_bug.cgi?id=1644860 is fixed).


Version-Release number of selected component (if applicable):

vpnc-script-20171004-3.git6f87b0f.fc29.noarch

How reproducible:

It fails every time with the default /etc/nsswitch.conf file.

Steps to Reproduce:

Use openconnect to create a tunnel to a private network that has its own DNS servers.  Try to resolve a host name using a command like "ping" that ultimately uses /etc/nsswitch.conf to control name resolution.  Observe that names can't be resolved.

Actual results:

Host names can't be resolved.

Expected results:

Host names can be resolved.

Additional info:

none

Comment 1 Nikos Mavrogiannopoulos 2018-11-09 07:29:11 UTC
Forwarded upstream:
https://gitlab.com/openconnect/openconnect/issues/11

Comment 2 Jan Vlug 2018-11-09 07:33:59 UTC
Maybe duplicate of bug 1646760.

Comment 3 Nikos Mavrogiannopoulos 2018-11-24 14:48:34 UTC
*** Bug 1646760 has been marked as a duplicate of this bug. ***

Comment 4 Nikos Mavrogiannopoulos 2018-11-24 14:49:40 UTC
There is indeed an issue on vpnc-script which makes it unusable in fedora. There are a little more info in the upstream tracker, though I have no time to follow up on that. If you send a pull request on vpnc-script which addresses the issue I will merge it.

Comment 5 Nikos Mavrogiannopoulos 2018-11-24 14:50:09 UTC
If better someone else would like to take over this package, I'll be grateful.

Comment 6 Jim Hennessy 2018-11-25 19:26:22 UTC
I can do a pull request.  Are you suggesting I file it against a Fedora repo (https://src.fedoraproject.org/rpms/vpnc-script.git?) or the upstream repo at http://git.infradead.org/users/dwmw2/vpnc-scripts.git/?

Comment 7 Nikos Mavrogiannopoulos 2018-11-26 09:44:19 UTC
The fedora repo is best so we can try it there and if that works we can follow on upstream.

Comment 8 Jim Hennessy 2018-12-01 20:04:16 UTC
I submitted pull request https://src.fedoraproject.org/rpms/vpnc-script/pull-request/1 to change the script to accommodate the Fedora 29 arrangement.

Comment 9 Fedora Update System 2018-12-03 08:01:25 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0e6c79cb84

Comment 10 Nikos Mavrogiannopoulos 2018-12-03 08:01:47 UTC
Thank you! I've created builds for it.

Comment 11 Fedora Update System 2018-12-04 05:01:54 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0e6c79cb84

Comment 12 Fedora Update System 2018-12-07 02:38:55 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Michael Bayer 2019-05-23 17:54:17 UTC
I've created bz#1713455 for a similar issue in openvpn.


Note You need to log in before you can comment on or make changes to this bug.