Bug 1648108 - DNS for the VPN isn't initialized correctly with standard /etc/nsswitch.conf after openconnect
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: vpnc-script
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1646760
Reported: 2018-11-08 20:49 UTC by Jim Hennessy
Modified: 2019-01-02 13:59 UTC (History)
Last Closed: 2018-12-07 02:38:55 UTC



Description Jim Hennessy 2018-11-08 20:49:35 UTC
After using openconnect to establish a VPN connection, I can't resolve host names for hosts in the new network, *unless* the "resolve" module is named on the "hosts" line in /etc/nsswitch.conf, which is not the default configuration in Fedora 29.  This worked in Fedora 28 with the default configuration.

In Fedora 28, the /etc/vpnc-script would modify the /etc/resolv.conf file with the DNS information for the VPN.  In Fedora 29, it no longer takes that path.  The vpnc-script looks in /etc/nsswitch.conf to see if "resolve" appears on the "hosts" line.  If it doesn't, it tries to avoid depending on systemd-resolved.  But if it sees the /sbin/resolvconf executable, it uses it.  On Fedora 29, however, /sbin/resolvconf is a symbolic link to /bin/resolvectl, and resolvectl just talks to systemd-resolved, which vpnc-script doesn't appear to expect.  So on systems where "resolve" doesn't appear on the "hosts" line of /etc/nsswitch.conf, name resolving still won't work.  Since this seems to be the default configuration in Fedora 29, even on a freshly-installed system, that's not ideal.

To make openconnect work for me on Fedora 29, I had to comment out the lines in vpnc-script that check for /sbin/resolvconf, and use the --script option of openconnect to point to my modified version of vpnc-script.  It also works if I add "resolve [!UNAVAIL=return]" just before the "dns" entry on the "hosts" line in /etc/nsswitch.conf (now that https://bugzilla.redhat.com/show_bug.cgi?id=1644860 is fixed).


Version-Release number of selected component (if applicable):

vpnc-script-20171004-3.git6f87b0f.fc29.noarch

How reproducible:

It fails every time with the default /etc/nsswitch.conf file.

Steps to Reproduce:

Use openconnect to create a tunnel to a private network that has its own DNS servers.  Try to resolve a host name using a command like "ping" that ultimately uses /etc/nsswitch.conf to control name resolution.  Observe that names can't be resolved.

Actual results:

Host names can't be resolved.

Expected results:

Host names can be resolved.

Additional info:

none
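
The resolver selection described in the report above, as an added example (not part of the original report and not vpnc-script's own code). The function names and result labels are assumptions made for this example; the branch order follows the reporter's description, and "mismatch" marks the Fedora 29 default where VPN DNS is handed to systemd-resolved while NSS never consults it.

```shell
#!/bin/sh
# Added diagnostic: predicts which DNS path is taken, per the report's description.

# hosts_uses_resolve FILE: succeeds if "resolve" is a source on the "hosts:" line.
hosts_uses_resolve() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) if ($i == "resolve") found = 1
        }
        END { exit !found }
    ' "$1"
}

# resolvconf_is_resolvectl PATH: succeeds if PATH is a symlink to resolvectl.
resolvconf_is_resolvectl() {
    [ -L "$1" ] || return 1
    case "$(readlink "$1")" in
        resolvectl|*/resolvectl) return 0 ;;
    esac
    return 1
}

# dns_path NSSWITCH RESOLVCONF: prints one of
#   resolved     NSS uses the "resolve" module, so systemd-resolved answers lookups
#   mismatch     resolvconf is really resolvectl, but NSS never asks systemd-resolved
#   resolvconf   a stand-alone resolvconf program is present
#   resolv.conf  nothing else applies; /etc/resolv.conf is edited directly
dns_path() {
    if hosts_uses_resolve "$1"; then
        echo "resolved"
    elif [ -x "$2" ] || [ -L "$2" ]; then
        if resolvconf_is_resolvectl "$2"; then
            echo "mismatch"
        else
            echo "resolvconf"
        fi
    else
        echo "resolv.conf"
    fi
}

# Check the local system by default; both paths can be overridden.
dns_path "${1:-/etc/nsswitch.conf}" "${2:-/sbin/resolvconf}"
```

A "mismatch" result means VPN-internal names will not resolve through NSS-based tools such as ping until the "hosts" line includes "resolve" or vpnc-script stops taking the resolvconf branch.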

Comment 1 Nikos Mavrogiannopoulos 2018-11-09 07:29:11 UTC
Forwarded upstream:
https://gitlab.com/openconnect/openconnect/issues/11

Comment 2 Jan Vlug 2018-11-09 07:33:59 UTC
Maybe duplicate of bug 1646760.

Comment 3 Nikos Mavrogiannopoulos 2018-11-24 14:48:34 UTC
*** Bug 1646760 has been marked as a duplicate of this bug. ***

Comment 4 Nikos Mavrogiannopoulos 2018-11-24 14:49:40 UTC
There is indeed an issue in vpnc-script which makes it unusable in Fedora. There is a little more info in the upstream tracker, though I have no time to follow up on that. If you send a pull request on vpnc-script which addresses the issue I will merge it.

Comment 5 Nikos Mavrogiannopoulos 2018-11-24 14:50:09 UTC
Even better, if someone else would like to take over this package, I'll be grateful.

Comment 6 Jim Hennessy 2018-11-25 19:26:22 UTC
I can do a pull request.  Are you suggesting I file it against a Fedora repo (https://src.fedoraproject.org/rpms/vpnc-script.git?) or the upstream repo at http://git.infradead.org/users/dwmw2/vpnc-scripts.git/?

Comment 7 Nikos Mavrogiannopoulos 2018-11-26 09:44:19 UTC
The Fedora repo is best, so we can try it there, and if that works we can follow up upstream.

Comment 8 Jim Hennessy 2018-12-01 20:04:16 UTC
I submitted pull request https://src.fedoraproject.org/rpms/vpnc-script/pull-request/1 to change the script to accommodate the Fedora 29 arrangement.

Comment 9 Fedora Update System 2018-12-03 08:01:25 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0e6c79cb84

Comment 10 Nikos Mavrogiannopoulos 2018-12-03 08:01:47 UTC
Thank you! I've created builds for it.

Comment 11 Fedora Update System 2018-12-04 05:01:54 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0e6c79cb84

Comment 12 Fedora Update System 2018-12-07 02:38:55 UTC
vpnc-script-20171004-4.git6f87b0f.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

