[NixOS] Handling multi-layer and parent symlinks for /etc/resolv.conf
#333
The pull request #318 adds support for escaping resolv.conf symlinks. However, I've encountered some issues in more complex environments like NixOS, where symlinks can have multiple layers and even parent folders can be symlinked.

Multi-layer symbolic link

NixOS often generates files under /etc from a config file and places them in /nix/store, symlinking them back to /etc. This can result in multi-layer symlinks like:

In my humble opinion, one solution could be mounting the realpath to the first unresolvable layer of the symlink.

Parent folder is also a symbolic link

The real case is not that simple. The file /etc/resolv.conf is actually a symlink to /etc/static/resolv.conf. It is /etc/static that is symlinked to /nix/store/:

This makes it difficult to resolve the actual path using readlink or realpath.

Possible Solutions and Workarounds

pivot_root: At the very least, I think we may add a check after pivot_root to warn users if /etc/resolv.conf isn't readable. This could provide insight into DNS resolution issues.

We may need to find paths to bind mount from every layer of the symlink, and also each parent path. This could potentially ensure resolvability after switching root.

It would be easier if we could bind mount to /etc/resolv.conf directly. While searching I found MS_NOSYMFOLLOW in mount(2), but that does not work for me. I have also found https://serverfault.com/a/1126837/979197, which suggests using AT_SYMLINK_NOFOLLOW.

As an alternative, it's also possible to patch slirp4netns in the Nix package registry to additionally bind-mount /nix into the sandbox.

This was referenced Dec 24, 2023

cc @giuseppe

AkihiroSuda added the enhancement (New feature or request) and help wanted (Extra attention is needed) labels on Dec 25, 2023

AkihiroSuda changed the title from "Handling multi-layer and parent symlinks for /etc/resolv.conf" to "[NixOS] Handling multi-layer and parent symlinks for /etc/resolv.conf" on Dec 25, 2023

@KiruyaMomochi Do you plan to submit a PR?
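The layer-by-layer resolution the issue asks for, as an added example that is not part of the issue text or of slirp4netns' code. It walks a path one component at a time with lstat/readlink semantics, re-anchoring absolute link targets at a chosen root rather than the host's / (which is where os.path.realpath would send them), so it reports every symlink layer a process would traverse after pivot_root into that root, including a symlinked parent directory like /etc/static, and the real file the chain ends on. It also goes a little beyond the NixOS case: relative targets, ".." components and an ELOOP guard are handled. The temporary directory tree, the placeholder /nix/store hashes, the resolv.conf content and the function names (symlink_layers, read_through, build_nixos_like_tree) are all constructed for this example.

```python
"""Resolve a path one symlink layer at a time, relative to a chosen root,
so every layer that must be reachable inside a sandbox is known.
Added example; not code from the issue or from slirp4netns."""
import errno
import os
import tempfile

MAXSYMLINKS = 40  # Linux gives up with ELOOP after this many links


def symlink_layers(path, root="/"):
    """Walk the absolute `path` component by component as a process would
    see it after pivot_root() into `root`.

    Returns (final_real_path, layers): `layers` is the ordered list of
    (link_path, link_target) pairs met on the way, including symlinked
    parent directories such as /etc/static; `final_real_path` is the
    non-link entry the walk ends on.  Absolute link targets are re-anchored
    at `root`, not at the host's /.
    """
    root = os.path.abspath(root)
    pending = [c for c in path.split("/") if c]  # components still to visit
    resolved = "/"                                # path inside root so far
    layers = []
    hops = 0
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            resolved = os.path.dirname(resolved)
            continue
        cur = os.path.join(resolved, comp)
        on_host = os.path.join(root, cur.lstrip("/"))
        if not os.path.lexists(on_host):
            raise FileNotFoundError(errno.ENOENT, "missing inside root", cur)
        if os.path.islink(on_host):
            hops += 1
            if hops > MAXSYMLINKS:
                raise OSError(errno.ELOOP, "too many symlink levels", cur)
            target = os.readlink(on_host)
            layers.append((cur, target))
            if target.startswith("/"):
                resolved = "/"  # absolute target: restart from the sandbox root
            # a relative target resolves against the link's own directory,
            # which is what `resolved` still holds here
            pending = [c for c in target.split("/") if c] + pending
            continue
        resolved = cur
    return resolved, layers


def read_through(path, root="/"):
    """Content a process inside `root` would read from `path`, or None if
    some layer is missing (the "resolv.conf isn't readable" case)."""
    try:
        final, _ = symlink_layers(path, root)
    except OSError:
        return None
    with open(os.path.join(root, final.lstrip("/"))) as f:
        return f.read()


def build_nixos_like_tree(with_store=True):
    """Constructed fixture in a temp dir mimicking the layout the issue
    describes.  Store hashes are placeholders, not real /nix/store paths.
    with_store=False leaves /nix out, standing in for a sandbox root that
    has /etc but no /nix."""
    root = tempfile.mkdtemp(prefix="resolv-root-")
    static_dir = "/nix/store/0000000000000000000000000000000a-etc/etc/static"
    conf_file = "/nix/store/0000000000000000000000000000000b-resolv.conf"
    os.makedirs(os.path.join(root, "etc"))
    # layer 1: /etc/resolv.conf -> /etc/static/resolv.conf
    os.symlink("/etc/static/resolv.conf", os.path.join(root, "etc/resolv.conf"))
    # layer 2: the parent directory /etc/static is itself a symlink
    os.symlink(static_dir, os.path.join(root, "etc/static"))
    if with_store:
        os.makedirs(os.path.join(root, static_dir.lstrip("/")))
        # layer 3: .../etc/static/resolv.conf -> the real file in the store
        os.symlink(conf_file,
                   os.path.join(root, static_dir.lstrip("/"), "resolv.conf"))
        with open(os.path.join(root, conf_file.lstrip("/")), "w") as f:
            f.write("nameserver 10.0.2.3\n")  # constructed content
    return root


if __name__ == "__main__":
    root = build_nixos_like_tree()
    final, layers = symlink_layers("/etc/resolv.conf", root)
    for link, target in layers:
        print(f"{link} -> {target}")
    print("real file:", final)
    no_nix = build_nixos_like_tree(with_store=False)
    print("readable without /nix:", read_through("/etc/resolv.conf", no_nix) is not None)
```

Each (link_path, link_target) pair in `layers` is a path that has to exist inside the pivoted root for the chain to resolve; the final entry is the one that actually carries the nameserver lines, so a sandbox that bind-mounts only one of them will still fail the read. `read_through` returning None is the post-pivot_root check the issue suggests: it catches a missing layer before the first DNS lookup does.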