PR#45: Fix nss-resolve to properly fallback in a Flatpak sandbox - rpms/systemd

rpms / systemd

#45 Fix nss-resolve to properly fallback in a Flatpak sandbox

Merged 3 years ago by zbyszek. Opened 3 years ago by otaylor.

rpms/ otaylor/systemd nss-resolve-fallback into f33

Fix nss-resolve to properly fallback in a Flatpak sandbox

Owen W. Taylor • 3 years ago

779685b

file added

+13

		`@@ -0,0 +1,13 @@`
		`+ diff -up systemd-stable-246.9/src/nss-resolve/nss-resolve.c.fallback systemd-stable-246.9/src/nss-resolve/nss-resolve.c`
		`+ --- systemd-stable-246.9/src/nss-resolve/nss-resolve.c.fallback 2021-01-04 15:48:33.668757361 -0500`
		`+ +++ systemd-stable-246.9/src/nss-resolve/nss-resolve.c 2021-01-04 15:49:00.111891935 -0500`
		`+ @@ -23,7 +23,8 @@ NSS_GETHOSTBYNAME_PROTOTYPES(resolve);`
		`+ NSS_GETHOSTBYADDR_PROTOTYPES(resolve);`
		`+`
		`+ static bool bus_error_shall_fallback(sd_bus_error *e) {`
		`+ - return sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN) \|\|`
		`+ + return sd_bus_error_get_errno(e) == ENOTCONN \|\|`
		`+ + sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN) \|\|`
		`+ sd_bus_error_has_name(e, SD_BUS_ERROR_NAME_HAS_NO_OWNER) \|\|`
		`+ sd_bus_error_has_name(e, SD_BUS_ERROR_NO_REPLY) \|\|`
		`+ sd_bus_error_has_name(e, SD_BUS_ERROR_ACCESS_DENIED) \|\|`

systemd.spec

file modified

+6 -1

		`@@ -21,7 +21,7 @@`
		`Name: systemd`
		`Url: https://www.freedesktop.org/wiki/Software/systemd`
		`Version: 246.9`
		`- Release: 2%{?dist}`
		`+ Release: 3%{?dist}`
		`# For a breakdown of the licensing, see README`
		`License: LGPLv2+ and MIT and GPLv2+`
		`Summary: System and Service Manager`
		`@@ -81,6 +81,8 @@`

		`Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch`

		`+ Patch0010: systemd-246-nss-resolve-fallback.patch`
		`+`
		`%ifarch %{ix86} x86_64 aarch64`
		`%global have_gnu_efi 1`
		`%endif`
		`@@ -880,6 +882,9 @@`
		`%files standalone-sysusers -f .file-list-standalone-sysusers`

		`%changelog`
		`+ * Mon Jan 4 2021 Owen Taylor <otaylor@redhat.com> - 246.9-3`
		`+ - Fix nss-resolve to properly fallback in a Flatpak sandbox`
		`+`
		`* Sat Jan 2 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 246.9-2`
		`- Fix bfq patch again (#1813219)`

otaylor commented 3 years ago

This is a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1912131 - the Epiphany Flatpak fails to resolve any URLs because the 'resolve' nss plugin is used, it fails to connect to resolved, and fails all lookups with "not found" because of the particular way it fails to connect to resolved.

A Flatpak can have three different views of the system bus:
- No system bus
- A filtered view
- Complete system bus access

The problem only occurs in the second case - there seems to be some incompatibility between sd-bus and the filtered proxy that Flatpak exports so connection to the bus starts, but then the connection drops before the first call is made. I haven't investigated what the problem is in more detail.

(Since resolved is not in the filtered view, all that would happen if things worked better would be a clean org.freedesktop.DBus.Error.ServiceUnknown error.)

We can work around this by sed'ing /etc/nssswitch.conf when creating the Flatpak container to remove references to resolv, so we don't strongly need this fix, but since I spent quite a bit of time debugging this with @catanzaro and testing a fix, I figured I'd submit a PR anyways :-) There seems to be no upstream relevance since the 246 branch of systemd that f33 uses is EOL, and newer branches use varlink instead.

zuul commented 3 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

rpm-scratch-build : SUCCESS in 10m 11s
rpm-linter : SUCCESS in 7m 27s
rpm-rpminspect : SUCCESS in 14m 45s (non-voting)
check-for-tests : SUCCESS in 5s
rpm-install-test : FAILURE in 6m 41s
rpm-test : SKIPPED

catanzaro commented 3 years ago

I guess we could submit the patch to https://github.com/systemd/systemd-stable. Pretty annoying that the stable branches are maintained separately from the main repo.

zbyszek commented 3 years ago

Is this a backport of an upstream patch?

otaylor commented 3 years ago

Is this a backport of an upstream patch?

I didn't know about the separate systemd-stable repository when I filed this, so no - there's no upstream bug, since it's not relevant to any active branches in the main systemd repository. I can file it against systemd-stable if that makes sense.

otaylor commented 3 years ago

https://github.com/systemd/systemd-stable/pull/85

zbyszek commented 3 years ago

This seems suitable as downstream patch. Not sure about upstream. Let's apply this here for now.