1912131 – [Flatpak] Domain name resolution (DNS) fails to resolve anything (“Name or service not known”)

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1912131 - [Flatpak] Domain name resolution (DNS) fails to resolve anything (“Name or service not known”)

Summary: [Flatpak] Domain name resolution (DNS) fails to resolve anything (“Name or se...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora Modules
Classification:	Fedora
Component:	flatpak-runtime
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Owen Taylor
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-01-03 17:31 UTC by rugk
Modified:	2021-01-20 01:41 UTC (History)
CC List:	13 users (show)
Fixed In Version:	flatpak-runtime-f33-3320210116175640.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-01-20 01:41:23 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
Epiphany DNS error with fragdenstaat.de in background and Firefox Sync/Accounts in the foreground (95.01 KB, image/png) 2021-01-03 17:31 UTC, rugk	no flags	Details
View All

Description rugk 2021-01-03 17:31:27 UTC

Created attachment 1744112 [details]
Epiphany DNS error with fragdenstaat.de in background and Firefox Sync/Accounts in the foreground

Description of problem:
Any website I try to access fails to resolve, because of DNS errors.

Version-Release number of selected component (if applicable):
3.38.2

How reproducible:
Always.

Steps to Reproduce:
1. Open epiphany and open any website.
2. Also try the settings -> Firefox sync settings. That fails, too.

Actual results:
Error resolving “accounts.firefox.com”: Name or service not known

Expected results:
I should be able to access DNS requests.

Additional info:

I've tried to find an "offline mode" setting in Epiphany, but could not find anything, so I assume that is not the cause.

I've tried to test it with curl and even that fails:

$ flatpak enter org.gnome.Epiphany /bin/bash
[📦 org.gnome.Epiphany ~]$ curl test.de
curl: (6) Could not resolve host: test.de
[📦 org.gnome.Epiphany ~]$ curl test.de^C
[📦 org.gnome.Epiphany ~]$ systemd-resolve test.de
test.de: resolve call failed: Der Socket ist nicht verbunden

This curl requests works outside of the flatpak.

$ flatpak info org.gnome.Epiphany 

GNOME Web - Webbrowser für GNOME

         Kennung: org.gnome.Epiphany
             Ref: app/org.gnome.Epiphany/x86_64/stable
     Architektur: x86_64
           Zweig: stable
         Version: 3.38.2
         License: GPL-3.0+
        Ursprung: fedora
      Collection: 
    Installation: system
       Installed: 12,8 MB
Laufzeitumgebung: org.fedoraproject.Platform/x86_64/f33
             Sdk: org.fedoraproject.Sdk/x86_64/f33

          Commit: cbe2075a7b6e84ae85b2e872ff39d0b2c804e5e1217c2321960fb96c1da2a1ab
         Subject: Export org.gnome.Epiphany
            Date: 2020-12-16 10:17:28 +0000
          Alt-id: e5481236e3183a6e5402ff878b322b1713e800e0dbdbbf5413f8ba7574133931

This is Fedora Silverblue.

ostree://fedora:fedora/33/x86_64/silverblue
Fedora 33.20201230.0 (Silverblue)

Comment 1 Michael Catanzaro 2021-01-04 18:31:41 UTC

From the GNOME nightly runtime, where DNS works:

 flatpak run --command=/bin/bash org.gnome.Epiphany.Devel
[📦 org.gnome.Epiphany.Devel ~]$ cat /etc/nsswitch.conf 
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files
group: files
shadow: files

publickey: files

hosts: files dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files


Whereas the Fedora 33 runtime has Fedora's full /etc/nsswitch.conf containing the following hosts line:

hosts:      files resolve [!UNAVAIL=return] myhostname dns


And nss-resolve is not going to work inside the flatpak environment because its D-Bus calls will be filtered by xdg-dbus-proxy. Hm...

Comment 2 Michael Catanzaro 2021-01-04 19:40:35 UTC

So it should be falling back to nss-dns, but clearly it is not.

Inside the sandbox, we have:

$ gdbus call --system --dest org.freedesktop.resolve1 --object-path /org/freedesktop/resolve1 --method org.freedesktop.resolve1.Manager.ResolveHostname example.com
Error: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown

Which is what I would expect. Now, nss-resolve knows it should fallback to nss-dns by returning NSS_STATUS_UNAVAIL when it sees org.freedesktop.DBus.Error.ServiceUnknown, see https://github.com/systemd/systemd/blob/v246/src/nss-resolve/nss-resolve.c#L25. There, bus_error_shall_fallback() should return true, leading to NSS_STATUS_UNAVAIL, which should trigger fallback to nss-dns. But that is not happening for reasons unknown. I got as far as running resolvectl under gdb inside the runtime before I remembered that Fedora runtimes don't have debuginfo yet, so that's the end of the journey for now... too hard to debug further.

Behavior in the Fedora 34 runtime should be different. There, systemd will use a varlink socket instead of D-Bus, /run/systemd/resolve/io.systemd.Resolve. This socket is not going to be mounted in the sandbox, so it should again fallback to nss-dns. My guess is there is less room for error here, so I guess it should probably be fixed in the F34 runtime. Owen says the F34 runtime doesn't exist yet, though.

So for F33, my suggestion is to hack up /etc/nsswitch.conf to look more like the upstream nsswitch.conf:

hosts: files dns

Owen has pointed to https://src.fedoraproject.org/modules/flatpak-runtime/blob/f33/f/container.yaml.

Comment 3 Owen Taylor 2021-01-05 05:55:42 UTC

Filed https://src.fedoraproject.org/rpms/systemd/pull-request/45 with a fix for systemd (tested the fix with a local build of flatpak-runtime that included a patched systemd), but it may be more expeditious to just use cleanup-commands to rewrite nsswitch.conf for F33.

Comment 4 Fedora Update System 2021-01-16 20:09:27 UTC

FEDORA-FLATPAK-2021-1ed8faa49d has been submitted as an update to Fedora 33 Flatpaks. https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2021-1ed8faa49d

Comment 5 Fedora Update System 2021-01-17 02:13:55 UTC

FEDORA-FLATPAK-2021-1ed8faa49d has been pushed to the Fedora 33 Flatpaks testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2021-1ed8faa49d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-01-20 01:41:23 UTC

FEDORA-FLATPAK-2021-1ed8faa49d has been pushed to the Fedora 33 Flatpaks stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.