From e638a4d86b7a990999dba86c2c5a1267d135080b Mon Sep 17 00:00:00 2001 From: David Anderson Date: Fri, 9 Apr 2021 02:52:21 -0700 Subject: [PATCH] net/dns: make directManager support split DNS, and work in sandboxes. Fixes #1495, #683. Signed-off-by: David Anderson --- net/dns/direct.go | 139 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 96 insertions(+), 43 deletions(-) diff --git a/net/dns/direct.go b/net/dns/direct.go index 31613902a..c9081b16e 100644 --- a/net/dns/direct.go +++ b/net/dns/direct.go @@ -9,8 +9,6 @@ package dns import ( "bufio" "bytes" - "errors" - "fmt" "io" "io/ioutil" "os" @@ -23,7 +21,6 @@ import ( ) const ( - tsConf = "/etc/resolv.tailscale.conf" backupConf = "/etc/resolv.pre-tailscale-backup.conf" resolvConf = "/etc/resolv.conf" ) @@ -47,11 +44,10 @@ func writeResolvConf(w io.Writer, servers []netaddr.IP, domains []string) { } } -// readResolvConf reads DNS configuration from /etc/resolv.conf. -func readResolvConf() (OSConfig, error) { +func readResolvFile(path string) (OSConfig, error) { var config OSConfig - f, err := os.Open("/etc/resolv.conf") + f, err := os.Open(path) if err != nil { return config, err } @@ -82,6 +78,11 @@ func readResolvConf() (OSConfig, error) { return config, nil } +// readResolvConf reads DNS configuration from /etc/resolv.conf. +func readResolvConf() (OSConfig, error) { + return readResolvFile(resolvConf) +} + // isResolvedRunning reports whether systemd-resolved is running on the system, // even if it is not managing the system DNS settings. func isResolvedRunning() bool { @@ -114,46 +115,72 @@ func newDirectManager() directManager { return directManager{} } -func (m directManager) SetDNS(config OSConfig) error { - // Write the tsConf file. - buf := new(bytes.Buffer) - writeResolvConf(buf, config.Nameservers, config.SearchDomains) - if err := atomicfile.WriteFile(tsConf, buf.Bytes(), 0644); err != nil { +// ownedByTailscale reports whether /etc/resolv.conf seems to be a +// tailscale-managed file. +func (m directManager) ownedByTailscale() (bool, error) { + st, err := os.Stat(resolvConf) + if err != nil { + if os.IsNotExist(err) { + return false, nil + } + return false, err + } + if !st.Mode().IsRegular() { + return false, nil + } + bs, err := ioutil.ReadFile(resolvConf) + if err != nil { + return false, err + } + if bytes.Contains(bs, []byte("generated by tailscale")) { + return true, nil + } + return false, nil +} + +// backupConfig creates or updates a backup of /etc/resolv.conf, if +// resolv.conf does not currently contain a Tailscale-managed config. +func (m directManager) backupConfig() error { + if _, err := os.Stat(resolvConf); err != nil { + if os.IsNotExist(err) { + // No resolv.conf, nothing to back up. Also get rid of any + // existing backup file, to avoid restoring something old. + os.Remove(backupConf) + return nil + } return err } - if linkPath, err := os.Readlink(resolvConf); err != nil { - // Remove any old backup that may exist. - os.Remove(backupConf) - - // Backup the existing /etc/resolv.conf file. - contents, err := ioutil.ReadFile(resolvConf) - // If the original did not exist, still back up an empty file. - // The presence of a backup file is the way we know that Up ran. - if err != nil && !errors.Is(err, os.ErrNotExist) { - return err - } - if err := atomicfile.WriteFile(backupConf, contents, 0644); err != nil { - return err - } - } else if linkPath != tsConf { - // Backup the existing symlink. - os.Remove(backupConf) - if err := os.Symlink(linkPath, backupConf); err != nil { - return err - } - } else { - // Nothing to do, resolvConf already points to tsConf. + owned, err := m.ownedByTailscale() + if err != nil { + return err + } + if owned { return nil } - os.Remove(resolvConf) - if err := os.Symlink(tsConf, resolvConf); err != nil { + return os.Rename(resolvConf, backupConf) +} + +func (m directManager) SetDNS(config OSConfig) error { + if err := m.backupConfig(); err != nil { return err } + buf := new(bytes.Buffer) + writeResolvConf(buf, config.Nameservers, config.SearchDomains) + if err := atomicfile.WriteFile(resolvConf, buf.Bytes(), 0644); err != nil { + return err + } + + // We might have taken over a configuration managed by resolved, + // in which case it will notice this on restart and gracefully + // start using our configuration. This shouldn't happen because we + // try to manage DNS through resolved when it's around, but as a + // best-effort fallback if we messed up the detection, try to + // restart resolved to make the system configuration consistent. if isResolvedRunning() { - exec.Command("systemctl", "restart", "systemd-resolved.service").Run() // Best-effort. + exec.Command("systemctl", "restart", "systemd-resolved.service").Run() } return nil @@ -164,27 +191,53 @@ func (m directManager) SupportsSplitDNS() bool { } func (m directManager) GetBaseConfig() (OSConfig, error) { - return OSConfig{}, ErrGetBaseConfigNotSupported + owned, err := m.ownedByTailscale() + if err != nil { + return OSConfig{}, err + } + fileToRead := resolvConf + if owned { + fileToRead = backupConf + } + + return readResolvFile(fileToRead) } func (m directManager) Close() error { + // We used to keep a file for the tailscale config and symlinked + // to it, but then we stopped because /etc/resolv.conf being a + // symlink to surprising places breaks snaps and other sandboxing + // things. Clean it up if it's still there. + os.Remove("/etc/resolv.tailscale.conf") + if _, err := os.Stat(backupConf); err != nil { - // If the backup file does not exist, then Up never ran successfully. if os.IsNotExist(err) { + // No backup, nothing we can do. return nil } return err } - - if ln, err := os.Readlink(resolvConf); err != nil { + owned, err := m.ownedByTailscale() + if err != nil { return err - } else if ln != tsConf { - return fmt.Errorf("resolv.conf is not a symlink to %s", tsConf) } + _, err = os.Stat(resolvConf) + if err != nil && !os.IsNotExist(err) { + return err + } + resolvConfExists := !os.IsNotExist(err) + + if resolvConfExists && !owned { + // There's already a non-tailscale config in place, get rid of + // our backup. + os.Remove(backupConf) + return nil + } + + // We own resolv.conf, and a backup exists. if err := os.Rename(backupConf, resolvConf); err != nil { return err } - os.Remove(tsConf) if isResolvedRunning() { exec.Command("systemctl", "restart", "systemd-resolved.service").Run() // Best-effort.