It must be noted that no actual network operation happen, so this
doesn't fall into the "no network activity" bucket.
This is the bug that was filed against dnspython: https://bugs.debian.org/989171
Do anybody on the list have any opinion on where is the bug, on
dnspython, or on the build environment?
On Mon, 06 Sep 2021, Mattia Rizzolo wrote:
It must be noted that no actual network operation happen, so this
doesn't fall into the "no network activity" bucket.
This is the bug that was filed against dnspython: https://bugs.debian.org/989171
Do anybody on the list have any opinion on where is the bug, on
dnspython, or on the build environment?
Do you know why dnspython doesn't just fall back to socket.getaddrinfo
if it can't parse /etc/resolv.conf [or maybe why python applications
using dnspython don't fall back to that if dnspython fails?]
That seems like the right default unless you really, really need to talk
to a full-fledged DNS server directly.
Therefore, I am in the opinion that we should let the package run its
test as much as possible, especially considering that it's not doing
actual network outbound connections.
Hi,
during the year, a src:dnspython change made it so that any software importing that library now requires a valid /etc/resolv.conf with at
least one nameserver configured.
This also made it so that something between 50-100 packages now fail to
build if the build system doesn't have any working /etc/resolv.conf. I venture to say that this is a very reasonable configuration to have in a build system that tries to be network-disabled.
It must be noted that no actual network operation happen, so this
doesn't fall into the "no network activity" bucket.
This is the bug that was filed against dnspython: https://bugs.debian.org/989171
Do anybody on the list have any opinion on where is the bug, on
dnspython, or on the build environment?
As the pbuilder maintainer, I've been asked to make it serve a
non-working /etc/resolv.conf just to make that bug above moot, so I'm
quite biased on the matter myself :)
On ബു, സെപ്റ്റം 8 2021 at 04:18:46 വൈകു +0200 +0200, Thomas Goirand <zigo@debian.org> wrote:
Therefore, I am in the opinion that we should let the package run its
test as much as possible, especially considering that it's not doing
actual network outbound connections.
Can't we run these tests as autopkgtests?
Do anybody on the list have any opinion on where is the bug, on
dnspython, or on the build environment?
during the year, a src:dnspython change made it so that any software importing that library now requires a valid /etc/resolv.conf with at
least one nameserver configured.
This also made it so that something between 50-100 packages now fail to
build if the build system doesn't have any working /etc/resolv.conf. I venture to say that this is a very reasonable configuration to have in a build system that tries to be network-disabled.
It must be noted that no actual network operation happen, so this
doesn't fall into the "no network activity" bucket.
This is the bug that was filed against dnspython: https://bugs.debian.org/989171
Do anybody on the list have any opinion on where is the bug, on
dnspython, or on the build environment?
On Mon, Sep 06, 2021 at 04:39:39PM +0200, Mattia Rizzolo wrote:
Do anybody on the list have any opinion on where is the bug, on
dnspython, or on the build environment?
I concur that the absence of /etc/resolv.conf is a sensible
configuration. Indeed, it is my method-of-choice for implementing
poor-man's network-less builds with sbuild: Delete /etc/resolv.conf. It doesn't actually prevent network access, but makes accidental network
access very unlikely.
...
As such, I err on dnspython being in need of a fix.
Helmut
As such, I err on dnspython being in need of a fix.
Now, that said, if the build process actually wants a DNS server to
run tests against, it should provide or depend on such a DNS server,
and configure it for such tests.
On Wed, Sep 08, 2021 at 07:57:20PM +0530, Pirate Praveen wrote:
On ബു, സെപ്റ്റം 8 2021 at 04:18:46 വൈകു
+0200 +0200, Thomas Goirand <zigo@debian.org> wrote:
Therefore, I am in the opinion that we should let the package runits
test as much as possible, especially considering that it's notdoing
actual network outbound connections.
Can't we run these tests as autopkgtests?
That would only move the problem elsewhere, since this creates a
similar
question whether such tests should need a "needs-internet" restriction
for autopkgtest which might result in them being skipped in most
cases.
Later on, the class calls the method read_resolv_conf that has:
So, any test case that does that fails simply because the *FILE* /etc/resolv.conf isn't there on the filesystem (and not because there's
no working DNS server, which would be just fine).
One could argue that the test cases should aways instantiate the
Resolver object with a non-default (test only) filename argument.
I agree with that: please propose such a patch upstream. But does it
deserve anyone time? I don't think so. We're achieving absolutely
nothing doing this: this doesn't improve Debian...
...
That seems like a bug in the test cases, they shouldn't be testing the
build time environment like that, since it could differ from the
runtime environment.
There are nss_wrapper/resolv_wrapper for mocking
away the build-time DNS resolving infrastructure.
https://cwrap.org/nss_wrapper.html
https://cwrap.org/resolv_wrapper.html
...
bye,
pabs
On 9/8/21 6:01 PM, Josh Triplett wrote:
Now, that said, if the build process actually wants a DNS server to
run tests against, it should provide or depend on such a DNS server,
and configure it for such tests.
Just to be 100% sure we're on the same page: that's *not* what dnspython
is doing. It's a client library that's testing parsing of the /etc/resolv.conf format, and it just expects it to be there for parsing.
...
I think dnspython's previous approach was correct: just like glibc, musl, and other libraries, if /etc/resolv.conf is missing they should treat that as though it specified a nameserver on localhost.
The change to make that a
configuration error, instead, breaks real configurations that intentionally don't have /etc/resolv.conf.
Among other things, having a DNS server on localhost (or forwarding the DNS port on localhost to your real DNS server) means that a chroot without /etc/resolv.conf still has functional DNS.
Now, that said, if the build process actually wants a DNS server to run tests against, it should provide or depend on such a DNS server, and configure it for
such tests.
...
- Josh Triplett
On Thu, Sep 09, 2021 at 04:45:35AM +0000, Paul Wise wrote:
...
That seems like a bug in the test cases, they shouldn't be testing the
build time environment like that, since it could differ from the
runtime environment.
These are usually not the tests of dnspython.
dnspython even has some support for using a different file instead of /etc/resolv.conf, the problem is that there are several other packages
in the callstack before dnspython in these failing tests.
Note that even if you would be mocking /etc/resolv.conf, you'd still
have to add a nameserver IP address in the mocked /etc/resolv.conf
At that point you might as well install the mocked resolv.conf
as /etc/resolv.conf in build environments.
Thomas Goirand wrote:
On 9/8/21 6:01 PM, Josh Triplett wrote:
Now, that said, if the build process actually wants a DNS server to
run tests against, it should provide or depend on such a DNS server,
and configure it for such tests.
Just to be 100% sure we're on the same page: that's *not* what dnspython
is doing. It's a client library that's testing parsing of the
/etc/resolv.conf format, and it just expects it to be there for parsing.
I understood that; I'd just wanted to make it clear that while programs parsing /etc/resolv.conf should assume a nameserver on localhost if /etc/resolv.conf doesn't exist
On 9/10/21 10:53 AM, Josh Triplett wrote:
Thomas Goirand wrote:
On 9/8/21 6:01 PM, Josh Triplett wrote:
Now, that said, if the build process actually wants a DNS server to
run tests against, it should provide or depend on such a DNS server,
and configure it for such tests.
Just to be 100% sure we're on the same page: that's *not* what dnspython >> is doing. It's a client library that's testing parsing of the
/etc/resolv.conf format, and it just expects it to be there for parsing.
I understood that; I'd just wanted to make it clear that while programs parsing /etc/resolv.conf should assume a nameserver on localhost if /etc/resolv.conf doesn't exist
I don't understand why that should be the case. If there's a local nameserver, then it should be configured in resolv.conf as "nameserver 127.0.0.1" no?
On Wed, Sep 08, 2021 at 09:01:31AM -0700, Josh Triplett wrote:
...
I think dnspython's previous approach was correct: just like glibc, musl, and
other libraries, if /etc/resolv.conf is missing they should treat that as though it specified a nameserver on localhost.
How libraries implement a standard high-level C interface is not
necessarily relevant for how a DNS library implements a low-level
interface.
As the pbuilder maintainer, I've been asked to make it serve a non-working /etc/resolv.conf just to make that bug above moot, so I'm quite biased on the matter myself :)
On Fri, 10 Sep 2021, Adrian Bunk wrote:
On Wed, Sep 08, 2021 at 09:01:31AM -0700, Josh Triplett wrote:
...
I think dnspython's previous approach was correct: just like glibc, musl, and
other libraries, if /etc/resolv.conf is missing they should treat that as though it specified a nameserver on localhost.
How libraries implement a standard high-level C interface is not necessarily relevant for how a DNS library implements a low-level interface.
It seems to me that upstream should just not raise
NoResolverConfiguration, and instead not configure any nameservers.
Then, if someone tries to resolve without any configured nameservers, NoNameservers will be raised, which is the same thing that happens if
there are no good nameservers, and is less inconsistent with the
previous behavior.
Hi,
Quoting Mattia Rizzolo (2021-09-06 16:39:39)
As the pbuilder maintainer, I've been asked to make it serve a non-working /etc/resolv.conf just to make that bug above moot, so I'm quite biased on the
matter myself :)
sbuild already disables network access for all chroot backends that support it.
Schroot, the default chroot backend, currently doesn't allow this. See #802849.
The only chroot backend that allows disabling the network is the unshare backend. It does so, by unsharing the network namespace, only bringing up the loopback interface and writing an empty /etc/resolv.conf.
Quoting Mattia Rizzolo (2021-09-14 15:34:36)
On Tue, Sep 14, 2021 at 10:05:01AM +0200, Johannes Schauer Marin Rodrigues wrote:
Hi,
Quoting Mattia Rizzolo (2021-09-06 16:39:39)
As the pbuilder maintainer, I've been asked to make it serve a non-working
/etc/resolv.conf just to make that bug above moot, so I'm quite biased on the
matter myself :)
sbuild already disables network access for all chroot backends that support it.
As several people already stated, this is *not* about network access.
Yes, I mention it for context.
Schroot, the default chroot backend, currently doesn't allow this. See
#802849.
Likewise pbuilder, yes.
The only chroot backend that allows disabling the network is the unshare >> > backend. It does so, by unsharing the network namespace, only bringing up the
loopback interface and writing an empty /etc/resolv.conf.
So you ship an *empty* /etc/resolv.conf? Then I suppose you also can't build
packages using dnspython in their tests with your configuration?
Correct. This currently fails:
sbuild -d unstable --chroot-mode=unshare python-oslo.rootwrap
The error message is the same as for the package mentioned in #989171, namely:
https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/python-oslo.rootwrap.html
This is why I'm writing about sbuild. I wonder if it's a bug for sbuild to >write out an empty /etc/resolv.conf.
On Tue, Sep 14, 2021 at 10:05:01AM +0200, Johannes Schauer Marin Rodrigues wrote:
Hi,
Quoting Mattia Rizzolo (2021-09-06 16:39:39)
As the pbuilder maintainer, I've been asked to make it serve a non-working
/etc/resolv.conf just to make that bug above moot, so I'm quite biased on the
matter myself :)
sbuild already disables network access for all chroot backends that support it.
As several people already stated, this is *not* about network access.
Schroot, the default chroot backend, currently doesn't allow this. See #802849.
Likewise pbuilder, yes.
The only chroot backend that allows disabling the network is the unshare backend. It does so, by unsharing the network namespace, only bringing up the
loopback interface and writing an empty /etc/resolv.conf.
So you ship an *empty* /etc/resolv.conf? Then I suppose you also can't build packages using dnspython in their tests with your configuration?
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 296 |
Nodes: | 16 (2 / 14) |
Uptime: | 51:25:16 |
Calls: | 6,649 |
Calls today: | 1 |
Files: | 12,200 |
Messages: | 5,330,304 |