Systemd-Nspawn - Failing DNS lookups

January 13, 2018 — Team localos

Using systemd as init system is a matter of taste, hence we do not want to elaborate this here in more detail.

Systemd-nspawn [1] is a tool which is, in some sense, chroot on steroids: it provides a lightweight container for testing, debugging, development and, of course, quick and dirty research.

A tool like mkosi [2], which "stands for Make Operating System Image, and is a tool for precisely that: generating an OS tree or image that can be booted", can be used to build raw images, e.g. for use with qemu, as well as a kind of reusable container based on nspawn.

Situation and Problem

For quite a while there have been several bugs related to DNS in combination with nspawn.

After playing around with several configurations of mkosi and porting them to different systems running the same Linux distribution (here: Arch Linux), a strange behavior occurred.

On most systems, everything was working as expected. But on one system, which was on the same patch level and had no special configuration, DNS lookups were not possible. The usual networking functionality was fine, but systemd-resolved was crashing all the time without a reasonable error, and even using an "own" resolv.conf had no effect. Since there was no firewalling in place for this configuration, the problem could only have been somewhere in the DNS part of the system.

Possible (more or less) Workaround

To cut through the shit, and without analyzing why this happened: comparing all DNS-related config files across the different systems and containers did not help, since they were all identical.

A possible "workaround" is adding dns to the hosts line of /etc/nsswitch.conf so that an "own" /etc/resolv.conf is used (the resolve entry can also be replaced by it). Disabling systemd-resolved should be done in addition.

[user@blubs ~]$ cat /etc/nsswitch.conf
[...]
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
[...]
[user@blubs ~]$ sudo systemctl disable systemd-resolved
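The reason the two steps belong together is the NSS action syntax: "resolve [!UNAVAIL=return]" tells glibc to stop the lookup unless the resolve module reported UNAVAIL. While a broken systemd-resolved is still running, it answers (e.g. NOTFOUND) and the lookup returns before a later "dns" entry is ever consulted; once resolved is disabled, resolve reports UNAVAIL and the lookup falls through. So "dns" has to sit after "resolve" in the hosts line, and resolved has to be off. The following script is an added example (not part of the original post) that checks a hosts line for exactly this and proposes the patched line; the file path, function names and the sample nsswitch.conf it writes to a temporary file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: inspect the "hosts:" line of
# an nsswitch.conf and report whether a lookup can still reach the plain "dns"
# module (and thus /etc/resolv.conf) once systemd-resolved is out of the way.
#
# glibc NSS action syntax: "resolve [!UNAVAIL=return]" means "stop here unless
# the resolve module reported UNAVAIL". With systemd-resolved disabled, resolve
# reports UNAVAIL and the lookup continues with the next module.
set -f   # no pathname expansion: "[!UNAVAIL=return]" is also a valid glob pattern

# Print the module list of the first "hosts:" entry in the given file,
# with comments stripped (constructed helper, path is caller-supplied).
hosts_modules() {
    sed -n -e 's/#.*//' -e 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1
}

# Classify a hosts module list. Prints one of:
#   dns-first     dns is consulted before resolve
#   dns-fallback  dns sits behind "resolve [...return]": reached only on UNAVAIL,
#                 i.e. only once systemd-resolved is disabled
#   dns-after     dns sits behind resolve, which has no return action
#   dns-missing   no dns module at all: lookups depend entirely on resolve
classify_hosts_line() {
    seen_resolve=0; resolve_returns=0
    for tok in $1; do
        case "$tok" in
            resolve) seen_resolve=1 ;;
            \[*return*\]) if [ "$seen_resolve" -eq 1 ]; then resolve_returns=1; fi ;;
            dns)
                if [ "$seen_resolve" -eq 0 ]; then echo dns-first
                elif [ "$resolve_returns" -eq 1 ]; then echo dns-fallback
                else echo dns-after; fi
                return 0 ;;
        esac
    done
    echo dns-missing
}

# Propose a patched module list: insert "dns" right after "resolve" and its
# action spec (as in the post), or append it when resolve is absent or last.
add_dns_fallback() {
    if [ "$(classify_hosts_line "$1")" != dns-missing ]; then
        echo "$1"; return 0        # already has a dns module; leave the line as is
    fi
    out=""; after_resolve=0; added=0
    for tok in $1; do
        if [ "$after_resolve" -eq 1 ]; then
            case "$tok" in
                \[*\]) ;;                                  # still resolve's action spec
                *) out="$out dns"; added=1; after_resolve=0 ;;
            esac
        fi
        if [ "$tok" = resolve ]; then after_resolve=1; fi
        out="$out $tok"
    done
    if [ "$added" -eq 0 ]; then out="$out dns"; fi   # resolve was last, or absent
    echo "${out# }"
}

# Demo on a constructed nsswitch.conf that lacks the dns module.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample, not a real system file
passwd: files
hosts: files mymachines resolve [!UNAVAIL=return] myhostname
EOF
line=$(hosts_modules "$tmp")
rm -f "$tmp"
echo "current : $line -> $(classify_hosts_line "$line")"
echo "proposed: $(add_dns_fallback "$line")"
```

On a real system, run hosts_modules against /etc/nsswitch.conf and pair the verdict with `systemctl is-active systemd-resolved`: a "dns-fallback" line only helps while that reports inactive, which is why the post disables the unit as well.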

Since there was no time left for a deep analysis of why this was happening on this single system, and of course it was only for testing purposes, the shown "workaround" helped to get the research done... even if this is not very satisfying. Maybe something was missed...

[1] https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html
[2] http://0pointer.net/blog/mkosi-a-tool-for-generating-os-images.html

Tags: dns, container, systemd, nspawn, kb, mkosi