Development discussion of WireGuard
From: "Ondřej Grover" <ondrej.grover@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: DNS endpoint resolution in container namespace
Date: Thu, 24 Nov 2022 11:03:14 +0100
Message-ID: <CAOyjJOLRZb7BuGBQAK6_bKBCcLOkQnHQ7FcZuaLy0=_+EsJXeg@mail.gmail.com>

Hi,

I tried to follow the example here
https://www.wireguard.com/netns/#ordinary-containerization
but I found out that the DNS endpoint resolution through

ip netns exec container wg setconf wg0 /etc/wireguard/wg0.conf

won't work, because it is run in the new container namespace not yet
capable of DNS resolution.
Looking at the source code here
https://git.zx2c4.com/wireguard-tools/tree/src/config.c#n242
confirmed my suspicion that the DNS resolution is done by the wg tool
in the container namespace rather than in the original namespace.

In an ideal world the DNS resolution should IMHO happen in the
original namespace capable of DNS resolution where the world-facing
UDP socket using that endpoint IP is anyway.
Often one could use just a hard-coded IP (that's indeed what I
resorted to in the end, or perform DNS resolution at container
provisioning time as suggested by mrngm in IRC) for the wg0.conf in
the container, but with DynDNS and similar setups this may not be
possible.

But since that might require significant changes (e.g. requesting DNS
resolution in the original namespace through the kernel?), perhaps at
least in the short term I would recommend that this caveat is
mentioned on the webpage and/or perhaps in the example the `wg
setconf` step would be run in the original namespace (unless there is
some repercussion to that I did not consider).

Best wishes and thanks for all your work making wireguard what it is today,
Ondrej G.
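The "resolve at container provisioning time" workaround mentioned above, written out as an added example; this is not code from the list post or from wireguard-tools. It resolves the Endpoint hostnames with getent in whatever namespace the script runs in (the original, DNS-capable one), writes a copy of the config with literal IPs, and only then runs `wg setconf` inside the container namespace. The namespace name `container` and interface name `wg0` follow the wireguard.com netns example; the sample config, its placeholder keys, the stub resolver and the documentation-range addresses are constructed so the demo runs offline.

```shell
#!/bin/sh
# Added example (not from the list post or wireguard-tools): resolve the
# Endpoint hostnames of a wg config in the namespace this script runs in
# (the original, DNS-capable one), and only then hand a config containing
# literal IPs to `wg setconf` inside the container namespace.
set -eu

# resolve_host HOSTNAME -> first IPv4 address from the local resolver.
# Runs in the caller's namespace, which is the point: call it before
# entering the container namespace.
resolve_host() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# rewrite_endpoints [RESOLVER]
# Reads a wg config on stdin and writes it to stdout with every
# "Endpoint = host:port" replaced by "Endpoint = ip:port". Literal IPv4
# and bracketed IPv6 endpoints pass through unchanged, as do all other
# lines. RESOLVER is a function or command name (default: resolve_host).
rewrite_endpoints() {
    resolver=${1:-resolve_host}
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            Endpoint*=*)
                value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                host=${value%:*}   # everything before the last colon
                port=${value##*:}  # everything after the last colon
                case "$host" in
                    "["*)       printf '%s\n' "$line" ;;  # [IPv6]:port literal
                    *[!0-9.]*)  printf 'Endpoint = %s:%s\n' "$("$resolver" "$host")" "$port" ;;
                    *)          printf '%s\n' "$line" ;;  # IPv4 literal
                esac
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# provision_container NETNS CONF
# Resolve in the current (original) namespace, then apply inside NETNS.
# `ip netns exec` changes only the network namespace, so the temporary
# file (created 0600 by mktemp, since it holds PrivateKey) stays visible.
# NETNS and the interface name wg0 follow the wireguard.com netns example.
provision_container() {
    tmp=$(mktemp)
    rewrite_endpoints < "$2" > "$tmp"
    if ! ip netns exec "$1" wg setconf wg0 "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Constructed sample config and stub resolver so the demo runs offline;
# the key values are placeholders, not real keys.
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY
AllowedIPs = 10.0.0.0/24
Endpoint = vpn.example.com:51820'

stub_resolve() { printf '192.0.2.10\n'; }  # stands in for the host-side resolver

# demo: print SAMPLE_CONF with its hostname endpoint replaced.
demo() {
    printf '%s\n' "$SAMPLE_CONF" | rewrite_endpoints stub_resolve
}

demo
```

In practice you would call `provision_container container /etc/wireguard/wg0.conf` from the original namespace, in place of running `wg setconf` under `ip netns exec` directly. The resolution happens once, at provisioning time, so a DynDNS name that changes later still needs the script re-run; that is the limitation the post points out, not something this script removes. The temporary copy carries the private key, which is why it is created with mktemp's default 0600 mode and deleted right after `wg setconf` returns.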