Bug 1194561 - After boot avahi-daemon needs restart for unicast DNS/wide area lookups to work
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Network
Version: Leap 15.3
Hardware: x86-64 openSUSE Leap 15.3
Priority: P5 - None, Severity: Normal
Assigned To: E-mail List
Reported: 2022-01-11 20:49 UTC by Pieter Hollants
Modified: 2022-05-13 21:37 UTC

Description Pieter Hollants 2022-01-11 20:49:21 UTC
After boot avahi-daemon.service needs to be restarted for unicast DNS/wide area lookups to work.

Steps to reproduce:
1. Boot
2. Try "avahi-browse -akr zeroconf.org". No results shown. Wireshark shows that Avahi incorrectly does mDNS instead of unicast DNS lookups.
3. systemctl restart avahi-daemon.service
4. "avahi-browse -akr zeroconf.org" now returns the DNS-SD records from zeroconf.org correctly. Wireshark shows that Avahi now does unicast DNS lookups as it should for anything but ".local" addresses (conformant to /etc/avahi/avahi-daemon.conf parameter "enable-wide-area = yes").

I'm not sure if this is a question on when to start Avahi or an upstream bug. I tried "systemctl edit avahi-daemon.service" to get it to start after Network-online.target but I'm not sure if I achieved that.
Comment 1 Michael Gorse 2022-01-14 17:50:42 UTC
If I edit /usr/lib/systemd/system/avahi-daemon.service and add
After=network-online.target
in the [Unit] section, then this appears to fix the problem for me.
Comment 5 Ludwig Nussel 2022-02-15 13:29:09 UTC
Making avahi start only after network-online.target is certainly incorrect. That leaves the system unnecessarily in the booting stage until NM may finally connect to e.g. some wifi.
Avahi can detect interface changes just fine; as such, it should also detect name server changes. This needs a proper fix.
Comment 6 Ludwig Nussel 2022-02-15 14:17:56 UTC
It has inotify watches only on its service dirs, not resolv.conf: https://github.com/lathiat/avahi/blob/master/avahi-daemon/main.c#L927

avahi-daemon reloads everything on SIGHUP, so a quick hack would also be to add an NM dispatcher script to kill -HUP avahi.
Comment 7 Michael Gorse 2022-02-15 21:18:51 UTC
I have a test package in home:mgorse:branches:GNOME:Next with a patch to add an inotify watch for /etc/resolv.conf. It seems to work for me. It isn't enough to solve the issue upstream because it doesn't take the chroot helper into account. That wouldn't matter for our package at the moment because we don't BuildRequire libpcap, so chrooting is not supported, although maybe we should enable it.
But I have several other packages that also have After=Network-online.target (samba and nfs-server, for instance), so I'm not seeing how avahi is uniquely a problem here.
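
Added illustration of the approach discussed in comments 6 and 7, watching for resolv.conf changes with inotify. This is not the patch from the test package and not Avahi's code; the function names resolv_watch_open and resolv_watch_changed are hypothetical, and the chroot helper mentioned above is not covered.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Hypothetical helper. Watch the directory, not the file: resolv.conf is
 * usually replaced via rename(), which orphans a watch on the old inode. */
int resolv_watch_open(const char *dir) {
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) return -1;
    if (inotify_add_watch(fd, dir, IN_CLOSE_WRITE | IN_MOVED_TO |
                                   IN_CREATE | IN_DELETE) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Wait up to timeout_ms, then drain the queue. Returns 1 if any event
 * names `name` (or events were lost), 0 if none did, -1 on error. */
int resolv_watch_changed(int fd, const char *name, int timeout_ms) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int changed = 0;
    if (poll(&pfd, 1, timeout_ms) < 0 && errno != EINTR) return -1;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0 && errno != EAGAIN && errno != EINTR) return -1;
        if (n <= 0) break;                      /* queue drained */
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->mask & IN_Q_OVERFLOW) changed = 1; /* lost events */
            if (ev->len > 0 && strcmp(ev->name, name) == 0) changed = 1;
            p += sizeof *ev + ev->len;
        }
    }
    return changed;
}

int main(void) {
    int r, fd = resolv_watch_open("/etc");
    if (fd < 0) { perror("inotify"); return EXIT_FAILURE; }
    while ((r = resolv_watch_changed(fd, "resolv.conf", -1)) >= 0)
        if (r) puts("resolv.conf changed: re-read DNS servers");
    return EXIT_FAILURE;
}
```

Where /etc/resolv.conf is a symlink, the directory to watch is the one holding the link target, since writes there produce no events in /etc.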
Comment 8 Ludwig Nussel 2022-02-16 08:13:21 UTC
It's not correct for those either :-) It's just less obvious as samba and nfs-server are not used on desktops by default. avahi is installed and enabled on every single installation.

Instead of the chroot option of avahi it would also be possible to use systemd's hardening features. I'm actually surprised avahi didn't catch the attention of security yet :-) https://bugzilla.suse.com/show_bug.cgi?id=1181400

# systemd-analyze security avahi-daemon.service
[...]
→ Overall exposure level for avahi-daemon.service: 9.6 UNSAFE 
Comment 9 Johannes Segitz 2022-02-16 08:27:53 UTC
It now has, thanks :)
Comment 13 Swamp Workflow Management 2022-03-17 14:23:25 UTC
openSUSE-RU-2022:0888-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1179060,1194561,1195614,1196282
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    avahi-glib2-0.7-3.18.1
openSUSE Leap 15.3 (src):    avahi-0.7-3.18.1, avahi-glib2-0.7-3.18.1
Comment 14 Swamp Workflow Management 2022-03-17 14:29:04 UTC
SUSE-RU-2022:0888-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1179060,1194561,1195614,1196282
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    avahi-0.7-3.18.1, avahi-glib2-0.7-3.18.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    avahi-0.7-3.18.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    avahi-0.7-3.18.1, avahi-glib2-0.7-3.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    avahi-0.7-3.18.1, avahi-glib2-0.7-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-04-19 22:22:46 UTC
SUSE-RU-2022:0888-2: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1179060,1194561,1195614,1196282
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Micro 5.2 (src):    avahi-0.7-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Michael Gorse 2022-05-13 21:37:55 UTC
Fixed.