我正在尝试创建一个 chroot 来运行一个需要互联网访问的程序来为自己构建一个沙盒的、不可变的开发人员环境。到目前为止,我的 jail 运行良好:我可以在其中运行 bash 并从那里运行简单的程序!但是 DNS 解析不起作用:
bash-3.2$ curl google.ca
curl: (6) Could not resolve host: google.ca
我几乎肯定这是因为内部进程无法连接到在 jail 外部运行的 mDNSResponder
守护进程。在 jail 外面有一个mDNSResponder
套接字供整个系统使用:
host ➜ ls -lA /var/run/mDNSResponder
srw-rw-rw- 1 root daemon 0 22 Oct 10:41 /var/run/mDNSResponder
但是, jail 里没有。因此,我尝试使用 socat
创建一个从 jail 内部到外部的 unix 套接字“代理”:我运行 socat
(下面的命令)在我的内部创建一个套接字 jail ,然后在 jail 内再次运行curl,但curl仍然给出相同的错误消息。使用 SIGUSR1 打开 mDNSResponder
的详细日志记录后,我在系统日志中看到了这一点:
2015-10-26 5:32:30.835 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 0
2015-10-26 5:32:30.835 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23271](socat)
2015-10-26 5:32:30.836 PM mDNSResponder[95]: 12: read_msg: ERROR failed to get errsd via SCM_RIGHTS
2015-10-26 5:32:30.836 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23271](socat)
2015-10-26 5:32:30.836 PM mDNSResponder[95]: 12: Removing FD
2015-10-26 5:32:31.339 PM curl[23269]: dnssd_clientstub read_all(5) failed 0/4 0
2015-10-26 5:32:31.339 PM curl[23269]: dnssd_clientstub write_all(4) failed -1/28 32 Broken pipe
2015-10-26 5:32:31.341 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 0
2015-10-26 5:32:31.341 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23272](socat)
2015-10-26 5:32:31.342 PM mDNSResponder[95]: 12: read_msg: ERROR failed to get errsd via SCM_RIGHTS
2015-10-26 5:32:31.342 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23272](socat)
2015-10-26 5:32:31.342 PM mDNSResponder[95]: 12: Removing FD
2015-10-26 5:32:31.844 PM curl[23269]: dnssd_clientstub read_all(5) failed 0/4 0
2015-10-26 5:32:31.846 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 0
2015-10-26 5:32:31.846 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23274](socat)
2015-10-26 5:32:31.847 PM mDNSResponder[95]: 12: read_msg: ERROR failed to get errsd via SCM_RIGHTS
2015-10-26 5:32:31.847 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23274](socat)
2015-10-26 5:32:31.847 PM mDNSResponder[95]: 12: Removing FD
2015-10-26 5:32:32.349 PM curl[23269]: dnssd_clientstub read_all(5) failed 0/4 0
2015-10-26 5:32:32.350 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 0
2015-10-26 5:32:32.351 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23275](socat)
2015-10-26 5:32:33.361 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23275](socat)
2015-10-26 5:32:33.361 PM mDNSResponder[95]: 12: Removing FD
在我看来,通过 dnssd_clientstub
的 curl
正在尝试三次来解析该名称。这是被监禁进程尝试连接时的 socat
日志:
host ~/C/jail (master*) ➜
sudo socat -v -d -d UNIX-LISTEN:/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder,mode=666,fork,user=root,group=daemon UNIX-CLIENT:/private/var/run/mDNSResponder
Password:
2015/10/26 18:16:03 socat[24334] N listening on LEN=67 AF=1 "/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24334] N accepting connection from LEN=16 AF=1 "" on LEN=67 AF=1 "/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24334] N forked off child process 24341
2015/10/26 18:16:07 socat[24334] N listening on LEN=67 AF=1 "/Users/hornairs/Code/jail/jail-test/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24341] N opening connection to LEN=32 AF=1 "/private/var/run/mDNSResponder"
2015/10/26 18:16:07 socat[24341] N successfully connected from local address LEN=16 AF=1 ""
2015/10/26 18:16:07 socat[24341] N starting data transfer loop with FDs [6,6] and [5,5]
> 2015/10/26 18:16:07.081847 length=28 from=0 to=27
............................< 2015/10/26 18:16:07.082019 length=4 from=0 to=3
....> 2015/10/26 18:16:07.082167 length=50 from=28 to=77
...............\b...............P.....google.ca....> 2015/10/26 18:16:07.082287 length=1 from=78 to=78
.2015/10/26 18:16:07 socat[24341] N socket 2 (fd 5) is at EOF
2015/10/26 18:16:07 socat[24341] N exiting with status 0
2015/10/26 18:16:07 socat[24334] N childdied(): handling signal 20
为了进行比较,以下是我从主机运行查找时成功的查找结果:
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: connect_callback: Adding FD for uid 501
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: DNSServiceCreateConnection START PID[23190](curl)
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: Result code socket 27 created 00000000 00000001
2015-10-26 5:31:56.524 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(15000, 0, google.ca., Addr) START PID[23190]()
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: Result code socket 27 closed 00000000 00000001 (0)
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.251
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.249
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) ADD 4 google.ca. Addr 74.216.233.227
*snip*
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: Result code socket 27 created 00000000 00000002
2015-10-26 5:31:56.525 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(15000, 0, google.ca., AAAA) START PID[23190]()
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Result code socket 27 closed 00000000 00000002 (0)
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., AAAA) ADD 16 google.ca. AAAA 2607:F8B0:400B:080A:0000:0000:0000:100F
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Cancel 00000000 00000001
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., Addr) STOP PID[23190]()
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: Cancel 00000000 00000002
2015-10-26 5:31:56.526 PM mDNSResponder[95]: 12: DNSServiceQueryRecord(google.ca., AAAA) STOP PID[23190]()
2015-10-26 5:31:56.587 PM mDNSResponder[95]: 12: DNSServiceCreateConnection STOP PID[23190](curl)
2015-10-26 5:31:56.587 PM mDNSResponder[95]: 12: Removing FD
我注意到失败和成功之间的主要区别是, jail 内的请求的 uid
为 0,而 jail 外的请求的 uid 为 501。很好奇,但这似乎并不是请求实际失败的地方。
来自mDNSResponder
的错误消息似乎与通过套接字从传入请求获取errsd
有关。 https://github.com/jevinskie/mDNSResponder/blob/2942dde61f920fbbf96ff9a3840567ebbe7cb1b6/mDNSShared/uds_daemon.c#L3660
在我看来,mDNSResponder
希望它的客户端通过套接字向其传递一对 fd 以响应客户端,我不确定这是否可以做到在 chroot 内部。我是一个非常糟糕的 C 程序员,所以我可能是错的,但如果这是事实,是否有可能做到这一点,以及是否有更好的方法让 DNS 在 chroot 内工作?
其他花絮:
您可以将
mDNSResponder
配置为监听其 launchd plist 文件中的多个套接字,但该文件现在受到系统完整性保护的保护,我不想禁用它让这个发挥作用。它很糟糕,而且很容易与我经常在主机上更改的 jail 文件系统不同步,如果由于文件不存在而无法创建套接字之一,这会破坏每个进程的 DNS。运行代理似乎更有弹性ping
在 jail 中立即死亡,这就是我使用curl
的原因。它会立即在控制台上收到Killed: 9
消息。我正在使用绑定(bind)挂载将一些其他文件放入 chroot,但我无法使其在
mDNSResponder
套接字上工作。我用http://bindfs.org (因为 OS X 不支持 Linux 的mount --bind
)在/var/run 中挂载到 chroot,但是在尝试连接时会出现在日志中:2015-10-26 6:39:40.833 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 1 2015-10-26 6:39:41.837 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 2 2015-10-26 6:39:42.843 PM curl[25002]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 3 2015-10-26 6:39:43.848 PM curl[25002]: dnssd_clientstub ConnectToServer: connect() failed path:/var/run/mDNSResponder Socket:4 Err:-1 Errno:61 Connection refused
最佳答案
这里的问题是 /var/run/mDNSResponder
套接字上的请求和响应使用 recvmsg
和 sendmsg< 的“辅助数据”功能
系统调用,socat 不代理辅助数据。我能够获得一个自定义代理,它可以中继辅助数据以进行工作,并为 chroot 内的进程提供 DNS。
关于macos - 如何让 DNS 解析在 El Capitan 上的 Mac OS X `chroot` 内工作?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33356677/