Start/stop RDNSS monitor.

jglogan · jglogan · commit 81f288516f5e · 2026-03-13T20:02:46.000-07:00
diff --git a/Sources/Containerization/ContainerManager.swift b/Sources/Containerization/ContainerManager.swift
@@ -483,7 +483,7 @@ public struct ContainerManager: Sendable {
                         message: "missing ipv4 gateway for container \(id)"
                     )
                 }
-                config.dns = .init(nameservers: [gateway.description])
+                config.dns = .init(nameservers: [gateway.description], enableRDNSSMonitor: true)
             }
             config.bootLog = BootLog.file(path: self.containerRoot.appendingPathComponent(id).appendingPathComponent("bootlog.log"))
             try configuration(&config)
diff --git a/Sources/Containerization/DNSConfiguration.swift b/Sources/Containerization/DNSConfiguration.swift
@@ -29,17 +29,22 @@ public struct DNS: Sendable {
     public var searchDomains: [String]
     /// The DNS options to use.
     public var options: [String]
+    /// When true, vminitd will listen for IPv6 Router Advertisements and
+    /// merge RDNSS nameservers into this resolv.conf entry.
+    public var enableRDNSSMonitor: Bool
 
     public init(
         nameservers: [String] = defaultNameservers,
         domain: String? = nil,
         searchDomains: [String] = [],
-        options: [String] = []
+        options: [String] = [],
+        enableRDNSSMonitor: Bool = false
     ) {
         self.nameservers = nameservers
         self.domain = domain
         self.searchDomains = searchDomains
         self.options = options
+        self.enableRDNSSMonitor = enableRDNSSMonitor
     }
 }
 
diff --git a/Sources/Containerization/LinuxContainer.swift b/Sources/Containerization/LinuxContainer.swift
@@ -996,6 +996,18 @@ extension LinuxContainer {
         }
     }
 
+    /// Update the DNS configuration for this container on the running VM.
+    /// Replaces the current /etc/resolv.conf content and updates the RDNSS
+    /// monitor state to match the new config's `enableRDNSSMonitor` flag.
+    public func updateDNS(_ dns: DNS) async throws {
+        try await self.state.withLock {
+            let state = try $0.startedState("updateDNS")
+            try await state.vm.withAgent { agent in
+                try await agent.configureDNS(config: dns, location: Self.guestRootfsPath(self.id))
+            }
+        }
+    }
+
     /// Get statistics for the container.
     public func statistics(categories: StatCategory = .all) async throws -> ContainerStatistics {
         try await self.state.withLock {
diff --git a/Sources/Containerization/LinuxPod.swift b/Sources/Containerization/LinuxPod.swift
@@ -834,6 +834,18 @@ extension LinuxPod {
         }
     }
 
+    /// Update the DNS configuration for a container in the pod on the running VM.
+    /// Replaces the container's /etc/resolv.conf content and updates the RDNSS
+    /// monitor state to match the new config's `enableRDNSSMonitor` flag.
+    public func updateDNS(_ dns: DNS, containerID: String) async throws {
+        try await self.state.withLock { state in
+            let createdState = try state.phase.createdState("updateDNS")
+            try await createdState.vm.withAgent { agent in
+                try await agent.configureDNS(config: dns, location: Self.guestRootfsPath(containerID))
+            }
+        }
+    }
+
     /// Get statistics for containers in the pod.
     public func statistics(containerIDs: [String]? = nil, categories: StatCategory = .all) async throws -> [ContainerStatistics] {
         let (createdState, ids) = try await self.state.withLock { state in
diff --git a/Sources/Containerization/SandboxContext/SandboxContext.pb.swift b/Sources/Containerization/SandboxContext/SandboxContext.pb.swift
@@ -1072,6 +1072,8 @@ public struct Com_Apple_Containerization_Sandbox_V3_ConfigureDnsRequest: Sendabl
 
   public var options: [String] = []
 
+  public var enableRdnssMonitor: Bool = false
+
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
   public init() {}
@@ -3046,7 +3048,7 @@ extension Com_Apple_Containerization_Sandbox_V3_IpRouteAddDefaultResponse: Swift
 
 extension Com_Apple_Containerization_Sandbox_V3_ConfigureDnsRequest: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".ConfigureDnsRequest"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}location\0\u{1}nameservers\0\u{1}domain\0\u{1}searchDomains\0\u{1}options\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}location\0\u{1}nameservers\0\u{1}domain\0\u{1}searchDomains\0\u{1}options\0\u{3}enable_rdnss_monitor\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
@@ -3059,6 +3061,7 @@ extension Com_Apple_Containerization_Sandbox_V3_ConfigureDnsRequest: SwiftProtob
       case 3: try { try decoder.decodeSingularStringField(value: &self._domain) }()
       case 4: try { try decoder.decodeRepeatedStringField(value: &self.searchDomains) }()
       case 5: try { try decoder.decodeRepeatedStringField(value: &self.options) }()
+      case 6: try { try decoder.decodeSingularBoolField(value: &self.enableRdnssMonitor) }()
       default: break
       }
     }
@@ -3084,6 +3087,9 @@ extension Com_Apple_Containerization_Sandbox_V3_ConfigureDnsRequest: SwiftProtob
     if !self.options.isEmpty {
       try visitor.visitRepeatedStringField(value: self.options, fieldNumber: 5)
     }
+    if self.enableRdnssMonitor != false {
+      try visitor.visitSingularBoolField(value: self.enableRdnssMonitor, fieldNumber: 6)
+    }
     try unknownFields.traverse(visitor: &visitor)
   }
 
@@ -3093,6 +3099,7 @@ extension Com_Apple_Containerization_Sandbox_V3_ConfigureDnsRequest: SwiftProtob
     if lhs._domain != rhs._domain {return false}
     if lhs.searchDomains != rhs.searchDomains {return false}
     if lhs.options != rhs.options {return false}
+    if lhs.enableRdnssMonitor != rhs.enableRdnssMonitor {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }
diff --git a/Sources/Containerization/SandboxContext/SandboxContext.proto b/Sources/Containerization/SandboxContext/SandboxContext.proto
@@ -303,6 +303,7 @@ message ConfigureDnsRequest {
   optional string domain = 3;
   repeated string searchDomains = 4;
   repeated string options = 5;
+  bool enable_rdnss_monitor = 6;
 }
 
 message ConfigureDnsResponse {}
diff --git a/Sources/Containerization/Vminitd.swift b/Sources/Containerization/Vminitd.swift
@@ -496,6 +496,7 @@ extension Vminitd {
                 }
                 $0.searchDomains = config.searchDomains
                 $0.options = config.options
+                $0.enableRdnssMonitor = config.enableRDNSSMonitor
             })
     }
 
diff --git a/Sources/Integration/ContainerTests.swift b/Sources/Integration/ContainerTests.swift
@@ -4176,9 +4176,10 @@ extension IntegrationSuite {
             try await container.create()
             try await container.start()
 
-            // The vmnet router sends Router Advertisements with RDNSS options.
+            // ContainerManager sets enableRDNSSMonitor on the DNS config, so vminitd
+            // starts the monitor automatically when configureDNS is called.
             // Poll resolv.conf until the DNSMonitor has received an RA and merged
-            // an IPv6 nameserver into the file (identified by a colon in the address).
+            // an IPv6 nameserver into the file.
             var found = false
             let deadline = Date.now.addingTimeInterval(15)
             while Date.now < deadline {
@@ -4196,22 +4197,53 @@ extension IntegrationSuite {
                 if status.exitCode == 0,
                     let output = String(data: buffer.data, encoding: .utf8),
                     output.split(separator: "\n")
-                        .contains(where: { $0.hasPrefix("nameserver") && $0.contains(":") })
+                        .contains(where: {
+                            guard $0.hasPrefix("nameserver ") else { return false }
+                            let addr = $0.dropFirst("nameserver ".count).trimmingCharacters(in: .whitespaces)
+                            return (try? IPv6Address(addr)) != nil
+                        })
                 {
                     found = true
                     break
                 }
             }
 
-            try await container.kill(SIGKILL)
-            try await container.wait()
-            try await container.stop()
-
             guard found else {
                 throw IntegrationError.assert(
                     msg: "resolv.conf was not updated with an IPv6 nameserver from RDNSS within timeout"
                 )
             }
+
+            // Disable the RDNSS monitor by updating DNS config with the flag off.
+            // The monitor should stop and purge IPv6 nameservers from resolv.conf.
+            let staticDNS = DNS(nameservers: container.config.dns?.nameservers ?? [], enableRDNSSMonitor: false)
+            try await container.updateDNS(staticDNS)
+
+            let cleanBuffer = BufferWriter()
+            let cleanExec = try await container.exec("check-resolv-clean") { config in
+                config.arguments = ["cat", "/etc/resolv.conf"]
+                config.stdout = cleanBuffer
+            }
+            try await cleanExec.start()
+            let cleanStatus = try await cleanExec.wait()
+            try await cleanExec.delete()
+            if cleanStatus.exitCode == 0,
+                let cleanOutput = String(data: cleanBuffer.data, encoding: .utf8),
+                cleanOutput.split(separator: "\n")
+                    .contains(where: {
+                        guard $0.hasPrefix("nameserver ") else { return false }
+                        let addr = $0.dropFirst("nameserver ".count).trimmingCharacters(in: .whitespaces)
+                        return (try? IPv6Address(addr)) != nil
+                    })
+            {
+                throw IntegrationError.assert(
+                    msg: "resolv.conf still contains an IPv6 nameserver after disabling the RDNSS monitor"
+                )
+            }
+
+            try await container.kill(SIGKILL)
+            try await container.wait()
+            try await container.stop()
         } catch {
             try? await container.stop()
             throw error
diff --git a/Sources/Integration/PodTests.swift b/Sources/Integration/PodTests.swift
@@ -17,6 +17,7 @@
 import ArgumentParser
 import Containerization
 import ContainerizationError
+import ContainerizationExtras
 import ContainerizationOCI
 import ContainerizationOS
 import Foundation
@@ -2032,4 +2033,84 @@ extension IntegrationSuite {
             throw error
         }
     }
+
+    @available(macOS 26.0, *)
+    func testPodRDNSSUpdatesResolvConf() async throws {
+        let id = "test-pod-rdnss-updates-resolv-conf"
+        let bs = try await bootstrap(id)
+
+        var network = try ContainerManager.VmnetNetwork()
+
+        guard let interface = try network.create("\(id)-c1"),
+            let gateway = interface.ipv4Gateway
+        else {
+            throw IntegrationError.assert(msg: "failed to get vmnet interface or gateway")
+        }
+
+        let pod = try LinuxPod(id, vmm: bs.vmm) { config in
+            config.cpus = 4
+            config.memoryInBytes = 1024.mib()
+            config.bootLog = bs.bootLog
+            config.interfaces = [interface]
+            config.dns = DNS(nameservers: [gateway.description], enableRDNSSMonitor: true)
+        }
+
+        try await pod.addContainer("container1", rootfs: try cloneRootfs(bs.rootfs, testID: id, containerID: "container1")) { config in
+            config.process.arguments = ["sleep", "30"]
+        }
+
+        try await pod.addContainer("container2", rootfs: try cloneRootfs(bs.rootfs, testID: id, containerID: "container2")) { config in
+            config.process.arguments = ["sleep", "30"]
+        }
+
+        do {
+            try await pod.create()
+            try await pod.startContainer("container1")
+            try await pod.startContainer("container2")
+
+            // Both containers share the pod's DNS config with enableRDNSSMonitor = true,
+            // so vminitd starts the RDNSS monitor automatically. Poll each container's
+            // resolv.conf until an IPv6 nameserver appears.
+            for containerID in ["container1", "container2"] {
+                var found = false
+                let deadline = Date.now.addingTimeInterval(15)
+                while Date.now < deadline {
+                    try await Task.sleep(for: .seconds(1))
+
+                    let buffer = BufferWriter()
+                    let exec = try await pod.execInContainer(containerID, processID: "check-resolv-\(containerID)") { config in
+                        config.arguments = ["cat", "/etc/resolv.conf"]
+                        config.stdout = buffer
+                    }
+                    try await exec.start()
+                    let status = try await exec.wait()
+                    try await exec.delete()
+
+                    if status.exitCode == 0,
+                        let output = String(data: buffer.data, encoding: .utf8),
+                        output.split(separator: "\n")
+                            .contains(where: {
+                                guard $0.hasPrefix("nameserver ") else { return false }
+                                let addr = $0.dropFirst("nameserver ".count).trimmingCharacters(in: .whitespaces)
+                                return (try? IPv6Address(addr)) != nil
+                            })
+                    {
+                        found = true
+                        break
+                    }
+                }
+
+                guard found else {
+                    throw IntegrationError.assert(
+                        msg: "\(containerID): resolv.conf was not updated with an IPv6 nameserver from RDNSS within timeout"
+                    )
+                }
+            }
+
+            try await pod.stop()
+        } catch {
+            try? await pod.stop()
+            throw error
+        }
+    }
 }
diff --git a/Sources/Integration/Suite.swift b/Sources/Integration/Suite.swift
@@ -265,6 +265,7 @@ struct IntegrationSuite: AsyncParsableCommand {
                 Test("container networking disabled", testNetworkingDisabled),
                 Test("container networking enabled", testNetworkingEnabled),
                 Test("container RDNSS updates resolv.conf", testRDNSSUpdatesResolvConf),
+                Test("pod RDNSS updates resolv.conf", testPodRDNSSUpdatesResolvConf),
             ]
         }
         return []
diff --git a/vminitd/Sources/vminitd/DNSMonitor.swift b/vminitd/Sources/vminitd/DNSMonitor.swift
diff --git a/vminitd/Sources/vminitd/Server+GRPC.swift b/vminitd/Sources/vminitd/Server+GRPC.swift
diff --git a/vminitd/Sources/vminitd/Server.swift b/vminitd/Sources/vminitd/Server.swift

Original file line number	Diff line number	Diff line change
`@@ -483,7 +483,7 @@ public struct ContainerManager: Sendable {`
`483`	`483`	`message: "missing ipv4 gateway for container \(id)"`
`484`	`484`	`)`
`485`	`485`	`}`
`486`		`- config.dns = .init(nameservers: [gateway.description])`
	`486`	`+ config.dns = .init(nameservers: [gateway.description], enableRDNSSMonitor: true)`
`487`	`487`	`}`
`488`	`488`	`config.bootLog = BootLog.file(path: self.containerRoot.appendingPathComponent(id).appendingPathComponent("bootlog.log"))`
`489`	`489`	`try configuration(&config)`
Original file line number	Diff line number	Diff line change
`@@ -303,6 +303,7 @@ message ConfigureDnsRequest {`
`303`	`303`	`optional string domain = 3;`
`304`	`304`	`repeated string searchDomains = 4;`
`305`	`305`	`repeated string options = 5;`
	`306`	`+ bool enable_rdnss_monitor = 6;`
`306`	`307`	`}`
`307`	`308`
`308`	`309`	`message ConfigureDnsResponse {}`
Original file line number	Diff line number	Diff line change
`@@ -496,6 +496,7 @@ extension Vminitd {`
`496`	`496`	`}`
`497`	`497`	`$0.searchDomains = config.searchDomains`
`498`	`498`	`$0.options = config.options`
	`499`	`+ $0.enableRdnssMonitor = config.enableRDNSSMonitor`
`499`	`500`	`})`
`500`	`501`	`}`
`501`	`502`
Original file line number	Diff line number	Diff line change
`@@ -265,6 +265,7 @@ struct IntegrationSuite: AsyncParsableCommand {`
`265`	`265`	`Test("container networking disabled", testNetworkingDisabled),`
`266`	`266`	`Test("container networking enabled", testNetworkingEnabled),`
`267`	`267`	`Test("container RDNSS updates resolv.conf", testRDNSSUpdatesResolvConf),`
	`268`	`+ Test("pod RDNSS updates resolv.conf", testPodRDNSSUpdatesResolvConf),`
`268`	`269`	`]`
`269`	`270`	`}`
`270`	`271`	`return []`