On Wed, Feb 13, 2019 at 02:31:00PM +0100, Flo Rance wrote:
On Wed, Feb 13, 2019 at 1:23 PM Peter Pentchev roam@ringlet.net wrote:
On Wed, Feb 13, 2019 at 01:12:54PM +0100, Flo Rance wrote:
Regards, Flo
On Wed, Feb 13, 2019 at 1:00 PM tom posturne@gmail.com wrote:
Hello,
Are you sure 'foobar.remote.site' should resolve? Does "ping foobar.remote.site" work?
Yes, the host is resolved on the command line and other services on this system can reach this host.
Do you have a /var/run/stunnel/etc/resolv.conf file?
No, at this time I don't have this file, but it doesn't change anything if I copy the original from /etc to this location. But this brings me to the point to try to disable chroot, and in this case stunnel is working as expected. So far so good - there is something wrong in the chroot jail.
I tried to put it in /var/run/stunnel - no luck, but maybe there are other files missing as well?
If you want to resolve hostnames using the resolv.conf file, you need the appropriate library libresolv which is part of libc. So you'll need to copy the libc libraries in your chroot environment.
Mmm, I don't think that the resolver libraries are loaded dynamically; they are usually loaded in the stunnel binary at startup.
Ok, but in that case you should remove "delay = yes" and the hostname will be resolved at startup, before chroot.
This would be true if the resolver libraries are loaded dynamically... which seems to be true. I just found a CentOS 7 system to test on, and it seems that libnss loads its modules dynamically, grrrrr.
OK, so, tom, you should also find your libnss_* libraries - the easiest way is through `ldconfig -p | fgrep -e libnss_files` - and copy all of the libnss_*.so* (both the *.so ones and the *.so.something ones) into the corresponding directories in your chroot. I believe that the ones in the /lib64 directory should be enough - e.g. I think that it might be enough to do this:
    mkdir /var/run/stunnel/lib64
    cp -p /lib64/libnss_*.so* /var/run/stunnel/lib64/
...but if this doesn't work, you should also copy all others from all the directories mentioned in the `ldconfig -p | fgrep -e libnss_files` output.
Sorry for doubting the "dynamically loaded resolver modules" idea at first :(
G'luck, Peter
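
The procedure from the message above, generalized to every directory that `ldconfig -p` reports for libnss_files, as an added example that is not part of the original thread. The function names, the optional source-root argument and the sample `ldconfig -p` text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): copy the NSS modules that glibc loads
# at run time, plus resolv.conf, into a chroot such as /var/run/stunnel.
# Live use: ldconfig -p | list_nss_dirs | populate_chroot /var/run/stunnel

# Constructed sample of `ldconfig -p` output, for dry runs and tests.
SAMPLE_LDCONFIG='	libnss_files.so.2 (libc6,x86-64) => /lib64/libnss_files.so.2
	libnss_files.so.2 (libc6) => /lib/libnss_files.so.2
	libc.so.6 (libc6,x86-64) => /lib64/libc.so.6'

# Read `ldconfig -p` text on stdin; print each directory holding libnss_files.
list_nss_dirs() {
    sed -n 's|^.*=> \(/.*\)/libnss_files[^/]*$|\1|p' | sort -u
}

# populate_chroot CHROOT [SRCROOT]: read directories on stdin and copy every
# libnss_*.so* from them into the same path under CHROOT, then resolv.conf.
# SRCROOT is a hypothetical prefix for testing; leave empty for the live system.
populate_chroot() {
    chroot_dir=$1
    src_root=${2:-}
    while IFS= read -r dir; do
        [ -d "$src_root$dir" ] || continue
        mkdir -p "$chroot_dir$dir"
        for lib in "$src_root$dir"/libnss_*.so*; do
            [ -e "$lib" ] || continue
            cp -p "$lib" "$chroot_dir$dir/"
        done
    done
    if [ -f "$src_root/etc/resolv.conf" ]; then
        mkdir -p "$chroot_dir/etc"
        cp -p "$src_root/etc/resolv.conf" "$chroot_dir/etc/"
    fi
}

# Print NSS modules present under SRCROOT but missing from the chroot.
missing_nss_libs() {
    chroot_dir=$1
    src_root=${2:-}
    while IFS= read -r dir; do
        for lib in "$src_root$dir"/libnss_*.so*; do
            [ -e "$lib" ] || continue
            [ -e "$chroot_dir$dir/${lib##*/}" ] || echo "$dir/${lib##*/}"
        done
    done
}
```

Running `missing_nss_libs` again after a glibc update shows whether the copies in the chroot need refreshing, since they do not follow package upgrades.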