net/dns: fall back to copy+delete/truncate if moving to/from /etc/resolv.conf fails.

In some containers, /etc/resolv.conf is a bind-mount from outside the container.
This prevents renaming to or from /etc/resolv.conf, because it's on a different
filesystem from linux's perspective. It also prevents removing /etc/resolv.conf,
because doing so would break the bind-mount.

If we find ourselves within this environment, fall back to using copy+delete when
renaming to /etc/resolv.conf, and copy+truncate when renaming from /etc/resolv.conf.

Fixes #3000

Co-authored-by: Denton Gentry <dgentry@tailscale.com>
Signed-off-by: David Anderson <danderson@tailscale.com>

net/dns/direct_test.go

@@ -5,31 +5,65 @@
 package dns
 
 import (
-	"io/ioutil"
+	"errors"
+	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"
+	"strings"
+	"syscall"
 	"testing"
 
 	"inet.af/netaddr"
 	"tailscale.com/util/dnsname"
 )
 
-func TestSetDNS(t *testing.T) {
-	const orig = "nameserver 9.9.9.9 # orig"
+func TestDirectManager(t *testing.T) {
 	tmp := t.TempDir()
-	resolvPath := filepath.Join(tmp, "etc", "resolv.conf")
-	backupPath := filepath.Join(tmp, "etc", "resolv.pre-tailscale-backup.conf")
-
-	if err := os.MkdirAll(filepath.Dir(resolvPath), 0777); err != nil {
+	if err := os.MkdirAll(filepath.Join(tmp, "etc"), 0700); err != nil {
 		t.Fatal(err)
 	}
-	if err := ioutil.WriteFile(resolvPath, []byte(orig), 0644); err != nil {
+	testDirect(t, directFS{prefix: tmp})
+}
+
+type boundResolvConfFS struct {
+	directFS
+}
+
+func (fs boundResolvConfFS) Rename(old, new string) error {
+	if old == "/etc/resolv.conf" || new == "/etc/resolv.conf" {
+		return errors.New("cannot move to/from /etc/resolv.conf")
+	}
+	return fs.directFS.Rename(old, new)
+}
+
+func (fs boundResolvConfFS) Remove(name string) error {
+	if name == "/etc/resolv.conf" {
+		return errors.New("cannot remove /etc/resolv.conf")
+	}
+	return fs.directFS.Remove(name)
+}
+
+func TestDirectBrokenRename(t *testing.T) {
+	tmp := t.TempDir()
+	if err := os.MkdirAll(filepath.Join(tmp, "etc"), 0700); err != nil {
+		t.Fatal(err)
+	}
+	testDirect(t, boundResolvConfFS{directFS{prefix: tmp}})
+}
+
+func testDirect(t *testing.T, fs wholeFileFS) {
+	const orig = "nameserver 9.9.9.9 # orig"
+	resolvPath := "/etc/resolv.conf"
+	backupPath := "/etc/resolv.pre-tailscale-backup.conf"
+
+	if err := fs.WriteFile(resolvPath, []byte(orig), 0644); err != nil {
 		t.Fatal(err)
 	}
 
 	readFile := func(t *testing.T, path string) string {
 		t.Helper()
-		b, err := ioutil.ReadFile(path)
+		b, err := fs.ReadFile(path)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -39,12 +73,12 @@ func TestSetDNS(t *testing.T) {
 		if got := readFile(t, resolvPath); got != orig {
 			t.Fatalf("resolv.conf:\n%s, want:\n%s", got, orig)
 		}
-		if _, err := os.Stat(backupPath); !os.IsNotExist(err) {
+		if _, err := fs.Stat(backupPath); !os.IsNotExist(err) {
 			t.Fatalf("resolv.conf backup: want it to be gone but: %v", err)
 		}
 	}
 
-	m := directManager{fs: directFS{prefix: tmp}}
+	m := directManager{logf: t.Logf, fs: fs}
 	if err := m.SetDNS(OSConfig{
 		Nameservers:   []netaddr.IP{netaddr.MustParseIP("8.8.8.8"), netaddr.MustParseIP("8.8.4.4")},
 		SearchDomains: []dnsname.FQDN{"ts.net.", "ts-dns.test."},
@@ -81,3 +115,26 @@ search ts.net ts-dns.test
 	}
 	assertBaseState(t)
 }
+
+type brokenRemoveFS struct {
+	directFS
+}
+
+func (b brokenRemoveFS) Rename(old, new string) error {
+	return errors.New("nyaaah I'm a silly container!")
+}
+
+func (b brokenRemoveFS) Remove(name string) error {
+	if strings.Contains(name, "/etc/resolv.conf") {
+		return fmt.Errorf("Faking remove failure: %q", &fs.PathError{Err: syscall.EBUSY})
+	}
+	return b.directFS.Remove(name)
+}
+
+func TestDirectBrokenRemove(t *testing.T) {
+	tmp := t.TempDir()
+	if err := os.MkdirAll(filepath.Join(tmp, "etc"), 0700); err != nil {
+		t.Fatal(err)
+	}
+	testDirect(t, brokenRemoveFS{directFS{prefix: tmp}})
+}