feature/linuxdnsfight: move inotify watching of /etc/resolv.conf out to a feature

tsnet apps in particular never use the Linux DNS OSManagers, so they don't need
DBus, etc. I started to pull that all out into separate features so tsnet doesn't
need to bring in DBus, but hit this first.

Here you can see that tsnet (and the k8s-operator) no longer pulls in inotify.

Updates #17206

Change-Id: I7af0f391f60c5e7dbeed7a080346f83262346591
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

feature/buildfeatures/feature_linuxdnsfight_disabled.go

@@ -0,0 +1,13 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by gen.go; DO NOT EDIT.
+
+//go:build ts_omit_linuxdnsfight
+
+package buildfeatures
+
+// HasLinuxDNSFight is whether the binary was built with support for modular feature "Linux support for detecting DNS fights (inotify watching of /etc/resolv.conf)".
+// Specifically, it's whether the binary was NOT built with the "ts_omit_linuxdnsfight" build tag.
+// It's a const so it can be used for dead code elimination.
+const HasLinuxDNSFight = false

feature/buildfeatures/feature_linuxdnsfight_enabled.go

@@ -0,0 +1,13 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by gen.go; DO NOT EDIT.
+
+//go:build !ts_omit_linuxdnsfight
+
+package buildfeatures
+
+// HasLinuxDNSFight is whether the binary was built with support for modular feature "Linux support for detecting DNS fights (inotify watching of /etc/resolv.conf)".
+// Specifically, it's whether the binary was NOT built with the "ts_omit_linuxdnsfight" build tag.
+// It's a const so it can be used for dead code elimination.
+const HasLinuxDNSFight = true

feature/condregister/maybe_linuxdnsfight.go

@@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && !android && !ts_omit_linuxdnsfight
+
+package condregister
+
+import _ "tailscale.com/feature/linuxdnsfight"

feature/featuretags/featuretags.go

@@ -105,6 +105,7 @@ var Features = map[FeatureTag]FeatureMeta{
 	"desktop_sessions": {"DesktopSessions", "Desktop sessions support", nil},
 	"drive":            {"Drive", "Tailscale Drive (file server) support", nil},
 	"kube":             {"Kube", "Kubernetes integration", nil},
+	"linuxdnsfight":    {"LinuxDNSFight", "Linux support for detecting DNS fights (inotify watching of /etc/resolv.conf)", nil},
 	"oauthkey":         {"OAuthKey", "OAuth secret-to-authkey resolution support", nil},
 	"outboundproxy": {
 		Sym:  "OutboundProxy",

feature/linuxdnsfight/linuxdnsfight.go

@@ -0,0 +1,51 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && !android
+
+// Package linuxdnsfight provides Linux support for detecting DNS fights
+// (inotify watching of /etc/resolv.conf).
+package linuxdnsfight
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/illarion/gonotify/v3"
+	"tailscale.com/net/dns"
+)
+
+func init() {
+	dns.HookWatchFile.Set(watchFile)
+}
+
+// watchFile sets up an inotify watch for a given directory and
+// calls the callback function every time a particular file is changed.
+// The filename should be located in the provided directory.
+func watchFile(ctx context.Context, dir, filename string, cb func()) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	const events = gonotify.IN_ATTRIB |
+		gonotify.IN_CLOSE_WRITE |
+		gonotify.IN_CREATE |
+		gonotify.IN_DELETE |
+		gonotify.IN_MODIFY |
+		gonotify.IN_MOVE
+
+	watcher, err := gonotify.NewDirWatcher(ctx, events, dir)
+	if err != nil {
+		return fmt.Errorf("NewDirWatcher: %w", err)
+	}
+
+	for {
+		select {
+		case event := <-watcher.C:
+			if event.Name == filename {
+				cb()
+			}
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+}

feature/linuxdnsfight/linuxdnsfight_test.go

@@ -0,0 +1,63 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && !android
+
+package linuxdnsfight
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"golang.org/x/sync/errgroup"
+)
+
+func TestWatchFile(t *testing.T) {
+	dir := t.TempDir()
+	filepath := dir + "/test.txt"
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	var callbackCalled atomic.Bool
+	callbackDone := make(chan bool)
+	callback := func() {
+		// We only send to the channel once to avoid blocking if the
+		// callback is called multiple times -- this happens occasionally
+		// if inotify sends multiple events before we cancel the context.
+		if !callbackCalled.Load() {
+			callbackDone <- true
+			callbackCalled.Store(true)
+		}
+	}
+
+	var eg errgroup.Group
+	eg.Go(func() error { return watchFile(ctx, dir, filepath, callback) })
+
+	// Keep writing until we get a callback.
+	func() {
+		for i := range 10000 {
+			if err := os.WriteFile(filepath, []byte(fmt.Sprintf("write%d", i)), 0644); err != nil {
+				t.Fatal(err)
+			}
+			select {
+			case <-callbackDone:
+				return
+			case <-time.After(10 * time.Millisecond):
+			}
+		}
+	}()
+
+	cancel()
+	if err := eg.Wait(); err != nil && !errors.Is(err, context.Canceled) {
+		t.Error(err)
+	}
+	if !callbackCalled.Load() {
+		t.Error("callback was not called")
+	}
+}