Enhancement #2926
DHCP: bind dnsmasq to specific interfaces
| Status: | CLOSED | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 100% | |
| Category: | nethserver-dnsmasq | |||
| Target version: | v6.5 | |||
| Resolution: | NEEDINFO: | No |
Description
When the DHCP/DNS is enabled, dnsmasq listens on all available interfaces.
This can be a problem when there are multiple dnsmasq instances, like for example on a machine with libvirt/KVM.
In a machine where dnsmasq is running, libvirt will fail to setup the network (virbr0) with following error:
Error creating virtual network: errore interno Child process (/usr/sbin/dnsmasq --strict-order --pid-file=/var/run/libvirt/network/rete1.pid --conf-file= --except-interface lo --bind-interfaces --listen-address 192.168.100.1 --dhcp-range 192.168.100.128,192.168.100.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/rete1.leases --dhcp-lease-max=127 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/rete1.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/rete1.addnhosts) unexpected exit status 2: dnsmasq: failed to bind DHCP server socket: Address already in useWe can workaround the problem by binding dnsmasq only to green interfaces using following options:
- interface
- bind-interfaces
Associated revisions
dnsmasq.conf tamplate: enable bind-interfaces Refs #2926
History
#1
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
#2
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3
Updated by Giacomo Sanchietti almost 7 years ago
- Assignee deleted (
Giacomo Sanchietti) - NEEDINFO changed from No to Yes
The interface option should be used in conjunction with bind-interfaces.
From man page about bind-interfaces:
This option has been patched to always use SO_BINDTODEVICE socket option when binding to interfaces. As consequence, dnsmasq
WILL NOT ANSWER to any DNS Queries that come to the socket with the correct destination IP address, but originally on different
interface. This behavior differs from the original dnsmasq upstream version and is used for security reasons.
This means that dnsmasq will answer to dns queries only to clients inside green or blue networks.
On which interfaces dnsmasq should bind? Only on interfaces where DHCP is enabled? And if no interface uses DHCP, the DNS server will never be reachable.
A possible workaround is to use the except-interface options, something like this:
except-interface=virbr0 bind-interfaces
Still doesn't resolve the problem about dns reply from other interfaces (for example: dns queries from orange zone to green interface).
#4
Updated by Giacomo Sanchietti almost 7 years ago
- NEEDINFO changed from Yes to No
- use options
bind-interfacesandexcept-interface - excluded interfaces are all red interfaces plus interfaces listed in
except-interfaceproperty - default value of
except-interfaceproperty will bevirbr0to handle standard libvirt installations
#5
Updated by Giacomo Sanchietti almost 7 years ago
- Assignee set to Giacomo Sanchietti
#6
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#7
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 60 to 70
- nethserver-dnsmasq-1.3.0-1.0git897da104.ns6.noarch.rpm
Test case 1
- Install the update package on a machine with only one green interface
- dnsmasq should work as usual
Test case 2
- Add a red interface
- dnsmasq must listen only on green interface
Test case 3
- From previous test case, add an orange and a blue
- dnsmasq must listen on all interfaces except red ones
Test case 4
- Install libvirt and start it:
yum install libvirt service libvirtd start
- Check there are two running dnsmasq instances
- Try to restart dnsmasq, no error should be raised
- From test cases 3
- Add an interface to the list of exception (eg. eth2):
config setprop dnsmasq execept-interface virbr0,eth2 signal-event nethserver-dnsmasq-update
- Check dnsmasq is not listening on eth2
#8
Updated by Alessandro Polidori over 6 years ago
- Assignee set to Alessandro Polidori
#9
Updated by Alessandro Polidori over 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Alessandro Polidori) - % Done changed from 70 to 90
Test case 1
- Install the update package on a machine with only one green interface
- dnsmasq should work as usual
Ok. I tested DHCP and DNS functions with a windows xp client.
Test case 2
- Add a red interface
- dnsmasq must listen only on green interface
Ok it works only with the green interface.
I created a red one and it can not be possible to enable DHCP on it.
/etc/dnsmasq.conf:
except-interface=eth1 except-interface=virbr0
where:
eth0 = green eth1 = red
Verified also using "netstat".
Test case 3
- From previous test case, add an orange and a blue
- dnsmasq must listen on all interfaces except red ones
Ok it works.
I created orange and blue iterfaces.
I can enable DHCP only with green and blue using the gui.
/etc/dnsmasq.conf:
except-interface=eth1 except-interface=virbr0
where:
eth0 = green eth1 = red eth2 = orange eth3 = blue
Verified also using "netstat".
DNS listening on all interfaces except the red.
Test case 4
- Check there are two running dnsmasq instances
libvirtd starts with no error and there are two dnsmasq processes. - Try to restart dnsmasq, no error should be raised
Restart of dnsmasq works with no errors.
Ok it works.
Note: "service libvirtd stop" does not stop the dnsmasq process.
Test case 5
- From test cases 3
- Add an interface to the list of exception (eg. eth2)
- Check dnsmasq is not listening on eth2
Ok it works.
Verified by /etc/dnsmasq.conf and "netstat".
#10
Updated by Davide Principi over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-dnsmasq-1.3.1-1.ns6.noarch.rpm