[libvirt] [PATCH] additional parameter needed for dnsmasq

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=849787
As currently configured, dnsmasq for a virtual network will pass some queries upstream toward the Internet. This includes AAAA and MX queries as well as A queries when dnsmasq cannot answer for that name. This is occurring whether a domain name is specified or not. The problem is that dnsmasq will, by default, forward all queries unless "local=" is specified. I cannot envision a situation where such queries should be forwarded.
See the bugzilla report for more info. While I did a lot of testing to figure out the problem and what needed to be done to fix it, I am unable to actually rebuild the libvirt rpm in my environment.
The solution is the following patch:
diff -uNr libvirt-0.9.11.4.orig/src/network/bridge_driver.c libvirt-0.9.11.4/src/network/bridge_driver.c --- libvirt-0.9.11.4.orig/src/network/bridge_driver.c 2012-06-15 14:23:21.000000000 -0400 +++ libvirt-0.9.11.4/src/network/bridge_driver.c 2012-08-21 09:03:17.387602485 -0400 @@ -491,7 +491,13 @@ virCommandAddArgList(cmd, "--strict-order", "--bind-interfaces", NULL); if (network->def->domain) - virCommandAddArgList(cmd, "--domain", network->def->domain, NULL); +// virCommandAddArgList(cmd, "--domain", network->def->domain, NULL); + virCommandAddArgFormat(cmd, + "--domain %s --local=/%s/", + network->def->domain, + network->def->domain); + else + virCommandAddArg(cmd, "--local="); if (pidfile) virCommandAddArgPair(cmd, "--pid-file", pidfile);
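Review bot: In the `if (network->def->domain)` branch, virCommandAddArgFormat() formats its whole string into one argv element, so dnsmasq receives `--domain <name> --local=/<name>/` as a single argument containing spaces rather than as separate options. Keep the original `virCommandAddArgList(cmd, "--domain", network->def->domain, NULL);` and add the new option on its own with `virCommandAddArgFormat(cmd, "--local=/%s/", network->def->domain);`. The old call is also left behind as a `//` comment; delete that line instead of commenting it out, and update the expected argv files under tests/networkxml2argvdata/ to match the new options.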

On Tue, Aug 21, 2012 at 10:43:44AM -0400, Gene Czarcinski wrote:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=849787
As currently configured, dnsmasq for a virtual network will pass some queries upstream toward the Internet. This includes AAAA and MX queries as well as A queries when dnsmasq cannot answer for that name. This is occurring whether a domain name is specified or not. The problem is that dnsmasq will, by default, forward all queries unless "local=" is specified. I cannot envision a situation where such queries should be forwarded.
See the bugzilla report for more info. While I did a lot of testing to figure out the problem and what needed to be done to fix it, I am unable to actually rebuild the libvirt rpm in my environment.
The solution is the following patch:
diff -uNr libvirt-0.9.11.4.orig/src/network/bridge_driver.c libvirt-0.9.11.4/src/network/bridge_driver.c --- libvirt-0.9.11.4.orig/src/network/bridge_driver.c 2012-06-15 14:23:21.000000000 -0400 +++ libvirt-0.9.11.4/src/network/bridge_driver.c 2012-08-21 09:03:17.387602485 -0400 @@ -491,7 +491,13 @@ virCommandAddArgList(cmd, "--strict-order", "--bind-interfaces", NULL);
if (network->def->domain) - virCommandAddArgList(cmd, "--domain", network->def->domain, NULL); +// virCommandAddArgList(cmd, "--domain", network->def->domain, NULL); + virCommandAddArgFormat(cmd, + "--domain %s --local=/%s/", + network->def->domain, + network->def->domain); + else + virCommandAddArg(cmd, "--local=");
if (pidfile) virCommandAddArgPair(cmd, "--pid-file", pidfile);
Since this changes the code that generates dnsmasq args, you'll also need to update the tests/networkxml2argvdata/ data files to take account of your new additions.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 08/21/2012 11:04 AM, Daniel P. Berrange wrote:
On Tue, Aug 21, 2012 at 10:43:44AM -0400, Gene Czarcinski wrote:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=849787
As currently configured, dnsmasq for a virtual network will pass some queries upstream toward the Internet. This includes AAAA and MX queries as well as A queries when dnsmasq cannot answer for that name. This is occurring whether a domain name is specified or not. The problem is that dnsmasq will, by default, forward all queries unless "local=" is specified. I cannot envision a situation where such queries should be forwarded.
See the bugzilla report for more info. While I did a lot of testing to figure out the problem and what needed to be done to fix it, I am unable to actually rebuild the libvirt rpm in my environment.
The solution is the following patch:
diff -uNr libvirt-0.9.11.4.orig/src/network/bridge_driver.c libvirt-0.9.11.4/src/network/bridge_driver.c --- libvirt-0.9.11.4.orig/src/network/bridge_driver.c 2012-06-15 14:23:21.000000000 -0400 +++ libvirt-0.9.11.4/src/network/bridge_driver.c 2012-08-21 09:03:17.387602485 -0400 @@ -491,7 +491,13 @@ virCommandAddArgList(cmd, "--strict-order", "--bind-interfaces", NULL);
if (network->def->domain) - virCommandAddArgList(cmd, "--domain", network->def->domain, NULL); +// virCommandAddArgList(cmd, "--domain", network->def->domain, NULL); + virCommandAddArgFormat(cmd, + "--domain %s --local=/%s/", + network->def->domain, + network->def->domain); + else + virCommandAddArg(cmd, "--local=");
if (pidfile) virCommandAddArgPair(cmd, "--pid-file", pidfile);
Since this changes the code that generates dnsmasq args, you'll also need to update the tests/networkxml2argvdata/ data files to take account of your new additions.
And here I thought it was just a tiny patch. When I get things finalized, there will be an update to the tests also.
But, the patch itself is not good. For example, for no domain specified, instead of "--local=", it should be "--local-//". And then with the domain specified, this just does not work for some reason dnsmasq has errors starting.
I must say that I believe that whoever chose to use dnsmasq definitely made the right choice. However, I wish it was easier to change and test new parameter settings for dnsmasq rather than having it in the code.
So that I do not have to go through a lot of code changes, I am testing with two virtual guests. The first has two NICs one connected to the default network and a second to a private network with dnsmasq (dns and dhcp) for the private network. The second guest is on the private network and tests the various setups for dnsmasq.
My initial simplified test used the /etc/dnsmasq.conf and supplied some additional parameters that I had not realized. My testing is not attempting to create a situation similar to that for libvirtd which has everything specified on the command-line.
Any comments, suggestions will be appreciated.
Gene

On 08/22/2012 06:51 AM, Gene Czarcinski wrote:
On 08/21/2012 11:04 AM, Daniel P. Berrange wrote:
On Tue, Aug 21, 2012 at 10:43:44AM -0400, Gene Czarcinski wrote:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=849787
As currently configured, dnsmasq for a virtual network will pass some queries upstream toward the Internet. This includes AAAA and MX queries as well as A queries when dnsmasq cannot answer for that name. This is occurring whether a domain name is specified or not. The problem is that dnsmasq will, by default, forward all queries unless "local=" is specified. I cannot envision a situation where such queries should be forwarded.
See the bugzilla report for more info. While I did a lot of testing to figure out the problem and what needed to be done to fix it, I am unable to actually rebuild the libvirt rpm in my environment.
The solution is the following patch:
diff -uNr libvirt-0.9.11.4.orig/src/network/bridge_driver.c libvirt-0.9.11.4/src/network/bridge_driver.c --- libvirt-0.9.11.4.orig/src/network/bridge_driver.c 2012-06-15 14:23:21.000000000 -0400 +++ libvirt-0.9.11.4/src/network/bridge_driver.c 2012-08-21 09:03:17.387602485 -0400 @@ -491,7 +491,13 @@ virCommandAddArgList(cmd, "--strict-order", "--bind-interfaces", NULL);
if (network->def->domain) - virCommandAddArgList(cmd, "--domain", network->def->domain, NULL); +// virCommandAddArgList(cmd, "--domain", network->def->domain, NULL); + virCommandAddArgFormat(cmd, + "--domain %s --local=/%s/", + network->def->domain, + network->def->domain); + else + virCommandAddArg(cmd, "--local=");
if (pidfile) virCommandAddArgPair(cmd, "--pid-file", pidfile);
Since this changes the code that generates dnsmasq args, you'll also need to update the tests/networkxml2argvdata/ data files to take account of your new additions.
And here I thought it was just a tiny patch. When I get things finalized, there will be an update to the tests also.
But, the patch itself is not good. For example, for no domain specified, instead of "--local=", it should be "--local-//". And then with the domain specified, this just does not work for some reason dnsmasq has errors starting.
I must say that I believe that whoever chose to use dnsmasq definitely made the right choice. However, I wish it was easier to change and test new parameter settings for dnsmasq rather than having it in the code.
So that I do not have to go through a lot of code changes, I am testing with two virtual guests. The first has two NICs one connected to the default network and a second to a private network with dnsmasq (dns and dhcp) for the private network. The second guest is on the private network and tests the various setups for dnsmasq.
My initial simplified test used the /etc/dnsmasq.conf and supplied some additional parameters that I had not realized. My testing is not attempting to create a situation similar to that for libvirtd which has everything specified on the command-line.
Any comments, suggestions will be appreciated.
OK, I am going to need a little help here.
First, is there any documentation on things that need to be done in test when changes are made? Right now there is a lot of stuff there and I am not sure what needs to be added where.
Second, I have since the rpm will compile with my patch and goes through enough of -bi --short-circuit to create BUILDROOT/libvirt.../usr/sbin/libvirtd I am copying this over to a real system and installing it replacing the original /usr/sbin/libvirtd
With my patch installed, when libvirtd attempts to start a network, it errors out with something like the following:
====================
internal error Child process (/sbin/dnsmasq --strict-order --bind-interfaces --domain virt123 --local=/virt123/ --domain-needed --filterwin2k --pid-file=/var/run/libvirt/network/net123.pid --conf-file= --except-interface lo --listen-address 192.168.123.1 --dhcp-range 192.168.123.128,192.168.123.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/net123.leases --dhcp-lease-max=127 --dhcp-no-override --expand-hosts) status unexpected: exit status 1
====================
About the only version that does not have a problem is replacing "--domain virt123 --local=/virt123/ --domain-needed --filterwin2k" with "--local="
OK, something is wrong. However, if I "kill -9 <the running instance or dnsmasq>" and then, as root, manually start dnsmasq with all of the above parameters, it runs and works fine on the virtual network!
Obviously, I am missing something! Can someone point me in the right direction?
Gene

At Wed, 22 Aug 2012 10:23:44 -0400, Gene Czarcinski wrote:
Second, I have since the rpm will compile with my patch and goes through enough of -bi --short-circuit to create BUILDROOT/libvirt.../usr/sbin/libvirtd I am copying this over to a real system and installing it replacing the original /usr/sbin/libvirtd
With my patch installed, when libvirtd attempts to start a network, it errors out with something like the following:
====================
internal error Child process (/sbin/dnsmasq --strict-order --bind-interfaces --domain virt123 --local=/virt123/ --domain-needed --filterwin2k --pid-file=/var/run/libvirt/network/net123.pid --conf-file= --except-interface lo --listen-address 192.168.123.1 --dhcp-range 192.168.123.128,192.168.123.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/net123.leases --dhcp-lease-max=127 --dhcp-no-override --expand-hosts) status unexpected: exit status 1
====================
+ virCommandAddArgFormat(cmd, + "--domain %s --local=/%s/", + network->def->domain, + network->def->domain);
Here, you're adding "--domain D --local=/D/" as a *single* argument to the dnsmasq call.
You need to provide "--domain", network->def->domain, "--local=/D/" as 3 arguments to the call, i.e. first use virCommandAddArgPair(cmd, "--domain", D), then use virCommandAddArgFormat for the --local part.
Claudio
--
AV-Test GmbH, Henricistraße 20, 04155 Leipzig, Germany
Phone: +49 341 265 310 19
Web:<http://www.av-test.org>
Eingetragen am / Registered at: Amtsgericht Stendal (HRB 114076)
Geschaeftsfuehrer (CEO): Andreas Marx, Guido Habicht, Maik Morgenstern
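The single-argument problem described in the reply above, as an added example that is not part of the original thread or of libvirt: the builder here is a hypothetical stand-in (struct argv_builder, add_arg_format, build_as_posted and build_split are assumed names) that, like an exec-style argv, stores each formatted string as exactly one element. A shell splits a pasted command line on whitespace, which is why the same text started dnsmasq when typed by hand.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum { MAX_ARGS = 8, ARG_LEN = 128 };

/* Hypothetical stand-in for a command builder; not libvirt's virCommand. */
struct argv_builder {
    char args[MAX_ARGS][ARG_LEN];  /* one row per argv element */
    int  count;
};

/* Format a string and append it as ONE argv element, spaces included. */
static int add_arg_format(struct argv_builder *b, const char *fmt, ...)
{
    va_list ap;
    if (b->count >= MAX_ARGS)
        return -1;
    va_start(ap, fmt);
    int n = vsnprintf(b->args[b->count], ARG_LEN, fmt, ap);
    va_end(ap);
    if (n < 0 || n >= ARG_LEN)
        return -1;                 /* refuse a truncated argument */
    b->count++;
    return 0;
}

/* The call as posted: both options end up in a single element. */
static int build_as_posted(struct argv_builder *b, const char *domain)
{
    return add_arg_format(b, "--domain %s --local=/%s/", domain, domain);
}

/* The shape suggested in the reply: three separate elements. */
static int build_split(struct argv_builder *b, const char *domain)
{
    if (add_arg_format(b, "%s", "--domain") || add_arg_format(b, "%s", domain))
        return -1;
    return add_arg_format(b, "--local=/%s/", domain);
}

int main(void)
{
    struct argv_builder bad = {0}, good = {0};
    if (build_as_posted(&bad, "virt123") || build_split(&good, "virt123"))
        return 1;
    printf("as posted: %d element(s), split: %d element(s)\n", bad.count, good.count);
    return 0;
}
```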

On 08/22/2012 10:48 AM, Claudio Bley wrote:
+ virCommandAddArgFormat(cmd,
>>>+ "--domain %s --local=/%s/",
>>>+ network->def->domain,
>>>+ network->def->domain);
Here, you're adding "--domain D --local=/D/" as a *single* argument to the dnsmasq call.
You need to provide "--domain", network->def->domain, "--local=/D/" as 3 arguments to the call, ie. first use virCommandAddArgPair(cmd, "--domain", D), then use virCommandAddArgFormat for the --local part.
Much thanks. That did the trick.
I also now see what the tests are doing ... going to need to change the file pairs for all nine tests. Oh well, it cannot be that much work.
BTW, even if a domain name is not specified, the "--local=//" is needed so that most stuff is not forwarded. For some reason, dnsmasq wants to forward and MX queries. I am going to take that issue up with the dnsmasq folks directly.
I will re-post the patches when I complete and test them.
Gene
participants (3)
- Claudio Bley
- Daniel P. Berrange
- Gene Czarcinski