9:43 a.m.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=849787
As currently configured, dnsmasq for a virtual network will pass some
queries upstream toward the Internet. This includes AAAA and MX queries
as well a A queries when dnsmasq cannot answer for that name. This is
occurring whether a domain name is specified or not. The problem is that
dnsmasq will, by default, forward all queries unless "local=" is
specified. I cannot envision a situation where such queries should be
forwarded.
See the bugzilla report for more info. While I did a lot of testing to
figure out the problem and what needed to be done to fix it, I am unable
to actually rebuild the libvirt rpm in my environment.
The solution is the following patch:
diff -uNr libvirt-0.9.11.4.orig/src/network/bridge_driver.c
libvirt-0.9.11.4/src/network/bridge_driver.c
--- libvirt-0.9.11.4.orig/src/network/bridge_driver.c 2012-06-15
14:23:21.000000000 -0400
+++ libvirt-0.9.11.4/src/network/bridge_driver.c 2012-08-21
09:03:17.387602485 -0400
@@ -491,7 +491,13 @@
virCommandAddArgList(cmd, "--strict-order", "--bind-interfaces",
NULL);
if (network->def->domain)
- virCommandAddArgList(cmd, "--domain", network->def->domain,
NULL);
+// virCommandAddArgList(cmd, "--domain", network->def->domain,
NULL);
+ virCommandAddArgFormat(cmd,
+ "--domain %s --local=/%s/",
+ network->def->domain,
+ network->def->domain);
+ else
+ virCommandAddArg(cmd, "--local=");
if (pidfile)
virCommandAddArgPair(cmd, "--pid-file", pidfile);
10:04 a.m.
On Tue, Aug 21, 2012 at 10:43:44AM -0400, Gene Czarcinski wrote:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=849787
As currently configured, dnsmasq for a virtual network will pass
some queries upstream toward the Internet. This includes AAAA and
MX queries as well a A queries when dnsmasq cannot answer for that
name. This is occurring whether a domain name is specified or not.
The problem is that dnsmasq will, by default, forward all queries
unless "local=" is specified. I cannot envision a situation where
such queries should be forwarded.
See the bugzilla report for more info. While I did a lot of testing
to figure out the problem and what needed to be done to fix it, I am
unable to actually rebuild the libvirt rpm in my environment.
The solution is the following patch:
diff -uNr libvirt-0.9.11.4.orig/src/network/bridge_driver.c
libvirt-0.9.11.4/src/network/bridge_driver.c
--- libvirt-0.9.11.4.orig/src/network/bridge_driver.c 2012-06-15
14:23:21.000000000 -0400
+++ libvirt-0.9.11.4/src/network/bridge_driver.c 2012-08-21
09:03:17.387602485 -0400
@@ -491,7 +491,13 @@
virCommandAddArgList(cmd, "--strict-order",
"--bind-interfaces", NULL);
if (network->def->domain)
- virCommandAddArgList(cmd, "--domain", network->def->domain,
NULL);
+// virCommandAddArgList(cmd, "--domain",
network->def->domain, NULL);
+ virCommandAddArgFormat(cmd,
+ "--domain %s --local=/%s/",
+ network->def->domain,
+ network->def->domain);
+ else
+ virCommandAddArg(cmd, "--local=");
if (pidfile)
virCommandAddArgPair(cmd, "--pid-file", pidfile);
Since this changes the code that generates dnsmasq args, you'll
also need to update the tests/networkxml2argvdata/ data files
to take account of your new additions.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
5:51 a.m.
On 08/21/2012 11:04 AM, Daniel P. Berrange wrote:
On Tue, Aug 21, 2012 at 10:43:44AM -0400, Gene Czarcinski wrote:
> RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=849787
>
> As currently configured, dnsmasq for a virtual network will pass
> some queries upstream toward the Internet. This includes AAAA and
> MX queries as well a A queries when dnsmasq cannot answer for that
> name. This is occurring whether a domain name is specified or not.
> The problem is that dnsmasq will, by default, forward all queries
> unless "local=" is specified. I cannot envision a situation where
> such queries should be forwarded.
>
> See the bugzilla report for more info. While I did a lot of testing
> to figure out the problem and what needed to be done to fix it, I am
> unable to actually rebuild the libvirt rpm in my environment.
>
> The solution is the following patch:
>
> diff -uNr libvirt-0.9.11.4.orig/src/network/bridge_driver.c
> libvirt-0.9.11.4/src/network/bridge_driver.c
> --- libvirt-0.9.11.4.orig/src/network/bridge_driver.c 2012-06-15
> 14:23:21.000000000 -0400
> +++ libvirt-0.9.11.4/src/network/bridge_driver.c 2012-08-21
> 09:03:17.387602485 -0400
> @@ -491,7 +491,13 @@
> virCommandAddArgList(cmd, "--strict-order",
> "--bind-interfaces", NULL);
>
> if (network->def->domain)
> - virCommandAddArgList(cmd, "--domain", network->def->domain,
NULL);
> +// virCommandAddArgList(cmd, "--domain",
> network->def->domain, NULL);
> + virCommandAddArgFormat(cmd,
> + "--domain %s --local=/%s/",
> + network->def->domain,
> + network->def->domain);
> + else
> + virCommandAddArg(cmd, "--local=");
>
> if (pidfile)
> virCommandAddArgPair(cmd, "--pid-file", pidfile);
Since this changes the code that generates dnsmasq args, you'll
also need to update the tests/networkxml2argvdata/ data files
to take account of your new additions.
And here I thought it was just a tiny patch. When I get thinks
finalized, there will be an update to the tests also.
But, the patch itself is not good. For example, for no domain
specified, instead of "--local=", it should be "--local-//". And then
with the domain specified, this just does not work for some reason
dnsmasq has errors starting.
I must say that I believe that whoever chose to use dnsmasq definitely
made the right choice. However, I wich it was easier to change and test
new parameter seetings for dnsmasq rather than having it in the code.
So that I do not have to go through a lot of code changes, I am testing
with two virtual guests. The first has two NICs one connected to the
default network and a second to a private network with dnsmasq (dns and
dhcp) for the private network. The second guest is on the private
network and tests the various setups for dnsmasq.
My initial simplified test used the /etc/dnsmasq.conf and supplied some
additional parameters that I had not realized. My testing is not
attempting to create a situation similar to that for libvirtd which has
everything specified on the command-line.
Any comments, suggestions will be appreciated.
Gene
9:23 a.m.
On 08/22/2012 06:51 AM, Gene Czarcinski wrote:
On 08/21/2012 11:04 AM, Daniel P. Berrange wrote:
> On Tue, Aug 21, 2012 at 10:43:44AM -0400, Gene Czarcinski wrote:
>> RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=849787
>>
>> As currently configured, dnsmasq for a virtual network will pass
>> some queries upstream toward the Internet. This includes AAAA and
>> MX queries as well a A queries when dnsmasq cannot answer for that
>> name. This is occurring whether a domain name is specified or not.
>> The problem is that dnsmasq will, by default, forward all queries
>> unless "local=" is specified. I cannot envision a situation where
>> such queries should be forwarded.
>>
>> See the bugzilla report for more info. While I did a lot of testing
>> to figure out the problem and what needed to be done to fix it, I am
>> unable to actually rebuild the libvirt rpm in my environment.
>>
>> The solution is the following patch:
>>
>> diff -uNr libvirt-0.9.11.4.orig/src/network/bridge_driver.c
>> libvirt-0.9.11.4/src/network/bridge_driver.c
>> --- libvirt-0.9.11.4.orig/src/network/bridge_driver.c 2012-06-15
>> 14:23:21.000000000 -0400
>> +++ libvirt-0.9.11.4/src/network/bridge_driver.c 2012-08-21
>> 09:03:17.387602485 -0400
>> @@ -491,7 +491,13 @@
>> virCommandAddArgList(cmd, "--strict-order",
>> "--bind-interfaces", NULL);
>>
>> if (network->def->domain)
>> - virCommandAddArgList(cmd, "--domain",
network->def->domain,
>> NULL);
>> +// virCommandAddArgList(cmd, "--domain",
>> network->def->domain, NULL);
>> + virCommandAddArgFormat(cmd,
>> + "--domain %s --local=/%s/",
>> + network->def->domain,
>> + network->def->domain);
>> + else
>> + virCommandAddArg(cmd, "--local=");
>>
>> if (pidfile)
>> virCommandAddArgPair(cmd, "--pid-file", pidfile);
>
> Since this changes the code that generates dnsmasq args, you'll
> also need to update the tests/networkxml2argvdata/ data files
> to take account of your new additions.
>
>
And here I thought it was just a tiny patch. When I get thinks
finalized, there will be an update to the tests also.
But, the patch itself is not good. For example, for no domain
specified, instead of "--local=", it should be "--local-//". And
then
with the domain specified, this just does not work for some reason
dnsmasq has errors starting.
I must say that I believe that whoever chose to use dnsmasq definitely
made the right choice. However, I wich it was easier to change and
test new parameter seetings for dnsmasq rather than having it in the
code.
So that I do not have to go through a lot of code changes, I am
testing with two virtual guests. The first has two NICs one connected
to the default network and a second to a private network with dnsmasq
(dns and dhcp) for the private network. The second guest is on the
private network and tests the various setups for dnsmasq.
My initial simplified test used the /etc/dnsmasq.conf and supplied
some additional parameters that I had not realized. My testing is not
attempting to create a situation similar to that for libvirtd which
has everything specified on the command-line.
Any comments, suggestions will be appreciated.
OK, I am going to need a little help here.
First, is there any documentation on things that need to be done in test
when changes are made? Right now there is a lot of stuff there and I am
not sure what needs to be added where.
Second, I have since the rpm will compile with my patch and goes through
enough of -bi --short-circuit to create
BUILDROOT/libvirt.../usr/sbin/libvirtd I am copying this over to a real
system and installing it replacing the original /usr/sbin/libvirtd
With my patch installed, when libvirtd attempts to start a network, it
errors out with something like the follow:
====================
internal error Child process (/sbin/dnsmasq --strict-order
--bind-interfaces --domain virt123 --local=/virt123/ --domain-needed
--filterwin2k --pid-file=/var/run/libvirt/network/net123.pid
--conf-file= --except-interface lo --listen-address 192.168.123.1
--dhcp-range 192.168.123.128,192.168.123.254
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/net123.leases
--dhcp-lease-max=127 --dhcp-no-override --expand-hosts) status
unexpected: exit status 1
====================
About the only version that does not have a problem is replacing
"--domain virt123 --local=/virt123/ --domain-needed --filterwin2k" with
"--local="
OK, something is wrong.
However, is I "kill -9 <the running instance or dnsmasq>" and then, as
root, manually start dnsmasq with all of the above parameters, it runs
and works find on the virtual network!
Obviously, I am missing something! Can someone point me in the right
direction?
Gene
9:48 a.m.
At Wed, 22 Aug 2012 10:23:44 -0400,
Gene Czarcinski wrote:
Second, I have since the rpm will compile with my patch and goes
through enough of -bi --short-circuit to create
BUILDROOT/libvirt.../usr/sbin/libvirtd I am copying this over to a
real system and installing it replacing the original
/usr/sbin/libvirtd
With my patch installed, when libvirtd attempts to start a network, it
errors out with something like the follow:
====================
internal error Child process (/sbin/dnsmasq --strict-order
--bind-interfaces --domain virt123 --local=/virt123/ --domain-needed
--filterwin2k --pid-file=/var/run/libvirt/network/net123.pid
--conf-file= --except-interface lo --listen-address 192.168.123.1
--dhcp-range 192.168.123.128,192.168.123.254
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/net123.leases
--dhcp-lease-max=127 --dhcp-no-override --expand-hosts) status
unexpected: exit status 1
====================
>>> + virCommandAddArgFormat(cmd,
>>> + "--domain %s --local=/%s/",
>>> + network->def->domain,
>>> + network->def->domain);
Here, you're adding "--domain D --local=/D/" as a *single* argument to
the dnsmasq call.
You need to provide "--domain", network->def->domain,
"--local=/D/" as
3 arguments to the call, ie. first use
virCommandAddArgPair(cmd, "--domain", D), then use virCommandAddArgFormat
for the --local part.
Claudio
--
AV-Test GmbH, Henricistraße 20, 04155 Leipzig, Germany
Phone: +49 341 265 310 19
Web:<http://www.av-test.org>
Eingetragen am / Registered at: Amtsgericht Stendal (HRB 114076)
Geschaeftsfuehrer (CEO): Andreas Marx, Guido Habicht, Maik Morgenstern
11 a.m.
On 08/22/2012 10:48 AM, Claudio Bley wrote:
>>>> + virCommandAddArgFormat(cmd,
>>>> > >>>+ "--domain %s --local=/%s/",
>>>> > >>>+ network->def->domain,
>>>> > >>>+ network->def->domain);
Here, you're adding "--domain D --local=/D/" as a*single* argument to
the dnsmasq call.
You need to provide "--domain", network->def->domain,
"--local=/D/" as
3 arguments to the call, ie. first use
virCommandAddArgPair(cmd, "--domain", D), then use virCommandAddArgFormat
for the --local part.
Much thanks. That did the trick.
I also now see what the tests are doing ... going to need to change the
file pairs for all nine test. Oh well, it cannot be that much work.
BTW, even if a domain name is not specified, the "--local=//" is needed
so that most stuff is not forwarded. For some reason, dnsmasq wants to
forward and MX queries. I am going to take that issue up with the
dnsmasq folks directly.
I will re-post the patches when I complete and test them.
Gene
4475
days inactive
4476
days old
5 comments
3 participants
participants (3)
-
Claudio Bley -
Daniel P. Berrange -
Gene Czarcinski