[libvirt] Proposal: no dnsmasq (no dhcp and no dns) and no radvd option
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface. Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force. This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq. Questions: Useful? Worth the time and effort? And then there is how should this be specified in the network xml file? ... some new parameter? ... A subperameter of <dns> such as <dns disable='yes' /> ? ... a subparameter of <bridge> such as <bridge name="virbr0" dns="disable" /> ? Comments? Suggestions? Gene
Quoting Gene Czarcinski (gene@czarc.net):
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force.
This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort? And then there is
Useful, yes, it's been requested by Scott Moser before (https://www.redhat.com/archives/libvirt-users/2012-September/msg00095.html)
how should this be specified in the network xml file? ... some new parameter? ... A subperameter of <dns> such as <dns disable='yes' /> ? ... a subparameter of <bridge> such as <bridge name="virbr0" dns="disable" /> ?
Comments? Suggestions?
No opinions from me, both seem doable. Don't know if anyone will eventually want further dns(masq) customization. -serge
On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force.
This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort?
That was already determined before I mentioned it to you - it's been requested several times, and I've told some people it was "going to happen", although didn't say when :-).
And then there is how should this be specified in the network xml file? ... some new parameter? ... A subperameter of <dns> such as <dns disable='yes' /> ? ... a subparameter of <bridge> such as <bridge name="virbr0" dns="disable" /> ?
The <bridge> element is commonly *not* specified manually, but is filled in automatically be libvirt, so I don't think it's a good place to put optional flags (you would end up manually specifying settings for the things that are automatically filled in, like the bridge name). If anything, I would say the choice would be between putting it in <dns> or in the toplevel <network>, i.e.: <network> ... <dns disable='yes'/> (or maybe "<dns enable='no'/> is better) ... </network> or <network dns='no'> ... </network> Or, maybe it would be even better to put it in the <ip> element: <ip address='192.168.122.1' netmask='255.255.255.0' dns='no'/> that way you could have dnsmasq listen on some of the IP addresses defined for a network, but not others. At the same time, we probably to be able to disable ipv6 RA as well. Since that's only enabled when there is an ipv6 address, it can also be added into the <ip> element config: <ip family='ipv6' address='f00d::1' ra='no'/> (or maybe "autoconf='no'" ?) Yeah, I think I like it best in <ip> (unless someone else has a better idea).
On 11/20/2012 05:29 PM, Laine Stump wrote:
On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force.
This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort? That was already determined before I mentioned it to you - it's been requested several times, and I've told some people it was "going to happen", although didn't say when :-).
And then there is how should this be specified in the network xml file? ... some new parameter? ... A subperameter of <dns> such as <dns disable='yes' /> ? ... a subparameter of <bridge> such as <bridge name="virbr0" dns="disable" /> ? The <bridge> element is commonly *not* specified manually, but is filled in automatically be libvirt, so I don't think it's a good place to put optional flags (you would end up manually specifying settings for the things that are automatically filled in, like the bridge name).
If anything, I would say the choice would be between putting it in <dns> or in the toplevel <network>, i.e.:
<network> ... <dns disable='yes'/> (or maybe "<dns enable='no'/> is better) ... </network>
or
<network dns='no'> ... </network>
Or, maybe it would be even better to put it in the <ip> element:
<ip address='192.168.122.1' netmask='255.255.255.0' dns='no'/>
that way you could have dnsmasq listen on some of the IP addresses defined for a network, but not others.
At the same time, we probably to be able to disable ipv6 RA as well. Since that's only enabled when there is an ipv6 address, it can also be added into the <ip> element config:
<ip family='ipv6' address='f00d::1' ra='no'/> (or maybe "autoconf='no'" ?)
Yeah, I think I like it best in <ip> (unless someone else has a better idea). Not really better since I like the idea of adding this to <ip>. However, I believe this is wrong! it is a mistake to tie this to an IP address. Look at the problems that have occurred with dnsmasq. It "likes" to deal with an interface and all addresses on that interface. See:
https://bugzilla.redhat.com/show_bug.cgi?id=833033 https://bugzilla.redhat.com/show_bug.cgi?id=874702 Instead, I suggest that this be an expansion to <network>. For example, <network dns='no'>. This could also scratch an itch of mine for specifying logging: <network dnslog='yes" dhcplog='yes'>. Then there is the issue with bind-intererface and bind-dynamic: <network bind='dynamic'> All of these parameters involve the whole interface and not just one or the other of an IP address. I suspect that many/most virtual network definitions involve a single IPv4 address so, in that light, it would not make any difference. However, I believe that there will be more and more virtual networks which support both IPv4 and IPv6. To be honest, I see little actual use/need of multiple IPv4 and IPv6 addresses on a single virtual network interface. One other thing. I believe this "new feature" should be available to as many old versions as practical and not just for "current" and future versions of libvirt. That is, at least to the v0.9.6-maint, v0.9.11-maint, and v0.10.2-maint levels. Also, the default values (if nothing is specified) should be to run as it would today. Gene
On Wed, Nov 21, 2012 at 07:18:20AM -0500, Gene Czarcinski wrote:
On 11/20/2012 05:29 PM, Laine Stump wrote:
On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force.
This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort? That was already determined before I mentioned it to you - it's been requested several times, and I've told some people it was "going to happen", although didn't say when :-).
And then there is how should this be specified in the network xml file? ... some new parameter? ... A subperameter of <dns> such as <dns disable='yes' /> ? ... a subparameter of <bridge> such as <bridge name="virbr0" dns="disable" /> ? The <bridge> element is commonly *not* specified manually, but is filled in automatically be libvirt, so I don't think it's a good place to put optional flags (you would end up manually specifying settings for the things that are automatically filled in, like the bridge name).
If anything, I would say the choice would be between putting it in <dns> or in the toplevel <network>, i.e.:
<network> ... <dns disable='yes'/> (or maybe "<dns enable='no'/> is better) ... </network>
or
<network dns='no'> ... </network>
Or, maybe it would be even better to put it in the <ip> element:
<ip address='192.168.122.1' netmask='255.255.255.0' dns='no'/>
that way you could have dnsmasq listen on some of the IP addresses defined for a network, but not others.
At the same time, we probably to be able to disable ipv6 RA as well. Since that's only enabled when there is an ipv6 address, it can also be added into the <ip> element config:
<ip family='ipv6' address='f00d::1' ra='no'/> (or maybe "autoconf='no'" ?)
Yeah, I think I like it best in <ip> (unless someone else has a better idea). Not really better since I like the idea of adding this to <ip>. However, I believe this is wrong! it is a mistake to tie this to an IP address. Look at the problems that have occurred with dnsmasq.
I agree, we should let this be controlled independently of the <ip> tag. You might want to allow DNS, without defining any IP elements at all.
Instead, I suggest that this be an expansion to <network>. For example, <network dns='no'>. This could also scratch an itch of mine for specifying logging: <network dnslog='yes" dhcplog='yes'>. Then there is the issue with bind-intererface and bind-dynamic: <network bind='dynamic'>
Since you envisage multiple config parameters related to DNS, this argues for a top level <dns> element to group them all together. <network> ... <dns.../> ... </network> Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
On 11/20/2012 05:29 PM, Laine Stump wrote:
On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force.
This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort? That was already determined before I mentioned it to you - it's been requested several times, and I've told some people it was "going to happen", although didn't say when :-).
And then there is how should this be specified in the network xml file? ... some new parameter? ... A subperameter of <dns> such as <dns disable='yes' /> ? ... a subparameter of <bridge> such as <bridge name="virbr0" dns="disable" /> ? The <bridge> element is commonly *not* specified manually, but is filled in automatically be libvirt, so I don't think it's a good place to put optional flags (you would end up manually specifying settings for the things that are automatically filled in, like the bridge name).
If anything, I would say the choice would be between putting it in <dns> or in the toplevel <network>, i.e.:
<network> ... <dns disable='yes'/> (or maybe "<dns enable='no'/> is better) ... </network>
or
<network dns='no'> ... </network>
Or, maybe it would be even better to put it in the <ip> element:
<ip address='192.168.122.1' netmask='255.255.255.0' dns='no'/>
that way you could have dnsmasq listen on some of the IP addresses defined for a network, but not others.
At the same time, we probably to be able to disable ipv6 RA as well. Since that's only enabled when there is an ipv6 address, it can also be added into the <ip> element config:
<ip family='ipv6' address='f00d::1' ra='no'/> (or maybe "autoconf='no'" ?)
Yeah, I think I like it best in <ip> (unless someone else has a better idea). Not really better since I like the idea of adding this to <ip>. However, I believe this is wrong! it is a mistake to tie this to an IP address. Look at the problems that have occurred with dnsmasq. I agree, we should let this be controlled independently of
On Wed, Nov 21, 2012 at 07:18:20AM -0500, Gene Czarcinski wrote: the <ip> tag. You might want to allow DNS, without defining any IP elements at all. Mmmm. The only way this could work is if --interface=<virbrnn> was specified. Right now, if no IPv4 or IPv6 addresses are specified, this
On 11/21/2012 07:31 AM, Daniel P. Berrange wrote: this is not a virtual gateway device but a virtual network interface for very isolated guest-to-guest only communications. [see patch I just submitted to make IPv6 have the same functionality as IPv4].
Instead, I suggest that this be an expansion to <network>. For example, <network dns='no'>. This could also scratch an itch of mine for specifying logging: <network dnslog='yes" dhcplog='yes'>. Then there is the issue with bind-intererface and bind-dynamic: <network bind='dynamic'> Since you envisage multiple config parameters related to DNS, this argues for a top level <dns> element to group them all together.
<network> ... <dns.../> ... </network>
Yes, dns currently has two possible items: dns=yes/no and dnslog=noyes. But dhcplog=no/yes and bind=interface/dynamic are not really related to dns. I suggest just keeping it simple and at a single level under <network>. I hope I am making my point understandable because I am not sure of the terminology used for discussing xml. Gene
On 11/20/2012 05:29 PM, Laine Stump wrote:
On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force.
This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort? That was already determined before I mentioned it to you - it's been requested several times, and I've told some people it was "going to happen", although didn't say when:-).
OK, color this "almost done" (doc and schemas need updating). Three new parameters are added: <network disableDnsmasq='yes' logDnsQueries='yes' logDhcp='yes' > If nothing is specified, then the default is no, no, no so that things work as they do now. Currently, if the boolean value is 'no' or false, then that parameter is not written out. I could easily change that depending on what others want to do. Laine, I changed this to be disableDnsmasq because that is the real result. If this is specified, then starting radvd will also be suppressed. It is as if no IPv4 or IPv6 addresses were specified. However, the iptables and ip6tables rules will remain the same since it is assumed that gateway addresses will be specified. I have scratched an itch of mine by providing a way to specify that dns-queries and dhcp activity should be logged and that this is specified separately for each virtual network interface. Dan suggested that a user might still want to run dnsmasq's dns service even if no IP addresses are specified. However, in that case I am not sure what dnsmasq is suppose to monitor for queries ... it needs some kind of address or we will have the problems which the bind-dynamic update is suppose to fix. I have not integrated this with the bind-dynamic update but plan to before I submit it. I will be submitting this patch with the IPV6 enhancement, DHCPv6, etc. series since it is yet again messing with the same code. If any of the series get rejected rather than accepted, it will not be too much of a problem to rework them. Gene
On 11/23/2012 02:18 PM, Gene Czarcinski wrote:
On 11/20/2012 05:29 PM, Laine Stump wrote:
On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force.
This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort? That was already determined before I mentioned it to you - it's been requested several times, and I've told some people it was "going to happen", although didn't say when:-).
OK, color this "almost done" (doc and schemas need updating).
Three new parameters are added: <network disableDnsmasq='yes' logDnsQueries='yes' logDhcp='yes' >
Don't refer to dnsmasq specifically in the XML unless it's something that is unique to dnsmasq (and then we should seriously consider if we're thinking about it the right way before adding it). The intent is that the XML should describe the desired configuration in a manner high level enough that a new driver using different backend components would be able to use the same XML attributes and arrive at similar functionality. For example, there is active work right now to support libvirt's server side on FreeBSD, and they may decide that they want to implement their networks using different implementations of DNS and dhcp servers (they will already need to do something different in place of Linux host brdges and iptables, so it will have to be a completely new driver anyway). Obviously there are cases where something specific to the backend needs to be in the XML; for example the virtio-net drivers can specify <driver name='qemu' ...> and in that case can have an option ioeventfd and event_idx options which would probably be meaningless to any netdev driver for another hypervisor, but we aim to keep that to a minimum, and use it only when the characteristic described really is unique to particular backend). (At any rate, it seems reasonable to me that someone may want us to provide a dhcp server but no dns server. Yes, this also implies that we should have a way in the config to feed in the address of an alternative DNS server ("--dhcp-option=option:dns-server,x.x.x.x" and "--dhcp-option=option6:dnsserver,xxxx::xxxx") to send to dhcp clients when they've disabled dnsmasq's own dns server (in case you hadn't found it in the manpage yet - you can run dnsmasq with no dns server by adding "--port=0" to the commandline). As soon as I hit send on this, I'm going to type up a short mail asking for comments on how to add support for any standard dhcp option. As for the other two - any reason why you used "logDnsQueries" instead of "logDns"? Also, do you think we might want the ability to specify a level in the future? (I guess if we did, that could coexist with yes|no). And while we're on the topic of logging: one thing that's bothered me a lot, and we've had other people complain about it as well, is that every single DHCP lease renewal results in a message to /var/log/messages, and there doesn't seem to be any way to suppress it. Is that correct?
If nothing is specified, then the default is no, no, no so that things work as they do now. Currently, if the boolean value is 'no' or false, then that parameter is not written out. I could easily change that depending on what others want to do.
Laine, I changed this to be disableDnsmasq because that is the real result. If this is specified, then starting radvd will also be suppressed. It is as if no IPv4 or IPv6 addresses were specified. However, the iptables and ip6tables rules will remain the same since it is assumed that gateway addresses will be specified.
Actually that's yet another switch that we need to add - the ability to suppress all iptables rules for a particular network (unless it is in NAT mode, in which case it makes no sense, because it's the difference in rules that changes it from mode='route' to mode='nat'). Perhaps it could be something like filter='none|open|restricted', although I don't know if that's descriptive enough - even without getting into specific protocols (which I don't think should be done - at that point they should really be using a guest-specific filterref) you might still want to know if there should be any rules at all, allow everything, allow outgoing sessions but not incoming, allow inter-guest traffic but not incoming from the outside, allow nothing (all of these could be overridden by a particular guest's filterref)
I have scratched an itch of mine by providing a way to specify that dns-queries and dhcp activity should be logged and that this is specified separately for each virtual network interface.
Dan suggested that a user might still want to run dnsmasq's dns service even if no IP addresses are specified. However, in that case I am not sure what dnsmasq is suppose to monitor for queries ... it needs some kind of address or we will have the problems which the bind-dynamic update is suppose to fix.
Yeah, I didn't understand that either - If the bridge has no IP address, there's no target IP for a DNS request to be sent to. I just assumed he was thinking of something else.
I have not integrated this with the bind-dynamic update but plan to before I submit it. I will be submitting this patch with the IPV6 enhancement, DHCPv6, etc. series since it is yet again messing with the same code.
If any of the series get rejected rather than accepted, it will not be too much of a problem to rework them.
On 11/24/2012 04:19 PM, Laine Stump wrote:
On 11/20/2012 05:29 PM, Laine Stump wrote:
On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force. This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort? That was already determined before I mentioned it to you - it's been requested several times, and I've told some people it was "going to happen", although didn't say when:-).
OK, color this "almost done" (doc and schemas need updating).
Three new parameters are added: <network disableDnsmasq='yes' logDnsQueries='yes' logDhcp='yes' > Don't refer to dnsmasq specifically in the XML unless it's something
On 11/23/2012 02:18 PM, Gene Czarcinski wrote: that is unique to dnsmasq (and then we should seriously consider if we're thinking about it the right way before adding it). The intent is that the XML should describe the desired configuration in a manner high level enough that a new driver using different backend components would be able to use the same XML attributes and arrive at similar functionality. For example, there is active work right now to support libvirt's server side on FreeBSD, and they may decide that they want to implement their networks using different implementations of DNS and dhcp servers (they will already need to do something different in place of Linux host brdges and iptables, so it will have to be a completely new driver anyway).
Obviously there are cases where something specific to the backend needs to be in the XML; for example the virtio-net drivers can specify <driver name='qemu' ...> and in that case can have an option ioeventfd and event_idx options which would probably be meaningless to any netdev driver for another hypervisor, but we aim to keep that to a minimum, and use it only when the characteristic described really is unique to particular backend).
(At any rate, it seems reasonable to me that someone may want us to provide a dhcp server but no dns server. Yes, this also implies that we should have a way in the config to feed in the address of an alternative DNS server ("--dhcp-option=option:dns-server,x.x.x.x" and "--dhcp-option=option6:dnsserver,xxxx::xxxx") to send to dhcp clients when they've disabled dnsmasq's own dns server (in case you hadn't found it in the manpage yet - you can run dnsmasq with no dns server by adding "--port=0" to the commandline). As soon as I hit send on this, I'm going to type up a short mail asking for comments on how to add support for any standard dhcp option.
As for the other two - any reason why you used "logDnsQueries" instead of "logDns"? Also, do you think we might want the ability to specify a level in the future? (I guess if we did, that could coexist with yes|no).
And while we're on the topic of logging: one thing that's bothered me a lot, and we've had other people complain about it as well, is that every single DHCP lease renewal results in a message to /var/log/messages, and there doesn't seem to be any way to suppress it. Is that correct?
OK, I had not realized that it was possible to not have dns while continuing to do dhcp. So, it now becomes disableDns="yes" which results in --port=0 being passed to dnsmasq. For completeness, I suggest that disableDhcp="yes" and disableRA="yes" be added. I have changed my mind and will make it logDns=, logDhcp= and (again for completeness) logRA= ... this last one may require a small dnsmasq update. However, I still like the idea of not starting anything and, as I state below, you can start dnsmasq even if it is configured to do nothing. Therefore, I propose adding "disableDaemons=" which is not specific to any package but would mean not to start either dnsmasq or radvd regardless of whether or not they would be started. Lease renewal messages should not be that frequent it is probably a "small matter of programming" to get an option to suppress them ... if Simon Kelley would add that. Speaking of logging, if you do not like the lease renewal messages, then you will have a bigger problem with the "RTR-ADVERT" messages that dnsmasq issues every 3//4/5 seconds for every started interface. I have submitted a "tiny" patch to dnsmasq which ties issuing this message to log-dhcp being enabled.
If nothing is specified, then the default is no, no, no so that things work as they do now. Currently, if the boolean value is 'no' or false, then that parameter is not written out. I could easily change that depending on what others want to do.
Laine, I changed this to be disableDnsmasq because that is the real result. If this is specified, then starting radvd will also be suppressed. It is as if no IPv4 or IPv6 addresses were specified. However, the iptables and ip6tables rules will remain the same since it is assumed that gateway addresses will be specified. Actually that's yet another switch that we need to add - the ability to suppress all iptables rules for a particular network (unless it is in NAT mode, in which case it makes no sense, because it's the difference in rules that changes it from mode='route' to mode='nat'). Perhaps it could be something like filter='none|open|restricted', although I don't know if that's descriptive enough - even without getting into specific protocols (which I don't think should be done - at that point they should really be using a guest-specific filterref) you might still want to know if there should be any rules at all, allow everything, allow outgoing sessions but not incoming, allow inter-guest traffic but not incoming from the outside, allow nothing (all of these could be overridden by a particular guest's filterref)
Easy enough to implement but what is the purpose. If there are no rules at all (and perhaps no gateway addresses), then the interface will not work for guest-to-guest communications either. But wait, if there are no rules at all the the "default" "--reject-with icmp-port-unreachable" will not be there either so maybe things will work. However, I thought that filters were specified as part of the <interface> definition, not the <network> definition. So, where should this be handled? It makes some sense to me that for the types of networks src/network/bridge_driver.c handles, maybe <network> is more appropriate.
I have scratched an itch of mine by providing a way to specify that dns-queries and dhcp activity should be logged and that this is specified separately for each virtual network interface.
Dan suggested that a user might still want to run dnsmasq's dns service even if no IP addresses are specified. However, in that case I am not sure what dnsmasq is suppose to monitor for queries ... it needs some kind of address or we will have the problems which the bind-dynamic update is suppose to fix.
Yeah, I didn't understand that either - If the bridge has no IP address, there's no target IP for a DNS request to be sent to. I just assumed he was thinking of something else.
Believe it or not, it is possible to start dnsmasq on an interface which has no gateway addresses and --port=0 so that there no dns ... it runs and appears to do nothing. Again, what purpose is there to starting dnsmasq in this situation?
I have not integrated this with the bind-dynamic update but plan to before I submit it. I will be submitting this patch with the IPV6 enhancement, DHCPv6, etc. series since it is yet again messing with the same code.
If any of the series get rejected rather than accepted, it will not be too much of a problem to rework them.
One last question. Considering all of these various new xml parameters/attributes, should they all be on the <network> statement, only part of them on <network> and others on a (perhaps) a <logging> defintion, or maybe an <options> statement. Comments? Suggesting? Gene
On 11/25/2012 08:25 AM, Gene Czarcinski wrote:
On 11/24/2012 04:19 PM, Laine Stump wrote:
On 11/20/2012 05:29 PM, Laine Stump wrote:
On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
Laine mentioned something yesterday that got me to thinking: being able to specify that dnsmasq is not to be started for an interface.
Let me expand that by saying that libvirt would not start dnsmasq for either dns or dhcp and also would not start radvd. However, the IPv4 and IPv6 gateway addresses would be defined on the virtual network interface and the "usual" iptables and ip6tables rules would be in force. This would allow a user to configure dnsmasq to meet any user desires or use something completely different instead of dnsmasq.
Questions: Useful? Worth the time and effort? That was already determined before I mentioned it to you - it's been requested several times, and I've told some people it was "going to happen", although didn't say when:-).
OK, color this "almost done" (doc and schemas need updating).
Three new parameters are added: <network disableDnsmasq='yes' logDnsQueries='yes' logDhcp='yes' > Don't refer to dnsmasq specifically in the XML unless it's something
On 11/23/2012 02:18 PM, Gene Czarcinski wrote: that is unique to dnsmasq (and then we should seriously consider if we're thinking about it the right way before adding it). The intent is that the XML should describe the desired configuration in a manner high level enough that a new driver using different backend components would be able to use the same XML attributes and arrive at similar functionality. For example, there is active work right now to support libvirt's server side on FreeBSD, and they may decide that they want to implement their networks using different implementations of DNS and dhcp servers (they will already need to do something different in place of Linux host brdges and iptables, so it will have to be a completely new driver anyway).
Obviously there are cases where something specific to the backend needs to be in the XML; for example the virtio-net drivers can specify <driver name='qemu' ...> and in that case can have an option ioeventfd and event_idx options which would probably be meaningless to any netdev driver for another hypervisor, but we aim to keep that to a minimum, and use it only when the characteristic described really is unique to particular backend).
(At any rate, it seems reasonable to me that someone may want us to provide a dhcp server but no dns server. Yes, this also implies that we should have a way in the config to feed in the address of an alternative DNS server ("--dhcp-option=option:dns-server,x.x.x.x" and "--dhcp-option=option6:dnsserver,xxxx::xxxx") to send to dhcp clients when they've disabled dnsmasq's own dns server (in case you hadn't found it in the manpage yet - you can run dnsmasq with no dns server by adding "--port=0" to the commandline). As soon as I hit send on this, I'm going to type up a short mail asking for comments on how to add support for any standard dhcp option.
As for the other two - any reason why you used "logDnsQueries" instead of "logDns"? Also, do you think we might want the ability to specify a level in the future? (I guess if we did, that could coexist with yes|no).
And while we're on the topic of logging: one thing that's bothered me a lot, and we've had other people complain about it as well, is that every single DHCP lease renewal results in a message to /var/log/messages, and there doesn't seem to be any way to suppress it. Is that correct?
OK, I had not realized that it was possible to not have dns while continuing to do dhcp. So, it now becomes disableDns="yes" which results in --port=0 being passed to dnsmasq. For completeness, I suggest that disableDhcp="yes" and disableRA="yes" be added.
disableDhcp already exists - you just don't have a <dhcp> section (and if you do have a <dhcp> section, it seems very illogical that you would want dhcp disabled). disableRA may be a valid concern, since that's on by default if there are any IPv6 addresses. However, to pull the discussion back in - I had earlier suggested *not* having an attribute called "disableXXX" because it starts to get confusing - you're saying "Yes, I don't want this feature.". It's simpler to understand "*No*, I *don't* want this feature". And I'd also suggested making it an option of the already existing <dns> element (see below).
I have changed my mind and will make it logDns=, logDhcp= and (again for completeness) logRA= ... this last one may require a small dnsmasq update.
I like "<dns log='xxx'.../>" (edit: I may have changed my opinion on this - see the end of the message)
However, I still like the idea of not starting anything and, as I state below, you can start dnsmasq even if it is configured to do nothing.
Why? That would only make sense if it was a placeholder that could be modified later to do something (and even then only if it would be impossible to just start it at a later time instead).
Therefore, I propose adding "disableDaemons=" which is not specific to any package but would mean not to start either dnsmasq or radvd regardless of whether or not they would be started.
I dislike that idea - it give two ways to specify the same thing, which is bad. Experience has shown that it's better to have a single way to specify each thing; that way there is no ambiguity when doing a parse->format->parse cycle. Remember that you can easily have no dnsmasq daemon by simply specifying: <dns enable='no'> and then having no <dhcp> element anywhere. As for RA, that will require an option to turn off. We currently only start radvd if networkRadvdConfContents returns a non-NULL string, and it is *perfectly* setup to have an "enableRa='yes|no'" (with default of 'yes') on each IP address - it would simply not append the lines for an IP address to the conffile string if that IP's enableRa was no. So, if all the ipv6 addresses had enableRa='no', radvd wouldn't be run (and I'm sure you could do something similar for the ra implementation in dnsmasq).
Lease renewal messages should not be that frequent it is probably a "small matter of programming" to get an option to suppress them ... if Simon Kelley would add that.
An indicator that something more than just log='yes|no' may be desired.
Speaking of logging, if you do not like the lease renewal messages, then you will have a bigger problem with the "RTR-ADVERT" messages that dnsmasq issues every 3//4/5 seconds for every started interface.
Yes, that's definitely a no-go. I'm pretty sure nobody would stand for that. If that's how dnsmasq operates, we can't switch to using dnsmasq until that's remedied.
I have submitted a "tiny" patch to dnsmasq which ties issuing this message to log-dhcp being enabled.
That will be good, but since it will be something not detectable from the --help output, it will mean that use of dnsmasq for RA will need to be dependent on an "even later" version of dnsmasq.
If nothing is specified, then the default is no, no, no so that things work as they do now. Currently, if the boolean value is 'no' or false, then that parameter is not written out. I could easily change that depending on what others want to do.
Laine, I changed this to be disableDnsmasq because that is the real result. If this is specified, then starting radvd will also be suppressed. It is as if no IPv4 or IPv6 addresses were specified. However, the iptables and ip6tables rules will remain the same since it is assumed that gateway addresses will be specified. Actually that's yet another switch that we need to add - the ability to suppress all iptables rules for a particular network (unless it is in NAT mode, in which case it makes no sense, because it's the difference in rules that changes it from mode='route' to mode='nat'). Perhaps it could be something like filter='none|open|restricted', although I don't know if that's descriptive enough - even without getting into specific protocols (which I don't think should be done - at that point they should really be using a guest-specific filterref) you might still want to know if there should be any rules at all, allow everything, allow outgoing sessions but not incoming, allow inter-guest traffic but not incoming from the outside, allow nothing (all of these could be overridden by a particular guest's filterref)
Easy enough to implement but what is the purpose. If there are no rules at all (and perhaps no gateway addresses), then the interface will not work for guest-to-guest communications either.
Because some people want libvirt-created networks, but want to manage the firewall rules themselves. (btw, you must be running with net.bridge.bridge-nf-call-iptables=1, otherwise communications between guests (ipv4 and ipv6) would work just fine with no extra rules)
But wait, if there are no rules at all the the "default" "--reject-with icmp-port-unreachable" will not be there either so maybe things will work. However, I thought that filters were specified as part of the <interface> definition, not the <network> definition.
Yes, exactly. The network would have no rules of its own (or maybe a ruleset to allow only incoming, as is currently the case for a NATed network), and each guest's interface could override that with its own rules to allow incoming.
So, where should this be handled? It makes some sense to me that for the types of networks src/network/bridge_driver.c handles, maybe <network> is more appropriate.
More appropriate than what? Than using a <filterref> in each guest's interface? Or more appropriate than making it an option of <forward>? I think it makes sense to have this be an option of <forward>, because it is controlling exactly what traffic is allowed to be forwarded. And when you look at the existing forwarding modes: <forward mode='nat'> It doesn't make sense to have different levels of filtering for a NATed network, because the filter rules are required for NAT to work at all, and due to the way NAT works, incoming sessions are impractical anyway: none - nonsensical (if you're not going to allow any traffic in-out, then why have <forward> at all?) open - nonsensical (incoming sessions can't work without additional forwarding rules anyway) restricted - that's what it does anyway <forward mode='bridge|hostdev'> These networks have nothing managed by libvirt anyway <forward mode='none'> (i.e. "no <forward> element) By definition if you have this type of network, you don't want to allow any traffic in or out of the network (heck, we even run dnsmasq with different options so that the dns server won't forward requests for unknown hosts). <forward mode='route'> This is the *only* type of forwarding where it makes sense to offer different options for the stock filters provided by libvirt. none - the host admin will be managing filters themselves external to libvirt. open - this is what it currently does - allows incoming and outgoing sessions restricted - this would be similar to what is currently done in NAT mode (allow outgoing sessions but not incoming), but without the extra mangling rules to NAT the packets. Since the different filtering options only make sense for forward mode='route', it's sensible to put the option in the <forward> element. But that's really a separate topic that I didn't originally intend to get entwined with the dns/ra/logging things we're talking about now...
I have scratched an itch of mine by providing a way to specify that dns-queries and dhcp activity should be logged and that this is specified separately for each virtual network interface.
Dan suggested that a user might still want to run dnsmasq's dns service even if no IP addresses are specified. However, in that case I am not sure what dnsmasq is suppose to monitor for queries ... it needs some kind of address or we will have the problems which the bind-dynamic update is suppose to fix.
Yeah, I didn't understand that either - If the bridge has no IP address, there's no target IP for a DNS request to be sent to. I just assumed he was thinking of something else.
Believe it or not, it is possible to start dnsmasq on an interface which has no gateway addresses and --port=0 so that there no dns ... it runs and appears to do nothing. Again, what purpose is there to starting dnsmasq in this situation?
As I implied above, I don't think there is any purpose to it.
I have not integrated this with the bind-dynamic update but plan to before I submit it. I will be submitting this patch with the IPV6 enhancement, DHCPv6, etc. series since it is yet again messing with the same code.
If any of the series get rejected rather than accepted, it will not be too much of a problem to rework them.
One last question. Considering all of these various new xml parameters/attributes, should they all be on the <network> statement, only part of them on <network> and others on a (perhaps) a <logging> defintion, or maybe an <options> statement.
If you want to consolidate options, rather than grouping according to <logging> and <options>, why not put the dhcp-related options in the <dhcp> element (edit: see below - I think I've changed my mind about <dhcp>), and the dns-related options in the <dns> element as I originally proposed. I can't think of any reason why (especially considering that the <dns> element already exists as a direct sub-element of <network> that this: <network> <dns enable='no'/> or: <network> <dns log='yes'/> <!-- or perhaps use "debug|info|warn|error|none" or something --> is any worse than this: <network disableDns='yes'> or <network logDns='yes'> or this: <network> <option disableDns='yes'/> or <network> <logging dns='yes'/> or even this: <network enableDns='no'> or <network> <option enableDns='no'/> Rather, I would argue that it is *better* to put dns-related options in the already-existing <dns> element. Why create a new element that mixes the options of different functions when an element for each of those functions already exists.
Comments? Suggesting?
1) I think dns should be disabled with "<dns enable='no'/>". The element already exists, and is the perfect place to add dns-related options (that is *why* it exists) 2) disabling IPv6 RA should be done by having <ip family='ipv6' .... enableRa='no' ...> in each ipv6 ip address element - if all ipv6 addresses have enableRa='no', then radvd (or the ra in dnsmasq) won't be run. 3) we don't need any option to disable dhcp - that's what happens if there are no <dhcp> elements. 4) I think I've changed my mind about logging options - these options would need to be set on at least a network-wide scale, but while there is a perfect existing element for that for dns, the <dhcp> and <ip> options are one-per IP address, which would lead to ambiguity and/or conflict. Beyond that, there is no existing example of setting logging level anywhere in libvirt XML - the only logging controls are done in the environment or via libvirtd.conf, and I don't know that either of those places are appropriate either. So I think we should separate that off and discuss it separately.
On 11/25/2012 05:08 PM, Laine Stump wrote:
> On 11/25/2012 08:25 AM, Gene Czarcinski wrote:
>> On 11/24/2012 04:19 PM, Laine Stump wrote:
>>> On 11/23/2012 02:18 PM, Gene Czarcinski wrote:
>>>> On 11/20/2012 05:29 PM, Laine Stump wrote:
>>>>> On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
>>>>>>> Laine mentioned something yesterday that got me to thinking: being
>>>>>>> able to specify that dnsmasq is not to be started for an interface.
>>>>>>>
>>>>>>> Let me expand that by saying that libvirt would not start dnsmasq
>>>>>>> for
>>>>>>> either dns or dhcp and also would not start radvd. However, the
>>>>>>> IPv4
>>>>>>> and IPv6 gateway addresses would be defined on the virtual network
>>>>>>> interface and the "usual" iptables and ip6tables rules would be in
>>>>>> force.
>>>>>>> This would allow a user to configure dnsmasq to meet any user
>>>>>>> desires
>>>>>>> or use something completely different instead of dnsmasq.
>>>>>>>
>>>>>>> Questions: Useful? Worth the time and effort?
>>>>> That was already determined before I mentioned it to you - it's been
>>>>> requested several times, and I've told some people it was "going to
>>>>> happen", although didn't say when:-).
>>>>>
>>>> OK, color this "almost done" (doc and schemas need updating).
>>>>
>>>> Three new parameters are added:
>>>> <network disableDnsmasq='yes' logDnsQueries='yes'
>>>> logDhcp='yes' >
>>> Don't refer to dnsmasq specifically in the XML unless it's something
>>> that is unique to dnsmasq (and then we should seriously consider if
>>> we're thinking about it the right way before adding it). The intent is
>>> that the XML should describe the desired configuration in a manner high
>>> level enough that a new driver using different backend components would
>>> be able to use the same XML attributes and arrive at similar
>>> functionality. For example, there is active work right now to support
>>> libvirt's server side on FreeBSD, and they may decide that they want to
>>> implement their networks using different implementations of DNS and dhcp
>>> servers (they will already need to do something different in place of
>>> Linux host brdges and iptables, so it will have to be a completely new
>>> driver anyway).
>>>
>>> Obviously there are cases where something specific to the backend needs
>>> to be in the XML; for example the virtio-net drivers can specify <driver
>>> name='qemu' ...> and in that case can have an option ioeventfd and
>>> event_idx options which would probably be meaningless to any netdev
>>> driver for another hypervisor, but we aim to keep that to a minimum, and
>>> use it only when the characteristic described really is unique to
>>> particular backend).
>>>
>>> (At any rate, it seems reasonable to me that someone may want us to
>>> provide a dhcp server but no dns server. Yes, this also implies that we
>>> should have a way in the config to feed in the address of an alternative
>>> DNS server ("--dhcp-option=option:dns-server,x.x.x.x" and
>>> "--dhcp-option=option6:dnsserver,xxxx::xxxx") to send to dhcp clients
>>> when they've disabled dnsmasq's own dns server (in case you hadn't found
>>> it in the manpage yet - you can run dnsmasq with no dns server by adding
>>> "--port=0" to the commandline). As soon as I hit send on this, I'm going
>>> to type up a short mail asking for comments on how to add support for
>>> any standard dhcp option.
>>>
>>> As for the other two - any reason why you used "logDnsQueries" instead
>>> of "logDns"? Also, do you think we might want the ability to specify a
>>> level in the future? (I guess if we did, that could coexist with
>>> yes|no).
>>>
>>> And while we're on the topic of logging: one thing that's bothered me a
>>> lot, and we've had other people complain about it as well, is that every
>>> single DHCP lease renewal results in a message to /var/log/messages, and
>>> there doesn't seem to be any way to suppress it. Is that correct?
>> OK, I had not realized that it was possible to not have dns while
>> continuing to do dhcp. So, it now becomes disableDns="yes" which
>> results in --port=0 being passed to dnsmasq. For completeness, I
>> suggest that disableDhcp="yes" and disableRA="yes" be added.
> disableDhcp already exists - you just don't have a <dhcp> section (and
> if you do have a <dhcp> section, it seems very illogical that you would
> want dhcp disabled).
Yes, you are correct. I was adding that for the symmetry and
completeness ;)
>
> disableRA may be a valid concern, since that's on by default if there
> are any IPv6 addresses.
>
>
> However, to pull the discussion back in - I had earlier suggested *not*
> having an attribute called "disableXXX" because it starts to get
> confusing - you're saying "Yes, I don't want this feature.". It's
> simpler to understand "*No*, I *don't* want this feature". And I'd also
> suggested making it an option of the already existing <dns> element (see
> below).
I understand your point and will use an "enable" user interface with the
default being that, in general, things are enabled unless "enableXX='no'
is specified.
>
>> I have changed my mind and will make it logDns=, logDhcp= and (again
>> for completeness) logRA= ... this last one may require a small dnsmasq
>> update.
> I like "<dns log='xxx'.../>" (edit: I may have changed my opinion on
> this - see the end of the message)
And where would you suggest logDhcp adding logDhcp? Remember that
things done with dnsmasq are for an interface and not an address. If I
specify log='yes' for an IPv4 dhcp specification, then I will also get
it for any IPv6 DHCP also ... and maybe that is not all bad.
>
>> However, I still like the idea of not starting anything and, as I
>> state below, you can start dnsmasq even if it is configured to do nothing.
> Why? That would only make sense if it was a placeholder that could be
> modified later to do something (and even then only if it would be
> impossible to just start it at a later time instead).
I was attempting to honor the point made by David Allen in that bugzilla
report that more or less stated some users (certainly not most) would
want complete control over dns/dhcp/ra services.
>
>> Therefore, I propose adding "disableDaemons=" which is not specific
>> to any package but would mean not to start either dnsmasq or radvd
>> regardless of whether or not they would be started.
> I dislike that idea - it give two ways to specify the same thing, which
> is bad. Experience has shown that it's better to have a single way to
> specify each thing; that way there is no ambiguity when doing a
> parse->format->parse cycle.
>
> Remember that you can easily have no dnsmasq daemon by simply specifying:
>
> <dns enable='no'>
>
> and then having no <dhcp> element anywhere.
That is not true. Specifying --port=0 disables the dns and with no dhcp
range or host specified there will be no dhcp but dnsmasq can be
started. If you do not want dns but do want dhcp then --port=0 is the
right way to do it. I can implement that if enableDns='no' and there is
no dhcp specified, then dnsmasq will not be started.
>
> As for RA, that will require an option to turn off. We currently only
> start radvd if networkRadvdConfContents returns a non-NULL string, and
> it is *perfectly* setup to have an "enableRa='yes|no'" (with default of
> 'yes') on each IP address - it would simply not append the lines for an
> IP address to the conffile string if that IP's enableRa was no. So, if
> all the ipv6 addresses had enableRa='no', radvd wouldn't be run (and I'm
> sure you could do something similar for the ra implementation in dnsmasq).
I am not sure about dnsmasq being "tunable" with respect to RA. I will
have to check the code and ask Simon Kelley.
I understand that you can define multiple IPv4 and multiple IPv6 gateway
addresses on a network interface but only one IPv4 DHCP and one IPv6
DHCP. I can see the need for both IPv4 and IPv6 protocols on a single
network "fabric" but I am not sure how many real network "fabrics" have
multiple subnetworks on them. Yes, it could be done but I am not
certain why you would do that (and I am also sure that someone has a
very valid reason for doing that).
>
>
>> Lease renewal messages should not be that frequent it is probably a
>> "small matter of programming" to get an option to suppress them ... if
>> Simon Kelley would add that.
> An indicator that something more than just log='yes|no' may be desired.
>
>> Speaking of logging, if you do not like the lease renewal messages,
>> then you will have a bigger problem with the "RTR-ADVERT" messages
>> that dnsmasq issues every 3//4/5 seconds for every started interface.
> Yes, that's definitely a no-go. I'm pretty sure nobody would stand for
> that. If that's how dnsmasq operates, we can't switch to using dnsmasq
> until that's remedied.
I agree ... all those messages are a non starter! I am hoping that
there will be a log-ra parameter since that should be handled by the
capability code you are adding.
But, I also want to get log-dhcp "fixed" because it mostly determines
the formation and not "if" a syslog message is generated. [See
dnsmasq-discussion]
>
>> I have submitted a "tiny" patch to dnsmasq which ties issuing this
>> message to log-dhcp being enabled.
>
> That will be good, but since it will be something not detectable from
> the --help output, it will mean that use of dnsmasq for RA will need to
> be dependent on an "even later" version of dnsmasq.
That is why I really want "log-ra" added so that it will appear in
dnsmasq --help
>
>
>>>> If nothing is specified, then the default is no, no, no so that things
>>>> work as they do now. Currently, if the boolean value is 'no' or
>>>> false, then that parameter is not written out. I could easily change
>>>> that depending on what others want to do.
>>>>
>>>> Laine, I changed this to be disableDnsmasq because that is the real
>>>> result. If this is specified, then starting radvd will also be
>>>> suppressed. It is as if no IPv4 or IPv6 addresses were specified.
>>>> However, the iptables and ip6tables rules will remain the same since
>>>> it is assumed that gateway addresses will be specified.
>>> Actually that's yet another switch that we need to add - the ability to
>>> suppress all iptables rules for a particular network (unless it is in
>>> NAT mode, in which case it makes no sense, because it's the difference
>>> in rules that changes it from mode='route' to mode='nat'). Perhaps it
>>> could be something like filter='none|open|restricted', although I don't
>>> know if that's descriptive enough - even without getting into specific
>>> protocols (which I don't think should be done - at that point they
>>> should really be using a guest-specific filterref) you might still want
>>> to know if there should be any rules at all, allow everything, allow
>>> outgoing sessions but not incoming, allow inter-guest traffic but not
>>> incoming from the outside, allow nothing (all of these could be
>>> overridden by a particular guest's filterref)
>> Easy enough to implement but what is the purpose. If there are no
>> rules at all (and perhaps no gateway addresses), then the interface
>> will not work for guest-to-guest communications either.
> Because some people want libvirt-created networks, but want to manage
> the firewall rules themselves.
OK. Understood and I agree. However, should this be specified in the
<network> or <interface>?
>
> (btw, you must be running with net.bridge.bridge-nf-call-iptables=1,
> otherwise communications between guests (ipv4 and ipv6) would work just
> fine with no extra rules)
Did not know that (there are a lot of things I do not know or
understand). I will have to do some testing.
BTW, if this is true, why are the IPv4 (iptables) rules added when there
are no IP addresses (v4 or v6) specified on an network interface?
I need to figure out what is setting this (or is it a default) because:
sysctl -a | grep "bridge-nf-call"
results in:
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
So yes, the rule is needed.
>
>> But wait, if there are no rules at all the the "default"
>> "--reject-with icmp-port-unreachable" will not be there either so
>> maybe things will work. However, I thought that filters were
>> specified as part of the <interface> definition, not the <network>
>> definition.
> Yes, exactly. The network would have no rules of its own (or maybe a
> ruleset to allow only incoming, as is currently the case for a NATed
> network), and each guest's interface could override that with its own
> rules to allow incoming.
>
>> So, where should this be handled? It makes some sense to me that for
>> the types of networks src/network/bridge_driver.c handles, maybe
>> <network> is more appropriate.
> More appropriate than what? Than using a <filterref> in each guest's
> interface? Or more appropriate than making it an option of <forward>? I
> think it makes sense to have this be an option of <forward>, because it
> is controlling exactly what traffic is allowed to be forwarded. And when
> you look at the existing forwarding modes:
>
> <forward mode='nat'>
>
> It doesn't make sense to have different levels of filtering for a NATed
> network, because the filter rules are required for NAT to work at all,
> and due to the way NAT works, incoming sessions are impractical anyway:
>
> none - nonsensical (if you're not going to allow any traffic in-out,
> then why have <forward> at all?)
> open - nonsensical (incoming sessions can't work without additional
> forwarding rules anyway)
> restricted - that's what it does anyway
>
> <forward mode='bridge|hostdev'>
>
> These networks have nothing managed by libvirt anyway
>
> <forward mode='none'> (i.e. "no <forward> element)
>
> By definition if you have this type of network, you don't want to allow
> any traffic in or out of the network (heck, we even run dnsmasq with
> different options so that the dns server won't forward requests for
> unknown hosts).
>
> <forward mode='route'>
>
> This is the *only* type of forwarding where it makes sense to offer
> different options for the stock filters provided by libvirt.
>
> none - the host admin will be managing filters themselves external to
> libvirt.
>
> open - this is what it currently does - allows incoming and outgoing
> sessions
>
> restricted - this would be similar to what is currently done in NAT mode
> (allow outgoing sessions but not incoming), but without the
> extra mangling rules to NAT the packets.
>
> Since the different filtering options only make sense for forward
> mode='route', it's sensible to put the option in the <forward> element.
>
> But that's really a separate topic that I didn't originally intend to
> get entwined with the dns/ra/logging things we're talking about now...
Yes, but it all does tie together.
By default, if no IP addresses are specified, then you are "restricted"
in that no communications exists between any guests using that virtual
interface and the virtualization host. But, if no IP addresses are
specified, then, as currently implemented, IPv4 communications is
permitted between guest virtual systems. I only wish to have this same
capability available to IPv6.
BTW, if a user want dns, dhcp, Ra, etc. services, then it has to be
implemented in a guest virtual system.
>
>>>> I have scratched an itch of mine by providing a way to specify that
>>>> dns-queries and dhcp activity should be logged and that this is
>>>> specified separately for each virtual network interface.
>>>>
>>>> Dan suggested that a user might still want to run dnsmasq's dns
>>>> service even if no IP addresses are specified. However, in that case
>>>> I am not sure what dnsmasq is suppose to monitor for queries ... it
>>>> needs some kind of address or we will have the problems which the
>>>> bind-dynamic update is suppose to fix.
>>> Yeah, I didn't understand that either - If the bridge has no IP address,
>>> there's no target IP for a DNS request to be sent to. I just assumed he
>>> was thinking of something else.
>> Believe it or not, it is possible to start dnsmasq on an interface
>> which has no gateway addresses and --port=0 so that there no dns ...
>> it runs and appears to do nothing. Again, what purpose is there to
>> starting dnsmasq in this situation?
>
> As I implied above, I don't think there is any purpose to it.
I agree. And since we are in agreement, that is how I will implement
it. And, it would make sense to have:
<dns enable='yes|no' />
>
>
>>>
>>>> I have not integrated this with the bind-dynamic update but plan to
>>>> before I submit it. I will be submitting this patch with the IPV6
>>>> enhancement, DHCPv6, etc. series since it is yet again messing with
>>>> the same code.
>>>>
>>>> If any of the series get rejected rather than accepted, it will not be
>>>> too much of a problem to rework them.
>> One last question. Considering all of these various new xml
>> parameters/attributes, should they all be on the <network> statement,
>> only part of them on <network> and others on a (perhaps) a <logging>
>> defintion, or maybe an <options> statement.
> If you want to consolidate options, rather than grouping according to
> <logging> and <options>, why not put the dhcp-related options in the
> <dhcp> element (edit: see below - I think I've changed my mind about
> <dhcp>), and the dns-related options in the <dns> element as I
> originally proposed. I can't think of any reason why (especially
> considering that the <dns> element already exists as a direct
> sub-element of <network> that this:
>
> <network>
> <dns enable='no'/>
>
> or:
>
> <network>
> <dns log='yes'/> <!-- or perhaps use "debug|info|warn|error|none" or
> something -->
>
> is any worse than this:
>
> <network disableDns='yes'>
>
> or
>
> <network logDns='yes'>
>
> or this:
>
> <network>
> <option disableDns='yes'/>
>
> or
>
> <network>
> <logging dns='yes'/>
>
> or even this:
>
> <network enableDns='no'>
>
> or
>
> <network>
> <option enableDns='no'/>
>
> Rather, I would argue that it is *better* to put dns-related options in
> the already-existing <dns> element. Why create a new element that mixes
> the options of different functions when an element for each of those
> functions already exists.
OK, enable= and log= will go in the <dns> element.
For, enableRA, it will go in any <ip family='ipv6">. If enableRA='yes'
and if dhcp is specified for that element, the stateful RA will be
configured. If enableRA='yes' (the default) and no dhcp is specified,
then stateless RA is configured. If enableRA='no', no RA is configured
for that subnet. If all ipv6 specifications have enableRA='no', then
nether radvd will be started nor will dnsmasq be configured for RA.
If any IPv4 or IPv6 DHCP specification which includes log='yes', then
log-dhcp will be specified for the interface.
When (hopefully not if) dnsmasq is changed to include log-ra to enable
messages about RA sent to syslog and log-ra is added to --help, then any
<IP family='ipv6' logRA='yes' ... /> will enable it for all IPv6
addresses on that interface.
If dns is disabled and there is no dhcp specification but RA is not
disabled on all IPv6 specifications, then ??
It is not clear to me that dnsmasq could handle state-less RA if there
is no dns and no dhcp specified. In fact, the way state-less RA is
specified is with dhcp-range=<ipv6-address>,ra-only ... more testing!
>
>
>> Comments? Suggesting?
> 1) I think dns should be disabled with "<dns enable='no'/>". The element
> already exists, and is the perfect place to add dns-related options
> (that is *why* it exists)
OK, for the <dns> element, enable= and log= will be added.
>
> 2) disabling IPv6 RA should be done by having <ip family='ipv6' ....
> enableRa='no' ...> in each ipv6 ip address element - if all ipv6
> addresses have enableRa='no', then radvd (or the ra in dnsmasq) won't be
> run.
Yup.
>
> 3) we don't need any option to disable dhcp - that's what happens if
> there are no <dhcp> elements.
Yup.
>
>
> 4) I think I've changed my mind about logging options - these options
> would need to be set on at least a network-wide scale, but while there
> is a perfect existing element for that for dns, the <dhcp> and <ip>
> options are one-per IP address, which would lead to ambiguity and/or
> conflict. Beyond that, there is no existing example of setting logging
> level anywhere in libvirt XML - the only logging controls are done in
> the environment or via libvirtd.conf, and I don't know that either of
> those places are appropriate either. So I think we should separate that
> off and discuss it separately.
See above ... if any log(dhcp)='yes' or any logRA='yes', that logging
will be enabled for the interface. As I see it, the alternative is to
add it to <network>.
Now, a little coding and a whole bunch of testing. And, some
"discussion" about what/how-much dnsmasq send to syslog.
Gene
On 11/26/2012 10:40 AM, Gene Czarcinski wrote:
OK, enable= and log= will go in the <dns> element.
For, enableRA, it will go in any <ip family='ipv6">. If enableRA='yes' and if dhcp is specified for that element, the stateful RA will be configured. If enableRA='yes' (the default) and no dhcp is specified, then stateless RA is configured. If enableRA='no', no RA is configured for that subnet. If all ipv6 specifications have enableRA='no', then nether radvd will be started nor will dnsmasq be configured for RA.
If any IPv4 or IPv6 DHCP specification which includes log='yes', then log-dhcp will be specified for the interface.
When (hopefully not if) dnsmasq is changed to include log-ra to enable messages about RA sent to syslog and log-ra is added to --help, then any <IP family='ipv6' logRA='yes' ... /> will enable it for all IPv6 addresses on that interface.
If dns is disabled and there is no dhcp specification but RA is not disabled on all IPv6 specifications, then ??
It is not clear to me that dnsmasq could handle state-less RA if there is no dns and no dhcp specified. In fact, the way state-less RA is specified is with dhcp-range=<ipv6-address>,ra-only ... more testing! On other thing ...
When a network specification is saved back to an xml file, should the default values of these new parameters be saved. I believe the answer is no. For example, <ip family='ipv4' is the default but is not saved as such. Gene
On 11/26/2012 10:56 AM, Gene Czarcinski wrote:
One other thing ...
When a network specification is saved back to an xml file, should the default values of these new parameters be saved. I believe the answer is no. For example, <ip family='ipv4' is the default but is not saved as such.
Generally the *Format() functions omit attributes/elements if they are set to the default value.
On 11/26/2012 10:40 AM, Gene Czarcinski wrote:
I understand that you can define multiple IPv4 and multiple IPv6 gateway addresses on a network interface but only one IPv4 DHCP and one IPv6 DHCP. I can see the need for both IPv4 and IPv6 protocols on a single network "fabric" but I am not sure how many real network "fabrics" have multiple subnetworks on them. Yes, it could be done but I am not certain why you would do that (and I am also sure that someone has a very valid reason for doing that). Oops! There may be a problem here with radvd!.
I have difficulty in understanding why one would define multiple IPv6 (or even IPv4) subnetworks on a single interface. Well, I guess the radvd authors did also: the AdvManagedFlag on/off applies to the entire interface and no a specific network. I am verifying this but there is a chance that dsnmasq could support both for different subnetworks. I guess that dnsmasq could be used to support one and radvd used to support the other but ??? I believe this may need more discussion from others. I would like to have someone other than the two of us chime in on this. Gene
On 11/26/2012 11:19 AM, Gene Czarcinski wrote:
On 11/26/2012 10:40 AM, Gene Czarcinski wrote:
I understand that you can define multiple IPv4 and multiple IPv6 gateway addresses on a network interface but only one IPv4 DHCP and one IPv6 DHCP. I can see the need for both IPv4 and IPv6 protocols on a single network "fabric" but I am not sure how many real network "fabrics" have multiple subnetworks on them. Yes, it could be done but I am not certain why you would do that (and I am also sure that someone has a very valid reason for doing that). Oops! There may be a problem here with radvd!.
I have difficulty in understanding why one would define multiple IPv6 (or even IPv4) subnetworks on a single interface. Well, I guess the radvd authors did also: the AdvManagedFlag on/off applies to the entire interface and no a specific network.
I am verifying this but there is a chance that dsnmasq could support both for different subnetworks.
I guess that dnsmasq could be used to support one and radvd used to support the other but ???
I believe this may need more discussion from others. I would like to have someone other than the two of us chime in on this. The answer is not good. Both radvd and dnsmasq are the same and you must choose state-full (DHCPv6) or state-less (SLAAC):
As Simon Kelley says: "OK, you prompted me to look at the code, which makes radvd's behavior more understandable. The Managed flag is in the header of the route-advertisement packet so it has, logically, to apply at all the prefixes contained therein. The dnsmasq implementation sets the managed flag if any of the prefixes has DHCPv6 available, but clients will take is applying to them all." So, for IPv6 on a virtual network you either have one IPv6 subnetwork with state-full DHCPv6 or you can have multiple IPv6 subnetworks with SLAAC addressing. Options: 1. Ignore the true situation and keep going. I believe some users might not like this and I certainly do not like this. 2. Start a separate radvd (or dnsmasq) to support state-full DHCPv6 and another radvd to support additional SLAAC subnetworks. [Personally, I do not like this solution.] /// The problem is that this solution may not work. /// I just checked and now I remember ... it will not work. Only one RA server per network fabric (think virtual network interface) since ff02:: addresses are being used. 3. If an IPv6 DHCP range is specified, then any additional IPv6 subnetworks are a configuration error. I believe that this is the only reasonable thing to do. So, if you want to define two IPv6 subnets, do it on two different interfaces. I believe there is not much choice in this ... it is just the way IPv6 was defined and works. [Aside: I sure would like to know of a real-world need for multiple IPv4 or multiple IPv6 subnetworks on a single network "fabric." The only possible thing I could think of is the need for a data network and a separate control network. But, from a security perspective, you really need to use either networks with encryption separation or real hardware separation.] Gene
On 11/25/2012 05:08 PM, Laine Stump wrote:
(btw, you must be running with net.bridge.bridge-nf-call-iptables=1, otherwise communications between guests (ipv4 and ipv6) would work just fine with no extra rules) Do you know what sets this?
On a system with no virtualization installed, net.bridge.bridge-nf-call-iptables=0 but with virtualization (and a lot of other stuff) installed, it is set to 1. I found only a single reference within libvirt which tests to see if they are set to 1. The values in /etc/sysctl.conf are all =0 so this must be related to something virtualization is doing (but not necessarily libvirt). Regardless, they are set so the ip6tables rule to allow guest-to-guest commo is needed. Gene
On 11/25/2012 05:08 PM, Laine Stump wrote:
then you will have a bigger problem with the "RTR-ADVERT" messages that dnsmasq issues every 3//4/5 seconds for every started interface. Yes, that's definitely a no-go. I'm pretty sure nobody would stand for
Speaking of logging, if you do not like the lease renewal messages, that. If that's how dnsmasq operates, we can't switch to using dnsmasq until that's remedied.
One-line replacement fix should "fix" the problem: change LOG_INFO to LOG_DEBUG and I am confident that it should be in 2.64. You mentioned that users were griping about other messages. I do believe that there are too many LOG_INFO messages and perhaps some of them need to have more to differentiate them and, even more likely, do issue many of those messages unless log-dhcp is specified. [otherwise, finding the real information in vast quantities of data becomes very challenging] But, it was also pointed out that too many messages means that you have not "tuned" (filtered) you syslog sufficiently. That is a very real point and could have been used for the RTR-ADVERT messages too except they really belongs in LOG_DEBUG. Gene
participants (4)
-
Daniel P. Berrange -
Gene Czarcinski -
Laine Stump -
Serge Hallyn