[libvirt] [PATCH 0/2] network: add dnsmasq option 'dhcp-authoritative'
Lest it be forgotten, here is a rebased version of my "dhcp-authoritative" patch (against 77d24de). According to dnsmasq(8), this option "should be set when dnsmasq is definitely the only DHCP server on a network", whis is the case for libvirt-managed networks. In practice, this option has the effect that an expired lease can be reacquired by the client using a DHCPREQUEST unless it has been given to another client in the meantime. Without "dhcp-authoritative", this operation always fails, which can be quite cumbersome. There is no protection against rogue clients hijacking other client's IP addresses, but that isn't specific to libvirt, and IP addresses don't provide security anyway. This is ovbiously not aimed at production environments; it's a convenience for developers and casual users who'd rather not be bothered with network XML host entries or the like. Original submission: https://www.redhat.com/archives/libvir-list/2016-September/msg00739.html Daniel's post where he said that "unless there's a obvious downside to it, it seems reasonable to add that": https://www.redhat.com/archives/libvir-list/2016-September/msg01305.html Regards, Martin Martin Wilck (2): network: add dnsmasq option 'dhcp-authoritative' tests/networkxml2confdata: add dhcp-authoritative option src/network/bridge_driver.c | 4 +++- tests/networkxml2confdata/dhcp6-nat-network.conf | 1 + tests/networkxml2confdata/dhcp6host-routed-network.conf | 1 + tests/networkxml2confdata/isolated-network.conf | 1 + tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 1 + tests/networkxml2confdata/nat-network-dns-srv-record.conf | 1 + tests/networkxml2confdata/nat-network-dns-txt-record.conf | 1 + tests/networkxml2confdata/nat-network-name-with-quotes.conf | 1 + tests/networkxml2confdata/nat-network.conf | 1 + tests/networkxml2confdata/netboot-network.conf | 1 + tests/networkxml2confdata/netboot-proxy-network.conf | 1 + 11 files changed, 13 insertions(+), 1 deletion(-) -- 2.10.0
The dnsmasq man page recommends that dhcp-authoritative "should be set when dnsmasq is definitely the only DHCP server on a network". This is the case for libvirt-managed virtual networks. The effect of this is that VMs that fail to renew their DHCP lease in time (e.g. if the VM or host is suspended) will be able to re-acquire the lease even if it's expired, unless the IP address has been taken by some other host. This avoids various annoyances caused by changing VM IP addresses. Signed-off-by: Martin Wilck <mwilck@suse.de> --- src/network/bridge_driver.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 7b99aca..cb4fb1c 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -1258,8 +1258,10 @@ networkDnsmasqConfContents(virNetworkObjPtr network, /* Note: the following is IPv4 only */ if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) { - if (ipdef->nranges || ipdef->nhosts) + if (ipdef->nranges || ipdef->nhosts) { virBufferAddLit(&configbuf, "dhcp-no-override\n"); + virBufferAddLit(&configbuf, "dhcp-authoritative\n"); + } if (ipdef->tftproot) { virBufferAddLit(&configbuf, "enable-tftp\n"); -- 2.10.0
The previous patch changes the confdata output for dnsmasq. Adapt the expected test results to match. Signed-off-by: Martin Wilck <mwilck@suse.de> --- tests/networkxml2confdata/dhcp6-nat-network.conf | 1 + tests/networkxml2confdata/dhcp6host-routed-network.conf | 1 + tests/networkxml2confdata/isolated-network.conf | 1 + tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 1 + tests/networkxml2confdata/nat-network-dns-srv-record.conf | 1 + tests/networkxml2confdata/nat-network-dns-txt-record.conf | 1 + tests/networkxml2confdata/nat-network-name-with-quotes.conf | 1 + tests/networkxml2confdata/nat-network.conf | 1 + tests/networkxml2confdata/netboot-network.conf | 1 + tests/networkxml2confdata/netboot-proxy-network.conf | 1 + 10 files changed, 10 insertions(+) diff --git a/tests/networkxml2confdata/dhcp6-nat-network.conf b/tests/networkxml2confdata/dhcp6-nat-network.conf index 17076b8..d1058df 100644 --- a/tests/networkxml2confdata/dhcp6-nat-network.conf +++ b/tests/networkxml2confdata/dhcp6-nat-network.conf @@ -10,6 +10,7 @@ bind-dynamic interface=virbr0 dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override +dhcp-authoritative dhcp-range=2001:db8:ac10:fd01::1:10,2001:db8:ac10:fd01::1:ff,64 dhcp-lease-max=493 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile diff --git a/tests/networkxml2confdata/dhcp6host-routed-network.conf b/tests/networkxml2confdata/dhcp6host-routed-network.conf index 5728ee4..87a1498 100644 --- a/tests/networkxml2confdata/dhcp6host-routed-network.conf +++ b/tests/networkxml2confdata/dhcp6host-routed-network.conf @@ -10,6 +10,7 @@ bind-dynamic interface=virbr1 dhcp-range=192.168.122.1,static dhcp-no-override +dhcp-authoritative dhcp-range=2001:db8:ac10:fd01::1,static,64 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/local.hostsfile addn-hosts=/var/lib/libvirt/dnsmasq/local.addnhosts diff --git a/tests/networkxml2confdata/isolated-network.conf b/tests/networkxml2confdata/isolated-network.conf index fbdf75a..ce4a59f 100644 --- a/tests/networkxml2confdata/isolated-network.conf +++ b/tests/networkxml2confdata/isolated-network.conf @@ -12,6 +12,7 @@ dhcp-option=3 no-resolv dhcp-range=192.168.152.2,192.168.152.254 dhcp-no-override +dhcp-authoritative dhcp-lease-max=253 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/private.hostsfile addn-hosts=/var/lib/libvirt/dnsmasq/private.addnhosts diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf index 08ed672..f35ea1d 100644 --- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf +++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf @@ -15,6 +15,7 @@ listen-address=10.24.10.1 srv-host=_name._tcp dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override +dhcp-authoritative dhcp-lease-max=253 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record.conf b/tests/networkxml2confdata/nat-network-dns-srv-record.conf index d7de422..af1ed70 100644 --- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf +++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf @@ -17,6 +17,7 @@ srv-host=_name6._tcp.test6.com,test6.example.com,6666,0,666 srv-host=_name7._tcp.test7.com,test7.example.com,1,0,777 dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override +dhcp-authoritative dhcp-lease-max=253 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts diff --git a/tests/networkxml2confdata/nat-network-dns-txt-record.conf b/tests/networkxml2confdata/nat-network-dns-txt-record.conf index 44ed6bd..7f560fb 100644 --- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf +++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf @@ -11,6 +11,7 @@ interface=virbr0 txt-record=example,example value dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override +dhcp-authoritative dhcp-lease-max=253 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts diff --git a/tests/networkxml2confdata/nat-network-name-with-quotes.conf b/tests/networkxml2confdata/nat-network-name-with-quotes.conf index a1c839e..36e11d1 100644 --- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf +++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf @@ -15,6 +15,7 @@ listen-address=10.24.10.1 srv-host=_name._tcp dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override +dhcp-authoritative dhcp-lease-max=253 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default"with"quotes".hostsfile addn-hosts=/var/lib/libvirt/dnsmasq/default"with"quotes".addnhosts diff --git a/tests/networkxml2confdata/nat-network.conf b/tests/networkxml2confdata/nat-network.conf index 34d5b17..a3c8b10 100644 --- a/tests/networkxml2confdata/nat-network.conf +++ b/tests/networkxml2confdata/nat-network.conf @@ -10,6 +10,7 @@ bind-dynamic interface=virbr0 dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override +dhcp-authoritative dhcp-lease-max=253 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts diff --git a/tests/networkxml2confdata/netboot-network.conf b/tests/networkxml2confdata/netboot-network.conf index 4b8f0cc..b554a54 100644 --- a/tests/networkxml2confdata/netboot-network.conf +++ b/tests/networkxml2confdata/netboot-network.conf @@ -12,6 +12,7 @@ bind-interfaces listen-address=192.168.122.1 dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override +dhcp-authoritative enable-tftp tftp-root=/var/lib/tftproot dhcp-boot=pxeboot.img diff --git a/tests/networkxml2confdata/netboot-proxy-network.conf b/tests/networkxml2confdata/netboot-proxy-network.conf index 61a025c..afb4033 100644 --- a/tests/networkxml2confdata/netboot-proxy-network.conf +++ b/tests/networkxml2confdata/netboot-proxy-network.conf @@ -12,6 +12,7 @@ bind-interfaces listen-address=192.168.122.1 dhcp-range=192.168.122.2,192.168.122.254 dhcp-no-override +dhcp-authoritative dhcp-boot=pxeboot.img,,10.20.30.40 dhcp-lease-max=253 dhcp-hostsfile=/var/lib/libvirt/dnsmasq/netboot.hostsfile -- 2.10.0
Heh. I finally got around to pushing your patch maybe 5 or 10 minutes before you resent, and just now hit send on the reply message, then saw this in my inbox :-) Sorry again for seeming so much like a government bureaucracy. On 10/10/2016 03:20 PM, Martin Wilck wrote:
Lest it be forgotten, here is a rebased version of my "dhcp-authoritative" patch (against 77d24de). According to dnsmasq(8), this option "should be set when dnsmasq is definitely the only DHCP server on a network", whis is the case for libvirt-managed networks. In practice, this option has the effect that an expired lease can be reacquired by the client using a DHCPREQUEST unless it has been given to another client in the meantime. Without "dhcp-authoritative", this operation always fails, which can be quite cumbersome. There is no protection against rogue clients hijacking other client's IP addresses, but that isn't specific to libvirt, and IP addresses don't provide security anyway. This is ovbiously not aimed at production environments; it's a convenience for developers and casual users who'd rather not be bothered with network XML host entries or the like.
Original submission: https://www.redhat.com/archives/libvir-list/2016-September/msg00739.html
Daniel's post where he said that "unless there's a obvious downside to it, it seems reasonable to add that": https://www.redhat.com/archives/libvir-list/2016-September/msg01305.html
Regards, Martin
Martin Wilck (2): network: add dnsmasq option 'dhcp-authoritative' tests/networkxml2confdata: add dhcp-authoritative option
src/network/bridge_driver.c | 4 +++- tests/networkxml2confdata/dhcp6-nat-network.conf | 1 + tests/networkxml2confdata/dhcp6host-routed-network.conf | 1 + tests/networkxml2confdata/isolated-network.conf | 1 + tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 1 + tests/networkxml2confdata/nat-network-dns-srv-record.conf | 1 + tests/networkxml2confdata/nat-network-dns-txt-record.conf | 1 + tests/networkxml2confdata/nat-network-name-with-quotes.conf | 1 + tests/networkxml2confdata/nat-network.conf | 1 + tests/networkxml2confdata/netboot-network.conf | 1 + tests/networkxml2confdata/netboot-proxy-network.conf | 1 + 11 files changed, 13 insertions(+), 1 deletion(-)
On Mon, 2016-10-10 at 15:28 -0400, Laine Stump wrote:
Heh. I finally got around to pushing your patch maybe 5 or 10 minutes before you resent, and just now hit send on the reply message, then saw this in my inbox :-) Sorry again for seeming so much like a government bureaucracy.
No problem at all, I'm glad you merged my patch despite its formal problems. Thanks a lot! Weird coincidence that we both worked on this literally in the same minute :-) Regards Martin
participants (2)
-
Laine Stump -
Martin Wilck