2:20 p.m.
Lest it be forgotten, here is a rebased version of my "dhcp-authoritative"
patch (against 77d24de). According to dnsmasq(8), this option "should
be set when dnsmasq is definitely the only DHCP server on a network",
whis is the case for libvirt-managed networks.
In practice, this option has the effect that an expired lease can be
reacquired by the client using a DHCPREQUEST unless it has been given
to another client in the meantime. Without "dhcp-authoritative", this
operation always fails, which can be quite cumbersome.
There is no protection against rogue clients hijacking other client's
IP addresses, but that isn't specific to libvirt, and IP addresses don't
provide security anyway.
This is ovbiously not aimed at production environments; it's a convenience
for developers and casual users who'd rather not be bothered with network
XML host entries or the like.
Original submission:
https://www.redhat.com/archives/libvir-list/2016-September/msg00739.html
Daniel's post where he said that "unless there's a obvious downside to it,
it seems reasonable to add that":
https://www.redhat.com/archives/libvir-list/2016-September/msg01305.html
Regards,
Martin
Martin Wilck (2):
network: add dnsmasq option 'dhcp-authoritative'
tests/networkxml2confdata: add dhcp-authoritative option
src/network/bridge_driver.c | 4 +++-
tests/networkxml2confdata/dhcp6-nat-network.conf | 1 +
tests/networkxml2confdata/dhcp6host-routed-network.conf | 1 +
tests/networkxml2confdata/isolated-network.conf | 1 +
tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 1 +
tests/networkxml2confdata/nat-network-dns-srv-record.conf | 1 +
tests/networkxml2confdata/nat-network-dns-txt-record.conf | 1 +
tests/networkxml2confdata/nat-network-name-with-quotes.conf | 1 +
tests/networkxml2confdata/nat-network.conf | 1 +
tests/networkxml2confdata/netboot-network.conf | 1 +
tests/networkxml2confdata/netboot-proxy-network.conf | 1 +
11 files changed, 13 insertions(+), 1 deletion(-)
--
2.10.0
2:20 p.m.
New subject: [libvirt] [PATCH 1/2] network: add dnsmasq option 'dhcp-authoritative'
The dnsmasq man page recommends that dhcp-authoritative "should be
set when dnsmasq is definitely the only DHCP server on a network".
This is the case for libvirt-managed virtual networks.
The effect of this is that VMs that fail to renew their DHCP lease
in time (e.g. if the VM or host is suspended) will be able to
re-acquire the lease even if it's expired, unless the IP address has
been taken by some other host. This avoids various annoyances caused
by changing VM IP addresses.
Signed-off-by: Martin Wilck <mwilck(a)suse.de>
---
src/network/bridge_driver.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 7b99aca..cb4fb1c 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1258,8 +1258,10 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
/* Note: the following is IPv4 only */
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET)) {
- if (ipdef->nranges || ipdef->nhosts)
+ if (ipdef->nranges || ipdef->nhosts) {
virBufferAddLit(&configbuf, "dhcp-no-override\n");
+ virBufferAddLit(&configbuf, "dhcp-authoritative\n");
+ }
if (ipdef->tftproot) {
virBufferAddLit(&configbuf, "enable-tftp\n");
--
2.10.0
2:20 p.m.
New subject: [libvirt] [PATCH 2/2] tests/networkxml2confdata: add dhcp-authoritative option
The previous patch changes the confdata output for dnsmasq. Adapt
the expected test results to match.
Signed-off-by: Martin Wilck <mwilck(a)suse.de>
---
tests/networkxml2confdata/dhcp6-nat-network.conf | 1 +
tests/networkxml2confdata/dhcp6host-routed-network.conf | 1 +
tests/networkxml2confdata/isolated-network.conf | 1 +
tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 1 +
tests/networkxml2confdata/nat-network-dns-srv-record.conf | 1 +
tests/networkxml2confdata/nat-network-dns-txt-record.conf | 1 +
tests/networkxml2confdata/nat-network-name-with-quotes.conf | 1 +
tests/networkxml2confdata/nat-network.conf | 1 +
tests/networkxml2confdata/netboot-network.conf | 1 +
tests/networkxml2confdata/netboot-proxy-network.conf | 1 +
10 files changed, 10 insertions(+)
diff --git a/tests/networkxml2confdata/dhcp6-nat-network.conf
b/tests/networkxml2confdata/dhcp6-nat-network.conf
index 17076b8..d1058df 100644
--- a/tests/networkxml2confdata/dhcp6-nat-network.conf
+++ b/tests/networkxml2confdata/dhcp6-nat-network.conf
@@ -10,6 +10,7 @@ bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
+dhcp-authoritative
dhcp-range=2001:db8:ac10:fd01::1:10,2001:db8:ac10:fd01::1:ff,64
dhcp-lease-max=493
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
diff --git a/tests/networkxml2confdata/dhcp6host-routed-network.conf
b/tests/networkxml2confdata/dhcp6host-routed-network.conf
index 5728ee4..87a1498 100644
--- a/tests/networkxml2confdata/dhcp6host-routed-network.conf
+++ b/tests/networkxml2confdata/dhcp6host-routed-network.conf
@@ -10,6 +10,7 @@ bind-dynamic
interface=virbr1
dhcp-range=192.168.122.1,static
dhcp-no-override
+dhcp-authoritative
dhcp-range=2001:db8:ac10:fd01::1,static,64
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/local.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/local.addnhosts
diff --git a/tests/networkxml2confdata/isolated-network.conf
b/tests/networkxml2confdata/isolated-network.conf
index fbdf75a..ce4a59f 100644
--- a/tests/networkxml2confdata/isolated-network.conf
+++ b/tests/networkxml2confdata/isolated-network.conf
@@ -12,6 +12,7 @@ dhcp-option=3
no-resolv
dhcp-range=192.168.152.2,192.168.152.254
dhcp-no-override
+dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/private.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/private.addnhosts
diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
index 08ed672..f35ea1d 100644
--- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
+++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
@@ -15,6 +15,7 @@ listen-address=10.24.10.1
srv-host=_name._tcp
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
+dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
index d7de422..af1ed70 100644
--- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
+++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
@@ -17,6 +17,7 @@ srv-host=_name6._tcp.test6.com,test6.example.com,6666,0,666
srv-host=_name7._tcp.test7.com,test7.example.com,1,0,777
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
+dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
diff --git a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
index 44ed6bd..7f560fb 100644
--- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
+++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
@@ -11,6 +11,7 @@ interface=virbr0
txt-record=example,example value
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
+dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
diff --git a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
index a1c839e..36e11d1 100644
--- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
+++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
@@ -15,6 +15,7 @@ listen-address=10.24.10.1
srv-host=_name._tcp
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
+dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default"with"quotes".hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default"with"quotes".addnhosts
diff --git a/tests/networkxml2confdata/nat-network.conf
b/tests/networkxml2confdata/nat-network.conf
index 34d5b17..a3c8b10 100644
--- a/tests/networkxml2confdata/nat-network.conf
+++ b/tests/networkxml2confdata/nat-network.conf
@@ -10,6 +10,7 @@ bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
+dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
diff --git a/tests/networkxml2confdata/netboot-network.conf
b/tests/networkxml2confdata/netboot-network.conf
index 4b8f0cc..b554a54 100644
--- a/tests/networkxml2confdata/netboot-network.conf
+++ b/tests/networkxml2confdata/netboot-network.conf
@@ -12,6 +12,7 @@ bind-interfaces
listen-address=192.168.122.1
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
+dhcp-authoritative
enable-tftp
tftp-root=/var/lib/tftproot
dhcp-boot=pxeboot.img
diff --git a/tests/networkxml2confdata/netboot-proxy-network.conf
b/tests/networkxml2confdata/netboot-proxy-network.conf
index 61a025c..afb4033 100644
--- a/tests/networkxml2confdata/netboot-proxy-network.conf
+++ b/tests/networkxml2confdata/netboot-proxy-network.conf
@@ -12,6 +12,7 @@ bind-interfaces
listen-address=192.168.122.1
dhcp-range=192.168.122.2,192.168.122.254
dhcp-no-override
+dhcp-authoritative
dhcp-boot=pxeboot.img,,10.20.30.40
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/netboot.hostsfile
--
2.10.0
2:28 p.m.
Heh. I finally got around to pushing your patch maybe 5 or 10 minutes
before you resent, and just now hit send on the reply message, then saw
this in my inbox :-) Sorry again for seeming so much like a government
bureaucracy.
On 10/10/2016 03:20 PM, Martin Wilck wrote:
Lest it be forgotten, here is a rebased version of my
"dhcp-authoritative"
patch (against 77d24de). According to dnsmasq(8), this option "should
be set when dnsmasq is definitely the only DHCP server on a network",
whis is the case for libvirt-managed networks.
In practice, this option has the effect that an expired lease can be
reacquired by the client using a DHCPREQUEST unless it has been given
to another client in the meantime. Without "dhcp-authoritative", this
operation always fails, which can be quite cumbersome.
There is no protection against rogue clients hijacking other client's
IP addresses, but that isn't specific to libvirt, and IP addresses don't
provide security anyway.
This is ovbiously not aimed at production environments; it's a convenience
for developers and casual users who'd rather not be bothered with network
XML host entries or the like.
Original submission:
https://www.redhat.com/archives/libvir-list/2016-September/msg00739.html
Daniel's post where he said that "unless there's a obvious downside to it,
it seems reasonable to add that":
https://www.redhat.com/archives/libvir-list/2016-September/msg01305.html
Regards,
Martin
Martin Wilck (2):
network: add dnsmasq option 'dhcp-authoritative'
tests/networkxml2confdata: add dhcp-authoritative option
src/network/bridge_driver.c | 4 +++-
tests/networkxml2confdata/dhcp6-nat-network.conf | 1 +
tests/networkxml2confdata/dhcp6host-routed-network.conf | 1 +
tests/networkxml2confdata/isolated-network.conf | 1 +
tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 1 +
tests/networkxml2confdata/nat-network-dns-srv-record.conf | 1 +
tests/networkxml2confdata/nat-network-dns-txt-record.conf | 1 +
tests/networkxml2confdata/nat-network-name-with-quotes.conf | 1 +
tests/networkxml2confdata/nat-network.conf | 1 +
tests/networkxml2confdata/netboot-network.conf | 1 +
tests/networkxml2confdata/netboot-proxy-network.conf | 1 +
11 files changed, 13 insertions(+), 1 deletion(-)
2:31 p.m.
On Mon, 2016-10-10 at 15:28 -0400, Laine Stump wrote:
Heh. I finally got around to pushing your patch maybe 5 or 10
minutes
before you resent, and just now hit send on the reply message, then
saw
this in my inbox :-) Sorry again for seeming so much like a
government
bureaucracy.
No problem at all, I'm glad you merged my patch despite its formal
problems. Thanks a lot! Weird coincidence that we both worked on this
literally in the same minute :-)
Regards
Martin
2965
days inactive
2965
days old
4 comments
2 participants
participants (2)
-
Laine Stump -
Martin Wilck