Bug 1179756

Summary: dnsmasq does not support MAC address based matching for IPv6
Product: Red Hat Enterprise Linux 7
Reporter: Ihar Hrachyshka <ihrachys>
Component: dnsmasq
Assignee: Pavel Šimerda (pavlix) <psimerda>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: high
Docs Contact:
Priority: high
Version: 7.0
CC: afazekas, apevec, chrisw, ihrachys, jscotka, lhh, lpeer, nyechiel, oblaut, psimerda, sclewis, tfreger, thozza, yeylon
Target Milestone: rc
Keywords: Patch, UserExperience, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1174215
: 1195356 1196533 (view as bug list) Environment:
Last Closed: 2015-11-20 10:26:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1168526, 1177797    
Bug Blocks: 1195356, 1196533    
Attachments (description, flags):
patch adding requested functionality (flags: none)
patch adding requested functionality (flags: none)

Comment 1 Ihar Hrachyshka 2015-01-07 13:49:06 UTC
OpenStack Neutron 2014.2+ (Juno) requires dnsmasq 2.67+ to support DHCPv6 stateful mode for its DHCP agent. This is because older dnsmasq versions didn't include the following patch:

commit 89500e31f199e9ae1eadc86213b911ff44d30d6f
Author: Simon Kelley <simon.uk>
Date:   Fri Sep 20 16:29:20 2013 +0100

    Support MAC addresses in dhcp-host and dhcp-mac for DHCPv6.

Comment 4 Ihar Hrachyshka 2015-01-08 13:16:53 UTC
You just run dnsmasq with a host file that is designed to match against hwaddr, and IPv6 addresses. Then you issue an IPv6 address request from your DHCPv6 client that is located in the same subnet. It fails with 'no addresses available' since dnsmasq fails to match the hwaddr of the DHCPv6 client. For 2.67, it correctly provides the address set in the host file.

RFC 6939 is about a new DHCP option. In OpenStack Neutron, we don't need it since we always run dnsmasq in the same broadcast domain as our DHCPv6 clients. We only need to be able to match against the hwaddr provided as part of the Ethernet frame.
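
An added example, not part of the original comment and not code from dnsmasq or Neutron: a POSIX shell check that lists the entries of a dnsmasq hosts file that pair a MAC address with a bracketed IPv6 address and carry no id: field, which are the entries the failure described above affects. The function names and the sample entries used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example: list dhcp-hostsfile entries that assign an IPv6 address to a
# client identified only by its MAC address.

is_mac() {
    printf '%s\n' "$1" | grep -Eqx '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}'
}

# Print how one comma-separated entry identifies its client:
#   mac-v6   MAC plus bracketed IPv6 address, no id: field
#   duid-v6  bracketed IPv6 address keyed by an id:<client-id> field
#   other    anything else (IPv4-only entries, names, tags)
# The body is a subshell so the IFS and noglob changes stay local.
classify_entry() (
    has_mac=0 has_id=0 has_v6=0
    IFS=,
    set -f    # keep "[2001:db8::10]" from being expanded as a glob
    for field in $1; do
        case $field in
            id:*)  has_id=1 ;;
            \[*\]) has_v6=1 ;;
            *)     if is_mac "$field"; then has_mac=1; fi ;;
        esac
    done
    if [ "$has_v6" = 1 ] && [ "$has_id" = 1 ]; then echo duid-v6
    elif [ "$has_v6" = 1 ] && [ "$has_mac" = 1 ]; then echo mac-v6
    else echo other
    fi
)

# Print the mac-v6 entries of a hosts file, skipping blanks and comments.
mac_keyed_v6_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if [ "$(classify_entry "$line")" = mac-v6 ]; then
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# Stand-alone use: pass the path given to --dhcp-hostsfile.
if [ "$#" -gt 0 ]; then
    mac_keyed_v6_entries "$1"
fi
```

Any line it prints depends on MAC address matching for DHCPv6 being present in the installed dnsmasq build.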

Comment 20 Tomáš Hozza 2015-02-20 13:04:18 UTC
Created attachment 993897 [details]
patch adding requested functionality

Patch adding support for assigning IPv6 addresses based on MAC address for DHCPv6 in options --dhcp-host --dhcp-mac

Comment 21 Tomáš Hozza 2015-02-20 13:10:14 UTC
Created attachment 993898 [details]
patch adding requested functionality

Fixed one compiler warning

Comment 23 Tomáš Hozza 2015-02-20 14:51:18 UTC
Created attachment 993933 [details]
patch adding requested functionality

Hopefully final version including fixes for suspicious issues found by covscan:
http://cov01.lab.eng.brq.redhat.com/covscanhub/task/16901/log/added.err

Latest scan:
http://cov01.lab.eng.brq.redhat.com/covscanhub/task/16903/

Comment 25 Ihar Hrachyshka 2015-02-23 15:44:45 UTC
OK, so Nir Magnezi and me tested the provided package. Here are the results.

- it works in Permissive SELinux mode.

- it fails as follows in Enforcing mode.

in /var/log/messages, we get:

Feb 23 17:30:20 puma07 dnsmasq[21407]: failed to bind DHCP server socket: Permission denied
Feb 23 17:30:20 puma07 dnsmasq[21407]: FAILED to start up
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Traceback (most recent call last):
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 455, in fire_timers
Feb 23 17:30:20 puma07 neutron-dhcp-agent: timer()
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/eventlet/hubs/timer.py", line 58, in __call__
Feb 23 17:30:20 puma07 neutron-dhcp-agent: cb(*args, **kw)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 212, in main
Feb 23 17:30:20 puma07 neutron-dhcp-agent: result = function(*args, **kwargs)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/openstack/common/lockutils.py", line 249, in inner
Feb 23 17:30:20 puma07 neutron-dhcp-agent: return f(*args, **kwargs)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/external_process.py", line 284, in _check_child_processes
Feb 23 17:30:20 puma07 neutron-dhcp-agent: self._execute_action(service_id)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/external_process.py", line 295, in _execute_action
Feb 23 17:30:20 puma07 neutron-dhcp-agent: action_function(service_id)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/external_process.py", line 301, in _respawn_action
Feb 23 17:30:20 puma07 neutron-dhcp-agent: self._process_managers[service_id].enable()
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/external_process.py", line 81, in enable
Feb 23 17:30:20 puma07 neutron-dhcp-agent: ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 550, in execute
Feb 23 17:30:20 puma07 neutron-dhcp-agent: check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 86, in execute
Feb 23 17:30:20 puma07 neutron-dhcp-agent: raise RuntimeError(m)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: RuntimeError:
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qdhcp-39e052d4-ad43-4022-8730-d3b83e9c3f0e', 'env', 'NEUTRON_NETWORK_ID=39e052d4-ad43-4022-8730-d3b83e9c3f0e', 'dnsmasq', '--no-hosts', '--no-resolv', '--strict-order', '--bind-interfaces', '--interface=tap3291745d-5a', '--except-interface=lo', '--pid-file=/var/lib/neutron/dhcp/39e052d4-ad43-4022-8730-d3b83e9c3f0e/pid', '--dhcp-hostsfile=/var/lib/neutron/dhcp/39e052d4-ad43-4022-8730-d3b83e9c3f0e/host', '--addn-hosts=/var/lib/neutron/dhcp/39e052d4-ad43-4022-8730-d3b83e9c3f0e/addn_hosts', '--dhcp-optsfile=/var/lib/neutron/dhcp/39e052d4-ad43-4022-8730-d3b83e9c3f0e/opts', '--leasefile-ro', '--dhcp-range=set:tag0,10.35.209.0,static,86400s', '--dhcp-lease-max=256', '--conf-file=', '--domain=openstacklocal']
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Exit code: 2
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Stdout: ''
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Stderr: '\ndnsmasq: failed to bind DHCP server socket: Permission denied\n'

In an OpenStack setup, dnsmasq is executed by neutron-dhcp-agent, which runs as the 'neutron' user. The failure is because dnsmasq fails to bind to a privileged port. It seems that SELinux rules are not applied to the path.

dnsmasq is located at /usr/sbin/dnsmasq. Once I copy the executable to /usr/bin/dnsmasq and run restorecon /usr/bin/dnsmasq, everything works fine.

We've tested against a RHEL 7.1 installation, so I guess the platform is correct.

Comment 26 Tomáš Hozza 2015-02-23 15:50:12 UTC
(In reply to Ihar Hrachyshka from comment #25)
> OK, so Nir Magnezi and me tested the provided package. Here are the results.
> 
> - it works in Permissive SELinux mode.
> 
> - it fails as follows in Enforcing mode.

Thank you for testing. As for the SELinux part, please file a new bug against selinux-policy component and set it as "blocking Bug" for this dnsmasq bug.

Thank you!

Comment 27 Ihar Hrachyshka 2015-02-23 16:13:38 UTC
Ouch, it seems that moving the file is irrelevant. What is relevant is that I ran 'restorecon /usr/sbin/dnsmasq'. So I guess pure rpm installation doesn't trigger update for selinux contexts (?)
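
An added example, not from the original comments: a read-only check that compares the on-disk SELinux label of a binary with the label the loaded policy assigns to its path, which is the condition that running restorecon corrected here. The function names are hypothetical, and the script assumes GNU stat and matchpathcon are installed.

```shell
#!/bin/sh
# Added example: read-only comparison of a file's on-disk SELinux label with
# the label the loaded policy assigns to its path. Nothing is relabelled.

# Print the type field of a context of the form user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print a verdict for an (on-disk, policy) pair of contexts:
#   ok               both carry the same type
#   mismatch         the types differ; restorecon would change the file
#   no-policy-entry  the policy has no label for this path (<<none>>)
label_verdict() {
    case $2 in
        ''|'<<none>>') echo no-policy-entry; return 0 ;;
    esac
    if [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Look up both labels for a path and report; returns 1 on a mismatch.
check_label() {
    actual=$(stat -c %C "$1") || return 2
    expected=$(matchpathcon -n "$1") || return 2
    verdict=$(label_verdict "$actual" "$expected")
    echo "$verdict: $1 on-disk=$actual policy=$expected"
    if [ "$verdict" = mismatch ]; then
        echo "preview the relabel with: restorecon -n -v $1"
        return 1
    fi
}

# Stand-alone use: ./check_label.sh /usr/sbin/dnsmasq
if [ "$#" -gt 0 ]; then
    rc=0
    for p in "$@"; do check_label "$p" || rc=1; done
    exit "$rc"
fi
```

Running it right after a package update, before switching back to Enforcing mode, shows whether the installed file kept the label the policy expects.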

Comment 34 Jan Kurik 2015-11-20 10:26:40 UTC
This bug has been closed as CURRENTRELEASE due to delivery of the fix in a z-stream. As the component is not on ACL, the fix is currently included in y-stream as well.

For more information please see the zstream process documentation:
* https://engineering.redhat.com/trac/ZStream/attachment/wiki/WikiStart/Z-Stream_process_update_4.odp .