Bug 1179756 - dnsmasq does not support MAC address based matching for IPv6
Summary: dnsmasq does not support MAC address based matching for IPv6
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dnsmasq
Version: 7.0
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Pavel Šimerda (pavlix)
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: 1168526 1177797
Blocks: 1195356 1196533
Reported: 2015-01-07 13:45 UTC by Ihar Hrachyshka
Modified: 2019-11-14 06:35 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1174215
: 1195356 1196533 (view as bug list)
Environment:
Last Closed: 2015-11-20 10:26:40 UTC
Target Upstream Version:
Embargoed:


Attachments
patch adding requested functionality (44.65 KB, patch), 2015-02-20 13:04 UTC, Tomáš Hozza
patch adding requested functionality (44.65 KB, patch), 2015-02-20 13:10 UTC, Tomáš Hozza


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1408297 0 None None None Never

Comment 1 Ihar Hrachyshka 2015-01-07 13:49:06 UTC
OpenStack Neutron 2014.2+ (Juno) requires dnsmasq 2.67+ to support DHCPv6 stateful mode for its DHCP agent. This is because older dnsmasq versions didn't include the following patch:

commit 89500e31f199e9ae1eadc86213b911ff44d30d6f
Author: Simon Kelley <simon.uk>
Date:   Fri Sep 20 16:29:20 2013 +0100

    Support MAC addresses in dhcp-host and dhcp-mac for DHCPv6.

Comment 4 Ihar Hrachyshka 2015-01-08 13:16:53 UTC
You just run dnsmasq with a host file that is designed to match against hwaddr and IPv6 addresses. Then you issue an IPv6 address request from your DHCPv6 client that is located in the same subnet. It fails with 'no addresses available' since dnsmasq fails to match the hwaddr of the DHCPv6 client. For 2.67, it correctly provides the address set in the host file.

RFC 6939 is about a new DHCP option. In OpenStack Neutron, we don't need it since we always run dnsmasq in the same broadcast domain as our DHCPv6 clients. We only need to be able to match against the hwaddr provided as part of the Ethernet frame.

Comment 20 Tomáš Hozza 2015-02-20 13:04:18 UTC
Created attachment 993897
patch adding requested functionality

Patch adding support for assigning IPv6 addresses based on MAC address for DHCPv6 in the --dhcp-host and --dhcp-mac options

Comment 21 Tomáš Hozza 2015-02-20 13:10:14 UTC
Created attachment 993898
patch adding requested functionality

Fixed one compiler warning

Comment 23 Tomáš Hozza 2015-02-20 14:51:18 UTC
Created attachment 993933
patch adding requested functionality

Hopefully final version including fixes for suspicious issues found by covscan:
http://cov01.lab.eng.brq.redhat.com/covscanhub/task/16901/log/added.err

Latest scan:
http://cov01.lab.eng.brq.redhat.com/covscanhub/task/16903/

Comment 25 Ihar Hrachyshka 2015-02-23 15:44:45 UTC
OK, so Nir Magnezi and I tested the provided package. Here are the results.

- it works in Permissive SELinux mode.

- it fails as follows in Enforcing mode.

in /var/log/messages, we get:

Feb 23 17:30:20 puma07 dnsmasq[21407]: failed to bind DHCP server socket: Permission denied
Feb 23 17:30:20 puma07 dnsmasq[21407]: FAILED to start up
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Traceback (most recent call last):
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 455, in fire_timers
Feb 23 17:30:20 puma07 neutron-dhcp-agent: timer()
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/eventlet/hubs/timer.py", line 58, in __call__
Feb 23 17:30:20 puma07 neutron-dhcp-agent: cb(*args, **kw)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 212, in main
Feb 23 17:30:20 puma07 neutron-dhcp-agent: result = function(*args, **kwargs)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/openstack/common/lockutils.py", line 249, in inner
Feb 23 17:30:20 puma07 neutron-dhcp-agent: return f(*args, **kwargs)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/external_process.py", line 284, in _check_child_processes
Feb 23 17:30:20 puma07 neutron-dhcp-agent: self._execute_action(service_id)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/external_process.py", line 295, in _execute_action
Feb 23 17:30:20 puma07 neutron-dhcp-agent: action_function(service_id)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/external_process.py", line 301, in _respawn_action
Feb 23 17:30:20 puma07 neutron-dhcp-agent: self._process_managers[service_id].enable()
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/external_process.py", line 81, in enable
Feb 23 17:30:20 puma07 neutron-dhcp-agent: ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 550, in execute
Feb 23 17:30:20 puma07 neutron-dhcp-agent: check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 86, in execute
Feb 23 17:30:20 puma07 neutron-dhcp-agent: raise RuntimeError(m)
Feb 23 17:30:20 puma07 neutron-dhcp-agent: RuntimeError:
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qdhcp-39e052d4-ad43-4022-8730-d3b83e9c3f0e', 'env', 'NEUTRON_NETWORK_ID=39e052d4-ad43-4022-8730-d3b83e9c3f0e', 'dnsmasq', '--no-hosts', '--no-resolv', '--strict-order', '--bind-interfaces', '--interface=tap3291745d-5a', '--except-interface=lo', '--pid-file=/var/lib/neutron/dhcp/39e052d4-ad43-4022-8730-d3b83e9c3f0e/pid', '--dhcp-hostsfile=/var/lib/neutron/dhcp/39e052d4-ad43-4022-8730-d3b83e9c3f0e/host', '--addn-hosts=/var/lib/neutron/dhcp/39e052d4-ad43-4022-8730-d3b83e9c3f0e/addn_hosts', '--dhcp-optsfile=/var/lib/neutron/dhcp/39e052d4-ad43-4022-8730-d3b83e9c3f0e/opts', '--leasefile-ro', '--dhcp-range=set:tag0,10.35.209.0,static,86400s', '--dhcp-lease-max=256', '--conf-file=', '--domain=openstacklocal']
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Exit code: 2
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Stdout: ''
Feb 23 17:30:20 puma07 neutron-dhcp-agent: Stderr: '\ndnsmasq: failed to bind DHCP server socket: Permission denied\n'

In an OpenStack setup, dnsmasq is executed by neutron-dhcp-agent, which runs as the 'neutron' user. The failure is because dnsmasq fails to bind to a privileged port. It seems that SELinux rules are not applied to the path.

dnsmasq is located at /usr/sbin/dnsmasq. Once I copy the executable to /usr/bin/dnsmasq and run restorecon /usr/bin/dnsmasq, everything works fine.

We've tested against a RHEL 7.1 installation, so I guess the platform is correct.

Comment 26 Tomáš Hozza 2015-02-23 15:50:12 UTC
(In reply to Ihar Hrachyshka from comment #25)
> OK, so Nir Magnezi and I tested the provided package. Here are the results.
> 
> - it works in Permissive SELinux mode.
> 
> - it fails as follows in Enforcing mode.

Thank you for testing. As for the SELinux part, please file a new bug against selinux-policy component and set it as "blocking Bug" for this dnsmasq bug.

Thank you!

Comment 27 Ihar Hrachyshka 2015-02-23 16:13:38 UTC
Ouch, it seems that moving the file is irrelevant. What is relevant is that I ran 'restorecon /usr/sbin/dnsmasq'. So I guess a pure rpm installation doesn't trigger an update of SELinux contexts (?)
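
One way to check the guess in comment 27 before reaching for restorecon, as an added example that is not part of the original thread: compare the on-disk SELinux type of the binary with the type the loaded policy assigns to that path. The function names are hypothetical, the sample contexts are constructed, and dnsmasq_exec_t is assumed to be the type the targeted policy gives /usr/sbin/dnsmasq.

```shell
#!/bin/sh
# Added example: detect SELinux file-context drift on a binary.
# Function names are hypothetical; sample contexts are constructed.

# Print the type field (third colon-separated field) of an SELinux context.
# Prints nothing for an unlabeled or unparseable value such as "?".
selinux_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Compare an on-disk context with the policy default for the same path.
# Returns 0 when the types match, 1 on drift, 2 when a context cannot be parsed.
check_label() {
    path=$1
    actual_type=$(selinux_type "$2")
    expected_type=$(selinux_type "$3")
    if [ -z "$actual_type" ] || [ -z "$expected_type" ]; then
        echo "UNKNOWN $path: cannot parse context"
        return 2
    fi
    if [ "$actual_type" = "$expected_type" ]; then
        echo "OK $path: $actual_type"
        return 0
    fi
    echo "DRIFT $path: on-disk type $actual_type, policy expects $expected_type"
    echo "  fix: restorecon -v $path"
    return 1
}

# Live check: stat -c %C reads the label on disk, matchpathcon -n prints
# the label the policy would assign. Skips cleanly without SELinux tools.
check_path_live() {
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "SKIP $1: matchpathcon not installed"
        return 0
    fi
    if [ ! -e "$1" ]; then
        echo "SKIP $1: not present"
        return 0
    fi
    check_label "$1" "$(stat -c %C "$1")" "$(matchpathcon -n "$1")"
}

# Constructed sample: a binary left with a generic label after installation.
check_label /usr/sbin/dnsmasq \
    'system_u:object_r:bin_t:s0' 'system_u:object_r:dnsmasq_exec_t:s0' || true

# The path from the comments above, checked on the running system.
check_path_live /usr/sbin/dnsmasq
```

A DRIFT result in Enforcing mode is consistent with the "failed to bind DHCP server socket: Permission denied" line in comment 25, since a binary without its expected exec type does not transition into the daemon's domain.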

Comment 34 Jan Kurik 2015-11-20 10:26:40 UTC
This bug has been closed as CURRENTRELEASE due to delivery of the fix in a z-stream. As the component is not on ACL, the fix is currently included in y-stream as well.

For more information please see the zstream process documentation:
* https://engineering.redhat.com/trac/ZStream/attachment/wiki/WikiStart/Z-Stream_process_update_4.odp .

