Description of problem:
As currently started by libvirt, the dnsmasq instance for a virtual network is undesirably passing some queries upstream. When host is used, it standardly queries for A (ipv4), AAAA (ipv6), and MX records. BTW, nslookup only does the A record query by default. Even with NO domain name specified (just plain names), dnsmasq will provide the A answer but forward the AAAA and MX queries. This should not be happening!

Version-Release number of selected component (if applicable):
Fedora 17, libvirt 0.9.11.4-3.fc17, dnsmasq-2.59-5.fc17

How reproducible:
yes, every time

Steps to Reproduce:
1. Do a query from a guest that should only be resolved by the dnsmasq for that virtual network
2. Using wireshark or whatever, monitor what the dnsmasq sends upstream
3. (I was actually using query logging on the upstream dnsmasq server.)

Actual results:
queries for AAAA and MX forwarded; query for A was answered by the dnsmasq server.

Expected results:
no queries forwarded upstream for the "domain" controlled by the dnsmasq (in other words, only those from /etc/hosts and from the dhcp service).

Additional info:
First, I wish there was an easier way to test changes to how the dnsmasq is started. Rather than beating my head up against doing a whole bunch of software changes, I tested things virtually. I set up a guest with two NICs: default and a private network. I ran dnsmasq supporting dns and dhcp for the private network. From another guest which had that private network on a NIC, do queries (host or nslookup) for its name. If you enable query logging for the dnsmasq server, you can see what is going on.

If "domain" is not specified, the dnsmasq uses the system's name for the domain. The real problem is that "local=/<domain>/" needs to be specified. After much looking, googling, and reading, the answer is quite clear in the example dnsmasq.conf.

Let's say that a user specified <domain name="virt" /> then --local="virt" must also be specified.
If no domain name is specified, then you could use the name of the system the dnsmasq server is running on or (probably better) make up some name that you create. This has been bothering me so I spent some time to figure out what was going on. If you have any questions, just say them.
Created attachment 605934 [details]
add --local= or --local=/<domainname>/

OK, I have done a whole bunch of experimenting (testing with virtual guests certainly makes things easier) and have come up with the needed changes ... namely adding "--local=". I have tested these changes with a dnsmasq on a virtual but have not really rebuilt libvirt with the patch applied ... it is going to take me some time to figure out the #$%^ spec file.

The patch will produce either "--domain <domain> --local=/<domain>/" or "--local=" which results in no forwarding for the names/IPs that dnsmasq controls. Naturally, everything else gets forwarded.
Created attachment 605942 [details] first patch had slight error ... missing ";"
Can you please also post your patches upstream to libvir-list? You will get faster review response there.
Patch submitted to libvir-list.

I am still unable to rebuild the libvirt rpm ... I got the following doing an rpmbuild -bi --short-circuit [-bp and -bc worked]

TEST: jsontest
.... 4 OK
PASS: jsontest
TEST: networkxml2xmltest
............. 13 OK
PASS: networkxml2xmltest
TEST: networkxml2argvtest
!!!!!!!!! 9 FAIL
FAIL: networkxml2argvtest
TEST: nwfilterxml2xmltest
........................................ 40 OK
PASS: nwfilterxml2xmltest
Created attachment 606340 [details]
update with tests updated

OK, this "should" do it. Both the code and the patches in tests/networkxml2argvdata/ have been updated. A test rpm has been built on an x86_64 system and the updated code has been tested. As far as I can see, it works.

Note: dnsmasq will still pass some MX queries upstream ... ones that should not be done. I will take this up with the dnsmasq folks.

I am also posting this to the libvir-list.
My oh my. Putting something on the libvir-list does get some very prompt handling of a patch (even if I did not know all the rules for contributing fixes to libvirt). The patch has been added to git: http://libvirt.org/git/?p=libvirt.git;a=commit;h=f3868259ca0517212e439a65c9060868f673b6c9 I am not sure what this means with respect to this bug report or how soon it will actually be part of the published package. I have my locally created rpms with the fix and can easily reapply it locally if there are new libvirt packages without the fix.
F18 and rawhide will pick up this fix by virtue of the fact that they are rebasing to 0.10.0 or newer; but for F17, we now need this fix backported to the upstream v0.9.11-maint branch, and wait for Cole to cut v0.9.11.6 when more bugs have been collected (he just built 0.9.11.5 this week, so it may be another couple of weeks before another maintenance build is worthwhile). I'm moving this bug to POST to track that it's ready for backport.
The patch is included in libvirt-0.10.0-1.fc17 which is now available at ftp://libvirt.org/libvirt/ Is there any reason not to build this and run it on F17?
Unfortunately, this fix needs a bit more work. As it is, forwarding name queries for the dnsmasq local domain will not occur. However, dnsmasq will still forward PTR queries for its domain. I am going to attempt to fix things without adding something to the network configuration file such as: <domain name="virt" addr="192.168.122.0/24" /domain>
Also, as pointed out in Bug 854137 and on the mailing list, the patch referenced above added --filterwin2k, which prevents guests attached to the libvirt network from joining a Windows domain. That part of the patch definitely shouldn't go into F17.

BTW, if you'd like to run newer libvirt on F17, you can add the virt-preview repo to your yum configuration: http://fedorapeople.org/groups/virt/virt-preview This will always be the version of libvirt used by Fedora ${your-release}+1, but built on Fedora ${your-release}.
New patch submitted to libvir-list to remove "--filterwin2k"
The following patch was pushed upstream. If you decide to include the earlier patch in F17, you should also include this one:

commit f20b7dbe633acf7df9921027c6ca4f0b97918c8c
Author: Gene Czarcinski <gene>
Date:   Thu Sep 6 12:08:22 2012 -0400

    remove dnsmasq command line parameter "--filterwin2k"

    This patch removed the "--filterwin2k" dnsmasq command line parameter which was unnecessary for domain specification, possibly blocked some usage, and was command line clutter.

    Gene Czarcinski <gene>
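Added example (not part of the bug thread and not libvirt's code): a Python check over a dnsmasq command line, such as one read from the process list on the host, that reports when the --domain / --local pairing described in the comments above is missing or when --filterwin2k is still passed. The function names and the sample command lines are constructed for illustration, and only the "--opt=value" and "--opt value" spellings are handled.

```python
import shlex

TAKES_VALUE = {"--domain", "--local"}  # options that may be spelled "--opt value"

def parse_options(cmdline):
    """Return (name, value) pairs for every long option on a dnsmasq command line."""
    tokens = shlex.split(cmdline)
    opts, i = [], 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("--"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "--"
            if not sep and name in TAKES_VALUE and not nxt.startswith("--"):
                value, i = nxt, i + 1      # "--domain virt" form
            opts.append((name, value))
        i += 1
    return opts

def audit(cmdline):
    """List the ways a command line departs from the forms named in the thread."""
    opts = parse_options(cmdline)
    domains = [v for n, v in opts if n == "--domain"]
    locals_ = [v for n, v in opts if n == "--local"]
    findings = []
    for d in domains:
        # A configured domain must be marked local so its names stay on the host.
        if f"/{d}/" not in locals_:
            findings.append(f"--domain {d} without --local=/{d}/")
    if not domains and "" not in locals_:
        # No domain configured: the thread's patch emits a bare "--local=".
        findings.append("no --domain and no bare --local=")
    if any(n == "--filterwin2k" for n, _ in opts):
        findings.append("--filterwin2k present")
    return findings

# Constructed command lines (not captured from a real host).
BASE = "/usr/sbin/dnsmasq --strict-order --bind-interfaces --listen-address 192.168.122.1"
SAMPLES = {
    "unpatched, domain set": BASE + " --domain virt",
    "unpatched, no domain": BASE,
    "first patch": BASE + " --domain virt --local=/virt/ --filterwin2k",
    "final, domain set": BASE + " --domain virt --local=/virt/",
    "final, no domain": BASE + " --local=",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label}: {audit(cmd) or 'ok'}")
```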
libvirt-0.9.11.6-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/libvirt-0.9.11.6-1.fc17
I am sure this will fix things but I have moved along and am running libvirt-0.10.2-1 (with some patches by me).
Package libvirt-0.9.11.6-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-0.9.11.6-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15634/libvirt-0.9.11.6-1.fc17
then log in and leave karma (feedback).