<div dir="ltr">I tested all the combinations:<div> - just --no-ping: dnsmasq: process is missing required capability NET_ADMIN</div><div> - --no-ping + --dhcp-broadcast=mgmt: dnsmasq: process is missing required capability NET_ADMIN</div><div> - --no-ping + --dhcp-broadcast: works fine</div><div><br></div><div>Best regards,</div><div>Martin</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 21, 2024 at 1:07 AM Simon Kelley <<a href="mailto:simon@thekelleys.org.uk">simon@thekelleys.org.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">That would work, I think. Please try it and report back.<br>
<br>
Simon.<br>
<br>
On 20/02/2024 23:53, Martin Ivičič wrote:<br>
> Our intent is to run tests in CI where we can't use the root user or set any <br>
> capabilities (eventually we'll be running with <br>
> --dhcp-alternate-port=1067,1068 as well).<br>
> What do you think about the following?<br>
> <br>
> diff --git a/src/dnsmasq.c b/src/dnsmasq.c<br>
> index 30fb419..5969e01 100644<br>
> --- a/src/dnsmasq.c<br>
> +++ b/src/dnsmasq.c<br>
> @@ -315,7 +315,8 @@ int main (int argc, char **argv)<br>
>   #   ifdef HAVE_LINUX_NETWORK<br>
>         if (!option_bool(OPT_NO_PING))<br>
>      need_cap_net_raw = 1;<br>
> -      need_cap_net_admin = 1;<br>
> +      if (!option_bool(OPT_NO_PING) || daemon->force_broadcast == NULL <br>
> || daemon->force_broadcast->list != NULL)<br>
> +        need_cap_net_admin = 1;<br>
>   #   endif<br>
>       }<br>
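Review bot: the new condition inspects only the first entry of daemon->force_broadcast, so when more than one --dhcp-broadcast option is given the outcome depends on which entry ends up at the head of the list; an untagged entry anywhere in the list already makes every reply a broadcast, so walk the list and keep need_cap_net_admin only when no entry has list == NULL. The ping test is also evaluated twice now; an "if (!option_bool(OPT_NO_PING)) { need_cap_net_raw = need_cap_net_admin = 1; } else if (no untagged --dhcp-broadcast) need_cap_net_admin = 1;" shape keeps the two requirements together and reads as the rule Simon described, and the braces should follow the own-line placement used by the surrounding code in this function.<br>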
> <br>
> Best regards,<br>
> Martin<br>
><br>
> On Tue, Feb 20, 2024 at 10:21 AM Simon Kelley <<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a>> wrote:<br>
> <br>
>     Ah, this is working because you include --dhcp-broadcast, which avoids<br>
>     the ARP-cache access.<br>
> <br>
>     I'm not clear why you want to avoid CAP_NET_ADMIN, but a correct patch<br>
>     to do that would only not set need_cap_netadmin when --broadcast is set,<br>
>     and only when it's set unconditionally, without tags.<br>
> <br>
>     Cheers,<br>
> <br>
>     Simon.<br>
> <br>
> <br>
>     On 20/02/2024 00:50, Martin Ivičič wrote:<br>
>      > I'm currently running dnsmasq (with my patch applied) using the<br>
>     following script and everything seems to work fine actually - no<br>
>     errors reported.<br>
>      > (I have only added CAP_NET_BIND_SERVICE in order to be able to<br>
>     bind to port 67.)<br>
>      ><br>
>      > #!/bin/bash<br>
>      > set -euo pipefail<br>
>      > SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"<br>
>      ><br>
>      > PID_FILE=$SCRIPT_DIR/dnsmasq.pid<br>
>      ><br>
>      > dnsmasq \<br>
>      > --pid-file=$PID_FILE \<br>
>      > --dhcp-leasefile=$SCRIPT_DIR/dnsmasq.leases \<br>
>      > --strict-order \<br>
>      > --bind-interfaces \<br>
>      > --dhcp-authoritative \<br>
>      > --no-ping \<br>
>      > --dhcp-broadcast \<br>
>      > --port=0  \<br>
>      > --conf-file= \<br>
>      > --no-hosts  \<br>
>      > --interface=br-mgmt \<br>
>      > --listen-address=10.0.0.254 \<br>
>      > --dhcp-range=net:mgmt,10.0.0.1,10.0.0.250,255.255.255.0,10.0.0.255 \<br>
>      > --dhcp-option=mgmt,option:router \<br>
>      > --dhcp-host=52:54:00:00:00:01,id:*,net:mgmt,10.0.0.1 \<br>
>      > --dhcp-host=52:54:00:00:00:02,id:*,net:mgmt,10.0.0.2 \<br>
>      > --dhcp-host=52:54:00:00:00:03,id:*,net:mgmt,10.0.0.3 \<br>
>      > \<br>
>      > --interface=br-dth \<br>
>      > --listen-address=10.0.1.254 \<br>
>      > --dhcp-range=net:dth,10.0.1.1,10.0.1.250,255.255.255.0,10.0.1.255 \<br>
>      > --dhcp-option=dth,option:router \<br>
>      > --dhcp-option=dth,option:classless-static-route,10.235.0.0/16,10.0.1.254 \<br>
>      > --dhcp-host=52:54:00:00:01:01,id:*,net:dth,10.0.1.1 \<br>
>      > --dhcp-host=52:54:00:00:01:02,id:*,net:dth,10.0.1.2 \<br>
>      > --dhcp-host=52:54:00:00:01:03,id:*,net:dth,10.0.1.3 \<br>
>      > \<br>
>      > --interface=br-inet \<br>
>      > --listen-address=10.0.2.254 \<br>
>      > --dhcp-range=net:inet,10.0.2.1,10.0.2.250,255.255.255.0,10.0.2.255 \<br>
>      > --dhcp-option=inet,option:router,10.0.2.254 \<br>
>      > --dhcp-host=52:54:00:00:02:01,id:*,net:inet,10.0.2.1 \<br>
>      > --dhcp-host=52:54:00:00:02:02,id:*,net:inet,10.0.2.2 \<br>
>      > --dhcp-host=52:54:00:00:02:03,id:*,net:inet,10.0.2.3 \<br>
>      > \<br>
>      > --no-daemon<br>
>      ><br>
>      ><br>
>      > this is the output:<br>
>      ><br>
>      > dnsmasq: started, version 2.90deb2-1-g1ed783b DNS disabled<br>
>      > dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile<br>
>      > dnsmasq-dhcp: DHCP, IP range 10.0.2.1 -- 10.0.2.250, lease time 1h<br>
>      > dnsmasq-dhcp: DHCP, IP range 10.0.1.1 -- 10.0.1.250, lease time 1h<br>
>      > dnsmasq-dhcp: DHCP, IP range 10.0.0.1 -- 10.0.0.250, lease time 1h<br>
>      > dnsmasq-dhcp: DHCPDISCOVER(br-mgmt) 52:54:00:00:00:01<br>
>      > dnsmasq-dhcp: DHCPOFFER(br-mgmt) 10.0.0.1 52:54:00:00:00:01<br>
>      > dnsmasq-dhcp: DHCPDISCOVER(br-dth) 52:54:00:00:01:01<br>
>      > dnsmasq-dhcp: DHCPOFFER(br-dth) 10.0.1.1 52:54:00:00:01:01<br>
>      > dnsmasq-dhcp: DHCPDISCOVER(br-inet) 52:54:00:00:02:01<br>
>      > dnsmasq-dhcp: DHCPOFFER(br-inet) 10.0.2.1 52:54:00:00:02:01<br>
>      > dnsmasq-dhcp: DHCPREQUEST(br-mgmt) 10.0.0.1 52:54:00:00:00:01<br>
>      > dnsmasq-dhcp: DHCPACK(br-mgmt) 10.0.0.1 52:54:00:00:00:01<br>
>      > dnsmasq-dhcp: DHCPREQUEST(br-inet) 10.0.2.1 52:54:00:00:02:01<br>
>      > dnsmasq-dhcp: DHCPACK(br-inet) 10.0.2.1 52:54:00:00:02:01<br>
>      > dnsmasq-dhcp: DHCPREQUEST(br-dth) 10.0.1.1 52:54:00:00:01:01<br>
>      > dnsmasq-dhcp: DHCPACK(br-dth) 10.0.1.1 52:54:00:00:01:01<br>
>      ><br>
>      ><br>
>      > inside the VM:<br>
>      ><br>
>      > root@localhost:~# ip addr<br>
>      > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br>
>      >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
>      >      inet 127.0.0.1/8 scope host lo<br>
>      >         valid_lft forever preferred_lft forever<br>
>      > 2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br>
>      >      link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff<br>
>      >      inet 10.0.0.1/24 metric 1024 brd 10.0.0.255 scope global dynamic enp0s1<br>
>      >         valid_lft 3525sec preferred_lft 3525sec<br>
>      > 3: enp0s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br>
>      >      link/ether 52:54:00:00:01:01 brd ff:ff:ff:ff:ff:ff<br>
>      >      inet 10.0.1.1/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s2<br>
>      >         valid_lft 3525sec preferred_lft 3525sec<br>
>      > 4: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br>
>      >      link/ether 52:54:00:00:02:01 brd ff:ff:ff:ff:ff:ff<br>
>      >      inet 10.0.2.1/24 metric 1024 brd 10.0.2.255 scope global dynamic enp0s3<br>
>      >         valid_lft 3525sec preferred_lft 3525sec<br>
>      ><br>
>      ><br>
>      > Best regards,<br>
>      > Martin<br>
>      ><br>
>      ><br>
>      > On Tue, Feb 20, 2024 at 1:46 AM Simon Kelley <<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a>> wrote:<br>
>      ><br>
>      >     If you're doing DHCP, even if you're not sending ICMP ping<br>
>     packets, you<br>
>      >     still need CAP_NET_ADMIN, because the DHCP server has to be<br>
>     able to<br>
>      >     manipulate the ARP table.<br>
>      ><br>
>      >     I guess you're starting dnsmasq without CAP_NET_ADMIN, dnsmasq is<br>
>      >     determining that it needs CAP_NET_ADMIN to run the DHCP<br>
>     server, and<br>
>      >     erroring out because it doesn't have it.<br>
>      ><br>
>      ><br>
>      >     Simon.<br>
>      ><br>
>      ><br>
>      >     On 19/02/2024 15:32, Martin Ivičič wrote:<br>
>      >      > Hello,<br>
>      >      ><br>
>      >      > I might have stumbled upon a minor bug in dnsmasq which causes the<br>
>      >      > NET_ADMIN capability to be required even if it's actually not needed<br>
>      >      > (according to the provided command line arguments).<br>
>      >      ><br>
>      >      > diff --git a/src/dnsmasq.c b/src/dnsmasq.c<br>
>      >      > index 30fb419..cef42f6 100644<br>
>      >      > --- a/src/dnsmasq.c<br>
>      >      > +++ b/src/dnsmasq.c<br>
>      >      > @@ -313,9 +313,10 @@ int main (int argc, char **argv)<br>
>      >      >       {<br>
>      >      >         dhcp_init();<br>
>      >      >   #   ifdef HAVE_LINUX_NETWORK<br>
>      >      > -      if (!option_bool(OPT_NO_PING))<br>
>      >      > -   need_cap_net_raw = 1;<br>
>      >      > -      need_cap_net_admin = 1;<br>
>      >      > +      if (!option_bool(OPT_NO_PING)) {<br>
>      >      > +        need_cap_net_raw = 1;<br>
>      >      > +        need_cap_net_admin = 1;<br>
>      >      > +      }<br>
>      >      >   #   endif<br>
>      >      >       }<br>
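Review bot: tying need_cap_net_admin to the ping setting is the wrong condition: the DHCP server uses CAP_NET_ADMIN for its ARP-cache access when it unicasts replies, and --no-ping does nothing to remove that, so with this hunk a --no-ping configuration that has no unconditional --dhcp-broadcast passes the startup check and then performs the ARP-cache update without the capability it needs, losing the clear "missing required capability" error. Keep need_cap_net_raw tied to ping, gate need_cap_net_admin on an untagged --dhcp-broadcast instead, and match the file's brace placement (the enclosing block puts its braces on their own lines; the added "if (...) {" does not).<br>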
>      >      ><br>
>      >      > Without this patch, with the following arguments, dnsmasq ends with<br>
>      >      > "dnsmasq: process is missing required capability NET_ADMIN"<br>
>      >      ><br>
>      >      > src/dnsmasq  \<br>
>      >      > --strict-order \<br>
>      >      > --bind-interfaces \<br>
>      >      > --interface=br-mgmt \<br>
>      >      > --listen-address=10.0.0.254 \<br>
>      >      > --dhcp-range=10.0.0.1,10.0.0.250 \<br>
>      >      > --dhcp-authoritative \<br>
>      >      > --no-ping \<br>
>      >      > --dhcp-broadcast \<br>
>      >      > --port=0 \<br>
>      >      > --conf-file= \<br>
>      >      > --pid-file=/tmp/dnsmasq.pid \<br>
>      >      > --dhcp-leasefile=/tmp/dnsmasq.leases \<br>
>      >      > --dhcp-no-override \<br>
>      >      > --no-daemon<br>
>      >      ><br>
>      >      > After applying the patch dnsmasq starts and runs fine.<br>
>      >      ><br>
>      >      > Best regards,<br>
>      >      > Martin<br>
>      >      ><br>
>      >      ><br>
>      >      > _______________________________________________<br>
>      >      > Dnsmasq-discuss mailing list<br>
>      >      > <a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
>      >      > <a href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss" rel="noreferrer" target="_blank">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a><br>
> <br>
<br>
</blockquote></div>
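<p>Added example, not dnsmasq's code and not from anyone in the thread: a pre-flight check for the situation discussed above, where a CI job cannot grant capabilities and wants to know before launching dnsmasq whether it will stop with "process is missing required capability ...". The rule table is an assumption distilled from the thread (a DHCP server needs NET_ADMIN for the ARP cache unless an untagged --dhcp-broadcast removes that need; ICMP probing needs NET_RAW; a server port below 1024 needs NET_BIND_SERVICE), not a transcription of the checks in dnsmasq.c; the /proc status text is a constructed sample, and the script name in the usage comment is made up.</p>

```python
"""Pre-flight capability check for an unprivileged dnsmasq DHCP server.

Added example, not code from dnsmasq.  The rules below are an assumption
distilled from the mailing-list thread, not a copy of dnsmasq.c:
  - any --dhcp-range         -> CAP_NET_ADMIN for ARP-cache access, unless an
                                untagged --dhcp-broadcast makes it unnecessary
  - ICMP ping not disabled   -> CAP_NET_RAW (and CAP_NET_ADMIN)
  - DHCP server port < 1024  -> CAP_NET_BIND_SERVICE
They are compared with a process's effective set, taken from the CapEff
line of /proc/<pid>/status.
"""
import re

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_NET_BIND_SERVICE = 10
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_NAMES = {
    CAP_NET_BIND_SERVICE: "NET_BIND_SERVICE",
    CAP_NET_ADMIN: "NET_ADMIN",
    CAP_NET_RAW: "NET_RAW",
}

# Constructed sample of /proc/<pid>/status for a process that holds only
# CAP_NET_BIND_SERVICE (bit 10 -> 0x400), like the CI setup in the thread.
SAMPLE_STATUS = """Name:\tdnsmasq
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
"""


def required_caps(argv):
    """Return the set of capability bits a dnsmasq command line will need."""
    opts = [a for a in argv if a.startswith("--")]
    if not any(o.startswith("--dhcp-range") for o in opts):
        return set()  # no DHCP server: nothing in this table applies
    need = set()
    if "--no-ping" not in opts:
        # Address-in-use probing needs a raw ICMP socket; the thread's
        # accepted logic keeps NET_ADMIN whenever ping is on.
        need |= {CAP_NET_RAW, CAP_NET_ADMIN}
    elif "--dhcp-broadcast" not in opts:
        # Only an untagged --dhcp-broadcast applies to every lease;
        # "--dhcp-broadcast=tag" still leaves unicast replies that touch
        # the ARP cache, so NET_ADMIN stays required.
        need.add(CAP_NET_ADMIN)
    server_port = 67
    for o in opts:
        m = re.fullmatch(r"--dhcp-alternate-port(?:=(\d+)(?:,\d+)?)?", o)
        if m:
            # Bare --dhcp-alternate-port means 1067/1068 (dnsmasq man page).
            server_port = int(m.group(1)) if m.group(1) else 1067
    if server_port < 1024:
        need.add(CAP_NET_BIND_SERVICE)
    return need


def effective_caps(status_text):
    """Parse the CapEff bitmask out of the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def missing_caps(argv, cap_eff):
    """Names of required capabilities that the effective set lacks, sorted."""
    return sorted(CAP_NAMES[c] for c in required_caps(argv)
                  if not (cap_eff >> c) & 1)


def check_process(argv, pid="self"):
    """Run the check against a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return missing_caps(argv, effective_caps(f.read()))


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 capcheck.py --no-ping --dhcp-broadcast --dhcp-range=...
    missing = check_process(sys.argv[1:])
    print("missing: " + ", ".join(missing) if missing
          else "all required capabilities present")
```

<p>Run from the same process (or with the pid of the CI runner's shell) before exec'ing dnsmasq, the check reproduces the three outcomes Martin reported: --no-ping with an untagged --dhcp-broadcast needs nothing beyond NET_BIND_SERVICE for port 67, --dhcp-broadcast=mgmt still demands NET_ADMIN, and switching to --dhcp-alternate-port=1067,1068 drops the NET_BIND_SERVICE requirement as well.</p>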