[Dnsmasq-discuss] Fwd: no-ping

Simon Kelley simon at thekelleys.org.uk
Wed Feb 21 00:50:45 UTC 2024


OK I committed a patch to this effect.


https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=9adbf009a6df76d9ae5be2b93a90e210e9aa8216


Cheers,

Simon.


On 21/02/2024 00:13, Martin Ivičič wrote:
> I tested all the combinations:
>   - just --no-ping: dnsmasq: process is missing required capability 
> NET_ADMIN
>   - --no-ping + --dhcp-broadcast=mgmt: dnsmasq: process is missing 
> required capability NET_ADMIN
>   - --no-ping + --dhcp-broadcast: works fine
> 
> Best regards,
> Martin
> 
> On Wed, Feb 21, 2024 at 1:07 AM Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
>     That would work, I think. Please try it and report back.
> 
>     Simon.
> 
>     On 20/02/2024 23:53, Martin Ivičič wrote:
>      > Our intent is to run tests in CI where we can't use root user or
>     set any
>      > capabilities (eventually we'll be running with
>      > --dhcp-alternate-port=1067,1068 as well)
>      > What do you think about the following?
>      >
>      > diff --git a/src/dnsmasq.c b/src/dnsmasq.c
>      > index 30fb419..5969e01 100644
>      > --- a/src/dnsmasq.c
>      > +++ b/src/dnsmasq.c
>      > @@ -315,7 +315,8 @@ int main (int argc, char **argv)
>      >   #   ifdef HAVE_LINUX_NETWORK
>      >         if (!option_bool(OPT_NO_PING))
>      >      need_cap_net_raw = 1;
>      > -      need_cap_net_admin = 1;
>      > +      if (!option_bool(OPT_NO_PING) || daemon->force_broadcast
>     == NULL
>      > || daemon->force_broadcast->list != NULL)
>      > +        need_cap_net_admin = 1;
>      >   #   endif
>      >       }
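Review bot: the new condition on `need_cap_net_admin` inspects only the first --dhcp-broadcast entry (`daemon->force_broadcast->list != NULL`), so if the option can be given more than once, an untagged entry after a tagged head (or a tagged one after an untagged head) is never seen; walk the chain rather than testing the head, or state the single-entry assumption in a comment. The hunk also changes which capabilities dnsmasq demands at startup without a man page or CHANGELOG line saying that CAP_NET_ADMIN is dropped only when --no-ping is combined with an untagged --dhcp-broadcast. Minor: `!option_bool(OPT_NO_PING)` is now tested twice in consecutive statements; `if (!option_bool(OPT_NO_PING)) { need_cap_net_raw = 1; need_cap_net_admin = 1; } else if (daemon->force_broadcast == NULL || daemon->force_broadcast->list != NULL) need_cap_net_admin = 1;` expresses the same rule once.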
>      >
>      > Best regards,
>      > Martin
>      >
>      > On Tue, Feb 20, 2024 at 10:21 AM Simon Kelley <simon at thekelleys.org.uk> wrote:
>      >
>      >     Ah, this is working because you include --dhcp-broadcast,
>     which avoids
>      >     the ARP-cache access.
>      >
>      >     I'm not clear why you want to avoid CAP_NET_ADMIN, but a
>     correct patch
>      >     to do that would only not set need_cap_netadmin when
>     --broadcast is
>      >     set,
>      >     and only when it's set unconditionally, without tags.
>      >
>      >     Cheers,
>      >
>      >     Simon.
>      >
>      >
>      >     On 20/02/2024 00:50, Martin Ivičič wrote:
>      >      > I'm currently running dnsmasq (with my patch applied)
>     using the
>      >     following script and everything seems to work fine actually - no
>      >     errors reported.
>      >      > (I have only added CAP_NET_BIND_SERVICE in order to be able to
>      >     bind to port 67.)
>      >      >
>      >      > #!/bin/bash
>      >      > set -euo pipefail
>      >      > SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
>      >      >
>      >      > PID_FILE=$SCRIPT_DIR/dnsmasq.pid
>      >      >
>      >      > dnsmasq \
>      >      > --pid-file=$PID_FILE \
>      >      > --dhcp-leasefile=$SCRIPT_DIR/dnsmasq.leases \
>      >      > --strict-order \
>      >      > --bind-interfaces \
>      >      > --dhcp-authoritative \
>      >      > --no-ping \
>      >      > --dhcp-broadcast \
>      >      > --port=0  \
>      >      > --conf-file= \
>      >      > --no-hosts  \
>      >      > --interface=br-mgmt \
>      >      > --listen-address=10.0.0.254 \
>      >      > --dhcp-range=net:mgmt,10.0.0.1,10.0.0.250,255.255.255.0,10.0.0.255 \
>      >      > --dhcp-option=mgmt,option:router \
>      >      > --dhcp-host=52:54:00:00:00:01,id:*,net:mgmt,10.0.0.1 \
>      >      > --dhcp-host=52:54:00:00:00:02,id:*,net:mgmt,10.0.0.2 \
>      >      > --dhcp-host=52:54:00:00:00:03,id:*,net:mgmt,10.0.0.3 \
>      >      > \
>      >      > --interface=br-dth \
>      >      > --listen-address=10.0.1.254 \
>      >      > --dhcp-range=net:dth,10.0.1.1,10.0.1.250,255.255.255.0,10.0.1.255 \
>      >      > --dhcp-option=dth,option:router \
>      >      > --dhcp-option=dth,option:classless-static-route,10.235.0.0/16,10.0.1.254 \
>      >      > --dhcp-host=52:54:00:00:01:01,id:*,net:dth,10.0.1.1 \
>      >      > --dhcp-host=52:54:00:00:01:02,id:*,net:dth,10.0.1.2 \
>      >      > --dhcp-host=52:54:00:00:01:03,id:*,net:dth,10.0.1.3 \
>      >      > \
>      >      > --interface=br-inet \
>      >      > --listen-address=10.0.2.254 \
>      >      > --dhcp-range=net:inet,10.0.2.1,10.0.2.250,255.255.255.0,10.0.2.255 \
>      >      > --dhcp-option=inet,option:router,10.0.2.254 \
>      >      > --dhcp-host=52:54:00:00:02:01,id:*,net:inet,10.0.2.1 \
>      >      > --dhcp-host=52:54:00:00:02:02,id:*,net:inet,10.0.2.2 \
>      >      > --dhcp-host=52:54:00:00:02:03,id:*,net:inet,10.0.2.3 \
>      >      > \
>      >      > --no-daemon
>      >      >
>      >      >
>      >      > this is the output:
>      >      >
>      >      > dnsmasq: started, version 2.90deb2-1-g1ed783b DNS disabled
>      >      > dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus
>      >     no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset
>     no-nftset
>      >     auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
>      >      > dnsmasq-dhcp: DHCP, IP range 10.0.2.1 -- 10.0.2.250, lease
>     time 1h
>      >      > dnsmasq-dhcp: DHCP, IP range 10.0.1.1 -- 10.0.1.250, lease
>     time 1h
>      >      > dnsmasq-dhcp: DHCP, IP range 10.0.0.1 -- 10.0.0.250, lease
>     time 1h
>      >      > dnsmasq-dhcp: DHCPDISCOVER(br-mgmt) 52:54:00:00:00:01
>      >      > dnsmasq-dhcp: DHCPOFFER(br-mgmt) 10.0.0.1 52:54:00:00:00:01
>      >      > dnsmasq-dhcp: DHCPDISCOVER(br-dth) 52:54:00:00:01:01
>      >      > dnsmasq-dhcp: DHCPOFFER(br-dth) 10.0.1.1 52:54:00:00:01:01
>      >      > dnsmasq-dhcp: DHCPDISCOVER(br-inet) 52:54:00:00:02:01
>      >      > dnsmasq-dhcp: DHCPOFFER(br-inet) 10.0.2.1 52:54:00:00:02:01
>      >      > dnsmasq-dhcp: DHCPREQUEST(br-mgmt) 10.0.0.1 52:54:00:00:00:01
>      >      > dnsmasq-dhcp: DHCPACK(br-mgmt) 10.0.0.1 52:54:00:00:00:01
>      >      > dnsmasq-dhcp: DHCPREQUEST(br-inet) 10.0.2.1 52:54:00:00:02:01
>      >      > dnsmasq-dhcp: DHCPACK(br-inet) 10.0.2.1 52:54:00:00:02:01
>      >      > dnsmasq-dhcp: DHCPREQUEST(br-dth) 10.0.1.1 52:54:00:00:01:01
>      >      > dnsmasq-dhcp: DHCPACK(br-dth) 10.0.1.1 52:54:00:00:01:01
>      >      >
>      >      >
>      >      > inside the VM:
>      >      >
>      >      > root at localhost:~# ip addr
>      >      > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
>      >     UNKNOWN group default qlen 1000
>      >      >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      >      >      inet 127.0.0.1/8 scope host lo
>      >      >         valid_lft forever preferred_lft forever
>      >      > 2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>      >     pfifo_fast state UP group default qlen 1000
>      >      >      link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
>      >      >      inet 10.0.0.1/24 metric 1024 brd 10.0.0.255 scope global dynamic enp0s1
>      >      >         valid_lft 3525sec preferred_lft 3525sec
>      >      > 3: enp0s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>      >     pfifo_fast state UP group default qlen 1000
>      >      >      link/ether 52:54:00:00:01:01 brd ff:ff:ff:ff:ff:ff
>      >      >      inet 10.0.1.1/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s2
>      >      >         valid_lft 3525sec preferred_lft 3525sec
>      >      > 4: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>      >     pfifo_fast state UP group default qlen 1000
>      >      >      link/ether 52:54:00:00:02:01 brd ff:ff:ff:ff:ff:ff
>      >      >      inet 10.0.2.1/24 metric 1024 brd 10.0.2.255 scope global dynamic enp0s3
>      >      >         valid_lft 3525sec preferred_lft 3525sec
>      >      >
>      >      >
>      >      > Best regards,
>      >      > Martin
>      >      >
>      >      >
>      >      > On Tue, Feb 20, 2024 at 1:46 AM Simon Kelley <simon at thekelleys.org.uk> wrote:
>      >      >
>      >      >     If you're doing DHCP, even if you're not sending ICMP ping
>      >     packets, you
>      >      >     still need CAP_NET_ADMIN, because the DHCP server has
>     to be
>      >     able to
>      >      >     manipulate the ARP table.
>      >      >
>      >      >     I guess you're starting dnsmasq without CAP_NET_ADMIN,
>     dnsmasq is
>      >      >     determining that it needs CAP_NET_ADMIN to run the DHCP
>      >     server, and
>      >      >     erroring out because it doesn't have it.
>      >      >
>      >      >
>      >      >     Simon.
>      >      >
>      >      >
>      >      >     On 19/02/2024 15:32, Martin Ivičič wrote:
>      >      >      > Hello,
>      >      >      >
>      >      >      > I might have stumbled upon a minor bug in dnsmasq which causes the
>      >      >      > NET_ADMIN capability to be required even if it's actually not needed
>      >      >      > (according to the provided command line arguments).
>      >      >      >
>      >      >      > diff --git a/src/dnsmasq.c b/src/dnsmasq.c
>      >      >      > index 30fb419..cef42f6 100644
>      >      >      > --- a/src/dnsmasq.c
>      >      >      > +++ b/src/dnsmasq.c
>      >      >      > @@ -313,9 +313,10 @@ int main (int argc, char **argv)
>      >      >      >       {
>      >      >      >         dhcp_init();
>      >      >      >   #   ifdef HAVE_LINUX_NETWORK
>      >      >      > -      if (!option_bool(OPT_NO_PING))
>      >      >      > -   need_cap_net_raw = 1;
>      >      >      > -      need_cap_net_admin = 1;
>      >      >      > +      if (!option_bool(OPT_NO_PING)) {
>      >      >      > +        need_cap_net_raw = 1;
>      >      >      > +        need_cap_net_admin = 1;
>      >      >      > +      }
>      >      >      >   #   endif
>      >      >      >       }
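Review bot: making `need_cap_net_admin = 1` conditional on `!option_bool(OPT_NO_PING)` alone is too broad. As the reply above points out, the DHCP server also needs CAP_NET_ADMIN to manipulate the ARP table when it unicasts replies, and --no-ping does not avoid that; only --dhcp-broadcast does. With this hunk a --no-ping configuration without --dhcp-broadcast would no longer demand the capability at startup and would instead run without the privilege the ARP update needs. Gate the `need_cap_net_admin` line on the broadcast setting as well as on OPT_NO_PING, and keep the startup check so the failure stays an early, explicit one.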
>      >      >      >
>      >      >      > Without this patch, with the following arguments, dnsmasq ends with
>      >      >      > "dnsmasq: process is missing required capability NET_ADMIN"
>      >      >      >
>      >      >      > src/dnsmasq  \
>      >      >      > --strict-order \
>      >      >      > --bind-interfaces \
>      >      >      > --interface=br-mgmt \
>      >      >      > --listen-address=10.0.0.254 \
>      >      >      > --dhcp-range=10.0.0.1,10.0.0.250 \
>      >      >      > --dhcp-authoritative \
>      >      >      > --no-ping \
>      >      >      > --dhcp-broadcast \
>      >      >      > --port=0 \
>      >      >      > --conf-file= \
>      >      >      > --pid-file=/tmp/dnsmasq.pid \
>      >      >      > --dhcp-leasefile=/tmp/dnsmasq.leases \
>      >      >      > --dhcp-no-override \
>      >      >      > --no-daemon
>      >      >      >
>      >      >      > After applying the patch dnsmasq starts and runs fine.
>      >      >      >
>      >      >      > Best regards,
>      >      >      > Martin
>      >      >      >
>      >      >      >
>      >      >      > _______________________________________________
>      >      >      > Dnsmasq-discuss mailing list
>      >      >      > Dnsmasq-discuss at lists.thekelleys.org.uk
>      >      >      > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>      >      >
>      >
> 
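The three combinations Martin tested come down to one decision rule, so here is an added C model of that rule. It is not dnsmasq's code and not either poster's patch; the type and function names (`bcast_entry`, `dhcp_config`, `caps_for`, `net_admin_required`) are assumptions for this example, the tag "mgmt" is a constructed sample, and it goes beyond the quoted patch in one respect: it walks every --dhcp-broadcast entry and treats any untagged one as unconditional, whereas the patch inspects only the head of `daemon->force_broadcast`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One --dhcp-broadcast entry. tag == NULL models an untagged option that
   applies to every client; a non-NULL tag models --dhcp-broadcast=<tag>.
   (Type and field names are assumptions for this example, not dnsmasq's.) */
struct bcast_entry {
    const char *tag;
    const struct bcast_entry *next;
};

/* The subset of configuration that drives the capability decision. */
struct dhcp_config {
    bool dhcp_enabled;                         /* a --dhcp-range was given */
    bool no_ping;                              /* --no-ping */
    const struct bcast_entry *force_broadcast; /* chain of --dhcp-broadcast */
};

struct caps_needed {
    bool net_raw;    /* CAP_NET_RAW: raw ICMP socket for address probing */
    bool net_admin;  /* CAP_NET_ADMIN: ARP cache manipulation */
};

/* Replies can be forced to broadcast for every client only if at least one
   --dhcp-broadcast entry carries no tag. Walks the whole chain, which is
   wider than the patch's head-only check (an assumption of this model). */
static bool broadcast_unconditional(const struct bcast_entry *e)
{
    for (; e != NULL; e = e->next)
        if (e->tag == NULL)
            return true;
    return false;
}

struct caps_needed caps_for(const struct dhcp_config *c)
{
    struct caps_needed n = { false, false };

    if (!c->dhcp_enabled)
        return n;                 /* DNS-only: neither capability */

    /* Probing a candidate address with ICMP needs a raw socket. */
    if (!c->no_ping)
        n.net_raw = true;

    /* The ARP cache is touched both when probing and when unicasting a
       reply to a client that has no address yet. Only --no-ping together
       with an unconditional --dhcp-broadcast avoids both. */
    if (!c->no_ping || !broadcast_unconditional(c->force_broadcast))
        n.net_admin = true;

    return n;
}

/* Helper for the single-option combinations reported in the thread:
   have_bcast says whether --dhcp-broadcast is present at all, tag is its
   optional tag. Returns true if CAP_NET_ADMIN would be demanded. */
bool net_admin_required(bool no_ping, bool have_bcast, const char *tag)
{
    struct bcast_entry e = { tag, NULL };
    struct dhcp_config c = { true, no_ping, have_bcast ? &e : NULL };
    return caps_for(&c).net_admin;
}

/* Two --dhcp-broadcast options: a tagged head followed by an untagged one.
   The head-only check in the patch would still demand CAP_NET_ADMIN here. */
bool net_admin_required_tagged_then_untagged(void)
{
    struct bcast_entry untagged = { NULL, NULL };
    struct bcast_entry tagged = { "mgmt", &untagged };   /* constructed */
    struct dhcp_config c = { true, true, &tagged };
    return caps_for(&c).net_admin;
}

int main(void)
{
    printf("--no-ping alone:                 NET_ADMIN %s\n",
           net_admin_required(true, false, NULL) ? "required" : "not needed");
    printf("--no-ping --dhcp-broadcast=mgmt: NET_ADMIN %s\n",
           net_admin_required(true, true, "mgmt") ? "required" : "not needed");
    printf("--no-ping --dhcp-broadcast:      NET_ADMIN %s\n",
           net_admin_required(true, true, NULL) ? "required" : "not needed");
    return 0;
}
```

Build with `cc -Wall -o capmodel capmodel.c`; main prints the three combinations from the thread in the same order they were reported. Whether dnsmasq's real force_broadcast value can hold more than one entry is not shown in the thread, so the chain walk is the model's assumption, not a statement about the committed patch.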



