I'm currently running dnsmasq (with my patch applied) using the following script and everything seems to work fine actually - no errors reported. (I have only added CAP_NET_BIND_SERVICE in order to be able to bind to port 67.)
#!/bin/bash
set -euo pipefail

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
PID_FILE=$SCRIPT_DIR/dnsmasq.pid

dnsmasq \
  --pid-file=$PID_FILE \
  --dhcp-leasefile=$SCRIPT_DIR/dnsmasq.leases \
  --strict-order \
  --bind-interfaces \
  --dhcp-authoritative \
  --no-ping \
  --dhcp-broadcast \
  --port=0 \
  --conf-file= \
  --no-hosts \
  --interface=br-mgmt \
  --listen-address=10.0.0.254 \
  --dhcp-range=net:mgmt,10.0.0.1,10.0.0.250,255.255.255.0,10.0.0.255 \
  --dhcp-option=mgmt,option:router \
  --dhcp-host=52:54:00:00:00:01,id:*,net:mgmt,10.0.0.1 \
  --dhcp-host=52:54:00:00:00:02,id:*,net:mgmt,10.0.0.2 \
  --dhcp-host=52:54:00:00:00:03,id:*,net:mgmt,10.0.0.3 \
  \
  --interface=br-dth \
  --listen-address=10.0.1.254 \
  --dhcp-range=net:dth,10.0.1.1,10.0.1.250,255.255.255.0,10.0.1.255 \
  --dhcp-option=dth,option:router \
  --dhcp-option=dth,option:classless-static-route,10.235.0.0/16,10.0.1.254 \
  --dhcp-host=52:54:00:00:01:01,id:*,net:dth,10.0.1.1 \
  --dhcp-host=52:54:00:00:01:02,id:*,net:dth,10.0.1.2 \
  --dhcp-host=52:54:00:00:01:03,id:*,net:dth,10.0.1.3 \
  \
  --interface=br-inet \
  --listen-address=10.0.2.254 \
  --dhcp-range=net:inet,10.0.2.1,10.0.2.250,255.255.255.0,10.0.2.255 \
  --dhcp-option=inet,option:router,10.0.2.254 \
  --dhcp-host=52:54:00:00:02:01,id:*,net:inet,10.0.2.1 \
  --dhcp-host=52:54:00:00:02:02,id:*,net:inet,10.0.2.2 \
  --dhcp-host=52:54:00:00:02:03,id:*,net:inet,10.0.2.3 \
  \
  --no-daemon

This is the output:

dnsmasq: started, version 2.90deb2-1-g1ed783b DNS disabled
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
dnsmasq-dhcp: DHCP, IP range 10.0.2.1 -- 10.0.2.250, lease time 1h
dnsmasq-dhcp: DHCP, IP range 10.0.1.1 -- 10.0.1.250, lease time 1h
dnsmasq-dhcp: DHCP, IP range 10.0.0.1 -- 10.0.0.250, lease time 1h
dnsmasq-dhcp: DHCPDISCOVER(br-mgmt) 52:54:00:00:00:01
dnsmasq-dhcp: DHCPOFFER(br-mgmt) 10.0.0.1 52:54:00:00:00:01
dnsmasq-dhcp: DHCPDISCOVER(br-dth) 52:54:00:00:01:01
dnsmasq-dhcp: DHCPOFFER(br-dth) 10.0.1.1 52:54:00:00:01:01
dnsmasq-dhcp: DHCPDISCOVER(br-inet) 52:54:00:00:02:01
dnsmasq-dhcp: DHCPOFFER(br-inet) 10.0.2.1 52:54:00:00:02:01
dnsmasq-dhcp: DHCPREQUEST(br-mgmt) 10.0.0.1 52:54:00:00:00:01
dnsmasq-dhcp: DHCPACK(br-mgmt) 10.0.0.1 52:54:00:00:00:01
dnsmasq-dhcp: DHCPREQUEST(br-inet) 10.0.2.1 52:54:00:00:02:01
dnsmasq-dhcp: DHCPACK(br-inet) 10.0.2.1 52:54:00:00:02:01
dnsmasq-dhcp: DHCPREQUEST(br-dth) 10.0.1.1 52:54:00:00:01:01
dnsmasq-dhcp: DHCPACK(br-dth) 10.0.1.1 52:54:00:00:01:01

Inside the VM:

root@localhost:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 metric 1024 brd 10.0.0.255 scope global dynamic enp0s1
       valid_lft 3525sec preferred_lft 3525sec
3: enp0s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:00:01:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.1/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s2
       valid_lft 3525sec preferred_lft 3525sec
4: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:00:02:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.1/24 metric 1024 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 3525sec preferred_lft 3525sec

Best regards,
Martin

On Tue, Feb 20, 2024 at 1:46 AM Simon Kelley <si...@thekelleys.org.uk> wrote:
> If you're doing DHCP, even if you're not sending ICMP ping packets, you
> still need CAP_NET_ADMIN, because the DHCP server has to be able to
> manipulate the ARP table.
>
> I guess you're starting dnsmasq without CAP_NET_ADMIN, dnsmasq is
> determining that it needs CAP_NET_ADMIN to run the DHCP server, and
> erroring out because it doesn't have it.
>
>
> Simon.
>
>
> On 19/02/2024 15:32, Martin Ivičič wrote:
> > Hello,
> >
> > I might have stumbled upon a minor bug in dnsmasq which causes the NET_ADMIN
> > capability to be required even if it's actually not needed (according to the
> > provided command line arguments).
> >
> > diff --git a/src/dnsmasq.c b/src/dnsmasq.c
> > index 30fb419..cef42f6 100644
> > --- a/src/dnsmasq.c
> > +++ b/src/dnsmasq.c
> > @@ -313,9 +313,10 @@ int main (int argc, char **argv)
> >  {
> >  dhcp_init();
> >  # ifdef HAVE_LINUX_NETWORK
> > - if (!option_bool(OPT_NO_PING))
> > - need_cap_net_raw = 1;
> > - need_cap_net_admin = 1;
> > + if (!option_bool(OPT_NO_PING)) {
> > + need_cap_net_raw = 1;
> > + need_cap_net_admin = 1;
> > + }
> >  # endif
> >  }
> >
> > Without this patch, with the following arguments, dnsmasq ends with
> > "dnsmasq: process is missing required capability NET_ADMIN"
> >
> > src/dnsmasq \
> > --strict-order \
> > --bind-interfaces \
> > --interface=br-mgmt \
> > --listen-address=10.0.0.254 \
> > --dhcp-range=10.0.0.1,10.0.0.250 \
> > --dhcp-authoritative \
> > --no-ping \
> > --dhcp-broadcast \
> > --port=0 \
> > --conf-file= \
> > --pid-file=/tmp/dnsmasq.pid \
> > --dhcp-leasefile=/tmp/dnsmasq.leases \
> > --dhcp-no-override \
> > --no-daemon
> >
> > After applying the patch dnsmasq starts and runs fine.
> >
> > Best regards,
> > Martin
> >
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
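Review bot: the hunk moves need_cap_net_admin = 1 under the !option_bool(OPT_NO_PING) test, but the reply above states that the DHCP server needs CAP_NET_ADMIN to manipulate the ARP table even when no ICMP ping is sent, so --no-ping is the wrong condition for dropping that requirement; only need_cap_net_raw depends on pinging. If there is a configuration in which dnsmasq never touches the ARP table (the runs quoted here both pass --dhcp-broadcast), the check should key on that option and the exemption should be spelled out in the commit message rather than loosened silently. Style nit: the surrounding code puts braces on their own line (see the `{` after `int main (int argc, char **argv)`), so `if (!option_bool(OPT_NO_PING)) {` should follow that layout.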
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss