I tested all the combinations:

- just --no-ping: dnsmasq: process is missing required capability NET_ADMIN
- --no-ping + --dhcp-broadcast=mgmt: dnsmasq: process is missing required capability NET_ADMIN
- --no-ping + --dhcp-broadcast: works fine
Best regards,
Martin

On Wed, Feb 21, 2024 at 1:07 AM Simon Kelley <si...@thekelleys.org.uk> wrote:
> That would work, I think. Please try it and report back.
>
> Simon.
>
> On 20/02/2024 23:53, Martin Ivičič wrote:
> > Our intent is to run tests in CI where we can't use root user or set any
> > capabilities (eventually we'll be running with
> > --dhcp-alternate-port=1067,1068 as well)
> > What do you think about the following?
> >
> > diff --git a/src/dnsmasq.c b/src/dnsmasq.c
> > index 30fb419..5969e01 100644
> > --- a/src/dnsmasq.c
> > +++ b/src/dnsmasq.c
> > @@ -315,7 +315,8 @@ int main (int argc, char **argv)
> > # ifdef HAVE_LINUX_NETWORK
> > if (!option_bool(OPT_NO_PING))
> > need_cap_net_raw = 1;
> > - need_cap_net_admin = 1;
> > + if (!option_bool(OPT_NO_PING) || daemon->force_broadcast == NULL
> > || daemon->force_broadcast->list != NULL)
> > + need_cap_net_admin = 1;
> > # endif
> > }
> >
> > Best regards,
> > Martin
> >
> > On Tue, Feb 20, 2024 at 10:21 AM Simon Kelley <si...@thekelleys.org.uk> wrote:
> > >
> > > Ah, this is working because you include --dhcp-broadcast, which avoids
> > > the ARP-cache access.
> > >
> > > I'm not clear why you want to avoid CAP_NET_ADMIN, but a correct patch
> > > to do that would only not set need_cap_netadmin when --broadcast is set,
> > > and only when it's set unconditionally, without tags.
> > >
> > > Cheers,
> > >
> > > Simon.
> > >
> > >
> > > On 20/02/2024 00:50, Martin Ivičič wrote:
> > > > I'm currently running dnsmasq (with my patch applied) using the
> > > > following script and everything seems to work fine actually - no
> > > > errors reported.
> > > > (I have only added CAP_NET_BIND_SERVICE in order to be able to
> > > > bind to port 67.)
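Review bot: the new condition only inspects the first entry of daemon->force_broadcast (`daemon->force_broadcast->list != NULL`), so if --dhcp-broadcast is given more than once, once with a tag and once without, whether CAP_NET_ADMIN is still required depends on which entry happens to be first; walk the whole list and clear the requirement only when an entry with no tags is present, which is what "set unconditionally, without tags" upthread asks for. Two smaller points: the continuation line `|| daemon->force_broadcast->list != NULL)` has lost its `+` prefix to mail wrapping, so the patch will not apply as posted, and a one-line comment above the condition saying that it is ARP-cache manipulation (avoided only by an unconditional --dhcp-broadcast), not ping, that needs CAP_NET_ADMIN would spare the next reader from wondering why OPT_NO_PING is tested twice.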
> > > >
> > > > #!/bin/bash
> > > > set -euo pipefail
> > > > SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
> > > >
> > > > PID_FILE=$SCRIPT_DIR/dnsmasq.pid
> > > >
> > > > dnsmasq \
> > > >   --pid-file=$PID_FILE \
> > > >   --dhcp-leasefile=$SCRIPT_DIR/dnsmasq.leases \
> > > >   --strict-order \
> > > >   --bind-interfaces \
> > > >   --dhcp-authoritative \
> > > >   --no-ping \
> > > >   --dhcp-broadcast \
> > > >   --port=0 \
> > > >   --conf-file= \
> > > >   --no-hosts \
> > > >   --interface=br-mgmt \
> > > >   --listen-address=10.0.0.254 \
> > > >   --dhcp-range=net:mgmt,10.0.0.1,10.0.0.250,255.255.255.0,10.0.0.255 \
> > > >   --dhcp-option=mgmt,option:router \
> > > >   --dhcp-host=52:54:00:00:00:01,id:*,net:mgmt,10.0.0.1 \
> > > >   --dhcp-host=52:54:00:00:00:02,id:*,net:mgmt,10.0.0.2 \
> > > >   --dhcp-host=52:54:00:00:00:03,id:*,net:mgmt,10.0.0.3 \
> > > >   \
> > > >   --interface=br-dth \
> > > >   --listen-address=10.0.1.254 \
> > > >   --dhcp-range=net:dth,10.0.1.1,10.0.1.250,255.255.255.0,10.0.1.255 \
> > > >   --dhcp-option=dth,option:router \
> > > >   --dhcp-option=dth,option:classless-static-route,10.235.0.0/16,10.0.1.254 \
> > > >   --dhcp-host=52:54:00:00:01:01,id:*,net:dth,10.0.1.1 \
> > > >   --dhcp-host=52:54:00:00:01:02,id:*,net:dth,10.0.1.2 \
> > > >   --dhcp-host=52:54:00:00:01:03,id:*,net:dth,10.0.1.3 \
> > > >   \
> > > >   --interface=br-inet \
> > > >   --listen-address=10.0.2.254 \
> > > >   --dhcp-range=net:inet,10.0.2.1,10.0.2.250,255.255.255.0,10.0.2.255 \
> > > >   --dhcp-option=inet,option:router,10.0.2.254 \
> > > >   --dhcp-host=52:54:00:00:02:01,id:*,net:inet,10.0.2.1 \
> > > >   --dhcp-host=52:54:00:00:02:02,id:*,net:inet,10.0.2.2 \
> > > >   --dhcp-host=52:54:00:00:02:03,id:*,net:inet,10.0.2.3 \
> > > >   \
> > > >   --no-daemon
> > > >
> > > >
> > > > this is the output:
> > > >
> > > > dnsmasq: started, version 2.90deb2-1-g1ed783b DNS disabled
> > > > dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
> > > > dnsmasq-dhcp: DHCP, IP range 10.0.2.1 -- 10.0.2.250, lease time 1h
> > > > dnsmasq-dhcp: DHCP, IP range 10.0.1.1 -- 10.0.1.250, lease time 1h
> > > > dnsmasq-dhcp: DHCP, IP range 10.0.0.1 -- 10.0.0.250, lease time 1h
> > > > dnsmasq-dhcp: DHCPDISCOVER(br-mgmt) 52:54:00:00:00:01
> > > > dnsmasq-dhcp: DHCPOFFER(br-mgmt) 10.0.0.1 52:54:00:00:00:01
> > > > dnsmasq-dhcp: DHCPDISCOVER(br-dth) 52:54:00:00:01:01
> > > > dnsmasq-dhcp: DHCPOFFER(br-dth) 10.0.1.1 52:54:00:00:01:01
> > > > dnsmasq-dhcp: DHCPDISCOVER(br-inet) 52:54:00:00:02:01
> > > > dnsmasq-dhcp: DHCPOFFER(br-inet) 10.0.2.1 52:54:00:00:02:01
> > > > dnsmasq-dhcp: DHCPREQUEST(br-mgmt) 10.0.0.1 52:54:00:00:00:01
> > > > dnsmasq-dhcp: DHCPACK(br-mgmt) 10.0.0.1 52:54:00:00:00:01
> > > > dnsmasq-dhcp: DHCPREQUEST(br-inet) 10.0.2.1 52:54:00:00:02:01
> > > > dnsmasq-dhcp: DHCPACK(br-inet) 10.0.2.1 52:54:00:00:02:01
> > > > dnsmasq-dhcp: DHCPREQUEST(br-dth) 10.0.1.1 52:54:00:00:01:01
> > > > dnsmasq-dhcp: DHCPACK(br-dth) 10.0.1.1 52:54:00:00:01:01
> > > >
> > > >
> > > > inside the VM:
> > > >
> > > > root@localhost:~# ip addr
> > > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> > > >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > > >     inet 127.0.0.1/8 scope host lo
> > > >        valid_lft forever preferred_lft forever
> > > > 2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> > > >     link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
> > > >     inet 10.0.0.1/24 metric 1024 brd 10.0.0.255 scope global dynamic enp0s1
> > > >        valid_lft 3525sec preferred_lft 3525sec
> > > > 3: enp0s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> > > >     link/ether 52:54:00:00:01:01 brd ff:ff:ff:ff:ff:ff
> > > >     inet 10.0.1.1/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s2
> > > >        valid_lft 3525sec preferred_lft 3525sec
> > > > 4: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> > > >     link/ether 52:54:00:00:02:01 brd ff:ff:ff:ff:ff:ff
> > > >     inet 10.0.2.1/24 metric 1024 brd 10.0.2.255 scope global dynamic enp0s3
> > > >        valid_lft 3525sec preferred_lft 3525sec
> > > >
> > > >
> > > > Best regards,
> > > > Martin
> > > >
> > > >
> > > > On Tue, Feb 20, 2024 at 1:46 AM Simon Kelley <si...@thekelleys.org.uk> wrote:
> > > > >
> > > > > If you're doing DHCP, even if you're not sending ICMP ping packets, you
> > > > > still need CAP_NET_ADMIN, because the DHCP server has to be able to
> > > > > manipulate the ARP table.
> > > > >
> > > > > I guess you're starting dnsmasq without CAP_NET_ADMIN, dnsmasq is
> > > > > determining that it needs CAP_NET_ADMIN to run the DHCP server, and
> > > > > erroring out because it doesn't have it.
> > > > >
> > > > >
> > > > > Simon.
> > > > >
> > > > >
> > > > > On 19/02/2024 15:32, Martin Ivičič wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I might have stumbled upon a minor bug in dnsmasq which causes the
> > > > > > NET_ADMIN capability to be required even if it's actually not needed
> > > > > > (according to the provided command line arguments).
> > > > > >
> > > > > > diff --git a/src/dnsmasq.c b/src/dnsmasq.c
> > > > > > index 30fb419..cef42f6 100644
> > > > > > --- a/src/dnsmasq.c
> > > > > > +++ b/src/dnsmasq.c
> > > > > > @@ -313,9 +313,10 @@ int main (int argc, char **argv)
> > > > > > {
> > > > > > dhcp_init();
> > > > > > # ifdef HAVE_LINUX_NETWORK
> > > > > > - if (!option_bool(OPT_NO_PING))
> > > > > > - need_cap_net_raw = 1;
> > > > > > - need_cap_net_admin = 1;
> > > > > > + if (!option_bool(OPT_NO_PING)) {
> > > > > > + need_cap_net_raw = 1;
> > > > > > + need_cap_net_admin = 1;
> > > > > > + }
> > > > > > # endif
> > > > > > }
> > > > > >
> > > > > > Without this patch, with the following arguments, dnsmasq ends with
> > > > > > "dnsmasq: process is missing required capability NET_ADMIN"
> > > > > >
> > > > > > src/dnsmasq \
> > > > > >   --strict-order \
> > > > > >   --bind-interfaces \
> > > > > >   --interface=br-mgmt \
> > > > > >   --listen-address=10.0.0.254 \
> > > > > >   --dhcp-range=10.0.0.1,10.0.0.250 \
> > > > > >   --dhcp-authoritative \
> > > > > >   --no-ping \
> > > > > >   --dhcp-broadcast \
> > > > > >   --port=0 \
> > > > > >   --conf-file= \
> > > > > >   --pid-file=/tmp/dnsmasq.pid \
> > > > > >   --dhcp-leasefile=/tmp/dnsmasq.leases \
> > > > > >   --dhcp-no-override \
> > > > > >   --no-daemon
> > > > > >
> > > > > > After applying the patch dnsmasq starts and runs fine.
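Review bot: the condition is too broad: tying need_cap_net_admin to OPT_NO_PING drops the CAP_NET_ADMIN requirement for every --no-ping configuration, but, as the reply upthread points out, the DHCP server still has to manipulate the ARP table unless --dhcp-broadcast is in effect, so a server started with --no-ping and without --dhcp-broadcast would pass the startup check and then fail later at the ARP step instead of failing early with a clear "missing required capability" message. Keep need_cap_net_admin = 1 as the default and clear it only when --dhcp-broadcast is set unconditionally (no tags); the --no-ping test should govern need_cap_net_raw alone.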
> > > > > >
> > > > > > Best regards,
> > > > > > Martin
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
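A check for a CI run like the one described in this thread, added here and not taken from the thread or from dnsmasq: read the CapEff mask from /proc/<pid>/status and report which of the three capabilities discussed above (NET_BIND_SERVICE, NET_ADMIN, NET_RAW) the process actually holds, so a job that expects to run without NET_ADMIN can verify it. The status text, the SAMPLE_STATUS name and the function names are my own assumptions.

```shell
#!/bin/bash
# Added check, not part of the thread: decode the CapEff mask of a process
# (as found in /proc/<pid>/status) and report which of the capabilities
# discussed above it holds. Bit numbers are the Linux values:
# CAP_NET_BIND_SERVICE=10, CAP_NET_ADMIN=12, CAP_NET_RAW=13.

# Constructed sample of the capability lines for a process started with
# exactly those three capabilities (0x400 + 0x1000 + 0x2000 = 0x3400).
SAMPLE_STATUS='Name:   dnsmasq
CapInh: 0000000000000000
CapPrm: 0000000000003400
CapEff: 0000000000003400
CapBnd: 000001ffffffffff'

# cap_held MASK BIT: succeed if bit BIT is set in the hex mask MASK
cap_held() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capeff_of STATUS_TEXT: print the CapEff mask found in a status dump
capeff_of() {
  printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# held_caps STATUS_TEXT: print the held capabilities among the three
# above, space separated; fail if the dump has no CapEff line
held_caps() {
  mask=$(capeff_of "$1")
  [ -n "$mask" ] || return 1
  out=""
  for pair in NET_BIND_SERVICE:10 NET_ADMIN:12 NET_RAW:13; do
    name=${pair%%:*}
    bit=${pair##*:}
    cap_held "$mask" "$bit" && out="$out $name"
  done
  printf '%s\n' "${out# }"
}

# Live use: held_caps "$(cat /proc/$(cat /tmp/dnsmasq.pid)/status)"
# A job that runs dnsmasq with --no-ping --dhcp-broadcast and expects no
# NET_ADMIN can fail when the printed list contains NET_ADMIN.
```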