Post by j***@bluemarble.net
I'm trying to use virt-manager and qemu/kvm on Arch Linux. The box I'm
using is also the router for my house. It runs a kea DHCP server. When I
try to start the default NAT network, it can't start dnsmasq because that
port is already bound. Is there a way to have it not bind on this
interface? I see there is an except-on statement in the dnsmasq.conf, but
I can't add lines to that directly, and I didn't see any way to add
special options using virsh net-edit default.

Post by Laine Stump
The dnsmasq processes run by libvirt to serve dhcp for the virtual
networks already do this - they listen *only* on the bridge created
for their particular network, nothing else. Your problem is that your
host system's dhcp server has been configured to automatically listen on
all interfaces.
So it's not the configuration of the libvirt network that needs to
change, it's the configuration of the host system's dhcp server. It
needs to be told that it shouldn't automatically listen on all new
interfaces, but to just listen on certain specific interfaces.

Post by Daniel P. Berrangé
Check out this
https://wiki.libvirt.org/page/Libvirtd_and_dnsmasq

Post by Laine Stump
Useful for dnsmasq, but he says his host is using "kea dhcp server",
which appears to be some off-shoot of ISC dhcpd, so the config would be
different.

Post by John Ratliff
Thanks. I asked on the kea list and they say they don't have a method to
do this. Something about raw packets. I may try to switch to dnsmasq for
my DHCP server on the machine. For now, I'm back to VirtualBox.

Post by Laine Stump
Really? That seems like a serious limitation - imagine a machine that's
acting as a router from a public network to your own private network,
and you want that same machine to serve DHCP only on the private side
(to avoid making the admin of the public side angry :-). I could see how
using raw sockets could muddy the waters, but surely they must have a
way to configure their server to only listen on a particular interface?

This is the response I got from the kea list. It's from a member of the
ISC, Francis Dupont.
--------------
There is no good solution: Kea uses LPF raw sockets on Linux by default
with a fallback socket which is used to:
1- send some packets back
2- keep the kernel from returning ICMP port unreachables because no socket
is bound to the service port
The result is that it is complex and sometimes impossible to run multiple
DHCP services on the same system. BTW unfortunately it is not a new
problem...
Some extra comments:
- the openFallbackSocket() method is generic so does not use the Linux
specific SO_BINDTODEVICE.
- SO_REUSEADDR won't help on Linux because its implementation is broken:
when set to 1 it simply disables conflict detection.
- I saw the word NAT in your message: if dnsmasq is run behind a NAT the
best solution is to translate the DHCP server port and to use for
dnsmasq this alternate port.
--------------------------