[libvirt] Proposal: no dnsmasq (no dhcp and no dns) and no radvd option
gene at czarc.net
Wed Nov 21 12:18:20 UTC 2012
On 11/20/2012 05:29 PM, Laine Stump wrote:
> On 11/20/2012 02:36 PM, Gene Czarcinski wrote:
>> Laine mentioned something yesterday that got me to thinking: being
>> able to specify that dnsmasq is not to be started for an interface.
>> Let me expand that by saying that libvirt would not start dnsmasq for
>> either dns or dhcp and also would not start radvd. However, the IPv4
>> and IPv6 gateway addresses would be defined on the virtual network
>> interface and the "usual" iptables and ip6tables rules would be in force.
>> This would allow a user to configure dnsmasq to meet any user desires
>> or use something completely different instead of dnsmasq.
>> Questions: Useful? Worth the time and effort?
> That was already determined before I mentioned it to you - it's been
> requested several times, and I've told some people it was "going to
> happen", although didn't say when :-).
>> And then there is how should this be specified in the network xml
>> file? ... some new parameter? ... A subperameter of <dns> such as
>> <dns disable='yes' /> ? ... a subparameter of <bridge> such as
>> <bridge name="virbr0" dns="disable" /> ?
> The <bridge> element is commonly *not* specified manually, but is filled
> in automatically be libvirt, so I don't think it's a good place to put
> optional flags (you would end up manually specifying settings for the
> things that are automatically filled in, like the bridge name).
> If anything, I would say the choice would be between putting it in <dns>
> or in the toplevel <network>, i.e.:
> <dns disable='yes'/> (or maybe "<dns enable='no'/> is better)
> <network dns='no'>
> Or, maybe it would be even better to put it in the <ip> element:
> <ip address='192.168.122.1' netmask='255.255.255.0' dns='no'/>
> that way you could have dnsmasq listen on some of the IP addresses
> defined for a network, but not others.
> At the same time, we probably to be able to disable ipv6 RA as well.
> Since that's only enabled when there is an ipv6 address, it can also be
> added into the <ip> element config:
> <ip family='ipv6' address='f00d::1' ra='no'/> (or maybe
> "autoconf='no'" ?)
> Yeah, I think I like it best in <ip> (unless someone else has a better
Not really better since I like the idea of adding this to <ip>.
However, I believe this is wrong! it is a mistake to tie this to an IP
address. Look at the problems that have occurred with dnsmasq. It
"likes" to deal with an interface and all addresses on that interface. See:
Instead, I suggest that this be an expansion to <network>. For example, <network dns='no'>. This could also scratch an itch of mine for specifying logging: <network dnslog='yes" dhcplog='yes'>. Then there is the issue with bind-intererface and bind-dynamic: <network bind='dynamic'>
All of these parameters involve the whole interface and not just one or the other of an IP address. I suspect that many/most virtual network definitions involve a single IPv4 address so, in that light, it would not make any difference. However, I believe that there will be more and more virtual networks which support both IPv4 and IPv6. To be honest, I see little actual use/need of multiple IPv4 and IPv6 addresses on a single virtual network interface.
One other thing. I believe this "new feature" should be available to as many old versions as practical and not just for "current" and future versions of libvirt. That is, at least to the v0.9.6-maint, v0.9.11-maint, and v0.10.2-maint levels.
Also, the default values (if nothing is specified) should be to run as it would today.
More information about the libvir-list