[libvirt] [PATCH] network: don't use dhcp-authoritative on static networks

Martin Wilck mwilck at suse.com
Mon Dec 19 13:40:16 UTC 2016

On Sun, 2016-12-18 at 20:37 -0500, Laine Stump wrote:
> On 12/16/2016 11:58 AM, Martin Wilck wrote:
> > "Static" DHCP networks are those where no dynamic DHCP range is
> > defined, only a list of host entries is used to serve permanent
> > IP addresses. On such networks, we don't want dnsmasq to reply
> > to other requests than those statically defined. But
> > "dhcp-authoritative" will cause dnsmasq to do just that.
> > Therefore we can't use "dhcp-authoritative" for static networks.
> Not surprising that this simple change would have unexpected
> consequences - that seems to be a basic law of the universe :-)
> ACK to this, but it has me wondering 1) what is the range for which it
> returns a positive response? Is it for anything within the IP
> address/netmask of the interface it's listening on? Or something larger
> than that? (Does it just blindly ACK any request it gets?) and 2) Do we
> know for certain that the same thing doesn't happen when there is also a
> dhcp range defined?

I can't answer this for certain at the moment. I got a report from our
cloud people and this patch fixed their configuration; I haven't seen
it in my own environment.

Wrt 2), I'd bet that the same thing will happen with a DHCP range
defined. But would that be wrong? If dnsmasq is allowed to take IP
addresses from a dynamic range, why shouldn't it do so (*)? Several
DHCP servers in the same subnet are a strange configuration anyway. In
the case of the "static" network it makes a certain amount of sense (in
our case, the libvirt DHCP server was only used to serve the IP of a
single static host, which was then used as DHCP server for all other
hosts on the network), but if a "dynamic" dhcp service already exists,
adding another one looks like begging for trouble to me.

I can try to figure stuff out in more detail, but it'll take some time.


(*) I can see a corner case: when libvirt dnsmasq's dynamic range was
depleted. Should it be allowed to respond to queries in that case?
Sorry, I don't know.

Dr. Martin Wilck <mwilck at suse.com>, Tel. +49 (0)911 74053 2107
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
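
An added example, not part of the original message or of the libvirt patch: a small check that flags a dnsmasq configuration combining `dhcp-authoritative` with only static ranges, the situation the quoted commit message describes. The sample configurations and the hostsfile path are constructed, and the check assumes a static-only network is expressed with dnsmasq's `static` mode on `dhcp-range`.

```python
# Added example: audit dnsmasq config text for dhcp-authoritative on a
# static-only network. Sample configs and paths below are constructed.

STATIC_ONLY = """\
interface=virbr1
dhcp-range=192.168.100.1,static
dhcp-authoritative
dhcp-hostsfile=/tmp/example.hostsfile
"""

DYNAMIC = """\
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254
dhcp-authoritative
"""

def parse(conf):
    """Return (list of dhcp-range field lists, dhcp-authoritative present?)."""
    ranges, authoritative = [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "dhcp-authoritative":
            authoritative = True
        elif key == "dhcp-range":
            ranges.append([f.strip() for f in value.split(",")])
    return ranges, authoritative

def static_only(ranges):
    """True when DHCP is enabled and every range uses dnsmasq's 'static' mode."""
    return bool(ranges) and all("static" in fields for fields in ranges)

def audit(conf):
    """Return a finding string, or None when the combination is absent."""
    ranges, authoritative = parse(conf)
    if authoritative and static_only(ranges):
        return "dhcp-authoritative set, but only static ranges are defined"
    return None

if __name__ == "__main__":
    for name, conf in (("static-only", STATIC_ONLY), ("dynamic", DYNAMIC)):
        print(name, "->", audit(conf) or "ok")
```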
