Dnsmasq spawned by neutron-dhcp-agent should use bind-dynamic option instead of bind-interfaces

Bug #1828473 reported by Slawek Kaplonski
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Low | Brian Haley |

Bug Description

According to the warning log from dnsmasq:

May 09 23:08:59 devstack-ubuntu-ovs dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)

Option bind-interfaces has been available since dnsmasq 2.63 (https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and we already require at least 2.67, so we should change this option when calling the dnsmasq process.
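
An audit of the condition described in this report, as an added example that is not part of the original report or of neutron's code: it classifies dnsmasq invocations by bind option and correlates them with the warning line quoted above. The process table, the second PID and the argument lists are constructed sample data; only the log line and the option names come from the report.

```python
import re

# Matches the syslog warning quoted in the report and captures the dnsmasq PID.
WARNING_RE = re.compile(r"dnsmasq\[(\d+)\]: LOUD WARNING: use --bind-dynamic")

def parse_argv(raw):
    """Split a NUL-separated argv, the layout used by /proc/<pid>/cmdline."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit_argv(argv):
    """Classify one dnsmasq invocation by the bind option it was started with."""
    flags = {a.split("=", 1)[0] for a in argv[1:]}
    if "--bind-interfaces" in flags or "-z" in flags:  # -z is the short form
        return "uses --bind-interfaces; switch to --bind-dynamic"
    if "--bind-dynamic" in flags:
        return "ok"
    return "no bind option on the command line; check the conf file"

def warned_pids(log_lines):
    """PIDs of dnsmasq instances that logged the LOUD WARNING."""
    hits = (WARNING_RE.search(line) for line in log_lines)
    return {int(m.group(1)) for m in hits if m}

def audit(procs, log_lines):
    """Map each PID to its finding and whether it also logged the warning."""
    warned = warned_pids(log_lines)
    return {pid: {"finding": audit_argv(parse_argv(raw)), "warned": pid in warned}
            for pid, raw in procs.items()}

# Constructed sample: PID 27287 matches the report's log line, 31002 is made up.
SAMPLE_PROCS = {
    27287: b"dnsmasq\0--no-hosts\0--no-resolv\0--bind-interfaces\0"
           b"--interface=tap0\0--except-interface=lo\0",
    31002: b"dnsmasq\0--no-hosts\0--no-resolv\0--bind-dynamic\0"
           b"--interface=tap1\0--except-interface=lo\0",
}
SAMPLE_LOG = [
    "May 09 23:08:59 devstack-ubuntu-ovs dnsmasq[27287]: LOUD WARNING: use "
    "--bind-dynamic rather than --bind-interfaces to avoid DNS amplification "
    "attacks via these interface(s)",
]

if __name__ == "__main__":
    for pid, result in sorted(audit(SAMPLE_PROCS, SAMPLE_LOG).items()):
        print(pid, result)
```

On a live host the same functions can be fed the contents of `/proc/<pid>/cmdline` for each dnsmasq process and the lines of the system log.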

Brian Haley (brian-haley) wrote :

It does seem like this should work correctly. Let me throw something up to see how it behaves in testing.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/658240

Changed in neutron:
assignee: Slawek Kaplonski (slaweq) → Brian Haley (brian-haley)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/658240
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=09ee9347864d731ce7ccf241178559815e82f57c
Submitter: Zuul
Branch: master

commit 09ee9347864d731ce7ccf241178559815e82f57c
Author: Brian Haley <email address hidden>
Date: Thu May 9 22:33:02 2019 -0400

    Use --bind-dynamic with dnsmasq instead of --bind-interfaces

    Dnsmasq emits a warning when started in most neutron deployments:

    dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than
        --bind-interfaces to avoid DNS amplification attacks via
        these interface(s)

    Since option --bind-dynamic is available since dnsmasq 2.63
    (https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and
    we require 2.67, change to use this option instead.

    Change-Id: Id7971bd99b04aca38180ff109f542422b1a925d5
    Closes-bug: #1828473

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/670682

norman shen (jshen28) wrote :

We also observe an excessive amount of the same logs....

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/670691

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/670692

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/670692
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7ec7fd8fdf4dae028469b644c922cc47e8a6eab1
Submitter: Zuul
Branch: stable/queens

commit 7ec7fd8fdf4dae028469b644c922cc47e8a6eab1
Author: Brian Haley <email address hidden>
Date: Thu May 9 22:33:02 2019 -0400

    Use --bind-dynamic with dnsmasq instead of --bind-interfaces

    Dnsmasq emits a warning when started in most neutron deployments:

    dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than
        --bind-interfaces to avoid DNS amplification attacks via
        these interface(s)

    Since option --bind-dynamic is available since dnsmasq 2.63
    (https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and
    we require 2.67, change to use this option instead.

    Change-Id: Id7971bd99b04aca38180ff109f542422b1a925d5
    Closes-bug: #1828473
    (cherry picked from commit 09ee9347864d731ce7ccf241178559815e82f57c)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/670682
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=431ba12873c358260b1275470916ca2d3544a3dd
Submitter: Zuul
Branch: stable/stein

commit 431ba12873c358260b1275470916ca2d3544a3dd
Author: Brian Haley <email address hidden>
Date: Thu May 9 22:33:02 2019 -0400

    Use --bind-dynamic with dnsmasq instead of --bind-interfaces

    Dnsmasq emits a warning when started in most neutron deployments:

    dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than
        --bind-interfaces to avoid DNS amplification attacks via
        these interface(s)

    Since option --bind-dynamic is available since dnsmasq 2.63
    (https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and
    we require 2.67, change to use this option instead.

    Change-Id: Id7971bd99b04aca38180ff109f542422b1a925d5
    Closes-bug: #1828473
    (cherry picked from commit 09ee9347864d731ce7ccf241178559815e82f57c)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/670691
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=00df9b0a853313ac2c58772e363099192e3dca4d
Submitter: Zuul
Branch: stable/rocky

commit 00df9b0a853313ac2c58772e363099192e3dca4d
Author: Brian Haley <email address hidden>
Date: Thu May 9 22:33:02 2019 -0400

    Use --bind-dynamic with dnsmasq instead of --bind-interfaces

    Dnsmasq emits a warning when started in most neutron deployments:

    dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than
        --bind-interfaces to avoid DNS amplification attacks via
        these interface(s)

    Since option --bind-dynamic is available since dnsmasq 2.63
    (https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and
    we require 2.67, change to use this option instead.

    Change-Id: Id7971bd99b04aca38180ff109f542422b1a925d5
    Closes-bug: #1828473
    (cherry picked from commit 09ee9347864d731ce7ccf241178559815e82f57c)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.0.0b1

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.3

This issue was fixed in the openstack/neutron 14.0.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.5

This issue was fixed in the openstack/neutron 13.0.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.1.1

This issue was fixed in the openstack/neutron 12.1.1 release.
