Bridge not created if bind9 is on

Bug #1240757 reported by José Antonio Rey on 2013-10-17
86
This bug affects 16 people
Affects Status Importance Assigned to Milestone
bind9 (Ubuntu)
Medium
LaMont Jones
lxc (Ubuntu)
Medium
Unassigned
lxd (Ubuntu)
Medium
Unassigned

Bug Description

LXC will not create the lxcbr0 bridge if bind9 is on, as it can not take the 10.0.3.1 address. If bind9 is stopped, then LXC successfully creates the bridge.

Expected result: LXC will create the bridge, even if bind9 is on.
---
ApportVersion: 2.9.2-0ubuntu8.3
Architecture: i386
DistroRelease: Ubuntu 13.04
InstallationDate: Installed on 2013-06-29 (110 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release i386 (20130424)
MarkForUpload: True
Package: lxc
PackageArchitecture: i386
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-3.8.0-31-generic root=UUID=4c07e19b-cf33-4cbd-ab6d-fe300398b22b ro quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 3.8.0-31.46-generic 3.8.13.8
RelatedPackageVersions:
 bind9utils 1:9.9.2.dfsg.P1-2ubuntu2.1
 apparmor 2.8.0-0ubuntu11
Tags: raring
Uname: Linux 3.8.0-31-generic i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
modified.conffile..etc.bind.named.conf.local: [modified]
mtime.conffile..etc.bind.named.conf.local: 2013-08-01T12:03:20.742316

Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug.

Note that another workaround should be to put 'listen-on { ! 10.0.3.1 };' in the named.conf.

However, when I tried to reproduce this in saucy I could not, so I wonder if there is something specific in your configuration customizations which caused this.

Could you please re-enable bind and then run 'apport-collect 1240757'? Hopefully apport will report customizations.

Changed in bind9 (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
Changed in lxc (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete

apport information

tags: added: apport-collected raring
description: updated

apport information

apport information

apport information

Serge Hallyn (serge-hallyn) wrote :

Unfortunately that didn't give me as much information as I'd hoped.

Could you please tell us what release you are on, and (after sanitizing for any private information) the contents of /etc/bind/named* ?

José Antonio Rey (jose) wrote :

Currently on Raring. I'm adding comments with the respective files attached:

José Antonio Rey (jose) wrote :
José Antonio Rey (jose) wrote :
José Antonio Rey (jose) wrote :
Serge Hallyn (serge-hallyn) wrote :

I can reproduce this if I add a 'sleep 10' right before the dnsmasq call in /etc/init/lxc-net.conf, so it appears to be purely timing related. (in other words, bind will always by default attach to all interfaces as they come up; it's not anything in your configs)

The question is then just how to properly handle this.

Changed in lxc (Ubuntu):
status: Incomplete → Confirmed
Changed in bind9 (Ubuntu):
status: Incomplete → Confirmed
Serge Hallyn (serge-hallyn) wrote :

Leaving medium prio since there's a manual workaround (using listen-on).

Leaving confirmed in both lxc and bind9, as the best fix may still include a change to the bind9 package, rather than named.conf.options changes made by lxc postinst.

Simon Déziel (sdeziel) wrote :

Another potential workaround would be to instruct bind9 to not poll to discover new interfaces (with interface-interval 0;). I have not tested this.

ogai (y-launchpad-ogai-name) wrote :

This bug just hit me in Ubuntu 14.04 LTS and is quite serious because LTS is used in servers, and it is common to try to have virtualization (LXC) as well as being configured as DNS servers (bind9).

Additionally, under some configurations at least, the whole DNS resolving becomes malfunctioning as 10.0.3.1 is the first entry in /etc/resolv.conf (put by resolvconf / dnsmasq) but it is not accessible. As a result, any DNS resolving wait some seconds for a timeout!

A detailed workaround without reboot:

1. Add this line in /etc/bind/named.conf.options before the last line::

    listen-on { ! 10.0.3.1; };

2. Restart bind9::

    service bind9 restart

3. Restart the LXC network::

    service lxc-net restart

Serge Hallyn (serge-hallyn) wrote :

It would be ideal if we could create a /etc/named.conf.d/lxc file and put the "listen-on { ! 10.0.3.1; };" there.

Serge Hallyn (serge-hallyn) wrote :

Does bind9 yet support named.conf.d ?

tags: added: landscape
Chad Smith (chad.smith) wrote :

Looks like the proper syntax for the listen-on named config is either

Just tested on MAAS dns service which fails > 75% of the time when brought up in a vm due to timing issues.

The proposed "listen-on { ! 10.0.3.1; };" cannot be parsed by bind because ! is supposed to be outside the address list match element. (per http://www.zytrax.com/books/dns/ch7/address_match_list.html)

I think the fix should be:

listen-on ! { 10.0.3.1; };

With this setting in my maas dns/bind conf, bind comes up without error and I don't get collisions with lxc ips on the system.

Chad Smith (chad.smith) wrote :

hmm, I should've validated this statement above further on deployments. I am seeing other errors with bind with the above suggestion. I'll debug more and present results.

Chad Smith (chad.smith) wrote :

Ok attempt #2.

Looks like the original clause below didn't match any addresses so I was getting connection refused messages

listen-on { ! 10.0.3.1; };

What I found worked on my end was specifying a secondary address match list 'any' which we fall through to match any ipv4 address that is not 10.0.3.1:

listen-on { ! 10.0.3.1; any; };

Ivan Ogai (ubuntu-yd) wrote :

Yes, I can confirm that the proper setting for ipv4 is:

    listen-on { ! 10.0.3.1; any; };

Now, the problem at hands appears again with ipv6. In /var/log/upstart/lxc-net.log:

    dnsmasq: failed to create listening socket for<some ipv6 address>%lxcbr0: Address already in use.

Deactivating ipv6 in bind solves it, but is of course not a final solution. In /etc/bind/named.conf.options

    listen-on-v6 { none; };

Stéphane Graber (stgraber) wrote :

Unfortunately this isn't something that LXC itself can do, unless there is some kind of .d mechanism where we can dump a bind config snippet into.

David Favor (davidfavor) wrote :

Having bind use .d mechanism seems like the cleanest way to handle this.

Changed in lxd (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
LaMont Jones (lamont) on 2016-06-14
Changed in bind9 (Ubuntu):
milestone: none → xenial-updates
assignee: nobody → LaMont Jones (lamont)
Changed in lxd (Ubuntu):
status: Confirmed → Triaged
Changed in lxc (Ubuntu):
status: Confirmed → Triaged
Changed in bind9 (Ubuntu):
status: Confirmed → Triaged
Stéphane Graber (stgraber) wrote :

Marking this won't fix for LXD since LXD is now letting API users create bridges dynamically which makes generating .d files very impractical for us. We may however be able to add a check for this issue and at least report a better error to the user.

For LXC, we could still use a .d mechanism since we have a fixed bridge there.

Changed in lxd (Ubuntu):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers