From f61fafabe43c18a10f01030a8cce30bfe4f9c5c5 Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Wed, 28 Feb 2024 11:50:57 +0000
Subject: [PATCH] Add NET_RAW to dnsmasq container
When using dnsmasq as a DHCP server, unless you use the noping option (and that is not recommended), the NET_RAW capabilty is required so that dnsmasq can send ICMP packets. These are used to check an address is not currently in use[1]. Docker enables this capability by default. Podman runs containers with a minimal set of capabilities[3].
[1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012840.html
[2] https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities
[3] https://github.com/rhatdan/common/blob/f39f2a3f8c7680b9e456b9d235570e511807d6c6/docs/containers.conf.5.md?plain=1#L84-L101
Closes-Bug: #2055282
Change-Id: Ib3a1313df680d91c7f008063937ca7d37e82f690
---
ansible/roles/ironic/defaults/main.yml | 1 +
...t-raw-capability-to-ironic-dnsmasq-40f5894c5180b12d.yaml | 6 ++++++
2 files changed, 7 insertions(+)
create mode 100644 releasenotes/notes/adds-net-raw-capability-to-ironic-dnsmasq-40f5894c5180b12d.yaml
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index 1181cf4297..82823b8b86 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -82,6 +82,7 @@ ironic_services:
 enabled: true
 cap_add:
 - NET_ADMIN
+ - NET_RAW
 image: "{{ ironic_dnsmasq_image_full }}"
 volumes: "{{ ironic_dnsmasq_default_volumes + ironic_dnsmasq_extra_volumes }}"
 dimensions: "{{ ironic_dnsmasq_dimensions }}"
diff --git a/releasenotes/notes/adds-net-raw-capability-to-ironic-dnsmasq-40f5894c5180b12d.yaml b/releasenotes/notes/adds-net-raw-capability-to-ironic-dnsmasq-40f5894c5180b12d.yaml
new file mode 100644
index 0000000000..bd9022b7f0
--- /dev/null
+++ b/releasenotes/notes/adds-net-raw-capability-to-ironic-dnsmasq-40f5894c5180b12d.yaml
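Review bot: The new `- NET_RAW` entry in the ironic-dnsmasq `cap_add` list carries no comment recording why a second capability is being granted, so the rationale lives only in the commit message and the entry is likely to be copied into other services' `cap_add` lists or dropped by a later least-privilege pass. A one-line comment above it would keep the intent in the file: `# NET_RAW: dnsmasq sends ICMP to check an address is free before offering it; needed unless no-ping is set (podman does not grant it by default)`. Since the commit message itself ties the need to dnsmasq running without `no-ping`, the comment could also name the dnsmasq config template so a reviewer can confirm that option is not set there, in which case the capability could be left off. The enclosing `ironic_services` mapping starts and ends outside the hunk.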
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes an issue with ironic dnsmasq failing to start in deployments
+ using podman because it requires the NET_RAW capability. See `LP#2055282 + `__.