Add NET_RAW to dnsmasq container

When using dnsmasq as a DHCP server, unless you use the noping option (and that is not recommended), the NET_RAW capabilty is required so that dnsmasq can send ICMP packets. These are used to check an address is not currently in use[1]. Docker enables this capability by default. Podman runs containers with a minimal set of capabilities[3]. [1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q1/012840.html [2] https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities [3] f39f2a3f8c/docs/containers.conf.5.md (L84-L101) Closes-Bug: #2055282 Change-Id: Ib3a1313df680d91c7f008063937ca7d37e82f690
2024-02-28 11:50:57 +00:00 · 2024-02-28 11:50:57 +00:00 · f61fafabe4
commit f61fafabe4
parent 9b3428c504
2 changed files with 7 additions and 0 deletions
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@ -82,6 +82,7 @@ ironic_services:
    enabled: true
    cap_add:
      - NET_ADMIN
+      - NET_RAW
    image: "{{ ironic_dnsmasq_image_full }}"
    volumes: "{{ ironic_dnsmasq_default_volumes + ironic_dnsmasq_extra_volumes }}"
    dimensions: "{{ ironic_dnsmasq_dimensions }}"
--- a/releasenotes/notes/adds-net-raw-capability-to-ironic-dnsmasq-40f5894c5180b12d.yaml
+++ b/releasenotes/notes/adds-net-raw-capability-to-ironic-dnsmasq-40f5894c5180b12d.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue with ironic dnsmasq failing to start in deployments
+    using podman because it requires the NET_RAW capability. See `LP#2055282
+    <https://bugs.launchpad.net/kolla-ansible/+bug/2055282>`__.