[SOLVED] dhcp issue with KVM, LXC does not have the issue

[RobFantini]

Hello
we use pve enterprise repos all up to date.

dhcp server is isc-kea

we have fixed reservations set up at dhcp server based on mac address for some kvm's which are configured as dhcp clients in /etc/network/interfaces .
those kvms are not getting the reserved IP, instead they get an IP from the dhcp pool.

lxc does not have this issue.

I have been working on this for some hours . If anyone has a suggestion to fix or debug please send a communication .

Next I'll see if desktops have the same issue.

 

[RobFantini]

desktops do get a fixed reservation from the dhcp server.

 

[RobFantini]

i have a kvm which does get the correct address from dhcp.

/etc/network/interfaces :

# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

here is what a kvm which does not get the correct address has:

source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
 
allow-hotplug eth0
  iface eth0 inet dhcp

 

[RobFantini]

so I installed network-manager on the kvm and eliminated the eth0 part of interfaces. still not solved
both systems are running debian bookworm .
and on the same vlan.

 

[RobFantini]

i moved the kvm to the same node as the one that gets correct address. that did not fix the issue.

 

[RobFantini]

I just tested a windows kvm, and it got the correct IP address from the dhcp server reservations.

next I'll try to test a non debian linux kvm

 

[RobFantini]

a centos kvm got the correct address.

so looks like a debian configuration issue

 

[wahmed]

The isc-dhcp-client is responsible on the Debian side to receive correct IP based on MAC. It is installed by default. But for some odd reason it is not:
apt install isc-dhcp-client

Tried to forcefully release and renew IP?:
dhclient -r <interface>
dhclient <interface>

Also check the content here to see if something is odd:
cat /var/lib/dhcp/dhclient.leases

With isc-dhcp-client, the interface simply receives the IP without fuss. It is as simple as it gets as you know.

 

[RobFantini]

Hello Wasim

# apt install isc-dhcp-client
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
isc-dhcp-client is already the newest version (4.4.3-P1-2).

# dhclient ens18
RTNETLINK answers: File exists

I think the issue is with kea-dhcp , or my configuration at kea-dhcp . It is strange that non debian systems do not have an issue.

Next I'll use this to try to see differences between centos and debian at the server using

sudo tcpdump -i eth0 port 67 or port 68 -e -n -vv

 

[RobFantini]

another question - is it possible to set the dhcp-relay for the pve vlans at the vmbr bridge or in network config? currently the relay is set at the switch which all the nodes are connected to.

 

[RobFantini]

this issue was caused by my deleting a couple of subnets from our network configuration system [ONA OpenNetAdmin IP Address Management (IPAM) system ] . after that the generated kea-dhcp4 configuration had some changes subnet id's ... so kea-dhcp say lease request coming in from a wrong network and rejected the request for a reservation. more detail is available at kea-users@lists.isc.org

 

[wahmed]

another question - is it possible to set the dhcp-relay for the pve vlans at the vmbr bridge or in network config? currently the relay is set at the switch which all the nodes are connected to.

Yes, it is possible to setup dhcp-relay for vlans and offload it from the switch. The configuration is done at the Proxmox node itself. It does work, but I was never able to make it work without some glitches. The root cause was unknown. It was a specific environment with specific requirement.

It is done using isc-dhcp-relay package:

apt install isc-dhcp-relay

Configure DHCP relay using the config file in /etc/default/isc-dhcp-relay:

SERVERS="192.168.1.1"  # Replace with the IP of your DHCP server
INTERFACES="vmbr0.10 vmbr0.20"  # Replace with your VLAN interfaces
OPTIONS=""

Restart the relay:

systemctl restart isc-dhcp-relay

This works with both default Linux Bridge and openvswitch. The configuration of vlan in the /etc/network/interfaces remains the same. There is no specialty there. For default linux bridge (over simplified):

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp0s0
    bridge-stp off
    bridge-fd 0

# VLAN 10
auto vmbr0.10
iface vmbr0.10 inet manual
    vlan-raw-device vmbr0

# VLAN 20
auto vmbr0.20
iface vmbr0.20 inet manual
    vlan-raw-device vmbr0

For openvswitch (over simplified):

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports enp0s0

auto enp0s0
iface enp0s0 inet manual
    ovs_bridge vmbr0
    ovs_type OVSPort

# VLAN 10
auto vmbr0.10
iface vmbr0.10 inet manual
    ovs_bridge vmbr0
    ovs_type OVSIntPort
    ovs_options tag=10

# VLAN 20
auto vmbr0.20
iface vmbr0.20 inet manual
    ovs_bridge vmbr0
    ovs_type OVSIntPort
    ovs_options tag=20

this issue was caused by my deleting a couple of subnets from our network configuration system [ONA OpenNetAdmin IP Address Management (IPAM) system ] . after that the generated kea-dhcp4 configuration had some changes subnet id's ... so kea-dhcp say lease request coming in from a wrong network and rejected the request for a reservation. more detail is available at kea-users@lists.isc.org

Glad it worked out!

 

[RobFantini]

Yes, it is possible to setup dhcp-relay for vlans and offload it from the switch. The configuration is done at the Proxmox node itself. It does work, but I was never able to make it work without some glitches. The root cause was unknown. It was a specific environment with specific requirement.

It is done using isc-dhcp-relay package:

apt install isc-dhcp-relay

Configure DHCP relay using the config file in /etc/default/isc-dhcp-relay:

SERVERS="192.168.1.1"  # Replace with the IP of your DHCP server
INTERFACES="vmbr0.10 vmbr0.20"  # Replace with your VLAN interfaces
OPTIONS=""

Restart the relay:

systemctl restart isc-dhcp-relay

This works with both default Linux Bridge and openvswitch. The configuration of vlan in the /etc/network/interfaces remains the same. There is no specialty there. For default linux bridge (over simplified):

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp0s0
    bridge-stp off
    bridge-fd 0

# VLAN 10
auto vmbr0.10
iface vmbr0.10 inet manual
    vlan-raw-device vmbr0

# VLAN 20
auto vmbr0.20
iface vmbr0.20 inet manual
    vlan-raw-device vmbr0

For openvswitch (over simplified):

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports enp0s0

auto enp0s0
iface enp0s0 inet manual
    ovs_bridge vmbr0
    ovs_type OVSPort

# VLAN 10
auto vmbr0.10
iface vmbr0.10 inet manual
    ovs_bridge vmbr0
    ovs_type OVSIntPort
    ovs_options tag=10

# VLAN 20
auto vmbr0.20
iface vmbr0.20 inet manual
    ovs_bridge vmbr0
    ovs_type OVSIntPort
    ovs_options tag=20

Glad it worked out!

Hello Wasim.
currently in interfaces I do not have sections for each vlan. so no vmbr0.20 etc.
i do have this:

auto vmbr3
iface vmbr3 inet static
        address 10.1.10.2/24
        gateway 10.1.10.1
        bridge-ports bond3
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-250
        mtu 9000

as I am using ' bridge-vids ' would I still need to put a vlan stanzas?

also do you recollect what the issues were using dhcp relay?

thanks for the assistance!

 

[wahmed]

as I am using ' bridge-vids ' would I still need to put a vlan stanzas?

As far as I know the configuration requires an interface of some sort to work. So in your case, you can try to use vmbr3 as the interface. If it works, the relay will get applied to all the vlans that you have configured. Currently I am assuming you tag your VMs with proper vlan ID. If all your vlans should not be part of same DHCP pool, they yes you will have to configure vlan interfaces separately.

also do you recollect what the issues were using dhcp relay?

The issue was not something major. It was hit and miss occasionally. A VM would not receive an IP initially or it wont receive when it was time to renew. But after a little while it will receive on its own. But the hit and miss was not wide spread and wasnt frequent enough to raise any concern. Who knows it may not have been due to the relay at all but something else. The cost/benefit was not profitable enough to dig deeper into it and client was fine with it.

 

[spirit]

for dhcp relay (or dhcp server without relay), you need to have 1ip in each subnet to be able to deliver the dhcp response.

 

[RobFantini]

the best way may be one network interface per vlan at the dhcp server.

do you know off hand if there is a limit to the number of interfaces a pct can have? 23 have 20 vlans...

 

[RobFantini]

just checked , for containers... I'll check kvm next
"You can configure up to 10 network interfaces for a single container."

 

[RobFantini]

for dhcp relay (or dhcp server without relay), you need to have 1ip in each subnet to be able to deliver the dhcp response.

do you mean an address in the pve interfaces file , for each vlan an ip address?

# VLAN 10
auto vmbr0.10
iface vmbr0.10 inet manual
    vlan-raw-device vmbr0
    address 10.1.10.2/24
    gateway 10.1.10.1

 

[wahmed]

do you mean an address in the pve interfaces file , for each vlan an ip address?

# VLAN 10
auto vmbr0.10
iface vmbr0.10 inet manual
    vlan-raw-device vmbr0
    address 10.1.10.2/24
    gateway 10.1.10.1

That's what @spirit meant. But you do not need to mention the gateway IP. Just the address is fine. If you have separate pool in your DHCP server for each vlan, a request goes to the server with the address of the vlan. That way the DHCP server knows which pool to assign the IP from.

If you are using a single IP pool for all your vlans, that will work too but it comes with some quirks, specially if your devices will move between vlans. Also ARP table management can become complex with all vlans sharing same IP pool.

 

[RobFantini]

I ended up with one dhcp server per vlan using pct. we have approx 20 managed switches and 20 dumb switches in our factory. with a dhcp server for each vlan switch configuration errors are less likely to block parts of dhcp traffic. I was seeing dhcp acks ignored on a couple of vlans.
also dhcp clients are now getting an address much faster then before [ a couple of milliseconds compared to .5 second ]