On 20/02/2026 17:18, Simon Kelley wrote:
A problem with this patch is the error handling. You can't call die() in the second call to inotify_dnsmasq_init() because the daemon has forked into the background by then. It's necessary to do the whole fatal_event() stuff to make sure that the original process exits with a suitable error code. Some of the errors have turned into warnings, but there are still errors in there that should be fatal.
Can you give an example, please? If the /etc/resolv.conf points to localhost, such as in my case, there is no reason for using watch on it. Nor fail hard because of it failed to allocate. Unless I am able to specify what I want, it should not be fatal error IMO.
What is the reason for inotify usage in TCP forks anyway? They are never long-living, after they handle the TCP socket request, they always die, right? Dnsmasq does not support pipelining of multiple requests and idling with TCP sockets waiting for new queries, right? I think it should be okay in that case to wait for new TCP fork again and let it use whatever it already had. Eventually main process might send HUP from main process, since it has the pid of child.
Can it even use the inotify from worker forks? Should it close inotifyfd right after fork? I am not sure whether it even allocates additional socket or not.
Given that this patch makes dnsmasq change its behaviour from what's configured, sometimes, and with only a log warning, do you still think it's worth doing now you've found the root cause?Simon.
Yes! Because I know the cause, but there is not simple workaround in dnsmasq. I think it could be used to DoS the system by leaking inotify sockets intentionally. I have never instructed dnsmasq to insist on inotify watch, nor I can configure it optional nor disabled anywhere. Because some platforms do not even have inotify support, I think we can handle failed initialization the same way.
I expect adding new option for fatal exit on inotify watch failure is not what you would prefer. Is it? Should we add new option for inotify instead?
inotify=required # fail hardinotify=optional # try to use inotify, but continue if it fails, proposed new default? inotify=disabled # do not even attempt to use inotify, even if the platform has it and no-resolv is unused
What is your preference? Cheers, Petr
On 11.02.2026 21:12, Petr Menšík via Dnsmasq-discuss wrote:Hello!I have recently started to have issues when starting libvirt, which starts dnsmasq for DHCP and local machine DNS.I have started seeing inotify sockets failures in multiple packages. But the thing is, I cannot start libvirt network now. I think inotify socket should not usually be cause of fatal error.sudo virsh net-start default ends always with this failure. It usually helps to reboot the machine. I am not sure how to identify inotify usage on my machine.Strange is this seems to be problem only of root user. $ sudo inotifywatch /etc/resolv.conf Establishing watches...Failed to watch /etc/resolv.conf; upper limit on inotify watches reached!$ inotifywatch /etc/resolv.conf Establishing watches... Finished establishing watches, now collecting statistics. Strange is number of user watches should be somehow high: $ cat /proc/sys/fs/inotify/max_user_watches 511013So I started thinking, should be a failure to initialize inotify socket a fatal error? It seems to me warning would be all right.dnsmasq supports running even without inotify support. I have created a modification to run even in that case, only emit warning. I think failure to observe resolv.conf changes should not be a fatal error, unless requested somehow more explicitly.In attached change, I retry inotify creation with dropped privileges. It might help in my case and even for others. First time it fails only silently, because logging is not yet prepared. Only second time it also logs warnings.Minor change is making more obvious difference between main inotify socket and inotify watch creation error.Regards, Petr
-- Petr Menšík Senior Software Engineer, RHEL Red Hat, https://www.redhat.com/ PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
OpenPGP_0x4931CA5B6C9FC5CB.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ Dnsmasq-discuss mailing list [email protected] https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
