
Bug#1033639: kea-dhcp6-server wont start (apparmor and problems binding sockets)


Markus Viitamäki
Mar 29, 2023, 4:20:04 AM
Package: kea-dhcp6-server
Version: 2.2.0-5

System:
Debian 12 (Bookworm)
Linux dhcp 6.1.0-6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.15-1 (2023-03-05) x86_64 GNU/Linux

There are multiple issues.
I have managed to fix one, but I am stuck on the second.

First off, apparmor blocked kea-dhcp6-server from starting (error from syslog):
[Tue Mar 28 10:40:14 2023] audit: type=1400 audit(1679992815.512:30): apparmor="DENIED" operation="create" profile="kea-dhcp6" pid=1070 comm="kea-dhcp6" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"

I solved it by applying this change:
diff /tmp/usr.sbin.kea-dhcp6.orig usr.sbin.kea-dhcp6
12,13c12,13
<   network inet dgram,
<   network inet stream,
---
>   network inet6 dgram,
>   network inet6 stream,
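Review bot: the two `>` lines replace the IPv4 rules instead of adding to them, so after this change the profile no longer grants `network inet dgram,` or `network inet stream,` at all. Keep the original two lines and add `network inet6 dgram,` and `network inet6 stream,` beside them; a DHCPv6 daemon that has IPv6 sockets permitted but IPv4 sockets denied is a new denial waiting to happen for any IPv4 socket the process (or a helper it runs) still opens.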

Now, however, kea-dhcp6-server is not blocked by apparmor, but instead these log entries are found in /var/log/kea/kea-dhcp6.log:

2023-03-29 09:39:07.851 WARN  [kea-dhcp6.dhcpsrv/7362.140490067909056] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open unicast socket on interface ens192, reason: Failed to bind socket 17 to 2a0e:XXXX:XXXX:XXXX::5/port=547: Permission denied
2023-03-29 09:39:07.851 WARN  [kea-dhcp6.dhcpsrv/7362.140490067909056] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open multicast socket on interface ens192, reason: Failed to open link-local socket on interface ens192: Failed to bind socket 17 to fe80::250:56ff:fe96:dfb3/port=547: Permission denied

While I do not know how to solve this, I think it could be related to AmbientCapabilities in kea-dhcp6-server.service.
However this is just speculation from my side.

Also, maybe good to mention: kea-dhcp4-server works fine on the same machine.
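The report above shows the two pieces of evidence a practitioner has to line up when a confined daemon fails to bind: the AppArmor DENIED audit line, and the rules actually present in the profile. The following is an added example (not code from the bug report, the Debian package or the Kea project) that turns a DENIED audit line into the `network <family> <sock_type>,` rule that would permit it, and checks a profile file for a rule covering that socket type. The sample audit line is constructed from the one quoted in the report; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report. POSIX sh, sed and grep only.

# Constructed sample, modelled on the syslog line quoted in the report.
SAMPLE_DENIED='audit: type=1400 audit(1679992815.512:30): apparmor="DENIED" operation="create" profile="kea-dhcp6" pid=1070 comm="kea-dhcp6" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"'

# Print the value of a key="value" field from an audit line (nothing if absent).
audit_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print "<profile>: network <family> <sock_type>," for an AppArmor socket
# denial. Returns 1 for lines that are not AppArmor socket denials.
apparmor_deny_to_rule() {
  line=$1
  case $line in
    *'apparmor="DENIED"'*) ;;
    *) return 1 ;;
  esac
  profile=$(audit_field "$line" profile)
  family=$(audit_field "$line" family)
  sock_type=$(audit_field "$line" sock_type)
  [ -n "$profile" ] && [ -n "$family" ] && [ -n "$sock_type" ] || return 1
  printf '%s: network %s %s,\n' "$profile" "$family" "$sock_type"
}

# Return 0 if the profile file has a rule covering family/sock_type:
# an exact "network inet6 dgram," line, a family-wide "network inet6," line,
# or a bare "network," line. Lines pulled in via #include are NOT followed,
# so a rule that only comes from an abstraction is not seen here.
profile_covers_network() {
  file=$1 family=$2 sock_type=$3
  grep -Eq "^[[:space:]]*network[[:space:]]*,|^[[:space:]]*network[[:space:]]+$family[[:space:]]*,|^[[:space:]]*network[[:space:]]+$family[[:space:]]+$sock_type[[:space:]]*," "$file"
}

# Demo on the constructed sample: derive the rule the denial asks for.
if rule=$(apparmor_deny_to_rule "$SAMPLE_DENIED"); then
  echo "profile ${rule%%:*} needs:${rule#*:}"
fi
```

In practice you would feed `apparmor_deny_to_rule` each `apparmor="DENIED"` line from `dmesg` or the journal and run `profile_covers_network` against the installed profile (for example `/etc/apparmor.d/usr.sbin.kea-dhcp6`) to tell "rule missing" apart from "something else is wrong". Because the audit subsystem rate-limits messages, an empty log is not proof that AppArmor allowed the operation; a bind failure with EACCES from a confined process is still worth checking against the profile.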

Andreas Hasenack
Mar 29, 2023, 5:10:06 PM
Thanks for filing this. The inet6 inclusion should be handled by the
same fix for #1033640 (the nameservice abstraction).

About the other problem you hit, did you make changes to the kea-dhcp6
configuration file, or are you getting these errors right after
install? I see you have a valid IPv6 address on the system.

If you made changes to /etc/kea/kea-dhcp6.conf, would you mind sharing
them, so I can more easily reproduce the problem?

Markus Viitamäki
Mar 30, 2023, 4:00:03 AM
Hey, 

I do indeed have an edited config, which you can find here: https://pastebin.com/gwPH7dWx
I did get this problem right after install; it seems that the process runs fine but just doesn't bind any interface/port.

_kea        7362  0.0  0.2  67096 21040 ?        Ssl  Mar29   0:01 /usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf

lsof -Pni | grep -i kea
kea-dhcp4   837        _kea   15u  IPv4  16691      0t0  UDP 172.XX.XX.5:67


Andreas Hasenack
Mar 30, 2023, 8:50:05 AM
Hi,
It worked fine here, it's listening on port 547:
# lsof -Pni | grep -i kea
kea-ctrl- 927 _kea 7u IPv4 18481 0t0 TCP 127.0.0.1:8000 (LISTEN)
kea-dhcp- 1044 _kea 13u IPv4 18925 0t0 UDP 127.0.0.1:53001
kea-dhcp6 3641 _kea 15u IPv6 26542 0t0 UDP [fe80::216:3eff:fe48:3567]:547
kea-dhcp6 3641 _kea 16u IPv6 26545 0t0 UDP [ff02::1:2]:547

Did you include the <abstractions/openssl> line in the kea-dhcp6
profile by any chance?


Markus Viitamäki
Mar 30, 2023, 9:00:04 AM
Wait a second...

It works for me now as well, but the only things I have changed are the changes from your apparmor MR in #1033640.
I feel stupid now, but the problem seems to be fixed by the apparmor change...

lsof -Pni | grep -i kea
kea-dhcp4 21119        _kea   15u  IPv4 1214014      0t0  UDP 172.XX.XX.5:67
kea-dhcp6 22424        _kea   15u  IPv6 1334939      0t0  UDP [2a0e:XXXX:XXXX:XXXX::5]:547
kea-dhcp6 22424        _kea   16u  IPv6 1334941      0t0  UDP [fe80::250:56ff:fe96:dfb3]:547
kea-dhcp6 22424        _kea   17u  IPv6 1334944      0t0  UDP [ff02::1:2]:547

It serves clients correctly now, so I am happy. But confused...

Andreas Hasenack
Mar 30, 2023, 9:00:05 AM
Hi,

On Thu, Mar 30, 2023 at 9:50 AM Markus Viitamäki <mar...@viitamaki.net> wrote:
>
> Wait a second..
>
> It works for me now also, but the only thing I have changed is the changes from your apparmor MR in #1033640.
> I feel stupid now, but the problem seems to be fixed by the apparmor change..
>
> lsof -Pni | grep -i kea
> kea-dhcp4 21119 _kea 15u IPv4 1214014 0t0 UDP 172.XX.XX.5:67
> kea-dhcp6 22424 _kea 15u IPv6 1334939 0t0 UDP [2a0e:XXXX:XXXX:XXXX::5]:547
> kea-dhcp6 22424 _kea 16u IPv6 1334941 0t0 UDP [fe80::250:56ff:fe96:dfb3]:547
> kea-dhcp6 22424 _kea 17u IPv6 1334944 0t0 UDP [ff02::1:2]:547
>
> It serves clients correctly now, so I am happy. But confused..

The apparmor change included a whole abstraction now, and not just a
rule to allow a certain protocol, so one of these other rules might
have done it. Or maybe you didn't spot the apparmor DENIED message
before in the logs, or it was not shown due to throttling.

Please keep an eye on it, as there are periodic jobs run by the
servers (kea-lfc comes to mind), and the dhcp6 daemon wasn't as tested
with apparmor as the dhcp4 one.