Bug#1022969: isc-dhcp-client: dhcp6 client failing to renew the IPv6 address upon T1 expiry.

[souradeep]

Package: isc-dhcp-client
Version: 4.4.1-2+deb10u1
Severity: normal

Dear Maintainer,


* What led up to the situation?
Change the date to more than that of T1 and then systemctl restart networking.service.
* What exactly did you do (or not do) that was effective (or
ineffective)?
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0d:3a:7a:1e:a5 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65521 numtxqueues 64 numrxqueues 64 gso_max_size 62780 gso_max_segs 65535
inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2404:f800:8000:122::4/128 scope global deprecated
valid_lft forever preferred_lft 0sec
inet6 fe80::20d:3aff:fe7a:1ea5/64 scope link
valid_lft forever preferred_lft forever

* What was the outcome of this action?
As a result, the IPv6 network communication of these VMs is problematic, causing business problems
* What outcome did you expect instead?
Renewal of the IPv6 address.



-- System Information:
Debian Release: 10.13
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-21-cloud-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages isc-dhcp-client depends on:
ii debianutils 4.8.6.1
ii iproute2 4.20.0-2+deb10u1
ii libc6 2.28-10+deb10u1
ii libdns-export1104 1:9.11.5.P4+dfsg-5.1+deb10u7
ii libisc-export1100 1:9.11.5.P4+dfsg-5.1+deb10u7

Versions of packages isc-dhcp-client recommends:
pn isc-dhcp-common <none>

Versions of packages isc-dhcp-client suggests:
pn avahi-autoipd <none>
pn isc-dhcp-client-ddns <none>
pn resolvconf <none>

-- Configuration Files:
/etc/dhcp/dhclient.conf changed:
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers;
timeout 300;


-- no debconf information

[Bastian Blank]

Control: tags -1 moreinfo

Hi souradeep

Please provide us with a bit more information:
- What is the environment you are running in?
- How to actually test this problem?
- What does the log show?
- Is the current stable Debian affected?

Regards,
Bastian

--
Bastian Blank
Berater
Telefon: +49 2166 9901-194
E-Mail: bastia...@credativ.de
credativ GmbH, HRB Mönchengladbach 12080, USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, James Mark McGowan
Unser Umgang mit personenbezogenen Daten unterliegt
folgenden Bestimmungen: https://www.credativ.de/datenschutz

[Bastian Blank]

Hi Souradeep

Please fix your quoting style. TOFU is not appropriate for technical
discussions. Stuff is easily missed this way, as you showed by already
ignoring at least one of my four questions.

On Thu, Nov 03, 2022 at 05:57:53AM +0000, Souradeep Chakrabarti wrote:
> > - What does the log show?

> If we have both ipv4 and ipv6 as global ip address on interface eth0, and with renewal time
> set to MAX (in this case DHCP server sending 0 for both T1 and T2 ).
>
> RCV: | | | X-- Preferred lifetime 8640000.
> RCV: | | | X-- Max lifetime 17280000.

Sadly none of my systems shows this messages. So where do they come
from?

Please show complete logs, unaltered.

> > - How to actually test this problem?

> Now if we change the date to 100 days, and do a restart of networking service,
> we can see ipv6 global address has got deprecated.
>
> root@ipv6vm4:/var/lib/dhcp# date --set "2024/02/10"
> Sat Feb 10 00:00:00 UTC 2024
> root@ipv6vm4:/var/lib/dhcp# systemctl restart networking.service
> root@ipv6vm4:/var/lib/dhcp# ip a show

> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

> link/ether 60:45:bd:a7:35:11 brd ff:ff:ff:ff:ff:ff
> inet 172.21.0.7/24 brd 172.21.0.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 ace:cab:deca:1234::7/128 scope global deprecated
> valid_lft forever preferred_lft 0sec
> inet6 fe80::6245:bdff:fea7:3511/64 scope link
> valid_lft forever preferred_lft forever
>
> By looking at the journal log, I can see following the address is depreferred.
> Please let me know, if you need any other info.

I can't reproduce this on my current Azure test environment:

| # date
| Thu Nov 3 07:41:59 UTC 2022
| # ip -6 addr show eth0
| 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
| inet6 fd36:16f1:35c0:1::5/128 scope global
| valid_lft forever preferred_lft forever
| inet6 fe80::6245:bdff:fe92:85f2/64 scope link
| valid_lft forever preferred_lft forever
| # date --set "2024/02/10"
| Sat Feb 10 00:00:00 UTC 2024
| # systemctl restart networking
| # ip -6 addr show eth0
| 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
| inet6 fd36:16f1:35c0:1::5/128 scope global tentative
| valid_lft forever preferred_lft forever
| inet6 fe80::6245:bdff:fe92:85f2/64 scope link
| valid_lft forever preferred_lft forever

> > - What is the environment you are running in?

> OS version Debian 10 available in Azure market place. Test was done using a Azure VM.

Okay. I'm using the latest available image version 0.20221102.1187 and
also the earlier 0.20220911.1135.

> > - Is the current stable Debian affected?

You missed that one.

[Bastian Blank]

Hi Souradeep

On Thu, Nov 03, 2022 at 08:53:38AM +0100, Bastian Blank wrote:
> > Now if we change the date to 100 days, and do a restart of networking service,
> > we can see ipv6 global address has got deprecated.
> > root@ipv6vm4:/var/lib/dhcp# date --set "2024/02/10"
> > Sat Feb 10 00:00:00 UTC 2024

> > root@ipv6vm4:/var/lib/dhcp# ip a show

> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> > link/ether 60:45:bd:a7:35:11 brd ff:ff:ff:ff:ff:ff

> > inet6 ace:cab:deca:1234::7/128 scope global deprecated
> > valid_lft forever preferred_lft 0sec
> >

> > By looking at the journal log, I can see following the address is depreferred.
> > Please let me know, if you need any other info.

Deprecating an address is correct behaviour, you just advanced the time
past the address' maximum life time. But in normal circumstances this
would have been renewed by now or replaced with a different address.

With the network config as shipped in the Azure images up to Debian 11,
I can't get it to do that. The code do deprecate addresses (by running
the script with DEPREF6) only runs from a timer, and that timeout is
scheduled with select(2) and not directly affected by the date change.

So new question: How do you configure the network on this instance?
Please show complete contents of:
- /etc/network/interfaces
- /etc/network/interfaces.d
- /run/network/interfaces.d

There exists also a debug script, which logs all hook calls. For that
please modify /etc/dhcp/debug and set RUN to yes. After the next try,
you'll find a file /tmp/dhclient-script.debug, please show the contents.

[Bastian Blank]

Hi Souradeep

Thanks. I found the problem. It's burried in the unrelated copy of the
dhclient-script.

It never set's a lifetime for a renewed address. So as soon as one
expired it will never reset the lifetime.

The upstream script just replaces the complete address entry.

[Bastian Blank]

Control: severity -1 serious

Moin

This bug breaks any DHCPv6 use, as it never resets the lifetime of
existing addresses on rebind. This makes it not really useful for IPv6,
depending on settings of outside control. Let's set the severity
correctly as broken or mostly so.

Not completely minimal and not yet properly tested patch:

diff --git a/debian/dhclient-script.linux b/debian/dhclient-script.linux
index f9b734a..e0133b7 100644
--- a/debian/dhclient-script.linux
+++ b/debian/dhclient-script.linux
@@ -393,10 +393,11 @@ case "$reason" in
;;

BOUND6|RENEW6|REBIND6)
- if [ "${new_ip6_address}" ]; then
+ if [ "${new_ip6_address}" ] && [ "${new_ip6_prefixlen}" ]; then
# set leased IP
- ip -6 addr add ${new_ip6_address} \
- dev ${interface} scope global
+ ip -6 addr replace ${new_ip6_address}/${new_ip6_prefixlen} \
+ dev ${interface} scope global valid_lft ${new_max_life} \
+ preferred_lft ${new_preferred_life}
fi

# update /etc/resolv.conf
@@ -409,19 +410,23 @@ case "$reason" in
;;

DEPREF6)
+ if [ -z "${cur_ip6_prefixlen}" ]; then
+ exit_with_hooks 2
+ fi
+
# set preferred lifetime of leased IP to 0
- ip -6 addr change ${cur_ip6_address} \
+ ip -6 addr change ${cur_ip6_address}/${cur_ip6_prefixlen} \
dev ${interface} scope global preferred_lft 0

;;

EXPIRE6|RELEASE6|STOP6)
- if [ -z "${old_ip6_address}" ]; then
+ if [ -z "${old_ip6_address}" ] || [ -z "${old_ip6_prefixlen}" ]; then
exit_with_hooks 2
fi

# delete leased IP
- ip -6 addr del ${old_ip6_address} \
+ ip -6 addr del ${old_ip6_address}/${old_ip6_prefixlen} \
dev ${interface}

;;

I intend to fix that from oldstable up.

Regards,
Bastian

--
Vulcans do not approve of violence.
-- Spock, "Journey to Babel", stardate 3842.4