apparmor prevents kea launch

Bug #2064791 reported by Philipp
This bug affects 1 person
Affects: isc-kea (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Dear Sir or Madam,

During installation of kea-2.4 (kea-dhcp4, kea-dhcp6 and kea-ctrl-agent), some profiles for apparmor are installed/created as well.

Unfortunately, these profiles prevent kea services from starting when, for example, MySQL is configured as the backend.
Config snippet from kea-dhcp4.conf:
    "hosts-database": {
        "type": "mysql",
        "name": "kea",
        "user": "kea",
        "password": "password",
        "host": "",
        "port": 3306
    },

Error message from kea-dhcp4-server:
ERROR [kea-dhcp4.dhcp4.125444634970560] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /etc/kea/kea-dhcp4.conf, reason: Unable to open database: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13)
ERROR [kea-dhcp4.dhcp4.125444634970560] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/etc/kea/kea-dhcp4.conf': Unable to open database: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13)

Message from dmesg:
[ 685.201719] audit: type=1400 audit(1714811351.219:113): apparmor="DENIED" operation="connect" class="file" info="Failed name lookup - disconnected path" error=-13 profile="kea-dhcp4" name="run/mysqld/mysqld.sock" pid=2887 comm="kea-dhcp4" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=110

As you can see, kea can't connect to mysql through the socket, since apparmor is preventing it.

There is a similar issue with using the kea-ctrl-agent with the other services.

In your installed apparmor profiles you specifically allow the socket /run/kea/kea4-ctrl-socket.
Profile snippet:
  # Control sockets
  # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both
  # locations
  owner /{tmp,run/kea}/kea4-ctrl-socket w,
  owner /{tmp,run/kea}/kea4-ctrl-socket.lock rwk,

Naming it anything else prevents the server from starting as well.

It's really time-consuming and nerve-racking to debug this, since the issue with apparmor is not directly apparent.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: kea-dhcp4-server 2.4.1-3build3
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
ApportVersion: 2.28.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Sat May 4 10:33:20 2024
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
SourcePackage: isc-kea
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.kea.kea-dhcp4.conf: [modified]
mtime.conffile..etc.kea.kea-dhcp4.conf: 2024-05-04T10:28:43.848349
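
Added example, not part of the original report or of the isc-kea package: a small parser that pulls AppArmor DENIED records out of dmesg/journal text and reports profile, operation, path, denied mask and errno name, so a denial like the one above is visible at a glance. The function names (parse_denials, summarize) are hypothetical, and the sample input is constructed from the audit line quoted in the report.

```python
import errno
import re
from collections import Counter

# Constructed sample: the audit line quoted in the report, plus an unrelated kernel line.
SAMPLE = (
    '[ 685.201719] audit: type=1400 audit(1714811351.219:113): apparmor="DENIED" '
    'operation="connect" class="file" info="Failed name lookup - disconnected path" '
    'error=-13 profile="kea-dhcp4" name="run/mysqld/mysqld.sock" pid=2887 '
    'comm="kea-dhcp4" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=110\n'
    '[ 685.300000] usb 1-1: new high-speed USB device number 2 using xhci_hcd\n'
)

# key="quoted value" or key=bare_value pairs as they appear in audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict per AppArmor DENIED record found in the given log text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for m in KV.finditer(line):
            rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        # The audit field carries a negated errno; error=-13 maps to EACCES.
        rec["errno"] = errno.errorcode.get(-int(rec.get("error", "0")))
        # A "disconnected path" denial logs the name without a leading "/".
        rec["disconnected"] = "disconnected path" in rec.get("info", "")
        records.append(rec)
    return records

def summarize(text):
    """Collapse repeated denials into one line each, with a count."""
    counts = Counter()
    for d in parse_denials(text):
        note = " (disconnected path)" if d["disconnected"] else ""
        counts[f'{d.get("profile")}: {d.get("operation")} {d.get("name")} '
               f'denied_mask={d.get("denied_mask")} errno={d["errno"]}{note}'] += 1
    return [f"{line} x{n}" for line, n in counts.items()]

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```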
