(Dapper, Hardy) can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied

I can confirm this bug, and it might be related with Bug #33968.

I saw the same messages, these are caused by starting dhcp3 twice or more.

This can happen, if dhcp3 doesn't get stopped after ifdown, so ifup starts a second process. Can you try the fix for Bug #33968 and check if this helps?

Still happens after the fixes for Bug #33968. After restarting the interface manually, the messages disappear. Could be a permission problem, see Bug #40753.

Fixed locally, will upload after flight-7 freeze.

 dhcp3 (3.0.3-6ubuntu7) dapper; urgency=low
 .
   * debian/patches/deroot-client.dpatch: Fixed major thinko in lease file
     handling: dhclient was unable to update the leases file after it
     daemonized, which meant that 'sudo dhclient ethX' worked fine, but
     obtained leases at boot time were never written if the first attempt timed
     out. Now make sure that the lease file is always writable by forked
     instances, too. Closes: LP#39249 (and should also mitigate #33968).
   * Add debian/patches/dhcpd.conf-subnet-examples.dpatch: Add 'option
     subnet-mask' to example dhcpd.conf. Closes: LP#26661

Sorry, Martin, but I still have the 'permission denied' messages:

May 6 11:30:14 localhost dhclient: DHCPREQUEST on eth1 to 10.175.239.29 port 67
May 6 11:30:14 localhost dhclient: DHCPACK from 10.175.239.29
May 6 11:30:14 localhost dhclient: can't create /var/lib/dhcp3/dhclient.eth1.leases: Permission denied
May 6 11:30:14 localhost dhclient: bound to 84.122.157.239 -- renewal in 1781 seconds.

I've changed the status from 'Fix Released' to 'Confirmed', because I still have the problem after upgrading.

Mmmm... Curious. Today (May 7) the problem is gone! I'll change the status to 'Fix Released' again, and I'll observe the behavior in the future days.

I've identified a case where this can occur and be repeated. It seems when you configure to use dhclient, later switch to static IP, and reset the network interface, dhclient keeps running.

Setup: 6.06 was installed with server CD and dhcp client was selected for use on the installation network. Dhcpd was installed as part of setup along with bind9 and many other packages. Server was moved to new network (coincidentally with the same network: 192.168.1.0/255.255.255.0). dhcpd was set to start on boot (no other dhcp server on the new network). The network information was changed to static and the interface was restarted with /etc/init.d/networking restart. dhclient continued to run and according to the log attempted to use the address from the old network: 192.168.1.107. Many logged entries to that affect (no success reported). Eventually the error on the bug was logged.

Workaround: reboot after changing from dhcp to static so that the static ip address was the only one the server attempted to use. The entry in dhcp.leases for 192.168.1.107 was then removed manually. The bug seems to have affected named on the server as that logged: "deleting interface 192.168.1.10" just before the 192.168.1.107 address was accepted by the dhcp server.

Details: I know the .107 address was the one used on the first network and subsequently was being attempted to be used by dhclient on the server because the MAC address in the leases file on both networks is that of the server's network card.

Suggestions: I think the problem is that the dhclient daemon is not stopped while running the "/etc/init.d/networking restart" network script (or in the ifupdown suite that it uses) when it is no longer used, ie when switching to static.

Hi,

The same messages with up to date Edgy Knot 3 (17-09).
Sep 17 08:19:29 T42 dhclient: can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied

Johan

Martin, i can reproduce this issue all the way from dapper to feisty.

Can we please address it?

Fabio

I'm seeing this on feisty too, issue hasn't happened with earlier Ubuntu distros for me.

Never saw this here, but I'll try with Steve Johnson's recipe.

I just tried Steve's theory of dhclient not being stopped when doing ifdown. dhclient is properly stopped (tested on current Feisty). Fabio, you said that you could reproduce this, can you please paste a recipe here?

dhcp3-server init script has these lines:

                chown dhcpd:dhcpd /var/lib/dhcp3 /var/lib/dhcp3/dhcpd.leases
                if [ -e /var/lib/dhcp3/dhcpd.leases~ ]; then
                    chown dhcpd:dhcpd /var/lib/dhcp3/dhcpd.leases~
                fi

However if you don't have dhcp3-server installed /var/lib/dhcp3 permissions are following:

$ ls -ld /var/lib/dhcp3
drwxr-xr-x 2 root root 4096 2007-05-01 11:37 /var/lib/dhcp3

This prevents dhclient to update leases file after dropping the privileges.

Proposed fix attached.

Oops. dhclient runs as user dhcp and dhcpd as user dhcpd. Both should be able to write to /var/lib/dhcp3 ...

I have probably the same problem in gutsy. Look:
First sth like that:

Dec 3 09:22:05 OSIEDLE dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 2
Dec 3 09:22:07 OSIEDLE dhclient: No DHCPOFFERS received.
Dec 3 09:22:07 OSIEDLE dhclient: No working leases in persistent database - sleeping.
Dec 3 09:27:22 OSIEDLE dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 5
Dec 3 09:27:27 OSIEDLE dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 13
Dec 3 09:27:40 OSIEDLE dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 7
Dec 3 09:27:47 OSIEDLE dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 6
Dec 3 09:27:53 OSIEDLE dhclient: No DHCPOFFERS received.
Dec 3 09:27:53 OSIEDLE dhclient: No working leases in persistent database - sleeping.
Dec 3 09:33:55 OSIEDLE dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 4
Dec 3 09:33:55 OSIEDLE dhclient: DHCPOFFER from 192.168.0.2
Dec 3 09:33:55 OSIEDLE dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
Dec 3 09:33:56 OSIEDLE dhclient: DHCPACK from 192.168.0.2
Dec 3 09:33:56 OSIEDLE dhclient: can't create /var/lib/dhcp3/dhclient.eth1.leases: Permission denied
Dec 3 09:33:56 OSIEDLE dhclient: bound to 192.168.0.235 -- renewal in 9511 seconds.

And after a lot of sth like that situation router are not working. Could you know how fix it?

I'm also still getting this with Gutsy Server

log file:-
Jan 4 18:51:54 brown dhclient: DHCPREQUEST on eth0 to 192.168.0.1 port 67
Jan 4 18:51:54 brown dhclient: DHCPACK from 192.168.0.1
Jan 4 18:51:54 brown dhclient: can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied
Jan 4 18:51:54 brown dhclient: bound to 192.168.0.2 -- renewal in 293 seconds.

root@brown:/etc# ls -lsa /var/lib/dhcp3/
total 8
4 drwxr-xr-x 2 root root 4096 2007-11-30 22:11 .
4 drwxr-xr-x 30 root root 4096 2008-01-04 17:25 ..
0 -rw-r--r-- 1 root root 0 2007-11-30 22:11 dhclient.leases

Both dhcp server and dhcp client need to write to their leases files and to be able to create new files in the leases directory. My log file references file dhclient.eth0.leases, not the dhclient.leases file that already exists in the folder. The difference in name may be due to the system having 2 network cards. I'm not running a dhcp server, but could that also require multiple leases files.

Would it be sensible to add user dhcp to group dhcpd and vice-versa. Then setting the directory group to either dhcp or dhcpd and enabling group-write would allow both daemons to create files in it.

No, but I will leave above paragraph in.

2 different daemons running under 2 different users doing 2 different (if related jobs) should really be using 2 different /var/lib directories, each owned by the associated user and group.

Files created when root also need their ownership tweaking.

SOLVED! Or at least it was solved for me. I compared the problem box with another box also running Ubuntu. In the end, what I did was to create the file /var/lib/dhcp3/dhclient.eth0.leases on the problem box. The file was missing and the syslog was complaining that the file couldn't be created, so I created it. Then 'chown dhcp dhclient.eth0.leases' to give it the correct ownership. After that, everything works! Hope that helps someone. Sorry for crossposting, I put this in another thread somewhere, but this problem was driving me nuts until I fixed it.

Hello,

I got the same problem with Hardy Heron Server 64b, with the same observation :
  Apr 29 15:16:21 betula dhclient: can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied

By curiosity, I removed the offending dhclient.eth0.leases file and chmod 777 the /var/lib/dhcp3/ directory to see what will happen :
et voilà, a new file appeared within some minutes :
  -rw-r--r-- 1 dhcp dhcp 443 2008-04-29 15:21 dhclient.eth0.leases

I restored the dhcp3 directory rights; the problem seems gone away

  Apr 29 15:41:55 betula dhclient: DHCPREQUEST of <null address> on eth0 to 193.190.117.244 port 67
  Apr 29 15:41:55 betula dhclient: DHCPACK of 193.190.117.210 from 193.190.117.244
  Apr 29 15:41:55 betula dhclient: bound to 193.190.117.210 -- renewal in 248 seconds.

Regards,

Alain

Just to say that I see the same problem on two newly installed Hardy Heron x86_64 servers.

May 8 09:39:43 server1 dhclient: DHCPACK of 10.10.10.10 from 10.10.10.1
May 8 09:39:43 server1 dhclient: can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied
May 8 09:39:43 server1 dhclient: bound to 10.10.10.10 -- renewal in 140 seconds.

May 8 09:39:00 cia dhclient: DHCPACK of 10.10.10.11 from 10.10.10.1
May 8 09:39:00 cia dhclient: can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied
May 8 09:39:00 cia dhclient: bound to 10.10.10.11 -- renewal in 118 seconds.

The process runs with uid dhcp and the /var/lib/dhcp3/ has :
# ls -alh /var/lib/dhcp3/
total 8.0K
drwxr-xr-x 2 root root 4.0K 2008-05-06 14:27 .
drwxr-xr-x 23 root root 4.0K 2008-05-07 19:46 ..
-rw-r--r-- 1 root root 0 2008-05-06 14:27 dhclient.leases

I just cant see that the process ever would be able to write to that dir :)

I chown to dhcp and the "error" messages in my logs goes away (Im happy).

Edward

Same for me on hardy, although I cannot be sure anymore if it was a hardy install from the start or a dapper upgrade.
dhcp 4110 0.0 0.0 2436 784 ? S<s 10:16 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth1.pid -lf /var/lib/dhcp3/dhclient.eth1.leases eth1

# ls -la /var/lib/dhcp3/
total 8
drwxr-xr-x 2 root root 4096 2008-05-29 16:17 .
drwxr-xr-x 28 root root 4096 2008-05-29 16:30 ..
-rw-r--r-- 1 root root 0 2008-05-29 16:17 dhclient.leases

Jun 2 17:31:29 maestro dhclient: DHCPREQUEST of <null address> on eth1 to 192.168.1.1 port 67
Jun 2 17:31:29 maestro dhclient: DHCPACK of 192.168.1.2 from 192.168.1.1
Jun 2 17:31:29 maestro dhclient: can't create /var/lib/dhcp3/dhclient.eth1.leases: Permission denied
Jun 2 17:31:29 maestro dhclient: bound to 192.168.1.2 -- renewal in 11733 seconds.

(192.168.1.2 is "maestro" and 192.168.1.1 is the dhcp server)

Seeing this on a new 8.04 Server install. Given Martin said it needs info so long ago I'm changing it back to confirmed in the hope there's since been enough info. Here's mine; it's just got eth0 and lo interfaces.

    $ cd /var/lib/dhcp3
    $ ls -la
    total 8
k drwxr-xr-x 2 root root 4096 2008-04-30 23:30 .
    drwxr-xr-x 24 root root 4096 2008-05-27 16:40 ..
    -rw-r--r-- 1 root root 0 2008-04-30 23:30 dhclient.leases
    $
    $ p=`pidof dhclient3`
    $ ps lww $p
    F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
    1 101 4014 1 18 -2 2340 820 - S<s ? 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
    $
    $ sudo cat /proc/$p/status
    Name: dhclient3
    State: S (sleeping)
    Tgid: 4014
    Pid: 4014
    PPid: 1
    TracerPid: 0
    Uid: 101 101 101 101
    Gid: 102 102 102 102
    FDSize: 32
    Groups:
    VmPeak: 2344 kB
    ...
    $
    $ getent passwd 101
    dhcp:x:101:102::/nonexistent:/bin/false
    $ getent group 102
    dhcp:x:102:
    $

dhcp3-3.0.6.dfsg/debian/dhcp3-client.postinst creates dhclient.leases without any embedded interface name:

    if [ ! -e /var/lib/dhcp3/dhclient.leases ]; then
        if test -e /var/lib/dhcp/dhclient.leases; then
            cp /var/lib/dhcp/dhclient.leases /var/lib/dhcp3/dhclient.leases
        else
            touch /var/lib/dhcp3/dhclient.leases
        fi
    fi

dhcp3-3.0.6.dfsg/debian/dhcp3-client.postrm doesn't handle removing dhclient.eth0.leases on a purge:

        # Remove lease database
        rm -f /var/lib/dhcp3/dhclient.leases*

ifconfig(8) only lists eth0 and lo interfaces.

I can't spot what's starting dhclient3 for an interface, e.g. eth0, but whatever it is that's doing so and is passing those `dhclient.$iface.*' parameters shown above is the cause of the problem. And it also looks like the source debian/* files need to know this can now happen, for installation and purging.

This bug was fixed in the package dhcp3 - 3.1.1-1ubuntu1

---------------
dhcp3 (3.1.1-1ubuntu1) intrepid; urgency=low

  * Merge from debian unstable. Remaining Ubuntu changes:
    - debian/control, debian/dhcp3-server.init.d: LSB init script.
      (Debian #486508)
    - Deroot server (Debian #308832)
      + debian/patches/droppriv.dpatch, deroot-server.dpatch: Code changes.
      + debian/control: Build-depend on libcap-dev.
      + debian/dhcp3-server.post{inst,rm}: Create/remove dhcpd system user.
      + debian/dhcp3-server.init.d: Create paths with appropriate permissions
        for dhcpd system user access.
    - Send hostname to DHCP server by default (LP #10239, Debian #151820):
      + debian/patches/dynamic-hostname.dpatch: Add support for a new string
        type 'h' which behaves like 't' except that '<hostname>' is changed to
        the current hostname. Change 'host-name' DHCP option type from 't' to 'h'.
      + debian/dhclient.conf: Enable send-hostname by default.
    - debian/rules: Remove client/scripts/debian on clean again.
      (Debian #486514)
    - dhclient-onetry-call-clientscript.dpatch: Call 'dhclient-script FAIL'
      when failing to get an address also when operating in oneshot mode (-1).
      This fixes avahi-autoipd invocation through dhcdbd. (Debian #486520)
    - debian/dhcp3-server.init.d, debian/dhcp3-server.postinst: Do not install
      unnecessary rc.d symlinks for levels 0 and 6, for faster shutdown.
      (Debian #486518)
    - debian/dhclient-script.linux: Do not clobber old search/domain values if
      we didn't get any from the DHCP response. (Debian #486535)
    - debian/patches/dhcpd.conf-subnet-examples.dpatch: Give an example for
      subnet-mask in dhcpd.conf. (LP #26661)
    - dhclient-more-debug.dpatch: Show the requested/offered client IP in log
      output, for better debugging. (LP #35265, Debian #486611)
    - debian/dhclient-script.linux: Wait for /etc/resolv.conf to become writable.
    - revert-next-server.dpatch: Revert the need of the next-server option in
      dhcpd.conf so it points to the own IP again for tftp if the option is not
      set. (Patch by Oliver Grawert; disputed upstream)
    - debian/dhcp3-server.init.d: Allow LTSP to override default configuration
      in /etc/ltsp/dhcpd.conf. Point that out in a header comment in
      debian/dhcpd.conf. (Ubuntu specific)
    - debian/dhcp3-server.config: Drop debconf question to medium. (Ubuntu
      specific)
  * Drop obsolete Ubuntu changes:
    - debian/dhclient.conf: Get the interface-mtu parameter again. Previous
      Ubuntu versions ignored it because of broken old DHCP servers which hand
      out the wrong value. (LP#61989) However, this breaks correct and
      deliberately sent non-default values, which is a bigger pain. If this is
      still an issue, a better fix is to discard unplausibly low values only.
    - Drop the client derooting patch. It is very intrusive, never offered true
      protection (susceptible to $PATH injection and other bypasses), and is a
      constant source of bugs. (LP: #39249)
    - Drop the pm-utils hook for stopping/starting dhcp3-server on
      suspend/resume. This was ne...

In hardy 8.04.1-server with all patches the bug allready exists.

>>Aug  5 13:02:35 video-c-00012 dhclient: can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied.

I have reopened this bug.

8.04-1-server isn't patched

I know, but it is fixed in intrepid now.

But this *should be fixed* in an LTS release also!

Why no fix in 8.04 which is LTS ?
Must I open a new bug-report?

Opening Hardy task. Indeed the bug is still there.

However, I didn't fix it in Hardy yet because so far I was unable to reproduce it. In Intrepid we made some radical packaging changes which would fix that bug, but applying those to Hardy is not acceptable for a stable release update. I still could reproduce it in dapper, and fixed the major cases when it happened (see comment 5).

Hi Martin, I saw this on a fresh 8.04 install and try to give some detail, see https://bugs.launchpad.net/ubuntu/+source/dhcp3/+bug/39249/comments/24 above.

Annoying bug still present at fresh Hardy-server installation!

Easily fixed by changing ownership of /var/lib/dhcp3 to 'dhcp'.

I am having the exact same problem with a fresh install of 9.04. Everything worked fine for me with 8.04.3...

I have 2 NICs - one facing the world and one for embedded linux development - eth1

I installed dhcp3-server

So I have configured eth1 as:
martin@adserver2:/var/run$ ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:01:03:dd:97:fd
          inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
          inet6 addr: fe80::201:3ff:fedd:97fd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:9624 (9.6 KB)
          Interrupt:22 Base address:0xef80

Next, I edited the file /etc/dhcp3/dhcpd.conf and added this at the end:

subnet 10.0.0.0 netmask 255.0.0.0 {
range 10.0.0.20 10.0.0.30;
host tsboard{
}
}

In 8.04, the command:
sudo dhcpd3 -d eth1 would then bring up dhcp on that interface and all was good.

In 9.04, the same command results in:
martin@adserver2:/var/run$ sudo dhcpd3 -d eth1
[sudo] password for martin:
Internet Systems Consortium DHCP Server V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
WARNING: Host declarations are global. They are not limited to the scope you declared them in.
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 0 leases to leases file.
Listening on LPF/eth1/00:01:03:dd:97:fd/10/8
Sending on LPF/eth1/00:01:03:dd:97:fd/10/8
Sending on Socket/fallback/fallback-net
Can't create PID file /var/run/dhcpd.pid: Permission denied.

I have absolutely no idea what to do...

Any thoughts? Thanks.
Martin.

I'm having the exact same problem.

Did you find a solution?

Just issue
chown -R dhcp /var/lib/dhcp3
It solved the problem for me.

I just noticed this on a Hardy server installation while investigating a network outage. It's apparently unrelated, since this bug has been appearing at least a week (according to syslog), while problems only cropped up today.

I have dhcp3-client version 3.0.6.dfsg-1ubuntu9.1 installed.

Syslog entries:
====
Mar 14 13:12:13 style dhclient: DHCPREQUEST of <null address> on eth0 to 128.174.252.4 port 67
Mar 14 13:12:13 style dhclient: DHCPACK of 128.174.236.247 from 128.174.252.4
Mar 14 13:12:13 style dhclient: can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied
Mar 14 13:12:13 style dhclient: bound to 128.174.236.247 -- renewal in 42886 seconds.
====

====
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
====
$ cat /etc/dhcp3/dhclient.conf
request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, ntp-servers;
====
$ ls -ld /var/lib/dhcp3/
drwxr-xr-x 2 root root 4096 2009-10-05 18:18 /var/lib/dhcp3/
$ ls -l /var/lib/dhcp3/
total 0
-rw-r--r-- 1 root root 0 2009-10-05 18:18 dhclient.leases
====

I'm not going to try to reproduce this, because this is a production system and attempts might be disruptive to users. I'm happy to provide more information on request.

I think this bug can closed.
Or is there other objection?