dhcpd sometimes says "Can't create new lease file: Permission denied"

Bug #1184914 reported by Jeroen T. Vermeulen
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| MAAS | Invalid | Undecided | Unassigned | |
| maas (Ubuntu) | Fix Committed | Undecided | Julian Edwards | |

Bug Description

I don't think we ever quite figured this out. It doesn't seem to do any immediate harm, and the leases file still seems to get rewritten during startup as you'd expect, but obviously it's ugly and a potential harbinger of problems in the real world.

The error may be related to the change in isc-dhcpd's permissions and ownership assumptions after Precise, and the changes we made in response to that.

Julian Edwards (julian-edwards) wrote :

This needs more investigation so we have details on what conditions make it happen.

Changed in maas:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for MAAS because there has been no activity for 60 days.]

Changed in maas:
status: Incomplete → Expired
Andreas Hasenack (ahasenack) wrote :

I see this all the time:

    root@atlas:~# grep dhcpd /var/log/syslog|grep -v DHCP
    Sep 8 07:56:54 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 09:04:27 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 10:59:04 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 12:49:18 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 13:57:24 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 15:00:21 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 16:02:56 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 17:17:27 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 18:36:27 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 19:37:46 atlas dhcpd: Can't create new lease file: Permission denied
    Sep 8 20:45:15 atlas dhcpd: Can't create new lease file: Permission denied

dhcpd runs as user "dhcpd":

    dhcpd 64226 0.0 0.0 26304 7352 ? Ss Sep05 0:03 /usr/sbin/dhcpd -user dhcpd -group dhcpd -f -q -4 -pf /run/maas/dhcp/dhcpd.pid -cf /etc/maas/dhcpd.conf -lf /var/lib/maas/dhcp/dhcpd.leases eth0

The /var/lib/maas/dhcp directory is owned by root, so dhcpd cannot create new files in there:

    root@atlas:~# ls -la /var/lib/maas/dhcp -d
    drwxr-xr-x 2 root root 4096 Sep 5 19:12 /var/lib/maas/dhcp

The lease file is owned by root, but maybe dhcp starts off as root, opens it, and then drops privileges.

Changed in maas:
status: Expired → New
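
The ownership check made in Andreas Hasenack's comment above, as an added example that is not part of the original report or of MAAS: it reads the `ps` and `ls` lines quoted there and evaluates the directory's classic permission bits for the `-user` account. It assumes the `-group` value is that account's only group, and it ignores ACLs, capabilities and AppArmor.

```python
import posixpath
import shlex

# Sample input: the ps and ls lines quoted in the comment above.
PS_LINE = ("dhcpd 64226 0.0 0.0 26304 7352 ? Ss Sep05 0:03 /usr/sbin/dhcpd "
           "-user dhcpd -group dhcpd -f -q -4 -pf /run/maas/dhcp/dhcpd.pid "
           "-cf /etc/maas/dhcpd.conf -lf /var/lib/maas/dhcp/dhcpd.leases eth0")
LS_LINE = "drwxr-xr-x 2 root root 4096 Sep 5 19:12 /var/lib/maas/dhcp"

def dhcpd_options(ps_line):
    """Return the value-taking options seen on the page (-user, -lf, ...)."""
    argv = shlex.split(ps_line)
    # Skip the ps columns: arguments start after the dhcpd binary path.
    start = next(i for i, a in enumerate(argv) if a.endswith("/dhcpd"))
    args = argv[start + 1:]
    wanted = {"-user", "-group", "-lf", "-cf", "-pf"}
    return {a: args[i + 1] for i, a in enumerate(args[:-1]) if a in wanted}

def parse_ls(ls_line):
    """Split one `ls -ld` line into (mode string, owner, group, path)."""
    fields = ls_line.split(None, 8)
    return fields[0], fields[2], fields[3], fields[8]

def can_create_in(ls_line, user, groups):
    """True if an unprivileged `user` may create a file in the directory."""
    mode, owner, group, _ = parse_ls(ls_line)
    if user == owner:
        triplet = mode[1:4]      # owner bits
    elif group in groups:
        triplet = mode[4:7]      # group bits
    else:
        triplet = mode[7:10]     # other bits
    # A new directory entry needs write and search (x) on the directory.
    return triplet[1] == "w" and triplet[2] in ("x", "s", "t")

def lease_dir_check(ps_line, ls_line):
    """Return (user, lease directory, can that user create files there)."""
    opts = dhcpd_options(ps_line)
    lease_dir = posixpath.dirname(opts["-lf"])
    if parse_ls(ls_line)[3] != lease_dir:
        raise ValueError("ls line does not describe " + lease_dir)
    # Assumption: the -group value is the account's only group.
    user = opts["-user"]
    return user, lease_dir, can_create_in(ls_line, user, {opts["-group"]})

if __name__ == "__main__":
    print(lease_dir_check(PS_LINE, LS_LINE))
```
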
Andreas Hasenack (ahasenack) wrote :

This with maas 1.6.1+bzr2550-0ubuntu1~ppa2 on trusty.

tags: added: cloud-installer landscape
Andres Rodriguez (andreserl) wrote :

Was this a clean install? Was this an upgrade?

Andreas Hasenack (ahasenack) wrote : Re: [Bug 1184914] Re: dhcpd sometimes says "Can't create new lease file: Permission denied"

On Mon, Sep 8, 2014 at 7:00 PM, Andres Rodriguez <email address hidden> wrote:

> Was this a clean install? Was this an upgrade?

Clean install done on Sep 5th, 2014.

Julian Edwards (julian-edwards) wrote :

Definitely a packaging bug so I'll reassign to the right task.

Changed in maas:
status: New → Invalid
Andres Rodriguez (andreserl) wrote :

Are you running any isc-dhcp server from PPA or even apparmor?

Jeroen T. Vermeulen (jtv) wrote :

Could this be bug 1186662? The main packaging branch has a workaround for that which is worth a try.

It's a matter of adding this line to /etc/apparmor.d/dhcpd.d/maas:

    capability dac_override,

...and then reloading the apparmor config.

Julian Edwards (julian-edwards) wrote :

That looks like it indeed. We can work around it with that dac_override for now, but it looks like a fix is needed in dhcpd itself; let's watch and see.

Changed in maas (Ubuntu):
status: New → In Progress
assignee: nobody → Julian Edwards (julian-edwards)
Changed in maas (Ubuntu):
status: In Progress → Fix Committed