isc-dhcp-server apparmor profile should have include ".d"

Bug #1049177 reported by Scott Moser on 2012-09-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
isc-dhcp (Ubuntu)
Scott Moser
Stéphane Graber
Scott Moser
maas (Ubuntu)
Scott Moser
Scott Moser

Bug Description

/etc/apparmor.d/usr.sbin.dhcpd currently has:
  # Eucalyptus
  /{,var/}run/eucalyptus/net/ r,
  /{,var/}run/eucalyptus/net/** r,
  /{,var/}run/eucalyptus/net/*.pid lrw,
  /{,var/}run/eucalyptus/net/*.leases* lrw,
  /{,var/}run/eucalyptus/net/*.trace lrw,

    #include <local/usr.sbin.dhcpd>

The MAAS project is looking to use isc-dhcp-server almost exactly like eucalyptus did, and as a result would need some changes to this profile. In speaking with jdstrand [1], he suggested that "#include <isc-dhcpd.d>" was the preferred way to enable this.

[test case]
Just make sure the apparmor profile gets updated and doesn't fail to load. Proper testing will have to be done once the mass change lands.

[regression potential]
Was tested on quantal and it's already widely used apparmor syntax, so the worst I can think of is that the line just won't work and won't include the profile once it lands in maas.


ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: isc-dhcp-server 4.2.4-1ubuntu7
ProcVersionSignature: User Name 3.5.0-13.14-generic 3.5.3
Uname: Linux 3.5.0-13-generic x86_64
ApportVersion: 2.5.1-0ubuntu7
Architecture: amd64
Date: Tue Sep 11 15:01:45 2012

Ec2AMI: ami-00000148
Ec2AMIManifest: FIXME
Ec2AvailabilityZone: nova
Ec2InstanceType: m1.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable

 PATH=(custom, no user)
SourcePackage: isc-dhcp
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.dhcp.dhcpd.conf: 2012-09-07T14:46:55.587373

Related branches

Scott Moser (smoser) wrote :
Changed in isc-dhcp (Ubuntu):
assignee: nobody → Scott Moser (smoser)
importance: Undecided → Medium
status: New → In Progress
Scott Moser (smoser) wrote :

Copying from Eucalyptus, and given my changes in the linked branch here, maas packaging will write a file in /etc/apparmor.d/dhcp.d/maas with content like:
# Maas
/{,var/}run/maas/net/ r,
/{,var/}run/maas/net/** r,
/{,var/}run/maas/net/*.pid lrw,
/{,var/}run/maas/net/*.leases* lrw,
/{,var/}run/maas/net/*.trace lrw,

(or whatever seems reasonable for maas).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu8

isc-dhcp (4.2.4-1ubuntu8) quantal; urgency=low

  [ Scott Moser ]
  * debian/apparmor-profile.dhcpd: use include directory to enable
    other packages to re-use isc-dhcp-server. (LP: #1049177)

  [ Stéphane Graber ]
  * Re-introduce the wait_for_rw code in dhclient-script which got lost
    in the last merge, this code is there for the few rare systems that
    aren't using resolvconf and don't have /etc mounted read/write by the
    time dhclient-script is called.
  * Update onetry_retry_after_initial_success to disable the onetry variable
    early enough to actually prevent dhclient from exiting. (LP: #974284)
 -- Stephane Graber <email address hidden> Wed, 12 Sep 2012 17:30:26 -0400

Changed in isc-dhcp (Ubuntu):
status: In Progress → Fix Released
tags: added: rls-q-incoming
Scott Moser (smoser) on 2012-09-13
Changed in maas (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Scott Moser (smoser)
Changed in isc-dhcp (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
importance: High → Medium
Stéphane Graber (stgraber) wrote :

Committed the same fix to my local isc-dhcp SRU branch, this will be pushed to proposed later this week.

Changed in isc-dhcp (Ubuntu Precise):
status: Triaged → In Progress
assignee: nobody → Stéphane Graber (stgraber)
James Page (james-page) on 2012-09-19
tags: removed: rls-q-incoming
Changed in maas (Ubuntu Quantal):
status: In Progress → Fix Committed
description: updated
Launchpad Janitor (janitor) wrote :
Download full text (5.1 KiB)

This bug was fixed in the package maas - 0.1+bzr1223+dfsg-0ubuntu1

maas (0.1+bzr1223+dfsg-0ubuntu1) quantal; urgency=low

  * New upstream release. (LP: #1062518)

  [ Julian Edwards ]
  * Split packaging of 'maas' into maas-{region,cluster}-controller
    - debian/control: Update accordingly.
    - debian/*.install: Move files accordingly
    - debian/*.{postinst,postrm,preinst}: Move files accordingly.
  * Ensure isc-dhcp-server is disabled when installing maas-dhcp.
  * Ensure maas-dns creates the maas user before trying to chown files.
  * Make maas-cluster-controller autoconfigure itself when upgrading from the
    old maas package. (LP: #1059416)
  * Add missing prerm file for maas-cluster-controller so that .pyc files
    are cleaned up. (LP: #1059973)

  [ Raphaël Badin ]
  * Install in /etc/maas and symlink to
  * debian/maas.postinst: Create rabbitmq celery user/vhost.
  * debian/maas.postinst: Update BROKER_URL in
  * Use as the local celery
    configuration file for the cluster worker.
  * debian/maas-region-controller.maas-region-celery.upstart: Add region
    worker upstart script.
  * Rename cluster worker upstart script into
  * maas-cluster-controller.maas-celery.upstart: use "celeryconfig_cluster"
    as the Celery config module.
  * debian/maas-common.install: Install
  * debian/maas-cluster-controller.install: Install
  * debian/maas-region-controller.install: Install
  * Split celery config into cluster and region configs.
  * Add region celeryd upstart config.

  [ Jeroen Vermeulen ]
  * Make non-world readable.
  * Make non-world readable.
  * Set root:maas ownership of local cluster config only *after*
    the maas user/group have been created

  [ Andres Rodriguez ]
  * debian/maas.postinst:
    - Always restart apache2.
    - Handle upgrades for new upstream release.
    - Handle upgrades for celery rabbitmq worker.
  * Add binary package to install client tool.
    - debian/extras/maas-cli: Add binary.
    - debian/maas-cli.install: Add. Install maascli and apiclient.
    - debian/control: Add binary package.
  * debian/control:
    - Depends on freeipmi-tools instead of ipmitool.
    - Conflicts/Replaces on maas for python-maas-client.
    - Depends on python-netifaces, python-lxml.
  * Add python-maas-client binary package:
    - debian/python-maas-client.install: Add. Install 'apiclient' python module.
    - debian/control: Add package. python-django-maas and maas-cli now
      Depend on it.
  * debian/rules: Install maas-dhcp-server upstart job.
  * debian/maas.postrm: Remove celery worker rabbitmq user and host.
  * debian/extras/99-maas-sudoers: Add for maas-dhcp-server upstart job
    instead of isc-dhcp-server (LP: #1055951)
  * debian/maas-region-controller.postinst: Cleanup upgrade rules.
  * debian/maas-cl...


Changed in maas (Ubuntu Quantal):
status: Fix Committed → Fix Released

Hello Scott, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at . Thank you in advance!

Changed in isc-dhcp (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Andres Rodriguez (andreserl) wrote :

Hi Clint,

I have verified this as working in Precise. Marking verification done!


tags: added: verification-done
removed: verification-needed
ali veli (kharpet) on 2013-01-13
Changed in isc-dhcp (Ubuntu Precise):
status: Fix Committed → Fix Released
Andres Rodriguez (andreserl) wrote :

Hi Ali,

I'm changing the status of this bug back to Fix Committed as the fix has not yet been released to precise. The fix still sits in precise-proposed, which is not part of precise-updates.

Thank you!

Changed in isc-dhcp (Ubuntu Precise):
status: Fix Released → New
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.6

isc-dhcp (4.1.ESV-R4-0ubuntu5.6) precise-proposed; urgency=low

  [ Scott Moser ]
  * debian/apparmor-profile.dhcpd: use include directory to enable
    other packages to re-use isc-dhcp-server. (LP: #1049177)

  [ Stéphane Graber ]
  * Update onetry_retry_after_initial_success to disable the onetry variable
    early enough to actually prevent dhclient from exiting. (LP: #974284)
  * Update droppriv patch to also call initgroups() (LP: #727837)
 -- Stephane Graber <email address hidden> Tue, 18 Sep 2012 10:34:10 -0400

Changed in isc-dhcp (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Changed in maas (Ubuntu Precise):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers