apparmor prevents DHCP from starting with IPoIB interface
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
isc-dhcp (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
# lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
# apt-cache policy isc-dhcp-server
isc-dhcp-server:
Installed: 4.4.1-2ubuntu6
Candidate: 4.4.1-2ubuntu6
Version table:
*** 4.4.1-2ubuntu6 500
500 http://
100 /var/lib/
I expect isc-dhcp-server to start.
It does not because apparmor blocks something related to having an ib_ipoib interface present.
I have infiniband interfaces using IPoIB. This prevents DHCP from starting because apparmor DENIES something.
ip addr list:
1: lo: <LOOPBACK,
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0f0: <BROADCAST,
link/ether 1c:c1:de:e6:b4:08 brd ff:ff:ff:ff:ff:ff
inet 130.166.47.2/24 brd 130.166.47.255 scope global enp3s0f0
valid_lft forever preferred_lft forever
inet 130.166.47.1/24 brd 130.166.47.255 scope global secondary enp3s0f0
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:
valid_lft forever preferred_lft forever
3: enp3s0f1: <BROADCAST,
link/ether 1c:c1:de:e6:b4:0a brd ff:ff:ff:ff:ff:ff
inet 10.47.0.2/16 brd 10.47.255.255 scope global enp3s0f1
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:
valid_lft forever preferred_lft forever
4: enp4s0f0: <BROADCAST,
link/ether 1c:c1:de:e6:b4:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.47.2/24 brd 10.0.47.255 scope global enp4s0f0
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:
valid_lft forever preferred_lft forever
5: enp4s0f1: <BROADCAST,
link/ether 1c:c1:de:e6:b4:02 brd ff:ff:ff:ff:ff:ff
inet 130.166.240.19/29 brd 130.166.240.23 scope global enp4s0f1
valid_lft forever preferred_lft forever
inet 130.166.240.18/29 brd 130.166.240.23 scope global secondary enp4s0f1
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:
valid_lft forever preferred_lft forever
8: ibs1: <BROADCAST,
link/infiniband 80:00:02:
inet 192.168.47.2/24 brd 192.168.47.255 scope global ibs1
valid_lft forever preferred_lft forever
inet6 fe80::202:
valid_lft forever preferred_lft forever
9: ibs1d1: <BROADCAST,
link/infiniband 80:00:02:
# service isc-dhcp-server start
# tail /var/log/syslog
Feb 6 05:26:50 firewalla systemd[1]: Started ISC DHCP IPv4 server.
Feb 6 05:26:50 firewalla dhcpd[2513]: Internet Systems Consortium DHCP Server 4.4.1
Feb 6 05:26:50 firewalla sh[2513]: Internet Systems Consortium DHCP Server 4.4.1
Feb 6 05:26:50 firewalla sh[2513]: Copyright 2004-2018 Internet Systems Consortium.
Feb 6 05:26:50 firewalla sh[2513]: All rights reserved.
Feb 6 05:26:50 firewalla sh[2513]: For info, please visit https:/
Feb 6 05:26:50 firewalla dhcpd[2513]: Copyright 2004-2018 Internet Systems Consortium.
Feb 6 05:26:50 firewalla dhcpd[2513]: All rights reserved.
Feb 6 05:26:50 firewalla dhcpd[2513]: For info, please visit https:/
Feb 6 05:26:50 firewalla kernel: [ 1098.134784] audit: type=1400 audit(158096681
Feb 6 05:26:50 firewalla kernel: [ 1098.134926] audit: type=1400 audit(158096681
Feb 6 05:26:50 firewalla dhcpd[2513]: Config file: /etc/dhcp/
Feb 6 05:26:50 firewalla sh[2513]: Config file: /etc/dhcp/
Feb 6 05:26:50 firewalla sh[2513]: Database file: /var/lib/
Feb 6 05:26:50 firewalla sh[2513]: PID file: /run/dhcp-
Feb 6 05:26:50 firewalla dhcpd[2513]: Database file: /var/lib/
Feb 6 05:26:50 firewalla dhcpd[2513]: PID file: /run/dhcp-
Feb 6 05:26:50 firewalla dhcpd[2513]: Internet Systems Consortium DHCP Server 4.4.1
Feb 6 05:26:50 firewalla dhcpd[2513]: Copyright 2004-2018 Internet Systems Consortium.
Feb 6 05:26:50 firewalla dhcpd[2513]: All rights reserved.
Feb 6 05:26:50 firewalla sh[2513]: Wrote 0 deleted host decls to leases file.
Feb 6 05:26:50 firewalla sh[2513]: Wrote 0 new dynamic host decls to leases file.
Feb 6 05:26:50 firewalla dhcpd[2513]: For info, please visit https:/
Feb 6 05:26:50 firewalla dhcpd[2513]: Wrote 0 deleted host decls to leases file.
Feb 6 05:26:50 firewalla sh[2513]: Wrote 13 leases to leases file.
Feb 6 05:26:50 firewalla dhcpd[2513]: Wrote 0 new dynamic host decls to leases file.
Feb 6 05:26:50 firewalla dhcpd[2513]: Wrote 13 leases to leases file.
Feb 6 05:26:50 firewalla dhcpd[2513]: Open a socket for LPF: Permission denied
Feb 6 05:26:50 firewalla sh[2513]: Open a socket for LPF: Permission denied
Feb 6 05:26:50 firewalla sh[2513]: If you think you have received this message due to a bug rather
Feb 6 05:26:50 firewalla sh[2513]: than a configuration issue please read the section on submitting
Feb 6 05:26:50 firewalla sh[2513]: bugs on either our web page at www.isc.org or in the README file
Feb 6 05:26:50 firewalla sh[2513]: before submitting a bug. These pages explain the proper
Feb 6 05:26:50 firewalla sh[2513]: process and the information we find helpful for debugging.
Feb 6 05:26:50 firewalla sh[2513]: exiting.
Feb 6 05:26:50 firewalla dhcpd[2513]:
Feb 6 05:26:50 firewalla dhcpd[2513]: If you think you have received this message due to a bug rather
Feb 6 05:26:50 firewalla dhcpd[2513]: than a configuration issue please read the section on submitting
Feb 6 05:26:50 firewalla dhcpd[2513]: bugs on either our web page at www.isc.org or in the README file
Feb 6 05:26:50 firewalla dhcpd[2513]: before submitting a bug. These pages explain the proper
Feb 6 05:26:50 firewalla dhcpd[2513]: process and the information we find helpful for debugging.
Feb 6 05:26:50 firewalla dhcpd[2513]:
Feb 6 05:26:50 firewalla dhcpd[2513]: exiting.
Feb 6 05:26:50 firewalla systemd[1]: isc-dhcp-
Feb 6 05:26:50 firewalla kernel: [ 1098.167716] audit: type=1400 audit(158096681
Feb 6 05:26:50 firewalla systemd[1]: isc-dhcp-
# dmesg
[ 1225.764932] audit: type=1400 audit(158096693
[ 1225.765050] audit: type=1400 audit(158096693
[ 1225.863847] audit: type=1400 audit(158096693
If I remove the ib_ipoib kernel module it will start just fine.
What do I have to do to properly fix this short of getting rid of apparmor?
Can you try adding the following to /etc/apparmor.d/local/usr.sbin.dhcpd:
network packet dgram,
And then running
sudo apparmor_parser -rT /etc/apparmor.d/usr.sbin.dhcpd
And see if restarting dhcpd then works?
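An added example, not part of the original report or of the isc-dhcp packaging: a small parser that reads AppArmor `DENIED` audit lines and derives the candidate `network` rules for one profile, which is how a rule such as the one suggested above can be checked against the kernel log. The audit lines in the report are truncated, so the log lines, host name, the second profile name and the profile name `/usr/sbin/dhcpd` used here are constructed assumptions.

```python
import re

# Constructed sample lines in the kernel's AppArmor audit format (assumed
# values; the real audit lines in the report are cut off).
SAMPLE_LOG = """\
Feb  6 05:26:50 examplehost kernel: [ 10.000001] audit: type=1400 audit(1000000000.001:1): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/dhcpd" pid=100 comm="apparmor_parser"
Feb  6 05:26:50 examplehost kernel: [ 10.000002] audit: type=1400 audit(1000000000.002:2): apparmor="DENIED" operation="create" profile="/usr/sbin/dhcpd" pid=200 comm="dhcpd" family="packet" sock_type="dgram" protocol=768 requested_mask="create" denied_mask="create"
Feb  6 05:26:51 examplehost kernel: [ 10.000003] audit: type=1400 audit(1000000000.003:3): apparmor="DENIED" operation="create" profile="/usr/sbin/dhcpd" pid=201 comm="dhcpd" family="packet" sock_type="dgram" protocol=768 requested_mask="create" denied_mask="create"
Feb  6 05:26:51 examplehost kernel: [ 10.000004] audit: type=1400 audit(1000000000.004:4): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/etc/example.conf" pid=201 comm="dhcpd" requested_mask="r" denied_mask="r"
Feb  6 05:26:52 examplehost kernel: [ 10.000005] audit: type=1400 audit(1000000000.005:5): apparmor="DENIED" operation="create" profile="/usr/sbin/exampled" pid=300 comm="exampled" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(log_text):
    """Return one dict of audit fields per AppArmor DENIED line."""
    denials = []
    for line in log_text.splitlines():
        fields = {key: value.strip('"') for key, value in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def suggest_network_rules(log_text, profile):
    """Map socket denials for one profile to candidate 'network' rules."""
    rules = set()
    for denial in parse_denials(log_text):
        if denial.get("profile") != profile:
            continue  # ignore denials that belong to other profiles
        # Only socket denials carry family/sock_type; file denials do not.
        if "family" in denial and "sock_type" in denial:
            rules.add(f'network {denial["family"]} {denial["sock_type"]},')
    return sorted(rules)


if __name__ == "__main__":
    for rule in suggest_network_rules(SAMPLE_LOG, "/usr/sbin/dhcpd"):
        print(rule)
```

Each rule it prints widens the profile, so review it against what the daemon actually needs before adding it to the local override file.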