dhcpd cannot write /var/run/dhcpd.pid

Bug #985417 reported by raerek
This bug affects 30 people
Affects              Importance   Assigned to
isc-dhcp (Ubuntu)    Undecided    Unassigned
  Oneiric            Undecided    Unassigned
  Precise            Low          Stéphane Graber
  Quantal            Undecided    Unassigned

Bug Description

Description: Ubuntu precise (development branch)
Release: 12.04
---

isc-dhcp-server:
  Telepítve: 4.1.ESV-R4-0ubuntu5
  Jelölt: 4.1.ESV-R4-0ubuntu5
  Verziótáblázat:
 *** 4.1.ESV-R4-0ubuntu5 0
        500 http://de.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status
---
When starting dhcpd, the following can be observed in syslog:

Apr 19 08:09:09 u3 dhcpd: Internet Systems Consortium DHCP Server 4.1-ESV-R4
Apr 19 08:09:09 u3 dhcpd: Copyright 2004-2011 Internet Systems Consortium.
Apr 19 08:09:09 u3 dhcpd: All rights reserved.
Apr 19 08:09:09 u3 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr 19 08:09:09 u3 dhcpd: Internet Systems Consortium DHCP Server 4.1-ESV-R4
Apr 19 08:09:09 u3 dhcpd: Copyright 2004-2011 Internet Systems Consortium.
Apr 19 08:09:09 u3 dhcpd: All rights reserved.
Apr 19 08:09:09 u3 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr 19 08:09:09 u3 dhcpd: Wrote 0 leases to leases file.
Apr 19 08:09:09 u3 dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: isc-dhcp-server 4.1.ESV-R4-0ubuntu5
ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
Uname: Linux 3.2.0-23-generic x86_64
ApportVersion: 2.0.1-0ubuntu4
Architecture: amd64
Date: Thu Apr 19 08:09:16 2012
DhServerLeases:

InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Beta amd64 (20120417)
SourcePackage: isc-dhcp
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.dhcp.dhcpd.conf: 2012-04-19T08:09:04.598083

----
[impact]
Actually create the pid file in the directory that's created by the upstart job, instead of having dhcpd try to create it in /run and fail miserably (though the server would start regardless).

[test case]
1) Install isc-dhcp-server on an Ubuntu 12.04 system
2) Update /etc/dhcp/dhcpd.conf to list a valid subnet (ideally, do the same with /etc/dhcp/dhcpd6.conf)
3) sudo stop isc-dhcp-server ; sudo start isc-dhcp-server (if also doing IPv6, then do the same for isc-dhcp-server6)
4) Check that /run/dhcp-server/dhcpd.pid exists and contains a valid pid (same for dhcpd6.pid if testing IPv6)
5) Check /var/log/syslog for any pid-related error message

[regression potential]
Can't see anything, the upstart job has always been creating the pid path and setting the ownership, so even on a system where these would be broken, the init job would be broken already.
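
Steps 4 and 5 of the test case above, written as a shell check. This is an added example, not part of the bug report or the isc-dhcp package; it goes slightly beyond step 5 by also matching the AppArmor denial quoted in a later comment, and the function names and the --check flag are made up for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): steps 4 and 5 of the test case as checks.

# pid_file_ok FILE: true if FILE holds a numeric PID of a process that exists.
pid_file_ok() {
    [ -r "$1" ] || return 1
    pid=$(tr -d ' \t\n' < "$1")
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric content
    esac
    # kill -0 gets EPERM for another user's process, so fall back to /proc (Linux).
    kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]
}

# pid_errors LOG: print the two pid-related message shapes seen in this report:
# dhcpd's own "Can't create PID file" and AppArmor denials on a *.pid path.
pid_errors() {
    grep -E -e "dhcpd: Can't create PID file " \
        -e 'apparmor="DENIED".*profile="/usr/sbin/dhcpd".*name="[^"]*\.pid"' "$1"
}

# count_pid_errors LOG: number of such lines; 0 means step 5 passes.
count_pid_errors() {
    pid_errors "$1" | wc -l | tr -d ' '
}

# denied_masks LOG: "path mask" for each AppArmor denial, i.e. the access the
# profile rule still has to grant.
denied_masks() {
    pid_errors "$1" | sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p'
}

# sample_log: messages quoted in this report; the syslog prefix on the AppArmor
# line is constructed for the example.
sample_log() {
    cat <<'EOF'
Apr 19 08:09:09 u3 dhcpd: Wrote 0 leases to leases file.
Apr 19 08:09:09 u3 dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied.
Apr 19 08:10:00 u3 kernel: apparmor="DENIED" operation="open" parent=31445 profile="/usr/sbin/dhcpd" name="/run/dhcp-server/dhcpd.pid" pid=31446 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=121 ouid=121
EOF
}

# Usage: sh check-dhcpd-pid.sh --check [PIDFILE] [SYSLOG]
if [ "${1:-}" = "--check" ]; then
    pf=${2:-/run/dhcp-server/dhcpd.pid}
    if pid_file_ok "$pf"; then echo "OK: $pf"; else echo "FAIL: $pf"; fi
    pid_errors "${3:-/var/log/syslog}" || echo "no pid-related errors logged"
fi
```

A denied mask of "r" on a path the profile already lists with "w" points at missing read access in the rule, not at a wrong path.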

raerek (raerek) wrote :

Oops, wrong place for my last comment:) Sorry.

Jamie Strandboge (jdstrand) wrote :

I don't see any apparmor denials in your kern.log and this line is in your apparmor profile:
/{,var/}run/{,dhcp-server/}dhcpd{,6}.pid w,

which allows writes to:
/var/run/dhcpd.pid

This does not seem to be an apparmor problem.

raerek (raerek) wrote :

I don't think so either, but the problem still exists.
And the automated statement "UpgradeStatus: No upgrade log present (probably fresh install)" is true as well: I did not have the time to mess up anything:) The only file I changed on the complete new system is the attached dhcpd.conf.

PaulSchulz (paulschulz) wrote :

My fix below for IPv4 (new /etc/init/isc-dhcp-server.conf)

My take on the problem is:
- Not an apparmor issue.
- The permissions on /var/run are 755, so writable by root only.
- dhcpd tries to write its pid file after it has dropped root permissions.
- Existing method to get around this
  (from looking at the current /etc/init/isc-dhcp-server.conf upstart file)
  is to create a dhcp-server directory and enable the ownership/permissions on that.
- The upstart conf script is broken and doesn't do this properly.
   - It only creates this directory and sets these permissions on 'restart'(?)
   - It doesn't tell dhcpd where it should write its pid, which defaults to /var/run/dhcpd.pid.

Also: /var/run is being migrated to /run, so I have included that change.

See the attached file for my rework of the upstart script which appears to work for me.
I can start, stop, restart with appropriate messages if I try to start a running service, or stop a stopped service.

PaulSchulz (paulschulz) wrote :

I am now getting the following apparmor message.

apparmor="DENIED" operation="open" parent=31445 profile="/usr/sbin/dhcpd" name="/run/dhcp-server/dhcpd.pid" pid=31446 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=121 ouid=121

Changed in isc-dhcp (Ubuntu):
status: New → Confirmed
Wladimir Mutel (mwg) wrote :

Having the same messages on my systems which have dhcpd installed.
Don't know if it is very dangerous or not.

Jamie Fifield (jamie-fifield) wrote :

I had this issue as well. Fixed it with paulschulz's suggestion of adding the "-pf /run/dhcp-server/dhcpd.pid" command line option into /etc/init/isc-dhcp-server.conf.

Jamie Fifield (jamie-fifield) wrote :

FYI, I also added read access to the PID file in the apparmor profile.

Daniel Griswold (daniel-griswoldcomputing) wrote :

Also affects isc-dhcp-server-ldap 4.1.ESV-R4-0ubuntu5

Same work-around of -pf switch corrects.

Barry Warsaw (barry) wrote :

I just encountered the same problem. I did two things to work around this:

% cd /etc
% bzr diff
=== modified file 'apparmor.d/usr.sbin.dhcpd'
--- apparmor.d/usr.sbin.dhcpd 2012-05-18 01:12:29 +0000
+++ apparmor.d/usr.sbin.dhcpd 2012-05-19 21:10:55 +0000
@@ -32,7 +32,7 @@
   /var/lib/dhcp/dhcpd{,6}.leases* lrw,
   /var/log/ r,
   /var/log/** rw,
- /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid w,
+ /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw,

   # LTSP. See:
   # http://www.ltsp.org/~sbalneav/LTSPManual.html
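
Review bot: the "+" line grants rw on every expansion of the brace pattern, which includes dhcpd.pid and dhcpd6.pid directly under /run and /var/run as well as under dhcp-server/. With pid-file-name pointing into dhcp-server/ (see the dhcpd.conf hunk in this same diff), the rule could be narrowed to /{,var/}run/dhcp-server/dhcpd{,6}.pid rw so the profile only covers the directory the daemon is meant to use. The profile has to be reloaded before the new permission applies.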

=== modified file 'dhcp/dhcpd.conf'
--- dhcp/dhcpd.conf 2012-05-19 21:01:43 +0000
+++ dhcp/dhcpd.conf 2012-05-19 21:09:07 +0000
@@ -31,7 +31,7 @@
 # have to hack syslog.conf to complete the redirection).
 log-facility local7;

-pid-file-name "/var/run/dhcp-server/dhcpd.pid";
+pid-file-name "/run/dhcp-server/dhcpd.pid";

 subnet xxx.xxx.xxx.0 netmask 255.255.255.0 {
     option routers xxx.xxx.xxx.xxx;
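
Review bot: the old and new pid-file-name values differ only in the /var/run versus /run prefix, and the AppArmor rule in the first hunk already accepts both spellings, so the change description should say why the prefix matters here. The diff also touches only dhcp/dhcpd.conf, so an IPv6 server keeps its default pid path, and the value set here should agree with any -pf option passed by the init job so the path is defined in one place.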

I honestly don't know whether this is the *right* thing to do, but it works for me (please let me know if I'm opening massive vulnerabilities :).

I think there are possibly two bugs here. The first would be that the default pid file for dhcpd puts it in a location that isn't writable. The second is that even after relocating the pid file, the apparmor setting doesn't allow for reading the pid file.

Drain (mandriano82)
description: updated
Maurício Severich (mseverich) wrote :

I changed /etc/default/isc-dhcp-server to work around this:
INTERFACES="-pf /var/run/dhcp-server/dhcpd.pid eth0"

That works for both v4 and v6 scripts.

Changed in isc-dhcp (Ubuntu):
status: Confirmed → Fix Released
Changed in isc-dhcp (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Stéphane Graber (stgraber)
description: updated
Changed in isc-dhcp (Ubuntu Precise):
importance: Undecided → Low
description: updated
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Varga, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in isc-dhcp (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Gabe Cornman (z-iabe-b) wrote :

I was affected by this bug today. Installing the -proposed fix was the solution to my problem as well. Thank you!

Stéphane Graber (stgraber) wrote :

Based on Gabe's comment, marking verification-done

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isc-dhcp (Ubuntu Oneiric):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.1

---------------
isc-dhcp (4.1.ESV-R4-0ubuntu5.1) precise-proposed; urgency=low

  * Set -pf option for both isc-dhcp-server and isc-dhcp-server6 so they
    create their pid files in a path that's actually writable. (LP: #985417)
  * Also allow read access to the pid file in the apparmor profile,
    otherwise only the initial start succeeds. (LP: #1005062)
  * On upgrade from dhcp3-server, move /etc/default/dhcp3-server to
    /etc/default/isc-dhcp-server. (LP: #1003971)
  * On upgrade from dhcp3-relay, remove /etc/default/dhcp3-relay.
    (LP: #1005547)
  * Try to preseed isc-dhcp-relay with the values from
    /etc/default/dhcp3-relay. (LP: #1005547)
 -- Stephane Graber <email address hidden> Sun, 27 May 2012 20:41:13 -0400

Changed in isc-dhcp (Ubuntu Precise):
status: Fix Committed → Fix Released
Clint Byrum (clint-fewbar) wrote :

Hello Varga, or anyone else affected,

Accepted isc-dhcp into oneiric-proposed. The package will build now and be available in a few hours. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users. If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in isc-dhcp (Ubuntu Oneiric):
status: Confirmed → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Marc Deslauriers (mdeslaur) wrote :

The Oneiric package in -proposed got superseded by a security update, and needs to be re-uploaded.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in isc-dhcp (Ubuntu Oneiric):
status: Fix Committed → Won't Fix