isc-dhcp-server fails to renew lease file
- Trusty (14.04)
- Bug #1186662
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
isc-dhcp (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre | |
Trusty | Triaged | High | Unassigned | |
Bug Description
After raring upgrade, the dhcp server fails to renew lease file when it tries to (about every hour).
The syslog says:
dhcpd: Can't create new lease file: Permission denied
It looks like a permission problem, because
# chown -R dhcpd:dhcpd /var/lib/dhcp
the above command temporarily solves the issue, until dhcpd is restarted: at that time, the ownership of the directory and the lease file is set back to root:root.
Launchpad Janitor (janitor) wrote : | #1 |
Changed in isc-dhcp (Ubuntu): | |
status: | New → Confirmed |
Michael Bienia (geser) wrote : | #2 |
The problem is how dhcpd implements privilege separation. It doesn't work well with AppArmor and kernel (hard)link protection.
dhcpd expects to be able to write the leases file and create new files in /var/lib/dhcp when rotating the leases file hourly.
As dhcpd is run as user dhcpd, the directory and the files there belonged to dhcpd:dhcpd in the past, until that caused a problem with AppArmor (see bug #1028526). As a fix for this, the directory and the files now belong to root:root, and dhcpd can start but can no longer rotate the leases file as user dhcpd (current bug).
Trying to just set dhcpd as owner for /var/lib/dhcp doesn't work as then the kernel hardlink protection triggers when dhcpd tries to hardlink dhcpd.leases (owned by root) to dhcpd.leases~ when rotating the leases file as user dhcpd. Setting dhcpd as the owner of the leases file too, doesn't work either [1] as we are then back where we started.
[1]: It doesn't work when it belongs to dhcpd:dhcpd when dhcpd gets started, but it works when the leases file belongs to root when dhcpd gets started and is manually chowned back to dhcpd *after* dhcpd has started.
The proper fix is to have dhcpd open the leases file as user dhcpd during start and not root and having /var/lib/dhcp/ and the leases file belong to dhcpd:dhcpd.
Changed in isc-dhcp (Ubuntu): | |
status: | Confirmed → Triaged |
assignee: | nobody → Michael Bienia (geser) |
Changed in isc-dhcp (Ubuntu): | |
assignee: | Michael Bienia (geser) → Stéphane Graber (stgraber) |
Ubuntu Uefi User (ubuntuuefiuser) wrote : | #3 |
Will just adding:
sleep 5
chown dhcpd:dhcpd /var/lib/dhcp -R
to the upstart script work?
Philipp Noack (philipp-noack-b) wrote : | #4 |
The problem persists in saucy.
atimonin (atimonin) wrote : | #5 |
Also have this problem.
Description: Ubuntu 13.10
Release: 13.10
Codename: saucy
Jasper Knockaert (jasper-f) wrote : | #6 |
The problem persists in trusty.
Thiago Martins (martinx) wrote : | #7 |
I can confirm that this problem persists in Trusty.
Aleksey Sanin (aleksey-l) wrote : | #8 |
+1 in Trusty. Sounds like the fix for bug #1028526 needs to be reverted and app_armor fixed instead.
Ian McMichael (ian-sigma-uk) wrote : | #9 |
Rather annoyingly, this still seems to be present in 14.04 LTS after all these years! The following seems to fix it (at least until the isc-dhcp-server package gets updated):
- Stop the DHCP server (service isc-dhcp-server stop)
- chown -R dhcpd:dhcpd /var/lib/dhcp
- Edit /etc/init/
# The leases files need to be root:root even when dropping privileges
[ -e /var/lib/
chown root:root /var/lib/dhcp /var/lib/
if [ -e /var/lib/
chown root:root /var/lib/
fi
- Edit /etc/apparmor.
# Allow lease file updates
capability dac_override,
- Reload AppArmor profiles (service apparmor reload)
- Restart DHCPd (service isc-dhcp-server start)
Hopefully everything will work now. Why can these changes not be made in the official package?
Ben Bird (bbird) wrote : | #10 |
Using the above fix by ian-sigma-uk triggered apparmor bug #1308761, for me.
Martin Jackson (mhjacks) wrote : | #11 |
I am running 14.04 as well.
I set my DHCP servers to aa-complain mode. On my secondary (failover) partner, the dhcpd.leases file is owned root:root, even after changing the root:root ownerships to dhcpd:dhcpd in isc-dhcp-
I was getting some peculiar address changing behaviors, so I set the split in my failover conf to 255. This seems to be working, but I find it far from ideal.
Jamie Strandboge (jdstrand) wrote : | #12 |
We want to avoid using 'capability dac_override' in the apparmor profile if we can, so the fix in comment #9 is not appropriate for inclusion in Ubuntu.
Jamie Strandboge (jdstrand) wrote : | #13 |
As Michael said, this needs a code change to dhcpd to open the files correctly.
atimonin (atimonin) wrote : | #14 |
I've created a bug-report in www.isc.org:
Your ticket has been assigned an ID of [ISC-Bugs #36978].
Brian Conry (bconry) wrote : | #15 |
Can someone please confirm my understanding of this issue?
a) Ubuntu has configured dhcpd to drop root privileges
b) Ubuntu has added logic to dhcpd.conf to force the ownership of dhcpd.leases to root:root
c) Ubuntu is managing the ownership (and permissions?) of the directory in which dhcpd.leases lives, keeping it as root:root
We at ISC are not really clear what we're supposed to do with this.
Thanks,
Brian Conry
ISC Support
Brian Conry (bconry) wrote : | #16 |
On my second re-read of this thread I made my spot check and noticed
"
The proper fix is to have dhcpd open the leases file as user dhcpd during start and not root and having /var/lib/dhcp/ and the leases file belong to dhcpd:dhcpd.
"
which implies (correctly) that dhcpd opens dhcpd.leases before dropping privileges, and also implies that maybe the ownership shenanigans are due to dhcpd's failure to open the leases file as the non-privileged user.
This is done because, as things are currently structured, dhcpd initiates the failover relationships (which requires data from the dhcpd.leases file) at the same time as it opens the listening sockets (which requires privileges in the default configuration).
There may also be other information dependencies that I haven't noticed yet.
We're evaluating our options at this point.
It will be helpful to know if the forcing of ownership to root:root of the files and directory is being done as an attempt to cope with dhcpd's behavior or if that is construed as a feature and the desired state.
Robert Sander (gurubert) wrote : | #17 |
Workaround from http://
sudo setfacl -dm u:dhcpd:rwx /var/lib/dhcp
sudo setfacl -m u:dhcpd:rwx /var/lib/dhcp
DigiAngel (jlay) wrote : | #18 |
And continuing to see this:
Feb 27 05:43:17 gateway dhcpd: Can't create new lease file: Permission denied
Feb 27 05:43:17 gateway kernel: [ 4703.128481] type=1400 audit(142504099
tags: | added: trusty |
Launchpad Janitor (janitor) wrote : | #19 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in isc-dhcp (Ubuntu Trusty): | |
status: | New → Confirmed |
Jasper Knockaert (jasper-f) wrote : | #20 |
Is there a relation with https:/
Christopher Nighswonger (cnighswonger) wrote : | #21 |
@bconry: What is the latest on this bug?
tags: | added: saucy |
HansLambermont (hans-lambermont) wrote : | #22 |
This issue persists in 14.04.2 LTS
Jared Fernandez (jared-fernandez) wrote : | #23 |
Issue persists in 15.04 Vivid
tags: | added: vivid |
Changed in isc-dhcp (Ubuntu): | |
importance: | Undecided → High |
Changed in isc-dhcp (Ubuntu Trusty): | |
importance: | Undecided → High |
Simon McNair (simonmcnair) wrote : | #24 |
This is still ongoing.
I've tried
- /etc/init/
# The leases files need to be root:root even when dropping privileges
[ -e /var/lib/
#SM 2015-05-08 chown root:root /var/lib/dhcp /var/lib/
chown dhcpd:dhcpd /var/lib/dhcp /var/lib/
if [ -e /var/lib/
#SM 2015-05-08 chown root:root /var/lib/
echo "Chown DHCPD to fix brokenness"
chown dhcpd:dhcpd /var/lib/
fi
- /etc/init.
...
start)
# SM 2015-08-05 chown dhcpd /var/lib/dhcp/*
...
restart | force-reload)
$0 stop
$0 start
if [ "$?" != "0" ]; then
fi
#SM 1015-05-08
;;
...
-.) Apparmor in to complain mode
mv /etc/apparmor.
-.)/lib/
# SM 2015-05-08 chown root:root /var/lib/dhcp /var/lib/
chown dhcpd:dhcpd /var/lib/dhcp /var/lib/
followed by systemctl daemon-reload
and modifying systemd finally broke it:
systemctl status isc-dhcp-
● isc-dhcp-
Loaded: error (Reason: Invalid argument)
Active: active (running) since Fri 2015-05-08 09:42:02 BST; 14min ago
Docs: man:dhcpd(8)
Main PID: 14253 (dhcpd)
CGroup: /system.
└─14253 dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-
May 08 09:42:02 here dhcpd[14253]: Server starting service.
May 08 09:42:02 here sh[14253]: Listening on LPF/eth0/
May 08 09:42:02 here sh[14253]: Sending on LPF/eth0/
May 08 09:42:02 here sh[14253]: Sending on Socket/
May 08 09:42:32 here systemd[1]: [/lib/systemd/
May 08 09:42:32 here systemd[1]: isc-dhcp-
May 08 09:43:04 here systemd[1]: [/lib/systemd/
May 08 09:43:04 here systemd[1]: isc-dhcp-
May 08 09:46:58 here systemd[1]: [/lib/systemd/
May 08 09:46:58 here systemd[1]: isc-dhcp-
root@here:
PLEASE can someone tell me how this has persisted since 2013 ?!?!?!
Ian McMichael (ian-sigma-uk) wrote : | #25 |
I've given up with my solution in #9 as it did not work. I'm still using 14.04 LTS systems and now employ the following fix instead:
service isc-dhcp-server stop
setfacl -dm u:dhcpd:rwx /var/lib/dhcp
setfacl -m u:dhcpd:rwx /var/lib/dhcp
service isc-dhcp-server start
Note: For this to work you must have acl support on the root filesystem (assuming that's where /var/lib/dhcp lives on your configuration). This is a matter of adding the "acl" option to the mount line in /etc/fstab.
I have been running this for a couple of months now and it seems to do the trick on several servers.
Hope it helps someone?
tags: | added: canonical-bootstack |
Anton Cohen (antoncohen) wrote : | #26 |
This was fixed in Fedora 18 in 2012, works with SELinux, same version of dhcp-server (4.2.4) as trusty. Maybe a similar method can be used with AppArmor?
https:/
http://
Seth Arnold (seth-arnold) wrote : | #27 |
Nice find Anton; in the little I had inspected the code, I thought it would be solved by moving the db open until after the privileges had been dropped, but that would have significantly complicated the error handling for broken configurations/
This might still require the CAP_CHOWN capability in the AppArmor profile, but at least this would be squashed.
Linus Nilsson (linusnilsson) wrote : | #28 |
I'm running Ubuntu Server 14.04.2 LTS and have the same problem.
After I installed the acl-package I'm now using the solution suggested by Ian McMichael and it is working.
John Center (john-center) wrote : | #29 |
We're having the same problem running dhcpd under trusty. As a workaround, if we make the file attribute changes in #25, is this the only thing that needs to be done? Can we also change chown root:root to dhcpd:dhcpd for /var/lib/dhcp/* in isc-dhcp-
Thanks.
-John
no!chance (ralf-fehlau) wrote : | #30 |
This bug has existed for 2 years ... I am sure this will never be fixed in Ubuntu. ... since you switch to another distro!
Falk (andreas-mockel) wrote : | #31 |
Any status on this?
I am pushing a cluster into production with this bug.
Is the "only" way to fix this by using ACLs as Ian McMichael suggested?
service isc-dhcp-server stop
setfacl -dm u:dhcpd:rwx /var/lib/dhcp
setfacl -m u:dhcpd:rwx /var/lib/dhcp
service isc-dhcp-server start
No official fix out there?
--
Regards Falk
John Center (john-center) wrote : | #32 |
There are a number of things that need to be addressed with the isc-dhcp-server package. I think I've worked through most of the issues, based on items here & ones I've researched; maybe the maintainer or someone else could review this?
1) /etc/default/
diff -Nru /etc/default/
--- /etc/default/
+++ isc-dhcpd-
@@ -7,10 +7,13 @@
#
# Path to dhcpd's config file (default: /etc/dhcp/
-#DHCPD_
+DHCPD_
+
+# Path to dhcpd's leases file (default: /var/lib/
+DHCPD_
# Path to dhcpd's PID file (default: /var/run/
-#DHCPD_
+DHCPD_
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
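Review bot: the comment kept as context at the end of this hunk still lists only -cf and -pf (DHCPD_CONF/DHCPD_PID) as options that must not go into the extra-options setting, although the hunk adds a third path variable for the leases file. If the job passes that path to dhcpd with -lf, an admin who also sets -lf in the options ends up with two leases paths; extend the comment to cover -lf and name the new variable next to the other two.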
@@ -18,4 +21,4 @@
2) /etc/init/
diff -Nru /etc/init/
--- /etc/init/
+++ isc-dhcpd-
@@ -13,22 +13,17 @@
fi
. /etc/default/
- if [ -f /etc/ltsp/
- CONFIG_
- else
- CONFIG_
- fi
- if [ ! -f $CONFIG_FILE ]; then
- echo "$CONFIG_FILE does not exist! - Aborting..."
- echo "Please create and configure $CONFIG_FILE to fix the problem."
+ if [ ! -f $DHCPD_CONF ]; then
+ echo "$DHCPD_CONF does not exist! - Aborting..."
+ echo "Please create and configure $DHCPD_CONF to fix the problem."
stop
exit 0
fi
- if ! dhcpd -user dhcpd -group dhcpd -t -q -4 -cf $CONFIG_FILE > /dev/null 2>&1; then
+ if ! dhcpd -user dhcpd -group dhcpd -t -q -4 -cf $DHCPD_CONF > /dev/null 2>&1; then
echo "dhcpd self-test failed. Please fix the config file."
echo "The error was: "
- dhcpd -user dhcpd -group dhcpd -t -4 -cf $CONFIG_FILE
+ dhcpd -user dhcpd -group dhcpd -t -4 -cf $DHCPD_CONF
stop
exit 0
fi
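Review bot: $DHCPD_CONF is expanded unquoted in the new "[ ! -f $DHCPD_CONF ]" test and in both "-cf $DHCPD_CONF" calls, and nothing here handles the variable being unset. The defaults file had this setting commented out before the patch, so a host that keeps its existing defaults file gets an empty expansion: "[ ! -f ]" evaluates false, the existence check is skipped, and dhcpd is run with a bare -cf. Quote the expansions and fall back to a default path when the variable is empty.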
@@ -36,12 +31,6 @@
respawn
script
- if [ -f /etc/ltsp/
- CONFIG_
- else
- CONFIG_
- fi
-
. /etc/default/
# Allow dhcp server to write lease and pid file as 'dhcpd' user
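Review bot: LTSP hosts lose their configuration selection with the "- if [ -f /etc/ltsp/" removal in the script stanza (and the matching removal in pre-start), and none of the visible hunks documents that. Such a host now starts with whatever DHCPD_CONF points at; either keep the /etc/ltsp/ fallback for the case where DHCPD_CONF is unset, or add a line to the defaults file telling LTSP users to set it.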
@@ -50,10 +39,8 @@
# The leases files need to be root:root even when dropping privileges
[ -e /var/lib/
- chown root:root /var/l...
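Review bot: the context line "# The leases files need to be root:root even when dropping privileges" stays unchanged while the "chown root:root" under it is removed, so the comment will contradict the code. The rest of the hunk is cut off here, but whatever ownership replaces it, the comment should be updated in the same change.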
tags: | added: patch |
wdeurholt (wdeurholt) wrote : | #33 |
I am on Ubuntu 14.04.3 LTS Server.
Bug as described is present.
Solution in #25 works, but still is a workaround.
For the record: Bug was first mentioned 2 years and (neatly) 4 months ago now.
That is amazing.
Changed in isc-dhcp (Ubuntu): | |
assignee: | Stéphane Graber (stgraber) → nobody |
Ro (robert-markula) wrote : | #34 |
Following up on comment #14, this bug (ISC-Bugs #36978) seems to have been fixed in ISC DHCP upstream version 4.3.2 [1]:
" - Enhance the PARANOIA patch to include fchown() the lease file to
allow it to be manipulated after the server does a chown().
Thanks to Jiri Popelka at Red Hat for the patch.
[ISC-Bugs #36978]
"
[1] https:/
Skeletor (skeletor99-deactivatedaccount) wrote : | #35 |
Can this please be fixed in Trusty? Seems pretty essential to have a working DHCP server in an LTS release.
tags: | added: wily |
Changed in isc-dhcp (Ubuntu): | |
assignee: | nobody → Mathieu Trudel-Lapierre (mathieu-tl) |
Launchpad Janitor (janitor) wrote : | #36 |
This bug was fixed in the package isc-dhcp - 4.3.3-5ubuntu1
---------------
isc-dhcp (4.3.3-5ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Apparmor profiles for dhclient and dhcpd.
- Create user/group dhcpd.
- Create /etc/dhcp/
- Sanitize environment in dhclient-
- Wait for /etc/resolv.conf to be writable in dhclient-
- If /etc/ltsp/
- Add an 'option subnet-mask' example to config.
- Increase the timeout to 300 seconds for dhclient.conf (following the
default added by dhclient-
- Apport hook for isc-dhcp-client and isc-dhcp-server.
- Upstart jobs for isc-dhcp-server, isc-dhcp-server6, isc-dhcp-relay and
isc-
- Separate default file for isc-dhcp-relay6.
- Drop isc-dhcp-
- Remaining Ubuntu patches:
+ dhclient-
+ revert-next-server.
+ multi-ip-
+ dhclient-
+ onetry_
+ dhcp-getifaddrs
+ dhcp-lpf-ib.patch
+ dhcp-improved-
+ dhcp-gpxe-cid.patch
+ dhcp-improved-
+ CVE-2015-8605.patch
* debian/
* debian/
for dhclient, dhcpd, omshell and dhcrelay since omapip now requires it.
* debian/
the permissions handling in paranoia mode is now done correctly so that
dhcpd can rotate them. (LP: #1186662)
-- Mathieu Trudel-Lapierre <email address hidden> Wed, 13 Jan 2016 15:41:45 -0500
Changed in isc-dhcp (Ubuntu): | |
status: | Triaged → Fix Released |
Jamie Strandboge (jdstrand) wrote : | #37 |
I came across this bug myself and decided to take a closer look. On trusty, as mentioned, we need the extra PARANOIA patch from 4.3.3. This will chown the lease file to dhcpd:dhcpd so that afterwards rotation works. I backported a very minimal patch for this. However, the upstart job needed to be adjusted to have this instead:
...
# The leases files need to be root:dhcpd for dropping privileges
[ -e /var/lib/
chown root:dhcpd /var/lib/dhcp /var/lib/
chmod 775 /var/lib/dhcp
chmod 664 /var/lib/
...
'capability chown' needs to be added to the apparmor profile. This allows root to open the file in /var/lib/dhcp without capability dac_override or capability fowner, allows the fchown of the lease file to dhcpd:dhcpd, then allows the dhcpd user to manage the leases and leases~ files. I have test packages in https:/
I didn't look at xenial very closely, but it doesn't seem to need the root:dhcpd setup. Upstream must have reordered priv dropping and the fchown, etc for this to work. While it would be possible to backport these changes to trusty, I prefer the minimal patch and change to the upstart job in the ppa for a stable release update.
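An added example, not part of the bug thread or of isc-dhcp: a small shell model of the two kernel checks discussed in comments #2 and #37 (directory write access for the new lease file, and fs.protected_hardlinks for the dhcpd.leases~ link). The function names and the uid/gid 105/110 used for dhcpd are assumptions, and POSIX ACLs (the setfacl workaround) and AppArmor are not modelled.

```sh
#!/bin/sh
# Added example (not from the bug thread). Models only owner/group/other
# mode bits and fs.protected_hardlinks; POSIX ACLs and AppArmor are ignored.

# perm_bits UID GID OWNER GROUP MODE
# Prints the rwx triplet (0-7) the kernel applies to this caller.
perm_bits() (
    mode=$((0$5))                      # octal string as printed by stat, e.g. 664
    if [ "$1" -eq "$3" ]; then
        echo $(( (mode >> 6) & 7 ))    # owner class
    elif [ "$2" -eq "$4" ]; then
        echo $(( (mode >> 3) & 7 ))    # group class (primary gid only)
    else
        echo $(( mode & 7 ))           # other class
    fi
)

# can_rotate UID GID DIR_OWNER DIR_GROUP DIR_MODE \
#            FILE_OWNER FILE_GROUP FILE_MODE [PROTECTED_HARDLINKS]
# Prints "ok" or the first rotation step that fails; status 0 only for "ok".
can_rotate() (
    uid=$1 gid=$2 hardlinks=${9:-1}
    # root passes the mode-bit checks regardless of ownership.
    [ "$uid" -eq 0 ] && { echo "ok"; exit 0; }

    # Creating the new lease file and the dhcpd.leases~ link both need
    # write (2) + search (1) on /var/lib/dhcp.
    dir=$(perm_bits "$uid" "$gid" "$3" "$4" "$5")
    if [ $(( dir & 3 )) -ne 3 ]; then
        echo "create-denied"; exit 1
    fi

    # With fs.protected_hardlinks=1, link() on a regular non-setuid file
    # needs the caller to own it or to have read (4) + write (2) on it.
    if [ "$hardlinks" -eq 1 ] && [ "$uid" -ne "$6" ]; then
        file=$(perm_bits "$uid" "$gid" "$6" "$7" "$8")
        if [ $(( file & 6 )) -ne 6 ]; then
            echo "hardlink-denied"; exit 1
        fi
    fi
    echo "ok"
)

# check_lease_dir DIR USER
# Feeds the live ownership of DIR and DIR/dhcpd.leases into can_rotate.
# Assumes GNU stat (-c) and a Linux /proc.
check_lease_dir() (
    dir=$1 user=$2
    uid=$(id -u "$user") || exit 2
    gid=$(id -g "$user") || exit 2
    d=$(stat -c '%u %g %a' "$dir") || exit 2
    f=$(stat -c '%u %g %a' "$dir/dhcpd.leases") || exit 2
    hl=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo 0)
    # $d and $f are left unquoted on purpose: each holds three fields.
    can_rotate "$uid" "$gid" $d $f "$hl"
)

# Stand-alone use: sh thisfile /var/lib/dhcp dhcpd
if [ "$#" -eq 2 ]; then
    check_lease_dir "$1" "$2"
fi
```

With the constructed ids, the root:root layout from the bug description gives create-denied, the "chown only the directory" attempt from comment #2 gives hardlink-denied, and the root:dhcpd 775/664 layout from comment #37 gives ok.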
Changed in isc-dhcp (Ubuntu Trusty): | |
status: | Confirmed → Triaged |
Jamie Strandboge (jdstrand) wrote : | #38 |
- isc-dhcp_4.2.4-7ubuntu12.5~jdstrand1.debdiff (6.6 KiB, text/plain)
Since the debdiff in the ppa goes back to the last trusty-security update, here is the debdiff of what is in the ppa.
Rob Whyte (fudge) wrote : | #39 |
After installing Xenial server last week I had problems from the get go with isc-dhcp-server and client. As it is my gateway I have had a great deal of trouble. Your suggestions in comment 37 seem to address them, am waiting to see if my next ISP dhcp renewal leaves me disconnected again. Affected packages for me are 4.4.4-5ubuntu7 and 4.4.4-5ubuntu8.
Jamie Strandboge (jdstrand) wrote : | #40 |
Rob, the dhcp server issue is bug #1543794 and should be fixed in 4.4.4-5ubuntu9.
Jamie Strandboge (jdstrand) wrote : | #41 |
The changes in 4.4.4-5ubuntu9 on xenial are essentially the same as what I put in the ppa for trusty in terms of the directory permissions (note, trusty also updates the PARANOIA patch which xenial already had). Can trusty users comment on if the ppa packages for trusty fixes the issues for you?
Juri Haberland (haberland) wrote : | #42 |
Yes, it seems to fix it, but there is an upgrade problem:
...
Mar 1 21:52:16 server kernel: [177627.390088] init: isc-dhcp-server main process (1218) killed by TERM signal
Mar 1 21:52:20 server dhcpd: Internet Systems Consortium DHCP Server 4.2.4
Mar 1 21:52:20 server dhcpd: Copyright 2004-2012 Internet Systems Consortium.
Mar 1 21:52:20 server dhcpd: All rights reserved.
Mar 1 21:52:20 server dhcpd: For info, please visit https:/
Mar 1 21:52:20 server dhcpd: Internet Systems Consortium DHCP Server 4.2.4
Mar 1 21:52:20 server dhcpd: Copyright 2004-2012 Internet Systems Consortium.
Mar 1 21:52:20 server dhcpd: All rights reserved.
Mar 1 21:52:20 server dhcpd: For info, please visit https:/
Mar 1 21:52:20 server kernel: [177631.988612] type=1400 audit(145686554
Mar 1 21:52:20 server dhcpd: Can't chown new lease file: Operation not permitted
Mar 1 21:52:20 server kernel: [177631.989335] init: isc-dhcp-server main process (6043) terminated with status 1
Mar 1 21:52:20 server kernel: [177631.989343] init: isc-dhcp-server main process ended, respawning
...
and so on, until:
Mar 1 21:52:21 server kernel: [177632.161456] init: isc-dhcp-server respawning too fast, stopped
Mar 1 21:52:21 server kernel: [177632.248030] type=1400 audit(145686554
Mar 1 21:52:22 server kernel: [177633.172803] type=1400 audit(145686554
Mar 1 21:52:22 server kernel: [177633.172970] type=1400 audit(145686554
Mar 1 21:52:22 server kernel: [177633.173109] type=1400 audit(145686554
From now on "service isc-dhcp-server start" starts the DHCP server and all seems well. I have currently no idea what's going wrong.
This happened on two servers running Trusty.
padarjohn (john-meissen) wrote : | #43 |
Has this been pushed as an update for trusty? I'm running 14.04.4 LTS and have isc-dhcp-server 4.2.4-7ubuntu12.4, and I don't see anything else available from the repos.
Juri Haberland (haberland) wrote : | #44 |
No, I just tested a proposed update from Jamie Strandboge's PPA.
See comment #37 and #41.
Jamie Strandboge (jdstrand) wrote : | #45 |
For other reasons, I had to move the packages to https:/
MoD (lluna-nova) wrote : | #46 |
Is the update problem resolved?
MoD (lluna-nova) wrote : | #47 |
Apparently so.
Rob Traders (rob-traderspit) wrote : | #48 |
I've been fighting with this lease file issue since 14.04 LTS. The fixes provided in the release of isc-dhcp-server 4.3.3-5ubuntu12 do not fix the behaviour in 16.04 LTS (xenial) for me. The reason is the configuration of apparmor for the binary /usr/sbin/dhcpd, which prevents the manipulation of the leases file. I tried to fix the capabilities, but can't find a solution. The setting "capability dac_override" has no effect.
Temporarily I disabled apparmor interception for isc-dhcpd-server by symlinking to the disable folder.
# ln -s /etc/apparmor.
and restarted the dhcpd. This solves the problem, but it leaves the dhcpd unprotected by apparmor.
To fix it finally, please provide a working /etc/apparmor.
Sven (5-launmhpad-t) wrote : | #49 |
Bug still present in Ubuntu 14.04.4 LTS.
Emmanuel Proust (eproust) wrote : | #50 |
Bug still present in Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-34-generic x86_64) with version 4.3.3-5ubuntu12.1 of isc-dhcp.
I'll try Rob Traders's fix, but I'm very surprised that Ubuntu has left such a bug unfixed for two years!!
The idea could be to move to another distro with a more efficient fixes delay.
Emmanuel Proust (eproust) wrote : | #51 |
Rob Traders's fix does not work for me at all.
For the record, it was: "Temporarily I disabled apparmor interception for isc-dhcpd-server by symlinking to the disable folder.
# ln -s /etc/apparmor.
and restarted the dhcpd. This solves the problem, but it leaves the dhcpd unprotected by apparmor."
Steve Langasek (vorlon) wrote : | #52 |
The /etc/apparmor.
/var/
So there should be no issue with manipulation of the leases file.
The systemd unit in 16.04 also includes a 'chown' command to ensure the right ownership of the leases file, so there should be no need for any dac override.
Are you somehow running an Ubuntu 16.04 system with upstart as the init instead of systemd? This is what the user in https:/
Christian Reis (kiko) wrote : | #53 |
I don't think this bug still happens with 16.04 LTS. Can anyone who is seeing it reproduce from a from-scratch install? There could be an issue with upgrades, if people are actually still seeing this.
Emmanuel Proust (eproust) wrote : | #54 |
No, my system is using systemd.
dpkg -l|grep systemd gives me an answer :
ii libpam-
ii libsystemd0:amd64 229-4ubuntu7 amd64 systemd utility library
ii systemd 229-4ubuntu7 amd64 system and service manager
ii systemd-sysv 229-4ubuntu7 amd64 system and service manager - SysV links
dpkg -l|grep upstart doesn't
Christian Reis (kiko) wrote : | #55 |
Thanks, understood. Now, is this a fresh install or an upgrade, eproust?
Emmanuel Proust (eproust) wrote : | #56 |
Hi kiko,
It's a fresh install of Lubuntu 16.04 xenial.
Linux vlubfs1 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Jared Fernandez (jared-fernandez) wrote : | #57 |
I'm also still seeing this on 16.04 LTS with systemd. This is an upgrade, not a fresh install.
Aug 26 12:30:52 Host sh[4059]: Can't open /var/lib/
Aug 26 12:30:52 Host dhcpd[4059]: Copyright 2004-2015 Internet Systems Consortium.
Aug 26 12:30:52 Host kernel: [ 55.961181] audit: type=1400 audit(147223985
Aug 26 12:30:52 Host dhcpd[4059]: All rights reserved.
Aug 26 12:30:52 Host dhcpd[4059]: For info, please visit https:/
Aug 26 12:30:52 Host dhcpd[4059]: Can't open /var/lib/
Aug 26 12:30:52 Host dhcpd[4059]:
Aug 26 12:30:52 Host dhcpd[4059]: If you think you have received this message due to a bug rather
Aug 26 12:30:52 Host dhcpd[4059]: than a configuration issue please read the section on submitting
Aug 26 12:30:52 Host dhcpd[4059]: bugs on either our web page at www.isc.org or in the README file
Aug 26 12:30:52 Host dhcpd[4059]: before submitting a bug. These pages explain the proper
Aug 26 12:30:52 Host dhcpd[4059]: process and the information we find helpful for debugging..
Aug 26 12:30:52 Host dhcpd[4059]:
Aug 26 12:30:52 Host dhcpd[4059]: exiting.
Aug 26 12:30:52 Host systemd[1]: isc-dhcp-
Aug 26 12:30:52 Host systemd[1]: isc-dhcp-
Aug 26 12:30:52 Host systemd[1]: isc-dhcp-
tags: | added: xenial |
Jared Fernandez (jared-fernandez) wrote : | #58 |
One thing I've noticed that may be of interest is that this only occurs for me now during boot up. If manually started with the command "sudo systemctl start isc-dhcp-
Emsi (trash1-z) wrote : | #59 |
I got the same on 16.04 after upgrading from 15.10.
It really sucks nobody can fix it for so many years.
Use Slackware guys.
Emsi (trash1-z) wrote : | #60 |
For the record:
The proper fix for me was to make sure that /etc/apparmor.
capability chown,
along:
capability net_bind_service,
capability net_raw,
capability setgid,
capability setuid,
For some reason it was not there after upgrade.
Emmanuel Proust (eproust) wrote : | #61 |
Hi,
Yes it really sucks !
For many of us, if we use Ubuntu it is for the ease of use, so moving to another Linux distro (with probably a lot of other bugs and less ease of use) is not a solution.
If I would accept to lose the ease of use, so I would move to a BSD (OpenBSD for the security) ;-)
Please devs, fix this on Ubuntu !
Steve Langasek (vorlon) wrote : Re: [Bug 1186662] Re: isc-dhcp-server fails to renew lease file | #62 |
On Wed, Sep 07, 2016 at 12:45:04PM -0000, Emsi wrote:
> For the record:
> The proper fix for me was to make sure that /etc/apparmor.
> capability chown,
> along:
> capability net_bind_service,
> capability net_raw,
> capability setgid,
> capability setuid,
> For some reason it was not there after upgrade.
This is a conffile belonging to the isc-dhcp-server package. If this line
was missing, presumably you had a modified /etc/apparmor.
file before upgrade, and kept your version on upgrade rather than installing
the version from the new package. Do you have an
/etc/apparmor.
to see what differences there are between those two files, and replace your
modified profile with the stock one so that you don't run into upgrade
problems in the future.
Emmanuel Proust (eproust) wrote : | #63 |
Just checked, I have the five capability lines (below) in the /etc/apparmor.
capability chown,
capability net_bind_service,
capability net_raw,
capability setgid,
capability setuid,
Ready to try any proposed fix...
Steve Langasek (vorlon) wrote : | #64 |
eproust, since yours was a fresh install the cause of your problem is unlikely to be the same. But you may want to install the debsums package and check whether any of the files on your system differ from the ones in the package:
$ sudo apt install debsums
$ debsums -e isc-dhcp-server
You may also want to check that your systemd unit is the expected one, by running the following command and attaching the resulting file:
systemctl show isc-dhcp-server > isc-dhcp-
Emmanuel Proust (eproust) wrote : | #65 |
- isc-dhcp-server-systemctl.txt (4.7 KiB, text/plain)
# debsums -e isc-dhcp-server
/etc/init.
/etc/dhcp/
/etc/logcheck/
/etc/init/
/etc/apparmor.
/etc/init/
Steve Langasek (vorlon) wrote : | #66 |
Ok, your 'systemctl show' output matches the default by all relevant measures, and the only modified conffile is the expected one (your dhcpd config). So I'm afraid this brings us no closer to understanding why this fails for some people and not for others.
Emmanuel Proust (eproust) wrote : | #67 |
Bad news...
Seth Arnold (seth-arnold) wrote : | #68 |
eproust, could you run dmesg | grep DENIED to see if there are AppArmor denials blocking your server?
Thanks
Emmanuel Proust (eproust) wrote : | #69 |
Hi seth-arnold,
Done a dmesg | grep DENIED
No result.
Emmanuel Proust (eproust) wrote : | #70 |
I use the isc-dhcp as a closed/restricted dhcp using the deny unknown-clients; directive.
Please could someone confirm that ALL leases should be listed in /var/lib/
Tomorrow I will test on site my isc-dhcp using :
- the current configuration with clients I will be able to manage,
- an open configuration (removing the unknown-clients; directive).
Emmanuel Proust (eproust) wrote : | #71 |
Double checked with several devices connected with static leases.
Nothing else than the following content in my dhcpd.leases file...
cat /var/lib/
gives :
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.3.3
server-duid "\000\001\
Dominik (domfi) wrote : | #72 |
It seems to me that the leases file is created as root after startup and then the user of the process changes to dhcp or whatever. I have to approve this yet.
Kind regards.
> On 07.09.2016 at 23:46, Steve Langasek <email address hidden> wrote:
>
> Ok, your 'systemctl show' output matches the default by all relevant
> measures, and the only modified conffile is the expected one (your dhcpd
> config). So I'm afraid this brings us no closer to understanding why
> this fails for some people and not for others.
Steve Langasek (vorlon) wrote : | #73 |
On Thu, Sep 29, 2016 at 08:46:59PM -0000, Dominik wrote:
> It seems to me, that the leases file is created as root after startup and
> then the user of the process changes to dhcp or whatever.
The systemd unit for isc-dhcp-server very explicitly sets the permissions on
/var/lib/
ever started.
Dominik (domfi) wrote : | #74 |
Sorry. My description was for Xenial and there is no systemd in Xenial (previous LTS, should be fixed there too IMO).
Dominik (domfi) wrote : | #75 |
Brr... s/Xenial/Trusty/ Sorry again.
Emmanuel Proust (eproust) wrote : | #76 |
Hi all,
Soon 4 years and still no fix for this issue !
I would like to know any suggestion to make this fixed :
- any Canonical contact to explain that the linux community is used to say that Microsoft is very slow to fix bugs...
- any famous community site to inform ubuntu users that such an issue still affects 3 LTS versions (12.04 / 14.04 / 16.04) and it is just a shame.
- ?
I regret a lot to write such comments but I noticed that nothing happens.
Emmanuel Proust (eproust) wrote : | #77 |
Hi,
Not seen your message on the launchpad topic.
I would prefer reply on the topic so that the whole subscribers will be
able to read it.
As a summary : Slackware is not an option for me.
I would choose a more professional distro like Opensuse if I had to replace
*buntu. But my first choice would be that *buntu evolve to become a
professional and reliable distro.
Cheers
On 7 Sept. 2016 9:26 AM, "Emsi" <email address hidden> wrote:
> I got the same on 16.04 after upgrading from 15.10.
> It really sucks nobody can fix it for so many years.
> Use Slackware guys.
Paul Henderson (harryhendo) wrote : | #78 |
Yes, I share your frustration. However, the workaround to change the
permissions of the /var/lib/dhcp directory to dhcpd:dhcpd is working for
me. We shouldn't need a workaround, but at least there is one available.
On 2017-04-30 06:54, Emmanuel Proust wrote:
> Hi all,
>
> Soon 4 years and still no fix for this issue !
>
> I would like to know any suggestion to make this fixed :
>
> - any Canonical contact to explain that the linux community is used to
> say that Microsoft is very slow to fix bugs...
>
> - any famous community site to inform ubuntu users that such an issue
> still affects 3 LTS versions (12.04 / 14.04 / 16.04) and it is just a
> shame.
>
> - ?
>
> I regret a lot to write such comments but I noticed that nothing
> happens.
Gaétan QUENTIN (gaetan-quentin) wrote : | #79 |
ubuntu 17.10 32 bits: the same
Nov 17 22:02:45 nas dhclient[736]: can't create /var/lib/
drwxr-xr-x 1 root root 44 déc. 13 2016 .
drwxr-xr-x 1 root root 738 juil. 16 18:11 ..
-rw-r--r-- 1 root root 1094 nov. 17 22:02 dhclient.
and there is no dhcp user account:
root@nas:/etc# grep -i dhcp /etc/passwd /etc/group
root@nas:/etc#
Seth Arnold (seth-arnold) wrote : | #80 |
Gaétan, a read-only filesystem could happen either from a drastic IO error or because the environment is configured to not provide one. I suggest asking on IRC or http://
Thanks