Problem with abandoned leases
David W. Hankins
David_Hankins at isc.org
Fri Mar 10 22:38:41 UTC 2006
Noticed this just today...got buried under the rest.
On Thu, Jan 19, 2006 at 08:48:35AM +1100, Bradley Baetz wrote:
> We've recently upgraded from 3.0.3b3 to 3.0.4b2, and are having some
I don't think your upgrade is related. At least I'm not sure how it
> The problem is that the lease found for the uid is the abandoned one.
Which means either the lease was DECLINEd by someone, or the ping-check
succeeded (probable if the client rebooting returns to BOUND state but
transmits messages as though in INIT state...that is, it is bound to
the address it previously had, but is broadcasting a DISCOVER).
> Then 2 minutes later the system reboots again. It's a dumb cable modem,
> and doesn't send a suggested IP, so we go through the whole thing again,
> with a new IP each time. And eventually this CM has all the IPs allocated
> to it and no one else can get online...
Nice. So it just takes one abandoned entry for this client to get it
to soak up all the leases.
> Any thoughts on what should be happening to stop this from occurring?
A few things.
1) Ping-check shouldn't ping ACTIVE leases. We know these kinds of
clients exist, and this ping-check is a sanity-check device anyway
not a really necessary component of the server.
2) The code around where you identified should be changed; the loops
that find client-id'd or hardware-id'd leases should themselves
omit leases that are ABANDONEd and look for the next one rather
than pull the first lease blindly.
3) I don't recall there being a lot of guidance in the failover draft
over what to do with ABANDONED leases, except the state engine where
it is suggested ABANDONED->RESET->FREE might occur (RESET implying
administrator intervention on a primary only). Without failover,
we treat ABANDONED leases as 'last resort FREE', that is they are
allocated as normal, but only if no more free leases exist. A
similar approach is not unreasonable if we limit it to a single
server, make it a primary-only behaviour. But it's more worthwhile
in a failover environment, I think, to proactively schedule a time
to RESET these leases so the pools can be balanced.
I think this behaviour should probably be substantively tuned. I
think a server operating in partner-down should be allowed to draw
from abandoned leases as a last resort. All that kind of thing. I
suspect the document is terse here to try and be as conservative as
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.

"If you don't do it right the first time, you'll just have to do it again."
  -- Jack T. Hankins
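
Added example, not part of the original message and not ISC dhcpd code: a simplified C model of the client-id lookup from item 2, run against the rebooting cable modem from the quoted report, with ABANDONED treated as last-resort FREE as in item 3. The lease struct, pool size, uid "cm1" and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define POOL 6
enum state { FREE, ACTIVE, ABANDONED };
struct lease { enum state st; char uid[8]; };   /* hypothetical, not dhcpd's struct */

/* Lookup by client id. skip_abandoned=0: take the first match blindly.
 * skip_abandoned=1: pass over ABANDONED leases and keep looking (item 2). */
static struct lease *find_by_uid(struct lease *p, const char *uid, int skip_abandoned) {
    for (int i = 0; i < POOL; i++) {
        if (strcmp(p[i].uid, uid) != 0) continue;
        if (skip_abandoned && p[i].st == ABANDONED) continue;
        return &p[i];
    }
    return NULL;
}

/* Hand the first lease in state `want` to uid, or return NULL if none. */
static struct lease *take(struct lease *p, enum state want, const char *uid) {
    for (int i = 0; i < POOL; i++)
        if (p[i].st == want) {
            p[i].st = ACTIVE;
            snprintf(p[i].uid, sizeof p[i].uid, "%s", uid);
            return &p[i];
        }
    return NULL;
}

/* One DISCOVER from a client that sends no requested address. */
static struct lease *discover(struct lease *p, const char *uid, int skip_abandoned) {
    struct lease *l = find_by_uid(p, uid, skip_abandoned);
    if (l && l->st == ACTIVE) return l;          /* re-offer the existing binding */
    l = take(p, FREE, uid);                      /* otherwise a fresh address */
    return l ? l : take(p, ABANDONED, uid);      /* ABANDONED as last-resort FREE */
}

/* Constructed scenario: lease 0 is ABANDONED and still recorded under "cm1";
 * the client reboots `reboots` times. Returns ACTIVE leases held by "cm1". */
int leases_held_after(int reboots, int skip_abandoned) {
    struct lease pool[POOL] = { { ABANDONED, "cm1" } };   /* rest: FREE, empty uid */
    int held = 0;
    for (int r = 0; r < reboots; r++) discover(pool, "cm1", skip_abandoned);
    for (int i = 0; i < POOL; i++)
        held += pool[i].st == ACTIVE && strcmp(pool[i].uid, "cm1") == 0;
    return held;
}

int main(void) {
    printf("first match: %d leases, skipping ABANDONED: %d\n",
           leases_held_after(5, 0), leases_held_after(5, 1));
    return 0;
}
```

With the blind first-match lookup every reboot consumes another address until the pool is gone; with ABANDONED leases skipped, the second and later DISCOVERs find the client's ACTIVE lease and re-offer it.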