[Kea-users] problem after upgrade from kea 261

Sat Dec 14 17:19:03 UTC 2024

Hi Darren,

Yes, i compile it. But only with make. In the repo i didn´t find 
keacrtl, so i build it from the source.
kea-dhcp4,kea-dhcp-ddns and kea-ctrl-agent are from the debian packages, 
published from isc. You are right, it looks like a problem with 
apparmor. Journalctl found many deny like this: Dez 14 17:26:10 figge-vm 
kernel: audit: type=1400 audit(1734193570.893:13453): apparmor="DENIED" 
operation="mknod" profile="kea-ctrl-agent" 
name="/run/kea/logger_lockfile" pid=78908 comm="kea-ctrl-agent" 
requested_mask="c" denied_mask="c" fsuid=115 ouid=115 aa-status say: 
root at figge-vm:/inst# aa-status apparmor module is loaded. 35 profiles 
are loaded. 33 profiles are in enforce mode. /usr/bin/evince 
/usr/bin/evince-previewer /usr/bin/evince-previewer//sanitized_helper 
/usr/bin/evince-thumbnailer /usr/bin/evince//sanitized_helper 
/usr/bin/lxc-start /usr/bin/man 
/usr/lib/NetworkManager/nm-dhcp-client.action 
/usr/lib/NetworkManager/nm-dhcp-helper 
/usr/lib/connman/scripts/dhclient-script /usr/lib/cups/backend/cups-pdf 
/usr/sbin/cups-browsed /usr/sbin/cupsd /usr/sbin/cupsd//third_party 
/{,usr/}sbin/dhclient kea-ctrl-agent kea-dhcp-ddns kea-dhcp4 kea-dhcp6 
kea-lfc ..... Kea Profils are from November 2023. After a restart, 
kea-ctrl-agent and kea-dhcp-ddns run, but the dhcp servers not, apparmor 
say deny. regards Ralf  Am 14.12.2024 um 12:33 schrieb Darren Ankney:
> Hi Ralf,
>
> It seems that you compiled from source as I see you using keactrl to
> start the processes?  It also appears that you are root from your
> prompt.  One thing you can try is to execute the commands manually
> that keactrl shows being executed:
>
> /sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
> /sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
> /sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
>
> But, I encourage you to check apparmor as I suspect that apparmor is
> tripping you up.  Debian 12 does not use plain text logs, so here is
> how you might check for apparmor problems (as root):
>
> journalctl -xe | grep audit | grep DENIED
>
> There are certainly specific switches to get journalctl to find
> exactly what you are after, but the above should work.
>
> A good source of information about apparmor:
> https://wiki.debian.org/AppArmor/HowToUse
>
> Thank you,
> Darren Ankney
>
> On Sat, Dec 14, 2024 at 3:33 AM Ralf Figge via Kea-users
> <kea-users at lists.isc.org> wrote:
>> Hello,
>> i use Debian 12. KEA 2.61 has run very well. I wanted to test some new
>> featues from 2.7.5, so i has make an update ..
>> After the update, i become follwing errors:
>>
>> root at figge-vm:/inst# keactrl version
>> keactrl: 2.7.5-git
>> kea-dhcp4: 2.7.5
>> kea-dhcp6: 2.7.5
>> kea-dhcp-ddns: 2.7.5
>> kea-ctrl-agent: 2.7.5
>> root at figge-vm:/inst# keactrl start
>> INFO/keactrl: Starting /sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
>> INFO/keactrl: Starting /sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
>> INFO/keactrl: Starting /sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
>> root at figge-vm:/inst# Unable to use interprocess sync lockfile
>> (Permission denied): /var/run/kea/logger_lockfile
>> Unable to use interprocess sync lockfile (Permission denied):
>> /var/run/kea/logger_lockfile
>> Unable to use interprocess sync lockfile (Permission denied):
>> /var/run/kea/logger_lockfile
>> kea-dhcp4: Fatal error during start up: Unable to open PID file
>> '/var/run/kea/kea-dhcp4.kea-dhcp4.pid' for write
>> Unable to use interprocess sync lockfile (Permission denied):
>> /var/run/kea/logger_lockfile
>> Unable to use interprocess sync lockfile (Permission denied):
>> /var/run/kea/logger_lockfile
>> Service failed: Launch failed: Unable to open PID file
>> '/var/run/kea/kea-dhcp-ddns.kea-dhcp-ddns.pid' for write
>> Unable to use interprocess sync lockfile (Permission denied):
>> /var/run/kea/logger_lockfile
>> Service failed: Launch failed: Unable to open PID file
>> '/var/run/kea/kea-ctrl-agent.kea-ctrl-agent.pid' for write
>>
>> Have somebody has an idea, what is going  wrong with this update ?
>> Starting over keactrl and systemctl does not work.
>>
>> Regards
>> Ralf
>> --
>> ISC funds the development of this software with paid support subscriptions. Contact us athttps://www.isc.org/contact/ for more information.
>>
>> To unsubscribe visithttps://lists.isc.org/mailman/listinfo/kea-users.
>>
>> Kea-users mailing list
>> Kea-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/kea-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20241214/9ec113c8/attachment.htm>