Apparmor results in denying operation mknod for isc-dhcp-server

Bug #776945 reported by koolhead17
This bug affects 3 people
Affects: isc-dhcp (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Ubuntu Server

Bug Description

Binary package hint: isc-dhcp-server

I have isc-dhcp-server installed, and I have configured the needed /etc/dhcpd.conf file, but when I try to execute

#dhcpd

it results in
can`t create PID file /var/run/dhcpd.pid :Permission denied.

My syslog suggests that AppArmor is denying the operation.

#tail -f /var/log/syslog
May 3 23:31:26 natty kernel: [ 354.126130] type=1400 audit(1304490686.397:10): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/dhcpd" name="/var/run/dhcpd.pid" pid=1116 comm="dhcpd" requested_mask="c" denied_mask="c" fsuid=105 ouid=105
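
The denial record above can be read field by field. The following is an added example, not part of the original report or of any Ubuntu tooling: it parses an AppArmor DENIED line, decodes the mask letters, and flags a path outside the pid directory that the maintainer's reply on this page says the profile allows (`allowed_pid_dir` and all function names are assumptions made for illustration).

```python
import re

# The denial record quoted in the bug description (copied from the page).
SAMPLE = ('May 3 23:31:26 natty kernel: [ 354.126130] type=1400 '
          'audit(1304490686.397:10): apparmor="DENIED" operation="mknod" '
          'parent=1 profile="/usr/sbin/dhcpd" name="/var/run/dhcpd.pid" '
          'pid=1116 comm="dhcpd" requested_mask="c" denied_mask="c" '
          'fsuid=105 ouid=105')

# Permission letters that appear in AppArmor audit masks.
MASK_NAMES = {"r": "read", "w": "write", "a": "append", "c": "create",
              "d": "delete", "x": "execute", "m": "mmap-exec",
              "l": "link", "k": "lock"}
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def _norm(path):
    # /var/run is a symlink to /run on later Ubuntu releases; compare both alike.
    return path[4:] if path.startswith("/var/run/") else path


def explain(line, allowed_pid_dir="/var/run/dhcp-server/"):
    """Summarise a denial; allowed_pid_dir is an assumption taken from the thread."""
    rec = parse_denial(line)
    if rec is None:
        return None
    path = rec.get("name", "")
    fsuid = rec.get("fsuid", "")
    return {
        "profile": rec.get("profile"),
        "operation": rec.get("operation"),
        "path": path,
        "denied": [MASK_NAMES.get(c, "unknown(%s)" % c)
                   for c in rec.get("denied_mask", "")],
        "uid": int(fsuid) if fsuid.isdigit() else None,
        "outside_allowed_dir": not _norm(path).startswith(_norm(allowed_pid_dir)),
    }


if __name__ == "__main__":
    print(explain(SAMPLE))
```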

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. By default, isc-dhcp-server's dhcpd will use /var/run/dhcp-server/dhcpd.pid, and this is allowed by the AppArmor profile. /etc/dhcpd.conf is also a non-default (though common outside of Ubuntu) location for the configuration file, so it appears you are using non-default configuration options (and therefore either need to adjust the AppArmor profile, or your configuration). Can you attach your /etc/dhcpd.conf file?

Changed in isc-dhcp (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
tags: added: apparmor
koolhead17 (koolhead17) wrote :

Hi Jamie,
Apologies, but I think this is not a bug, as I reported earlier.

The dhcpd.conf is being written by cobbler and that is why I was getting the AppArmor error.
Maybe we need to write a policy in AppArmor to allow the writing of /etc/cobbler/dhcp.template to /etc/dhcpd.conf :)

Changed in isc-dhcp (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → New
Dave Walker (davewalker)
Changed in isc-dhcp (Ubuntu):
assignee: nobody → Ubuntu Server Team (ubuntu-server)
Dave Walker (davewalker)
tags: added: server-o-rs
Changed in isc-dhcp (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Adam Gandelman (gandelman-a) wrote :

The permission error is due to the fact that dhcpd is being started with no arguments and attempting to create the .pid file in a directory it does not have access to. If instead, it is started as 'dhcpd -pf /var/run/dhcp-server/dhcpd.pid' it will succeed in creating its pid file and reading its default configuration /etc/dhcpd.conf (regardless of how dhcpd.conf was generated). The isc-dhcp-server init script takes care of these details and ensures the daemon is being started with the correct defaults (which also use /etc/dhcp/dhcpd.conf instead of /etc/dhcpd.conf)

Furthermore, the location of the Cobbler-generated dhcpd.conf appears to not even be configurable anymore (since natty, at least). Instead, cobbler contains logic to determine where to put this based on distro and relies on distro-supplied init scripts to do the rest:

/usr/lib/python2.7/dist-packages/cobbler/utils.py:

def dhcpconf_location(api):
    version = api.os_version
    if version[0] in [ "redhat", "centos" ] and version[1] < 6:
        return "/etc/dhcpd.conf"
    elif version[0] in [ "fedora" ] and version[1] < 11:
        return "/etc/dhcpd.conf"
    else:
        return "/etc/dhcp/dhcpd.conf"

Changed in isc-dhcp (Ubuntu):
status: Confirmed → Invalid
koppor (olly) wrote :

I have the issue with last week's isc-dhcp-server, ubuntu 12.04 LTS.

That package uses /var/run/dhcpd.run and does NOT use the sub-directory /var/run/dhcp-server (as claimed by Jamie Strandboge (jdstrand)).

The solution for me was to add a symbolic link (as root):
ln -s /var/run/dhcp-server/dhcpd.pid /var/run/dhcpd.pid
Now everything works fine!

Wolfgang Fahl (wf-bitplan) wrote :

My network configuration fails on the same problem and the symbolic link
ln -s /var/run/dhcp-server/dhcpd.pid /var/run/dhcpd.pid

workaround does not work for me.

I consider this bug *very* severe. I can't use any network features without running a manual fix after *every* single boot.
I am mostly using Windows 7 now, so this is a follow-up of bug #1 of Ubuntu!

Wolfgang Fahl (wf-bitplan) wrote :

The comment above saying that dhcp should be started correctly put me on the track
I had to change /etc/init.d/isc-dhcp-server script
changing DHCPDPID to /var/run/dhcp3-server/dhcpd.pid

from /var/run/dpcpd.pid

/var/run can not be written to from the daemon user

koppor (olly) wrote :

Wolfgang, which version of Ubuntu are you using? On a fresh install of Ubuntu 12.04 LTS (without the transitional dhcp3-server package installed) the directory /var/run/dhcp3-server/ does not exist.

For you, instead of patching the isc-dhcp-server script,
ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
should have done the trick.
