[temporarily SOLVED] DHCP & apparmor issue

[christian]

Few days ago, I noticed on my Zentyal 2.2 platform, some DHCP related updates (Ubuntu updates)
I applied changes. So far so good 

Yesterday, I had to reboot my Zentyal server in order to check some problem another user was facing and I was not able to reproduce it.
Once Zentyal restarted, DHCP module couldn't start with error message in syslog:

Code: [Select]

Jun  2 18:09:58 igws kernel: [6247703.193717] type=1505 audit(1370189397.778:46):  operation="profile_replace" pid=17051 name="/usr/sbin/dhcpd3"
Jun  2 18:09:58 igws init: ebox.dhcpd3 main process (17899) killed by TERM signal
Jun  2 18:09:58 igws dhcpd: Warning: subnet 192.168.10.0/24 overlaps subnet 192.168.10.0/24
Jun  2 18:09:58 igws dhcpd: Wrote 0 deleted host decls to leases file.
Jun  2 18:09:58 igws dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun  2 18:09:58 igws dhcpd: Wrote 70 leases to leases file.
Jun  2 18:09:58 igws dhcpd: Open a socket for LPF: Permission denied
Jun  2 18:09:58 igws init: ebox.dhcpd3 main process (17084) terminated with status 1
Jun  2 18:09:58 igws init: ebox.dhcpd3 main process ended, respawning

Search in Zentyal forum quickly showed that similar errors occurred in the past:
ticket
topic

So for the time being, I've disabled apparmor for dhcpd

Code: [Select]

sudo ln -s /etc/apparmor.d/usr.sbin.dhcpd3 /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.dhcpd3
but I'm curious to know if I'm the only one facing this issue or not.

[Javier Amor Garcia]

Hello Christian,

I think you're affected by this upstream bug https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1107686

As you see there were already apparmor changes in upstream to fix it but in some circumstances the problem contineus to be triggered.

Maybe you could told them your configuration?. 

[christian]

Sure, what do you want to know ?

FYI, I pretty obviously went to same page and applied proposed fix (add "network packet raw,") but:
- it didn't work (although I may have made some typos as I did it very quickly)
- when I looked again at this file, my modifications where gone... I don't know why

[christian]

- when I looked again at this file, my modifications where gone... I don't know why

Because of a previous chat I had, I thought  apparmor was not directly overwritten by Zentyal but looking further, I notice this file:

/usr/share/zentyal/stubs/dhcp/apparmor-dhcpd.profiles.mas

which doesn't contain "network packet raw,"  so no wonder why changes I applied were not taken in account 

1 - my changes were don at the wrong place 
2 - please Zentyal update your .mas file to include "network packet raw," if my understanding is correct

[christian]

I can confirm that editing /usr/share/zentyal/stubs/dhcp/apparmor-dhcp.profiles.mas in order to add "network packet raw," (temporarily) solves the issue.

[Javier Amor Garcia]

Thanks for taking time for working on this.

I have made the pull request for the changes in the apparmor file: https://github.com/Zentyal/zentyal/pull/387

[meiser]

Could you also fix it in version 2.2? I ran into the same issue.

[christian]

I'm running 2.2 and what I describe works for 2.2 (I don't know about 3.0 but II guess this is just the same)

[Sam Graf]

3.0 may be unaffected. My test machine is working normally after updates and reboot.

[innocenti_jr]

I can confirm that editing /usr/share/zentyal/stubs/dhcp/apparmor-dhcp.profiles.mas in order to add "network packet raw," (temporarily) solves the issue.

I ran into the  same issue and adding this line solved it. So please fix this for v2.2, too.

[Javier Amor Garcia]

2.2 pull request -> https://github.com/Zentyal/zentyal/pull/388

[Javier Amor Garcia]

3.0 may be unaffected. My test machine is working normally after updates and reboot.

Yes, mine is unaffected and I see the 'network raw' line in the base dhcpd apparmor file, which is untouched in 3.0 . In 2.2 I have checked both the error and the fix.

The failure was reported to me also in 3.0. I will ask that person to make sure it was 3.0 and not 2.2

[Javier Amor Garcia]

I have talked with him and it was not 3.0

3.0 seems unaffected, so I have closed its pull request

[christian]

Thank you for dealing with this while you in the middle of freezing 3.2 code 

[innocenti_jr]

Thanks for fixing it and kudos to Christian!