Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: christian on June 03, 2013, 07:02:54 am

Title: [temporarily SOLVED] DHCP & apparmor issue
Post by: christian on June 03, 2013, 07:02:54 am
A few days ago, I noticed on my Zentyal 2.2 platform some DHCP-related updates (Ubuntu updates).
I applied changes. So far so good  :)

Yesterday, I had to reboot my Zentyal server in order to check some problem another user was facing and I was not able to reproduce it.
Once Zentyal restarted, the DHCP module couldn't start, with this error message in syslog:

Code:
Jun  2 18:09:58 igws kernel: [6247703.193717] type=1505 audit(1370189397.778:46):  operation="profile_replace" pid=17051 name="/usr/sbin/dhcpd3"
Jun  2 18:09:58 igws init: ebox.dhcpd3 main process (17899) killed by TERM signal
Jun  2 18:09:58 igws dhcpd: Warning: subnet 192.168.10.0/24 overlaps subnet 192.168.10.0/24
Jun  2 18:09:58 igws dhcpd: Wrote 0 deleted host decls to leases file.
Jun  2 18:09:58 igws dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun  2 18:09:58 igws dhcpd: Wrote 70 leases to leases file.
Jun  2 18:09:58 igws dhcpd: Open a socket for LPF: Permission denied
Jun  2 18:09:58 igws init: ebox.dhcpd3 main process (17084) terminated with status 1
Jun  2 18:09:58 igws init: ebox.dhcpd3 main process ended, respawning

A search in the Zentyal forum quickly showed that similar errors occurred in the past:
ticket (http://trac.zentyal.org/ticket/1898)
topic (http://forum.zentyal.org/index.php/topic,4886.msg20191.html#msg20191)

So for the time being, I've disabled apparmor for dhcpd
Code:
sudo ln -s /etc/apparmor.d/usr.sbin.dhcpd3 /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.dhcpd3

but I'm curious to know if I'm the only one facing this issue or not.
Title: Re: DHCP & apparmor issue
Post by: Javier Amor Garcia on June 03, 2013, 09:39:36 am
Hello Christian,

I think you're affected by this upstream bug https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1107686

As you see, there were already apparmor changes upstream to fix it, but in some circumstances the problem continues to be triggered.

Maybe you could tell them your configuration?
Title: Re: DHCP & apparmor issue
Post by: christian on June 03, 2013, 09:51:21 am
Sure, what do you want to know ?

FYI, I pretty obviously went to the same page and applied the proposed fix (add "network packet raw,") but:
- it didn't work (although I may have made some typos as I did it very quickly)
- when I looked again at this file, my modifications were gone... I don't know why
Title: Re: DHCP & apparmor issue
Post by: christian on June 03, 2013, 11:21:40 am
Quote
- when I looked again at this file, my modifications were gone... I don't know why

Because of a previous chat I had, I thought apparmor was not directly overwritten by Zentyal, but looking further, I noticed this file:
Quote
/usr/share/zentyal/stubs/dhcp/apparmor-dhcpd.profiles.mas
which doesn't contain "network packet raw," so no wonder the changes I applied were not taken into account  ::)

1 - my changes were done at the wrong place  :-[
2 - please Zentyal update your .mas file to include "network packet raw," if my understanding is correct
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: christian on June 03, 2013, 02:39:34 pm
I can confirm that editing /usr/share/zentyal/stubs/dhcp/apparmor-dhcp.profiles.mas in order to add "network packet raw," (temporarily) solves the issue.
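
Added example, not part of the thread: a shell check that compares the live dhcpd profile with the template it is regenerated from, reporting whether the "network packet raw," rule will survive and whether the disable workaround from the first post is still in place. It assumes, as the thread suggests, that Zentyal rewrites the live profile from the .mas stub; the function names and verdict words are invented for this example and the files in `demo` are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). File paths are passed as arguments;
# the sample files built in demo() are constructed for illustration.

# True if FILE has an uncommented "network packet raw," rule.
has_raw_rule() {
    grep -Eq '^[[:space:]]*network[[:space:]]+packet[[:space:]]+raw[[:space:]]*,' "$1"
}

# True if syslog FILE shows dhcpd failing to open its raw (LPF) socket.
lpf_denied() {
    grep -q 'dhcpd: Open a socket for LPF: Permission denied' "$1"
}

# audit_dhcpd STUB LIVE DISABLE_DIR: print one verdict word.
audit_dhcpd() {
    stub=$1 live=$2 disable_dir=$3
    name=$(basename "$live")
    if [ -e "$disable_dir/$name" ] || [ -L "$disable_dir/$name" ]; then
        echo unconfined      # workaround still active: dhcpd runs without a profile
    elif has_raw_rule "$live" && ! has_raw_rule "$stub"; then
        echo will-revert     # hand edit is lost when the profile is regenerated
    elif ! has_raw_rule "$live" && has_raw_rule "$stub"; then
        echo regenerate      # stub is fixed, live profile not rewritten yet
    elif ! has_raw_rule "$live"; then
        echo missing         # neither file grants the raw packet socket
    else
        echo ok
    fi
}

# Demo on constructed files: stub has the rule commented out, live file has it.
demo() {
    d=$(mktemp -d) && mkdir "$d/disable"
    printf '%s\n' 'Jun  2 18:09:58 igws dhcpd: Open a socket for LPF: Permission denied' > "$d/syslog"
    printf '%s\n' '/usr/sbin/dhcpd3 {' '  network inet raw,' '  # network packet raw,' '}' > "$d/stub.mas"
    printf '%s\n' '/usr/sbin/dhcpd3 {' '  network inet raw,' '  network packet raw,' '}' > "$d/usr.sbin.dhcpd3"
    lpf_denied "$d/syslog" && echo "LPF denial seen in log"
    audit_dhcpd "$d/stub.mas" "$d/usr.sbin.dhcpd3" "$d/disable"
    rm -rf "$d"
}
demo
```

A verdict of will-revert matches the situation described earlier in the thread, where an edit made only to the live profile disappeared.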
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: Javier Amor Garcia on June 03, 2013, 04:32:54 pm
Thanks for taking time for working on this.

I have made the pull request for the changes in the apparmor file: https://github.com/Zentyal/zentyal/pull/387
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: meiser on June 03, 2013, 08:20:39 pm
Could you also fix it in version 2.2? I ran into the same issue.
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: christian on June 03, 2013, 09:48:22 pm
I'm running 2.2 and what I describe works for 2.2 (I don't know about 3.0 but I guess this is just the same)
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: Sam Graf on June 03, 2013, 10:11:36 pm
3.0 may be unaffected. My test machine is working normally after updates and reboot.
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: innocenti_jr on June 04, 2013, 08:02:09 am
Quote
I can confirm that editing /usr/share/zentyal/stubs/dhcp/apparmor-dhcp.profiles.mas in order to add "network packet raw," (temporarily) solves the issue.

I ran into the same issue and adding this line solved it. So please fix this for v2.2, too.
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: Javier Amor Garcia on June 04, 2013, 08:30:47 am
2.2 pull request -> https://github.com/Zentyal/zentyal/pull/388
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: Javier Amor Garcia on June 04, 2013, 08:32:51 am
Quote
3.0 may be unaffected. My test machine is working normally after updates and reboot.

Yes, mine is unaffected and I see the 'network raw' line in the base dhcpd apparmor file, which is untouched in 3.0. In 2.2 I have checked both the error and the fix.

The failure was reported to me also in 3.0. I will ask that person to make sure it was 3.0 and not 2.2
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: Javier Amor Garcia on June 04, 2013, 08:58:27 am
I have talked with him and it was not 3.0

3.0 seems unaffected, so I have closed its pull request
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: christian on June 04, 2013, 09:02:10 am
Thank you for dealing with this while you are in the middle of freezing 3.2 code  ;)
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: innocenti_jr on June 04, 2013, 09:13:47 am
Thanks for fixing it and kudos to Christian!
Title: Re: [temporarily SOLVED] DHCP & apparmor issue
Post by: Escorpiom on June 05, 2013, 07:40:28 am
My Zentyal 2.2.9 server was also affected by this bug.
Replacing the video card needed a reboot; after that, dhcp was not starting, with the same error as Christian reported earlier.
Fixed it by adding the lines in the .mas file, dhcp service is starting fine now.

Cheers.