authorChristian Breunig <christian@breunig.cc>2023-12-31 07:28:57 +0100
committerGitHub <noreply@github.com>2023-12-31 07:28:57 +0100
commit2286b8600da6c631b17e1d5b9b341843e50f9abf (patch)
treee2032793be5a755c0e2c1c1317948ff6d244f30a
parent14dc8a8962f0a52107913423a750f36ed8e45160 (diff)
parent3192095a197ae8d74690ab5c676e6a5fabae7fae (diff)
downloadvyos-1x-2286b8600da6c631b17e1d5b9b341843e50f9abf.tar.gz
vyos-1x-2286b8600da6c631b17e1d5b9b341843e50f9abf.zip
Merge pull request #2696 from indrajitr/kea-lfc-fix
dhcp: T3316: Adjust kea lease files' location and permissions
-rw-r--r--debian/vyos-1x.postinst8
-rwxr-xr-xsrc/conf_mode/dhcp_server.py25
-rwxr-xr-xsrc/conf_mode/dhcpv6_server.py17
-rwxr-xr-xsrc/op_mode/clear_dhcp_lease.py3
-rwxr-xr-xsrc/op_mode/dhcp.py9
5 files changed, 38 insertions, 24 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index f7ebec8bc..74fd229b4 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -109,10 +109,10 @@ if ! grep -q '^hostsd' /etc/group; then
addgroup --quiet --system hostsd
fi
-# add dhcpd user for dhcp-server
-if ! grep -q '^dhcpd' /etc/passwd; then
- adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
- adduser --quiet dhcpd hostsd
+# Add _kea user for kea-dhcp{4,6}-server to vyattacfg
+# The user should exist via kea-common installed as transitive dependency
+if grep -q '^_kea' /etc/passwd; then
+ adduser --quiet _kea vyattacfg
fi
# ensure the proxy user has a proper shell
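Review bot: `grep -q '^_kea' /etc/passwd` is a prefix match, so any account whose name merely starts with `_kea` would satisfy it; anchor the field with `if grep -q '^_kea:' /etc/passwd; then` or use `if getent passwd _kea >/dev/null; then`. When the user is absent the branch is silently skipped, while dhcp_server.py in this same commit writes files with `user='_kea'`, so an `else echo "warning: _kea user missing, kea lease directory will not be group-accessible" >&2` branch would make that failure mode visible at install time rather than at the first commit. The `dhcpd` account created by earlier versions of this script is not removed here, which may be deliberate for upgrade safety; if so, a one-line comment saying so would help the next reader.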
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py
index c1308cda7..7ebc560ba 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/dhcp_server.py
@@ -27,9 +27,10 @@ from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.utils.dict import dict_search
from vyos.utils.dict import dict_search_args
+from vyos.utils.file import chmod_775
+from vyos.utils.file import makedir
from vyos.utils.file import write_file
from vyos.utils.process import call
-from vyos.utils.process import run
from vyos.utils.network import is_subnet_connected
from vyos.utils.network import is_addr_assigned
from vyos import ConfigError
@@ -39,8 +40,9 @@ airbag.enable()
ctrl_config_file = '/run/kea/kea-ctrl-agent.conf'
ctrl_socket = '/run/kea/dhcp4-ctrl-socket'
config_file = '/run/kea/kea-dhcp4.conf'
-lease_file = '/config/dhcp4.leases'
+lease_file = '/config/dhcp/dhcp4-leases.csv'
systemd_override = r'/run/systemd/system/kea-ctrl-agent.service.d/10-override.conf'
+user_group = '_kea'
ca_cert_file = '/run/kea/kea-failover-ca.pem'
cert_file = '/run/kea/kea-failover.pem'
@@ -308,8 +310,15 @@ def generate(dhcp):
dhcp['lease_file'] = lease_file
dhcp['machine'] = os.uname().machine
+ # Create directory for lease file if necessary
+ lease_dir = os.path.dirname(lease_file)
+ if not os.path.isdir(lease_dir):
+ makedir(lease_dir, group='vyattacfg')
+ chmod_775(lease_dir)
+
+ # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way
if not os.path.exists(lease_file):
- write_file(lease_file, '', user='_kea', group='vyattacfg', mode=0o755)
+ write_file(lease_file, '', user=user_group, group=user_group, mode=0o644)
for f in [cert_file, cert_key_file, ca_cert_file]:
if os.path.exists(f):
@@ -320,8 +329,8 @@ def generate(dhcp):
cert_name = dhcp['failover']['certificate']
cert_data = dhcp['pki']['certificate'][cert_name]['certificate']
key_data = dhcp['pki']['certificate'][cert_name]['private']['key']
- write_file(cert_file, wrap_certificate(cert_data), user='_kea', mode=0o600)
- write_file(cert_key_file, wrap_private_key(key_data), user='_kea', mode=0o600)
+ write_file(cert_file, wrap_certificate(cert_data), user=user_group, mode=0o600)
+ write_file(cert_key_file, wrap_private_key(key_data), user=user_group, mode=0o600)
dhcp['failover']['cert_file'] = cert_file
dhcp['failover']['cert_key_file'] = cert_key_file
@@ -329,14 +338,14 @@ def generate(dhcp):
if 'ca_certificate' in dhcp['failover']:
ca_cert_name = dhcp['failover']['ca_certificate']
ca_cert_data = dhcp['pki']['ca'][ca_cert_name]['certificate']
- write_file(ca_cert_file, wrap_certificate(ca_cert_data), user='_kea', mode=0o600)
+ write_file(ca_cert_file, wrap_certificate(ca_cert_data), user=user_group, mode=0o600)
dhcp['failover']['ca_cert_file'] = ca_cert_file
render(systemd_override, 'dhcp-server/10-override.conf.j2', dhcp)
- render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp)
- render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp)
+ render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp, user=user_group, group=user_group)
+ render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp, user=user_group, group=user_group)
return None
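Review bot: The directory permissions are applied only when `/config/dhcp` is freshly created — `chmod_775(lease_dir)` sits inside the `if not os.path.isdir(lease_dir)` branch — and an existing lease file is never re-owned, so a directory or file that already exists with other ownership keeps it even though the comment states `kea-lfc` needs `_kea` to own the file; moving `chmod_775(lease_dir)` out of the branch would at least enforce the directory mode on every commit. The identical block appears in src/conf_mode/dhcpv6_server.py, so a shared helper would keep the two from drifting. No migration of the previous `/config/dhcp4.leases` is visible in this commit; if it is not handled elsewhere, existing leases are dropped on upgrade. The lease file is created with `mode=0o644`, which exposes client MACs and hostnames to any local account; if `kea-lfc` only requires `_kea` as owner, `mode=0o640` would limit that while keeping the group readable. generate() starts before the hunk.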
diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py
index f9da3d84a..9cc57dbcf 100755
--- a/src/conf_mode/dhcpv6_server.py
+++ b/src/conf_mode/dhcpv6_server.py
@@ -22,8 +22,9 @@ from sys import exit
from vyos.config import Config
from vyos.template import render
-from vyos.template import is_ipv6
from vyos.utils.process import call
+from vyos.utils.file import chmod_775
+from vyos.utils.file import makedir
from vyos.utils.file import write_file
from vyos.utils.dict import dict_search
from vyos.utils.network import is_subnet_connected
@@ -33,7 +34,8 @@ airbag.enable()
config_file = '/run/kea/kea-dhcp6.conf'
ctrl_socket = '/run/kea/dhcp6-ctrl-socket'
-lease_file = '/config/dhcp6.leases'
+lease_file = '/config/dhcp/dhcp6-leases.csv'
+user_group = '_kea'
def get_config(config=None):
if config:
@@ -182,10 +184,17 @@ def generate(dhcpv6):
dhcpv6['lease_file'] = lease_file
dhcpv6['machine'] = os.uname().machine
+ # Create directory for lease file if necessary
+ lease_dir = os.path.dirname(lease_file)
+ if not os.path.isdir(lease_dir):
+ makedir(lease_dir, group='vyattacfg')
+ chmod_775(lease_dir)
+
+ # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way
if not os.path.exists(lease_file):
- write_file(lease_file, '', user='_kea', group='vyattacfg', mode=0o755)
+ write_file(lease_file, '', user=user_group, group=user_group, mode=0o644)
- render(config_file, 'dhcp-server/kea-dhcp6.conf.j2', dhcpv6)
+ render(config_file, 'dhcp-server/kea-dhcp6.conf.j2', dhcpv6, user=user_group, group=user_group)
return None
def apply(dhcpv6):
diff --git a/src/op_mode/clear_dhcp_lease.py b/src/op_mode/clear_dhcp_lease.py
index 2c95a2b08..7d4b47104 100755
--- a/src/op_mode/clear_dhcp_lease.py
+++ b/src/op_mode/clear_dhcp_lease.py
@@ -28,7 +28,7 @@ from vyos.utils.commit import commit_in_progress
config = ConfigTreeQuery()
base = ['service', 'dhcp-server']
-lease_file = '/config/dhcp4.leases'
+lease_file = '/config/dhcp/dhcp4-leases.csv'
def del_lease_ip(address):
@@ -52,7 +52,6 @@ def is_ip_in_leases(address):
Return True if address found in the lease file
"""
leases = kea_parse_leases(lease_file)
- lease_ips = []
for lease in leases:
if address == lease['address']:
return True
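Review bot: The lease path `'/config/dhcp/dhcp4-leases.csv'` is now spelled out independently in this file, in src/conf_mode/dhcp_server.py, src/conf_mode/dhcpv6_server.py and (as an f-string) in src/op_mode/dhcp.py; since the op-mode tools fail quietly if one copy drifts — `is_ip_in_leases` presumably just returns False on a missing or empty file — a single constant exported from vyos.kea, which the op-mode scripts already use for `kea_parse_leases`, would keep all four in sync. The loop in `is_ip_in_leases` also reads more directly as `return any(address == lease['address'] for lease in leases)`; the function's closing `return` is outside the hunk.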
diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py
index a9271ea79..02f4d5bbb 100755
--- a/src/op_mode/dhcp.py
+++ b/src/op_mode/dhcp.py
@@ -31,9 +31,6 @@ from vyos.configquery import ConfigTreeQuery
from vyos.kea import kea_get_active_config
from vyos.kea import kea_get_pool_from_subnet_id
from vyos.kea import kea_parse_leases
-from vyos.utils.dict import dict_search
-from vyos.utils.file import read_file
-from vyos.utils.process import cmd
from vyos.utils.process import is_systemd_service_running
time_string = "%a %b %d %H:%M:%S %Z %Y"
@@ -79,8 +76,8 @@ def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[], orig
Get DHCP server leases
:return list
"""
- lease_file = '/config/dhcp6.leases' if family == 'inet6' else '/config/dhcp4.leases'
- data = []
+ inet_suffix = '6' if family == 'inet6' else '4'
+ lease_file = f'/config/dhcp/dhcp{inet_suffix}-leases.csv'
leases = kea_parse_leases(lease_file)
if pool is None:
@@ -88,9 +85,9 @@ def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[], orig
else:
pool = [pool]
- inet_suffix = '6' if family == 'inet6' else '4'
active_config = kea_get_active_config(inet_suffix)
+ data = []
for lease in leases:
data_lease = {}
data_lease['ip'] = lease['address']