author | Christian Breunig <christian@breunig.cc> | 2023-12-31 07:28:57 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-31 07:28:57 +0100 |
commit | 2286b8600da6c631b17e1d5b9b341843e50f9abf (patch) | |
tree | e2032793be5a755c0e2c1c1317948ff6d244f30a | |
parent | 14dc8a8962f0a52107913423a750f36ed8e45160 (diff) | |
parent | 3192095a197ae8d74690ab5c676e6a5fabae7fae (diff) | |
Merge pull request #2696 from indrajitr/kea-lfc-fix
dhcp: T3316: Adjust kea lease files' location and permissions
-rw-r--r-- | debian/vyos-1x.postinst | 8 | ||||
-rwxr-xr-x | src/conf_mode/dhcp_server.py | 25 | ||||
-rwxr-xr-x | src/conf_mode/dhcpv6_server.py | 17 | ||||
-rwxr-xr-x | src/op_mode/clear_dhcp_lease.py | 3 | ||||
-rwxr-xr-x | src/op_mode/dhcp.py | 9 |
5 files changed, 38 insertions, 24 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index f7ebec8bc..74fd229b4 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -109,10 +109,10 @@ if ! grep -q '^hostsd' /etc/group; then
 addgroup --quiet --system hostsd
 fi
-# add dhcpd user for dhcp-server
-if ! grep -q '^dhcpd' /etc/passwd; then
- adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
- adduser --quiet dhcpd hostsd
+# Add _kea user for kea-dhcp{4,6}-server to vyattacfg
+# The user should exist via kea-common installed as transitive dependency
+if grep -q '^_kea' /etc/passwd; then
+ adduser --quiet _kea vyattacfg
 fi
 # ensure the proxy user has a proper shell
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py
index c1308cda7..7ebc560ba 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/dhcp_server.py
@@ -27,9 +27,10 @@ from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.utils.dict import dict_search
 from vyos.utils.dict import dict_search_args
+from vyos.utils.file import chmod_775
+from vyos.utils.file import makedir
 from vyos.utils.file import write_file
 from vyos.utils.process import call
-from vyos.utils.process import run
 from vyos.utils.network import is_subnet_connected
 from vyos.utils.network import is_addr_assigned
 from vyos import ConfigError
@@ -39,8 +40,9 @@ airbag.enable()
 ctrl_config_file = '/run/kea/kea-ctrl-agent.conf'
 ctrl_socket = '/run/kea/dhcp4-ctrl-socket'
 config_file = '/run/kea/kea-dhcp4.conf'
-lease_file = '/config/dhcp4.leases'
+lease_file = '/config/dhcp/dhcp4-leases.csv'
 systemd_override = r'/run/systemd/system/kea-ctrl-agent.service.d/10-override.conf'
+user_group = '_kea'
 ca_cert_file = '/run/kea/kea-failover-ca.pem'
 cert_file = '/run/kea/kea-failover.pem'
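Review bot: The new `if grep -q '^_kea' /etc/passwd; then` branch does nothing at all when the account is missing, while the conf_mode scripts in this same change write lease and config files with `user=user_group` (`_kea`), so a missing account only surfaces later as a commit failure with no hint from package installation; an `else` branch such as `else` / `echo "warning: _kea user not found, kea-dhcp services will not be usable" >&2` would make the dependency explicit. Adding `_kea` to vyattacfg also grants the daemon user write access to everything that is group-writable by vyattacfg, not just the lease directory created in dhcp_server.py; if that breadth is intended, a comment saying why (kea-lfc needs to create files in the lease directory, presumably) would help the next reader. The legacy dhcpd account is no longer created, but nothing removes it on upgraded systems, which may be acceptable but is worth stating in the comment.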
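Review bot: The lease path `lease_file = '/config/dhcp/dhcp4-leases.csv'` is now spelled out independently here, in dhcpv6_server.py, in clear_dhcp_lease.py and as an f-string template in dhcp.py's `_get_raw_server_leases`, so four copies must be kept in sync by hand the next time the location changes; a single definition in vyos.kea, next to `kea_parse_leases` which every one of those callers already imports, would remove the drift risk. The name `user_group` for a value that is used as both the owning user and the owning group reads ambiguously; either two names, `kea_user = kea_group = '_kea'`, or a comment `# kea runs as _kea:_kea; lease and config files are owned accordingly` would make the intent explicit.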
@@ -308,8 +310,15 @@ def generate(dhcp):
 dhcp['lease_file'] = lease_file
 dhcp['machine'] = os.uname().machine
+ # Create directory for lease file if necessary
+ lease_dir = os.path.dirname(lease_file)
+ if not os.path.isdir(lease_dir):
+ makedir(lease_dir, group='vyattacfg')
+ chmod_775(lease_dir)
+
+ # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way
 if not os.path.exists(lease_file):
- write_file(lease_file, '', user='_kea', group='vyattacfg', mode=0o755)
+ write_file(lease_file, '', user=user_group, group=user_group, mode=0o644)
 for f in [cert_file, cert_key_file, ca_cert_file]:
 if os.path.exists(f):
@@ -320,8 +329,8 @@ def generate(dhcp):
 cert_name = dhcp['failover']['certificate']
 cert_data = dhcp['pki']['certificate'][cert_name]['certificate']
 key_data = dhcp['pki']['certificate'][cert_name]['private']['key']
- write_file(cert_file, wrap_certificate(cert_data), user='_kea', mode=0o600)
- write_file(cert_key_file, wrap_private_key(key_data), user='_kea', mode=0o600)
+ write_file(cert_file, wrap_certificate(cert_data), user=user_group, mode=0o600)
+ write_file(cert_key_file, wrap_private_key(key_data), user=user_group, mode=0o600)
 dhcp['failover']['cert_file'] = cert_file
 dhcp['failover']['cert_key_file'] = cert_key_file
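Review bot: The ownership and mode of the lease directory are only applied inside `if not os.path.isdir(lease_dir):`, so a `/config/dhcp` that already exists with other ownership or permissions (created by hand, restored from a backup, or left by an earlier run) is never corrected, and kea-lfc then fails to write its working files there with nothing in this code reporting why; calling `chmod_775(lease_dir)` unconditionally after the `makedir` guard, or checking the group as well as existence, avoids that. Mode 0775 with group vyattacfg also makes the directory writable by every vyattacfg member rather than by the daemon alone, which may be intended for op-mode tooling but deserves a comment stating so. This block is duplicated verbatim in dhcpv6_server.py's generate(); a shared helper in vyos.kea taking the lease path would keep both copies in step. generate's body continues outside the hunk.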
@@ -329,14 +338,14 @@ def generate(dhcp):
 if 'ca_certificate' in dhcp['failover']:
 ca_cert_name = dhcp['failover']['ca_certificate']
 ca_cert_data = dhcp['pki']['ca'][ca_cert_name]['certificate']
- write_file(ca_cert_file, wrap_certificate(ca_cert_data), user='_kea', mode=0o600)
+ write_file(ca_cert_file, wrap_certificate(ca_cert_data), user=user_group, mode=0o600)
 dhcp['failover']['ca_cert_file'] = ca_cert_file
 render(systemd_override, 'dhcp-server/10-override.conf.j2', dhcp)
- render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp)
- render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp)
+ render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp, user=user_group, group=user_group)
+ render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp, user=user_group, group=user_group)
 return None
diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py
index f9da3d84a..9cc57dbcf 100755
--- a/src/conf_mode/dhcpv6_server.py
+++ b/src/conf_mode/dhcpv6_server.py
@@ -22,8 +22,9 @@ from sys import exit
 from vyos.config import Config
 from vyos.template import render
-from vyos.template import is_ipv6
 from vyos.utils.process import call
+from vyos.utils.file import chmod_775
+from vyos.utils.file import makedir
 from vyos.utils.file import write_file
 from vyos.utils.dict import dict_search
 from vyos.utils.network import is_subnet_connected
@@ -33,7 +34,8 @@ airbag.enable()
 config_file = '/run/kea/kea-dhcp6.conf'
 ctrl_socket = '/run/kea/dhcp6-ctrl-socket'
-lease_file = '/config/dhcp6.leases'
+lease_file = '/config/dhcp/dhcp6-leases.csv'
+user_group = '_kea'
 def get_config(config=None):
 if config:
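Review bot: `render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp, user=user_group, group=user_group)` and the `render(config_file, ...)` line after it make the `_kea` daemon account the owner of its own configuration files, so a misbehaving or compromised kea process can rewrite the configuration it is restarted with; the daemon only needs to read them, and `user='root', group=user_group` (with a group-readable mode, if render accepts one) gives the same functionality with less privilege. The same applies to the dhcpv6 `render(config_file, 'dhcp-server/kea-dhcp6.conf.j2', ...)` call further down. If ownership by `_kea` is actually required by kea or the ctrl-agent, a one-line comment saying so would save the next reader the question. generate's body starts outside the hunk.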
@@ -182,10 +184,17 @@ def generate(dhcpv6):
 dhcpv6['lease_file'] = lease_file
 dhcpv6['machine'] = os.uname().machine
+ # Create directory for lease file if necessary
+ lease_dir = os.path.dirname(lease_file)
+ if not os.path.isdir(lease_dir):
+ makedir(lease_dir, group='vyattacfg')
+ chmod_775(lease_dir)
+
+ # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way
 if not os.path.exists(lease_file):
- write_file(lease_file, '', user='_kea', group='vyattacfg', mode=0o755)
+ write_file(lease_file, '', user=user_group, group=user_group, mode=0o644)
- render(config_file, 'dhcp-server/kea-dhcp6.conf.j2', dhcpv6)
+ render(config_file, 'dhcp-server/kea-dhcp6.conf.j2', dhcpv6, user=user_group, group=user_group)
 return None
 def apply(dhcpv6):
diff --git a/src/op_mode/clear_dhcp_lease.py b/src/op_mode/clear_dhcp_lease.py
index 2c95a2b08..7d4b47104 100755
--- a/src/op_mode/clear_dhcp_lease.py
+++ b/src/op_mode/clear_dhcp_lease.py
@@ -28,7 +28,7 @@ from vyos.utils.commit import commit_in_progress
 config = ConfigTreeQuery()
 base = ['service', 'dhcp-server']
-lease_file = '/config/dhcp4.leases'
+lease_file = '/config/dhcp/dhcp4-leases.csv'
 def del_lease_ip(address):
@@ -52,7 +52,6 @@ def is_ip_in_leases(address):
 Return True if address found in the lease file
 """
 leases = kea_parse_leases(lease_file)
- lease_ips = []
 for lease in leases:
 if address == lease['address']:
 return True
diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py
index a9271ea79..02f4d5bbb 100755
--- a/src/op_mode/dhcp.py
+++ b/src/op_mode/dhcp.py
@@ -31,9 +31,6 @@ from vyos.configquery import ConfigTreeQuery
 from vyos.kea import kea_get_active_config
 from vyos.kea import kea_get_pool_from_subnet_id
 from vyos.kea import kea_parse_leases
-from vyos.utils.dict import dict_search
-from vyos.utils.file import read_file
-from vyos.utils.process import cmd
 from vyos.utils.process import is_systemd_service_running
 time_string = "%a %b %d %H:%M:%S %Z %Y"
@@ -79,8 +76,8 @@ def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[], orig
 Get DHCP server leases
 :return list
 """
- lease_file = '/config/dhcp6.leases' if family == 'inet6' else '/config/dhcp4.leases'
- data = []
+ inet_suffix = '6' if family == 'inet6' else '4'
+ lease_file = f'/config/dhcp/dhcp{inet_suffix}-leases.csv'
 leases = kea_parse_leases(lease_file)
 if pool is None:
@@ -88,9 +85,9 @@ def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[], orig
 else:
 pool = [pool]
- inet_suffix = '6' if family == 'inet6' else '4'
 active_config = kea_get_active_config(inet_suffix)
+ data = []
 for lease in leases:
 data_lease = {}
 data_lease['ip'] = lease['address'] |
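Review bot: `inet_suffix = '6' if family == 'inet6' else '4'` followed by `lease_file = f'/config/dhcp/dhcp{inet_suffix}-leases.csv'` treats every value of `family` other than `'inet6'` as IPv4, so a mistyped family such as `'inet4'` silently reads the v4 lease file instead of failing; an explicit guard, `if family not in ('inet', 'inet6'): raise ValueError(f'unsupported family: {family}')`, is cheap and turns the mistake into an error. Two pre-existing problems are visible in the signature shown in the hunk header: `state=[]` is a mutable default argument shared across calls, and `sorted=None` shadows the builtin; `state=None` with `state = state or []` at the top of the body is the usual fix for the first. _get_raw_server_leases starts and ends outside the hunk.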