Control: tags -1 + moreinfo

Hello Francesco,
On 15/01/23 at 11:53, Francesco Poli (wintermute) wrote:
> Package: isc-dhcp-client
> Version: 4.4.3-P1-1.1
> Severity: important
>
> Hello and thanks for maintaining ISC DHCP in Debian!
>

Thanks for your bug report!

> After upgrading packages ('isc-dhcp-client' itself or other libraries),
> it may happen that
>
>   # checkrestart
>
> (from the 'debian-goodies' package) tells me that an instance of dhclient
> should be restarted.
>
> One option is bringing down the corresponding network interface and then
> bringing it up again:
>
>   # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE
>
> This works (well, used to work, see below...), but has some drawbacks:
> it leaves the box briefly without network, if all goes well; if something
> goes wrong, it leaves the box without network, until something else is
> done to fix the issue (and it could be troublesome, if you are
> administering the box through an SSH session from a distant remote host...);
> it may cut existing network connections down; and so forth...
>
> A long time ago, I found what seems to be a better strategy.
> First of all, figure out the exact command line for dhclient:
>
>   # ps aux | grep dhclien[t]
>   root 738 0.0 0.0 5868 3604 ? Ss 09:37 0:00
>   /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf
>   /var/lib/dhcp/dhclient.enp0s25.leases -I -df
>   /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25
>
> Then, stop dhclient without releasing the current lease (as documented in
> the dhclient(8) man page):
>
>   # /sbin/dhclient -x -pf /run/dhclient.enp0s25.pid
>
> Finally start dhclient again with the previously found command line:
>
>   # /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf
>   /var/lib/dhcp/dhclient.enp0s25.leases -I -df
>   /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25
>
> This used to work without any network down-time, looked more failsafe and
> even quicker.
>
>
> Unfortunately, this second strategy no longer seems to work.
> When I issue the dhclient command with the "-x" option, nothing happens
> and dhclient goes on running.
>
> I noticed the following line in /var/log/kern.log :
>
>   2023-01-15T11:29:18.045334+01:00 $HOSTNAME kernel: [ 6692.708089] audit:
>   type=1400 audit(1673778558.040:25): apparmor="DENIED" operation="signal"
>   profile="/{,usr/}sbin/dhclient" pid=7192 comm="dhclient"
>   requested_mask="send" denied_mask="send" signal=term peer="unconfined"

I am not able to reproduce this with my current setup. I can successfully
run dhclient -x and it stops the related process.

Anyway, could you please test the attached patch?

>
> It seems to me that the AppArmor configuration in
> /etc/apparmor.d/sbin.dhclient
> is preventing the "-x" option from having any useful effect.
>
> I am not familiar with AppArmor, but I think that this operation should
> be somehow possible, otherwise the AppArmor configuration makes the "-x"
> option (almost) completely useless.
>
> Moreover, even the first strategy (ifdown/ifup) now seems to fail to
> work perfectly. After issuing the following command:
>
>   # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE

...

Do you see the same apparmor DENIED messages?

Cheers,

 -- Santiago

--- /var/tmp/sbin.dhclient 2023-01-16 14:23:17.981285558 +0100 +++ /etc/apparmor.d/sbin.dhclient 2023-01-16 14:25:04.975623364 +0100 @@ -70,6 +70,9 @@ /usr/lib/NetworkManager/nm-dhcp-helper Pxrm, signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper, + # https://bugs.debian.org/1028962 + signal (send) set=("term") peer=unconfined, + # Site-specific additions and overrides. See local/README for details. #include <local/sbin.dhclient> }
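
Review bot: the added rule, signal (send) set=("term") peer=unconfined, lets the confined dhclient send SIGTERM to any unconfined process, which is wider than the "dhclient -x" case from the report needs. The denial quoted in the report names peer="unconfined", so the instance being stopped was apparently not running under this profile; it is worth establishing why before widening the policy, and if the target can be expected to be confined, a rule naming the dhclient profile itself as peer would be narrower. The comment carries only the bug URL; a few words saying the rule exists so that "dhclient -x" can stop a running instance would make it self-explanatory in the profile.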
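
The question of whether the same AppArmor DENIED messages appear can be answered by filtering the kernel log for signal denials raised under the dhclient profile. The Python below is an added example, not part of the original thread or of the Debian package; the function names are hypothetical, and the sample log is constructed from the line quoted in the report plus one invented, unrelated denial. It also shows how the fields of a denial map onto the rule in the patch.

```python
import re
import shlex

# Constructed sample: line 1 is the denial quoted in the report, joined back
# onto one line; line 2 is an invented, unrelated denial for contrast.
SAMPLE_LOG = '''\
2023-01-15T11:29:18.045334+01:00 $HOSTNAME kernel: [ 6692.708089] audit: type=1400 audit(1673778558.040:25): apparmor="DENIED" operation="signal" profile="/{,usr/}sbin/dhclient" pid=7192 comm="dhclient" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
2023-01-15T11:30:02.000000+01:00 $HOSTNAME kernel: [ 6736.000000] audit: type=1400 audit(1673778602.000:26): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=7300 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

AUDIT_RE = re.compile(r'audit: type=1400 audit\((?P<epoch>[\d.]+):\d+\): (?P<fields>.*)$')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    try:
        tokens = shlex.split(m.group('fields'))  # strips the double quotes
    except ValueError:  # unbalanced quotes, e.g. a truncated line
        return None
    fields = dict(t.split('=', 1) for t in tokens if '=' in t)
    fields['epoch'] = float(m.group('epoch'))
    return fields


def signal_denials(log_text, profile_suffix='sbin/dhclient'):
    """List denied signal operations whose profile ends with profile_suffix."""
    hits = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if (f and f.get('apparmor') == 'DENIED' and f.get('operation') == 'signal'
                and f.get('profile', '').endswith(profile_suffix)):
            hits.append(f)
    return hits


def rule_for(hit):
    """Render the signal rule that would permit exactly this denied access."""
    return 'signal ({denied_mask}) set=("{signal}") peer={peer},'.format(**hit)


if __name__ == '__main__':
    for hit in signal_denials(SAMPLE_LOG):
        print(hit['comm'], hit['pid'], '->', hit['peer'], '|', rule_for(hit))
```

On a real system the input would be the contents of /var/log/kern.log, the file named in the report.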