Control: tags -1 + moreinfo

Hello Francesco,

On 15/01/23 at 11:53, Francesco Poli (wintermute) wrote:
> Package: isc-dhcp-client
> Version: 4.4.3-P1-1.1
> Severity: important
> 
> Hello and thanks for maintaining ISC DHCP in Debian!
> 

Thanks for your bug report!

> After upgrading packages ('isc-dhcp-client' itself or other libraries),
> it may happen that
> 
>   # checkrestart
> 
> (from the 'debian-goodies' package) tells me that an instance of dhclient
> should be restarted.
> 
> One option is bringing down the corresponding network interface and then
> bringing it up again:
> 
>   # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE
> 
> This works (well, used to work, see below...), but has some drawbacks:
> it leaves the box briefly without network, if all goes well; if something
> goes wrong, it leaves the box without network, until something else is
> done to fix the issue (and it could be troublesome, if you are
> administering the box through an SSH session from a distant remote host...);
> it may cut existing network connections down; and so forth...
> 
> A long time ago, I found what seems to be a better strategy.
> First of all, figure out the exact command line for dhclient:
> 
>   # ps aux | grep dhclien[t]
>   root         738  0.0  0.0   5868  3604 ?        Ss   09:37   0:00 
> /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf 
> /var/lib/dhcp/dhclient.enp0s25.leases -I -df 
> /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25
> 
> Then, stop dhclient without releasing the current lease (as documented in
> the dhclient(8) man page):
> 
>   # /sbin/dhclient -x -pf /run/dhclient.enp0s25.pid
> 
> Finally start dhclient again with the previously found command line:
> 
>   # /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf 
> /var/lib/dhcp/dhclient.enp0s25.leases -I -df 
> /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25
> 
> This used to work without any network down-time, looked more failsafe and
> even quicker.
> 
> 
> Unfortunately, this second strategy no longer seems to work.
> When I issue the dhclient command with the "-x" option, nothing happens
> and dhclient goes on running.
> 
> I noticed the following line in /var/log/kern.log :
> 
>   2023-01-15T11:29:18.045334+01:00 $HOSTNAME kernel: [ 6692.708089] audit: 
> type=1400 audit(1673778558.040:25): apparmor="DENIED" operation="signal" 
> profile="/{,usr/}sbin/dhclient" pid=7192 comm="dhclient" 
> requested_mask="send" denied_mask="send" signal=term peer="unconfined"

I am not able to reproduce this with my current setup. I can
successfully run dhclient -x and it stops the related process.

Anyway, could you please test the attached patch?

> 
> It seems to me that the AppArmor configuration in 
> /etc/apparmor.d/sbin.dhclient
> is preventing the "-x" option from having any useful effect.
> 
> I am not familiar with AppArmor, but I think that this operation should
> be somehow possible, otherwise the AppArmor configuration makes the "-x"
> option (almost) completely useless.
> 
> Moreover, even the first strategy (ifdown/ifup) now seems to fail to
> work perfectly. After issuing the following command:
> 
>   # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE
...

Do you see the same apparmor DENIED messages?

Cheers,

 -- Santiago
--- /var/tmp/sbin.dhclient	2023-01-16 14:23:17.981285558 +0100
+++ /etc/apparmor.d/sbin.dhclient	2023-01-16 14:25:04.975623364 +0100
@@ -70,6 +70,9 @@
   /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
   signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
 
+  # https://bugs.debian.org/1028962
+  signal (send) set=("term") peer=unconfined,
+
   # Site-specific additions and overrides. See local/README for details.
   #include <local/sbin.dhclient>
 }
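Review bot: the added rule `signal (send) set=("term") peer=unconfined,` lets the confined dhclient send SIGTERM to any unconfined process, not only to the dhclient instance named in the pid file; since AppArmor cannot narrow an unconfined peer any further, the comment above the rule should state why this breadth is needed (the reported denial is `signal=term peer="unconfined"`, i.e. the already-running dhclient was not under the profile) instead of only citing the bug number. Consider also the case where the running instance is itself confined by this profile: its peer label is then `/{,usr/}sbin/dhclient`, which this rule does not match, so `dhclient -x` would still be denied unless a rule such as `signal (send) set=("term") peer=/{,usr/}sbin/dhclient,` already exists elsewhere in the profile or is added next to this one.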

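The restart procedure quoted above (read the running dhclient's command line, stop it with `dhclient -x`, start it again with the same arguments) together with a check for the AppArmor denial that the report describes, as an added shell example; this is not code from the bug report or from the isc-dhcp packaging. It assumes the Debian paths shown in the report (`/run/dhclient.<iface>.pid`, `/sbin/dhclient`) and a readable `/proc/<pid>/cmdline`; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report or the isc-dhcp package.
# Restart the dhclient serving one interface without releasing its lease,
# re-using the exact command line the running instance was started with.
# Assumes the Debian layout from the report: /run/dhclient.<iface>.pid
# and /sbin/dhclient (assumptions, adjust for other layouts).
set -eu

# Turn a NUL-separated argv (the format of /proc/<pid>/cmdline) into one
# shell-quoted line, so it can be re-executed verbatim via "eval set --".
# Arguments containing a newline are not supported (dhclient has none).
quote_cmdline() {
    out=$(tr '\000' '\n' < "$1" | while IFS= read -r arg || [ -n "$arg" ]; do
        # single-quote each argument, escaping embedded single quotes
        esc=$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")
        printf " '%s'" "$esc"
    done)
    printf '%s\n' "${out# }"
}

# Succeed (and print the line) if LOGFILE holds the AppArmor denial from the
# report: dhclient confined by its profile being refused a "signal" operation.
signal_denied_in_log() {
    grep -F 'apparmor="DENIED" operation="signal" profile="/{,usr/}sbin/dhclient"' "$1"
}

# Stop the dhclient recorded in the pid file without releasing the lease
# (dhclient -x, as in the report), wait for it to exit, then start it again
# with the saved command line.  Must run as root.
restart_dhclient() {
    iface=$1
    pidfile=/run/dhclient.$iface.pid
    pid=$(cat "$pidfile")

    # Refuse to act unless the pid really belongs to a dhclient process.
    case $(tr '\000' '\n' < "/proc/$pid/cmdline" | head -n 1) in
        */dhclient) ;;
        *) echo "pid $pid is not dhclient" >&2; return 1 ;;
    esac

    # Capture the command line before the process goes away.
    cmd=$(quote_cmdline "/proc/$pid/cmdline")

    /sbin/dhclient -x -pf "$pidfile"

    # Give the old instance a few seconds to exit.  If it keeps running, the
    # SIGTERM was most likely blocked; point at the kernel log for the
    # apparmor="DENIED" operation="signal" line rather than guessing.
    for _ in 1 2 3 4 5; do
        kill -0 "$pid" 2>/dev/null || break
        sleep 1
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo "dhclient $pid still running after -x; check the kernel log:" >&2
        signal_denied_in_log /var/log/kern.log >&2 || true
        return 1
    fi

    eval "set -- $cmd"
    "$@"
}

# Usage: ./restart-dhclient.sh enp0s25   (does nothing when run without an argument)
if [ -n "${1-}" ]; then
    restart_dhclient "$1"
fi
```

The command line is taken from `/proc/<pid>/cmdline` rather than from `ps` output so that arguments are recovered exactly, without the line wrapping seen in the report; the wait loop is what distinguishes "-x did nothing" (the AppArmor case) from a normal restart.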