Hi Ralf,
If you install from packages instead of compiling, you are not
intended to use keactl, but rather systemd service files (which are
included) to control the processes. See here:
https://kb.isc.org/docs/isc-kea-packages#managing-kea-services
Thank you,
Darren Ankney
On Sat, Dec 14, 2024 at 12:19 PM Ralf Figge via Kea-users
<kea-users@lists.isc.org> wrote:
>
> Hi Darren,
>
> Yes, i compile it. But only with make. In the repo i didn´t find keacrtl, so
> i build it from the source.
> kea-dhcp4,kea-dhcp-ddns and kea-ctrl-agent are from the debian packages,
> published from isc. You are right, it looks like a problem with apparmor.
> Journalctl found many deny like this: Dez 14 17:26:10 figge-vm kernel: audit:
> type=1400 audit(1734193570.893:13453): apparmor="DENIED" operation="mknod"
> profile="kea-ctrl-agent" name="/run/kea/logger_lockfile" pid=78908
> comm="kea-ctrl-agent" requested_mask="c" denied_mask="c" fsuid=115 ouid=115
> aa-status say: root@figge-vm:/inst# aa-status apparmor module is loaded. 35
> profiles are loaded. 33 profiles are in enforce mode. /usr/bin/evince
> /usr/bin/evince-previewer /usr/bin/evince-previewer//sanitized_helper
> /usr/bin/evince-thumbnailer /usr/bin/evince//sanitized_helper
> /usr/bin/lxc-start /usr/bin/man /usr/lib/NetworkManager/nm-dhcp-client.action
> /usr/lib/NetworkManager/nm-dhcp-helper
> /usr/lib/connman/scripts/dhclient-script /usr/lib/cups/backend/cups-pdf
> /usr/sbin/cups-browsed /usr/sbin/cupsd /usr/sbin/cupsd//third_party
> /{,usr/}sbin/dhclient kea-ctrl-agent kea-dhcp-ddns kea-dhcp4 kea-dhcp6
> kea-lfc ..... Kea Profils are from November 2023. After a restart,
> kea-ctrl-agent and kea-dhcp-ddns run, but the dhcp servers not, apparmor say
> deny. regards Ralf Am 14.12.2024 um 12:33 schrieb Darren Ankney:
>
> Hi Ralf,
>
> It seems that you compiled from source as I see you using keactrl to
> start the processes? It also appears that you are root from your
> prompt. One thing you can try is to execute the commands manually
> that keactrl shows being executed:
>
> /sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
> /sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
> /sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
>
> But, I encourage you to check apparmor as I suspect that apparmor is
> tripping you up. Debian 12 does not use plain text logs, so here is
> how you might check for apparmor problems (as root):
>
> journalctl -xe | grep audit | grep DENIED
>
> There are certainly specific switches to get journalctl to find
> exactly what you are after, but the above should work.
>
> A good source of information about apparmor:
> https://wiki.debian.org/AppArmor/HowToUse
>
> Thank you,
> Darren Ankney
>
> On Sat, Dec 14, 2024 at 3:33 AM Ralf Figge via Kea-users
> <kea-users@lists.isc.org> wrote:
>
> Hello,
> i use Debian 12. KEA 2.61 has run very well. I wanted to test some new
> featues from 2.7.5, so i has make an update ..
> After the update, i become follwing errors:
>
> root@figge-vm:/inst# keactrl version
> keactrl: 2.7.5-git
> kea-dhcp4: 2.7.5
> kea-dhcp6: 2.7.5
> kea-dhcp-ddns: 2.7.5
> kea-ctrl-agent: 2.7.5
> root@figge-vm:/inst# keactrl start
> INFO/keactrl: Starting /sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
> INFO/keactrl: Starting /sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
> INFO/keactrl: Starting /sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
> root@figge-vm:/inst# Unable to use interprocess sync lockfile
> (Permission denied): /var/run/kea/logger_lockfile
> Unable to use interprocess sync lockfile (Permission denied):
> /var/run/kea/logger_lockfile
> Unable to use interprocess sync lockfile (Permission denied):
> /var/run/kea/logger_lockfile
> kea-dhcp4: Fatal error during start up: Unable to open PID file
> '/var/run/kea/kea-dhcp4.kea-dhcp4.pid' for write
> Unable to use interprocess sync lockfile (Permission denied):
> /var/run/kea/logger_lockfile
> Unable to use interprocess sync lockfile (Permission denied):
> /var/run/kea/logger_lockfile
> Service failed: Launch failed: Unable to open PID file
> '/var/run/kea/kea-dhcp-ddns.kea-dhcp-ddns.pid' for write
> Unable to use interprocess sync lockfile (Permission denied):
> /var/run/kea/logger_lockfile
> Service failed: Launch failed: Unable to open PID file
> '/var/run/kea/kea-ctrl-agent.kea-ctrl-agent.pid' for write
>
> Have somebody has an idea, what is going wrong with this update ?
> Starting over keactrl and systemctl does not work.
>
> Regards
> Ralf
> --
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
>
>
> --
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
