Hi Ben,
Thanks for the clarification. I did some additional testing today and can
now provide complete examples of what I’m seeing.
Environment details:
1. Debian 12
2. Kea installed from official ISC packages (isc-kea-admin, isc-kea-dhcp4,
   etc.)
3. kea-shell located at /usr/sbin/kea-shell
4. kea-shell --help shows support for HTTP, authentication and Control
   Agent parameters, including:
   - --host
   - --port
   - --service
   - --auth-user
   - --auth-password-file
The issue is that kea-shell appears to ignore these parameters at runtime.
Examples:
1. This command hangs indefinitely and produces no output until I press
   Ctrl-C:

   echo '{ "command": "list-commands" }' | \
     kea-shell --host 127.0.0.1 --port 8000 \
     --auth-user xxx \
     --auth-password-file /etc/kea/kea-api-password \
     --service dhcp4

2. This also hangs with no output:

   kea-shell --host 127.0.0.1 --port 8000 \
     --service dhcp4 \
     list-commands

3. Even running the simplest possible HTTP-based invocation results in the
   same hanging behavior.
In contrast, using curl with the same Control Agent, host/port and
authentication works perfectly. For example:

   curl -u xxx:"$(cat /etc/kea/kea-api-password)" \
     -H "Content-Type: application/json" \
     -X POST \
     -d '{ "command": "version-get", "service": [ "dhcp4" ] }' \
     http://127.0.0.1:8000/

returns the expected JSON response immediately.
This leads me to wonder:
1. Is it expected behavior that kea-shell ignores HTTP/authentication
   parameters in the ISC Debian packages?
2. Should kea-shell be able to communicate with an authenticated Control
   Agent, or is this a known limitation?
3. Is kea-shell still supposed to use the UNIX control socket even when
   HTTP parameters are explicitly provided?
Any clarification would be appreciated.
Thanks again for the guidance.
Oliver
On Fri, 5 Dec 2025 at 22:15, Ben Scott (<[email protected]>) wrote:
> Hello,
>
> On 12/5/25 07:01, Oliver wrote:
> > kea-shell --auth-user ... lease4-del ...
>
> That above is, of course, not a valid kea-shell command. It is *part*
> of a command. The parts you omitted are likely necessary for us to
> understand what is going on. By all means, substitute placeholders for
> things like passwords and names and such, but please provide complete
> information. We cannot diagnose a partial command. We need to know all
> the kea-shell options you used, and the API content you fed into it.
>
> A complete invocation of kea-shell, with HTTP authentication, is
> generally going to look something like this (all one line):
>
> echo ' "ip-address": "192.0.2.202" ' | kea-shell --service dhcp4
> --auth-user bscott --auth-pass drowssap
>
> > I also noticed that the Control Agent rejects attempts to use absolute
> > paths (e.g., /run/kea/kea4-ctrl-socket) with the error:
> > “invalid path specified, supported path is /etc/kea”
> > so I cannot use explicit absolute socket paths.
>
> Well, you can use absolute paths, but they are restricted to the
> directory acceptable for the type of file in question. These and other
> restrictions were introduced in Kea 2.6.3, 2.7.8, and 3.0.0, in an
> effort to harden Kea against abuse. The acceptable directories are set
> at build time, but can be overridden with environment variables. See
> the release notes for more information.
>
> For example, see the following page, starting at item #32:
>
>
> https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes/release-notes-3.0.0
>
> Hope this helps,
>
> -- Ben
>
> --
> Any opinions expressed in this message are those of the author alone.
> All information is provided without warranty of any kind.
>
> --
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> [email protected]
> <https://lists.isc.org/mailman/listinfo/[email protected]>
>