On Thu, Sep 20, 2012 at 11:33:33PM +0000, Brian Candler wrote:
> (2) I need to restart dhcpd, and indeed it is running, but the
> administration->services page shows
>
> dhcpd (expected status) stopped (actual status) running
>
> with no action buttons next to it. Clearly I cannot use the usual initscript
> because, for example, DHCPDARGS is set to empty string in
> /etc/sysconfig/dhcpd
So I went through the code to work out why "Expected Status" is Stopped.
# /usr/local/pf/bin/pfcmd config get services.dhcpd
services.dhcpd=|enabled|enabled;disabled|toggle
# /usr/local/pf/bin/pfcmd service pf status
service|shouldBeStarted|pid
named|0|7310
dhcpd|0|7319
snort|0|0
suricata|0|0
radiusd|0|7328
httpd|1|8890 8889 8888 8887 8880 8879 8873 8048 7426 7335 7079 6800 6264 6263
6261
snmptrapd|1|7337
pfdetect|0|0
pfredirect|0|0
pfsetvlan|1|7351
pfdhcplistener|1|7350
pfmon|1|7352
Tracing this back through
html/admin/administration/services.php
bin/pfcmd # service()
lib/pf/services.pm # pf::services::service_list() for
services_which_should_be_started
} elsif ( $service eq "dhcpd" ) {
push @finalServiceList, $service
if ( (is_inline_enforcement_enabled() ||
is_vlan_enforcement_enabled())
&& isenabled($Config{'services'}{'dhcpd'}) );
lib/pf/config.pm # is_vlan_enforcement_enabled()
# cache hit
return $cache_vlan_enforcement_enabled if
(defined($cache_vlan_enforcement_enabled));
Hmm.. we don't like caches, so I did /etc/init.d/packetfence restart but
that didn't help.
foreach my $interface (@internal_nets) {
my $device = "interface " . $interface->tag("int");
if (defined($Config{$device}{'enforcement'}) &&
$Config{$device}{'enforcement'} eq $IF_ENFORCEMENT_VLAN) {
# cache the answer for future access
$cache_vlan_enforcement_enabled = $TRUE;
return $TRUE;
}
}
Oh right, here's the problem:
# /usr/local/pf/bin/pfcmd config get interface.eth0.enforcement
interface.eth0.enforcement=||vlan;inline|toggle
# cat conf/pf.conf
[interface eth0]
ip=X.X.X.14
type=internal,management
mask=255.255.255.224
enforcement=
...
It turns out in the GUI, eth0 had
Type: internal *and* management selected
Enforcement: "only if type internal"
So the problem is that the default "only if type internal" does not work if
you select internal *and* something else. I set it to "VLAN" and now the
daemons are controllable. Phew!
Anyway, next problem: dhcpd doesn't start.
# /usr/local/pf/bin/pfcmd service dhcpd start
Checking configuration sanity...
...
No subnet declaration for eth0 (X.X.X.14).
** Ignoring requests on eth0. If this is not what
you want, please write a subnet declaration
in your dhcpd.conf file for the network segment
to which interface eth0 is attached. **
Not configured to listen on any interfaces!
...
exiting.
That's correct. I don't want dhcpd to be a DHCP server on the subnet to which
it is directly connected (a dedicated server subnet); I only want it to
serve DHCP for the remote registration/isolation subnets.
/usr/local/pf/var/conf/dhcpd.conf contains:
-----
# This file is generated from a template at /usr/local/pf/conf/dhcpd.conf
# Any changes made to this file will be lost on restart
# dhcpd configuration
# This file is manipulated on PacketFence's startup before being given to dhcpd
authoritative;
ddns-update-style none;
ignore client-updates;
subnet 10.2.254.0 netmask 255.255.255.0 {
option routers 10.2.254.1;
option subnet-mask 255.255.255.0;
option domain-name "vlan-isolation.example.com";
option domain-name-servers X.X.X.14;
range 10.2.254.10 10.2.254.250;
default-lease-time 30;
max-lease-time 30;
}
subnet 10.2.255.0 netmask 255.255.255.0 {
option routers 10.2.255.1;
option subnet-mask 255.255.255.0;
option domain-name "vlan-registration.example.com";
option domain-name-servers X.X.X.14;
range 10.2.255.10 10.2.255.250;
default-lease-time 30;
max-lease-time 30;
}
-----
But dhcpd.conf(5) says:
For every subnet which will be served, and for every subnet to which
the dhcp server is connected, there must be one subnet declaration,
which tells dhcpd how to recognize that an address is on that subnet.
A subnet declaration is required for each subnet even if no addresses
will be dynamically allocated on that subnet.
I cannot see a way in lib/pf/services/dhcpd.pm where the %%networks%% can
be extended to include a network without providing DHCP service on it.
So I have extended the template conf/dhcpd.conf
subnet X.X.X.0 netmask 255.255.255.224 {
}
and now dhcpd is happy.
I am left wondering if (a) I am being extremely dense, or (b) PacketFence is
not really expected to be used out-of-the-box for enforcement on routed
subnets.
Anyway, if these are considered genuine issues then I'm happy to raise
proper tickets for them, although it won't be for a few days as I'm really
pressed to get this PF installation running.
Also, would you also be interested in a (long) FAQ entry on how to get
Packet Fence up and running for routed enforcement?
Regards,
Brian.
------------------------------------------------------------------------------
Got visibility?
Most devs has no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
