Bug#1028962: isc-dhcp-client: -x option no longer works (looks like apparmor configuration prevents it from having any effect)

2023-01-16 Thread Francesco Poli
Control: tags -1 + unreproducible


On Mon, 16 Jan 2023 14:28:05 +0100 Santiago Ruano Rincón wrote:

[...]
> I am not able to reproduce this with my current setup.

Nor am I! :-o

> I can successfully run dhclient -x and it stops the related process.

I tried again today and now I can also use the "-x" option and the
"ifdown" command, as well, without any unexpected behavior.

That's really awkward.
What's different in my box, with respect to yesterday?!?

There have been other package upgrades, of course, but none of them looks
related to AppArmor or to isc-dhcp-client.

There has been a poweroff and a boot (well, actually, two of them, if I
recall correctly), but we are talking about Debian GNU/Linux here, not
about That Other Operating System™ that needs to be rebooted for each
and every little trifle! ;-)
Hence I would be a little surprised, if it turned out that the reboot
helped...

What else could have changed the result?

> 
> Anyway, could you please test the attached patch?

Thanks for preparing the patch, but I am not going to test it for the
time being, since I am currently unable to reproduce the bug...

[...]
> > Moreover, even the first strategy (ifdown/ifup) now seems to fail to
> > work perfectly. After issuing the following command:
> > 
> >   # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE
> ...
> 
> Do you see the same apparmor DENIED messages?

Yes, I saw the same AppArmor error message in /var/log/kern.log, when I
tried ifdown yesterday.

Somehow everything seems to work flawlessly today.

Hence, I am tagging this bug report as 'unreproducible' and leaving the
'moreinfo' tag.
If I don't come back with additional information for some time, please
feel free to close the bug report.

And many thanks for your prompt and kind reply!
Bye. :-)



-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#1028962: isc-dhcp-client: -x option no longer works (looks like apparmor configuration prevents it from having any effect)

2023-01-16 Thread Santiago Ruano Rincón
Control: tags -1 + moreinfo

Hello Francesco,

On 15/01/23 at 11:53, Francesco Poli (wintermute) wrote:
> Package: isc-dhcp-client
> Version: 4.4.3-P1-1.1
> Severity: important
> 
> Hello and thanks for maintaining ISC DHCP in Debian!
> 

Thanks for your bug report!

> After upgrading packages ('isc-dhcp-client' itself or other libraries),
> it may happen that
> 
>   # checkrestart
> 
> (from the 'debian-goodies' package) tells me that an instance of dhclient
> should be restarted.
> 
> One option is bringing down the corresponding network interface and then
> bringing it up again:
> 
>   # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE
> 
> This works (well, used to work, see below...), but has some drawbacks:
> it leaves the box briefly without network, if all goes well; if something
> goes wrong, it leaves the box without network, until something else is
> done to fix the issue (and it could be troublesome, if you are
> administering the box through an SSH session from a distant remote host...);
> it may cut existing network connections down; and so forth...
> 
> A long time ago, I found what seems to be a better strategy.
> First of all, figure out the exact command line for dhclient:
> 
>   # ps aux | grep dhclien[t]
>   root 738  0.0  0.0   5868  3604 ?        Ss   09:37   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf /var/lib/dhcp/dhclient.enp0s25.leases -I -df /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25
> 
> Then, stop dhclient without releasing the current lease (as documented in
> the dhclient(8) man page):
> 
>   # /sbin/dhclient -x -pf /run/dhclient.enp0s25.pid
> 
> Finally start dhclient again with the previously found command line:
> 
>   # /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf /var/lib/dhcp/dhclient.enp0s25.leases -I -df /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25
> 
> This used to work without any network down-time, looked more failsafe and
> even quicker.
> 
> 
> Unfortunately, this second strategy no longer seems to work.
> When I issue the dhclient command with the "-x" option, nothing happens
> and dhclient goes on running.
> 
> I noticed the following line in /var/log/kern.log :
> 
>   2023-01-15T11:29:18.045334+01:00 $HOSTNAME kernel: [ 6692.708089] audit: type=1400 audit(1673778558.040:25): apparmor="DENIED" operation="signal" profile="/{,usr/}sbin/dhclient" pid=7192 comm="dhclient" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

I am not able to reproduce this with my current setup. I can
successfully run dhclient -x and it stops the related process.

Anyway, could you please test the attached patch?

> 
> It seems to me that the AppArmor configuration in /etc/apparmor.d/sbin.dhclient
> is preventing the "-x" option from having any useful effect.
> 
> I am not familiar with AppArmor, but I think that this operation should
> be somehow possible, otherwise the AppArmor configuration makes the "-x"
> option (almost) completely useless.
> 
> Moreover, even the first strategy (ifdown/ifup) now seems to fail to
> work perfectly. After issuing the following command:
> 
>   # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE
...

Do you see the same apparmor DENIED messages?

Cheers,

 -- Santiago
--- /var/tmp/sbin.dhclient	2023-01-16 14:23:17.981285558 +0100
+++ /etc/apparmor.d/sbin.dhclient	2023-01-16 14:25:04.975623364 +0100
@@ -70,6 +70,9 @@
   /usr/lib/NetworkManager/nm-dhcp-helper  Pxrm,
   signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
 
+  # https://bugs.debian.org/1028962
+  signal (send) set=("term") peer=unconfined,
+
   # Site-specific additions and overrides. See local/README for details.
   #include 
 }
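
Review bot: `peer=unconfined` in the added rule `signal (send) set=("term") peer=unconfined,` lets the confined dhclient send SIGTERM to every unconfined process on the system, which is wider than `dhclient -x` needs, since it only has to signal the dhclient instance named in the pid file. The denial in the report shows the target carrying the `unconfined` label, so it is worth establishing why the running instance is not under the `/{,usr/}sbin/dhclient` profile before widening the policy; if the target can be kept confined, a rule with that profile as the peer would cover the case. The comment above the rule gives only the bug URL; one line saying that the rule exists so that `dhclient -x` can stop a running instance would help the next reader of the profile.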




Bug#1028962: isc-dhcp-client: -x option no longer works (looks like apparmor configuration prevents it from having any effect)

2023-01-15 Thread Francesco Poli (wintermute)
Package: isc-dhcp-client
Version: 4.4.3-P1-1.1
Severity: important

Hello and thanks for maintaining ISC DHCP in Debian!

After upgrading packages ('isc-dhcp-client' itself or other libraries),
it may happen that

  # checkrestart

(from the 'debian-goodies' package) tells me that an instance of dhclient
should be restarted.

One option is bringing down the corresponding network interface and then
bringing it up again:

  # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE

This works (well, used to work, see below...), but has some drawbacks:
it leaves the box briefly without network, if all goes well; if something
goes wrong, it leaves the box without network, until something else is
done to fix the issue (and it could be troublesome, if you are
administering the box through an SSH session from a distant remote host...);
it may cut existing network connections down; and so forth...

A long time ago, I found what seems to be a better strategy.
First of all, figure out the exact command line for dhclient:

  # ps aux | grep dhclien[t]
  root 738  0.0  0.0   5868  3604 ?        Ss   09:37   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf /var/lib/dhcp/dhclient.enp0s25.leases -I -df /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25

Then, stop dhclient without releasing the current lease (as documented in
the dhclient(8) man page):

  # /sbin/dhclient -x -pf /run/dhclient.enp0s25.pid

Finally start dhclient again with the previously found command line:

  # /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf /var/lib/dhcp/dhclient.enp0s25.leases -I -df /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25

This used to work without any network down-time, looked more failsafe and
even quicker.


Unfortunately, this second strategy no longer seems to work.
When I issue the dhclient command with the "-x" option, nothing happens
and dhclient goes on running.

I noticed the following line in /var/log/kern.log :

  2023-01-15T11:29:18.045334+01:00 $HOSTNAME kernel: [ 6692.708089] audit: type=1400 audit(1673778558.040:25): apparmor="DENIED" operation="signal" profile="/{,usr/}sbin/dhclient" pid=7192 comm="dhclient" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

It seems to me that the AppArmor configuration in /etc/apparmor.d/sbin.dhclient
is preventing the "-x" option from having any useful effect.

I am not familiar with AppArmor, but I think that this operation should
be somehow possible, otherwise the AppArmor configuration makes the "-x"
option (almost) completely useless.

Moreover, even the first strategy (ifdown/ifup) now seems to fail to
work perfectly. After issuing the following command:

  # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE

I see that two dhclient instances are running (the previously existing
one, and a new one). And I see the same error in /var/log/kern.log .
Hence, I have to manually kill the previous instance:

  # kill -TERM $OLD_DHCLIENT_PID


All this seems to be extremely annoying and inconvenient.

Please note that I set severity "important" for this bug report,
but one could even claim that this is "grave". Especially taking
into account that ifdown does not stop the running DHCP client...


Please fix the AppArmor configuration or suggest an alternative strategy
to stop the DHCP client without releasing the current lease.
And anyway, please fix the package, so that ifdown works correctly!

Bye and thanks for your time and dedication!




-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-6-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages isc-dhcp-client depends on:
ii  debianutils  5.7-0.4
ii  iproute2     6.1.0-1
ii  libc6        2.36-8

Versions of packages isc-dhcp-client recommends:
ii  isc-dhcp-common  4.4.3-P1-1.1

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd 
pn  isc-dhcp-client-ddns  
pn  resolvconf

-- no debconf information
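
The denial quoted in the report, run through a small parser, as an added example that is not part of the original thread: it extracts the key=value fields of AppArmor audit records from kern.log text and counts refused signal operations per profile, signal and peer label. The sample log is constructed (only its first record comes from the report) and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample input. The first record is the denial quoted in the
# report ($HOSTNAME is the reporter's placeholder); the other two lines are
# made up to show what the filter skips.
SAMPLE_KERN_LOG = """\
2023-01-15T11:29:18.045334+01:00 $HOSTNAME kernel: [ 6692.708089] audit: type=1400 audit(1673778558.040:25): apparmor="DENIED" operation="signal" profile="/{,usr/}sbin/dhclient" pid=7192 comm="dhclient" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
2023-01-15T11:30:02.000000+01:00 $HOSTNAME kernel: [ 6736.000000] audit: type=1400 audit(1673778602.000:26): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=7300 comm="apparmor_parser"
2023-01-15T11:31:00.000000+01:00 $HOSTNAME kernel: [ 6794.000000] usb 1-1: new high-speed USB device number 5 using xhci_hcd
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare
AUDIT_ID_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")  # audit(epoch.ms:serial)


def parse_apparmor_record(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    if "apparmor=" not in line:
        return None
    record = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    audit_id = AUDIT_ID_RE.search(line)
    if audit_id:
        record["epoch"] = int(audit_id.group(1))   # seconds since the epoch
        record["serial"] = int(audit_id.group(2))  # audit event serial number
    return record


def denied_signals(log_text):
    """Yield records where a confined process was refused a signal operation."""
    for line in log_text.splitlines():
        record = parse_apparmor_record(line)
        if record and record.get("apparmor") == "DENIED" and record.get("operation") == "signal":
            yield record


def summarize(log_text):
    """Count denials per (profile, direction, signal, peer label)."""
    return Counter(
        (r.get("profile"), r.get("denied_mask"), r.get("signal"), r.get("peer"))
        for r in denied_signals(log_text)
    )


if __name__ == "__main__":
    for (profile, mask, sig, peer), count in summarize(SAMPLE_KERN_LOG).items():
        print(f"{count}x profile={profile} {mask} signal={sig} peer={peer}")
```

A peer label of `unconfined` in the summary means the signalled process was running outside any profile at the time of the denial.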