Re: [Kea-users] kea docker

2023-08-24 Thread Eric Graham
Michael,

I don't believe you can do a layer 2 broadcast out of the Docker network since 
it's routed internally. If you change the network mode on your Kea container to 
host mode, you might get some speed improvement (however small) and broadcast 
should work (it does in my testing).

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Kea-users  on behalf of mtint hpc 

Sent: Thursday, August 24, 2023 8:40 AM
To: kea-users@lists.isc.org 
Subject: [Kea-users] kea docker

CAUTION: This email originated outside the organization. Do not click any links 
or attachments unless you have verified the sender.
Hi All,

I am new to Kea and Docker.

Looking to replace the existing DHCP service + IPAM from Efficient IP with a 
Docker-based DHCP server running Kea + phpIPAM.

I see many guides on how to do this – this one seemed to be good - 
https://github.com/xjasonlyu/docker-kea-dhcp4/tree/master. The env I have is 
secured and is not connected to the internet directly, and I have downloaded 
the deb files manually and installed them.

I assume that should do the trick, and since I am new to Docker also, I need a 
test env to test this.
My desktop, which is Ubuntu, is running Docker, and I assume the only way to 
test this is to create a few Docker containers and request an IP from Kea DHCP. 
I know this is going out of scope, but can a container be set up to use DHCP, 
and will the Kea DHCP server broadcast outside the Docker network?

Kind Regards,

Michael
-- 
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users


Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

2023-06-30 Thread Eric Graham
Stefan,

Sounds good! That should be all... I'd just test by first trying a simple cURL 
to the control agent, maybe. It shouldn't complain about an unknown cert; if it 
does, then there's clearly an issue. I also ran into issues where, for some 
unknown reason, my certificates weren't validating against the CA... so 
checking that is maybe worth it, if the cURL test fails. But if that was the 
case, I'd expect heartbeats between the two servers to be failing as well.

Good luck to you with your changes. 

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Stefan G. Weichinger 
Sent: Friday, June 30, 2023 11:23 AM
To: Eric Graham ; kea-users@lists.isc.org 

Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork 
and dhcp4 gets lost

On 30.06.23 at 17:53, Eric Graham wrote:
> Stefan,
>
> I've been down this road and the short answer is to not bother trying to
> use the various options to skip certificate verification. Those settings
> don't do what you (I) think they do, and it's easier to just make the
> certs work.
>
> When you generate the certificates under your CA, add the IP address of
> each server as an IP SAN. For example, given a key, CA, and CSR, this is
> how I make a certificate:
>
> HOSTNAME='1.2.3.4'
> openssl x509 -req -sha512 -days 365 -in ${HOSTNAME}.csr -CA ca.crt \
>   -CAkey cakey.pem -CAcreateserial -out ${HOSTNAME}.crt -extensions SAN \
>   -extfile <(printf "[SAN]\nsubjectAltName=IP:${HOSTNAME}")
>
> In my case, I only care to make the certificate work for IP address, so
> you'll need to adjust the various options (obviously). When you're done,
> use the -print option to openssl on ${HOSTNAME}.crt to double check
> that the SAN is added.
>
> Then, double-double check that the CA is imported on both Kea servers,
> the Stork server, and since you mentioned Docker - also inside any
> containerized version of the aforementioned.
>
> Again, I don't change any of the verification settings, nor any of the
> certificates except the ones that I created for Kea to use. Hope this helps.

Thanks for pointing this out. My certs were done like:

openssl req -nodes -newkey rsa:2048 -keyout server_adc1.key \
  -out server_adc1.csr -subj \
  "/C=some/ST=some/L=there/O=ISC-Kea/OU=adc1/CN=adc1/emailAddress=a...@my.tld"

so I have no IP SAN, right (grepped that command from a gist on github
and modified it).

I wanted to get it right with FQDNs in there etc ...

I will give your approach a try next week or so, currently on the train
and not touching anything anymore today.

How to double-double-check the CA import? I added it to
/usr/local/share/ca-certificates/ and ran update-ca-certificates , so
the ca.crt should be in the system's keystore.

Is that enough to make stork trust it?

I assume so as I didn't find a specific setting/variable to define a TLS
CA for the stork-agent.

So it's very likely that adding that IP SAN to the cert fixes things.

I will see next week ;-)

Thanks, have a nice weekend.
Stefan


Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

2023-06-30 Thread Eric Graham
Stefan,

I've been down this road and the short answer is to not bother trying to use 
the various options to skip certificate verification. Those settings don't do 
what you (I) think they do, and it's easier to just make the certs work.

When you generate the certificates under your CA, add the IP address of each 
server as an IP SAN. For example, given a key, CA, and CSR, this is how I make 
a certificate:

HOSTNAME='1.2.3.4'
openssl x509 -req -sha512 -days 365 -in ${HOSTNAME}.csr -CA ca.crt \
  -CAkey cakey.pem -CAcreateserial -out ${HOSTNAME}.crt -extensions SAN \
  -extfile <(printf "[SAN]\nsubjectAltName=IP:${HOSTNAME}")

In my case, I only care to make the certificate work for IP address, so you'll 
need to adjust the various options (obviously). When you're done, use the 
-print option to openssl on ${HOSTNAME}.crt to double check that the SAN is 
added.

Then, double-double check that the CA is imported on both Kea servers, the 
Stork server, and since you mentioned Docker - also inside any containerized 
version of the aforementioned.

Again, I don't change any of the verification settings, nor any of the 
certificates except the ones that I created for Kea to use. Hope this helps.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Kea-users  on behalf of Stefan G. 
Weichinger 
Sent: Friday, June 30, 2023 6:13 AM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork 
and dhcp4 gets lost

On 30.06.23 at 12:16, Stefan G. Weichinger wrote:
>
> After some more restarting and re-registering currently stork looks good.
>
> I assume currently the stork-agents talk to the kea-ctrl-agents
> unencrypted ... I am not 100% sure yet.

Tested flipping this:

kea-ctrl-agent.conf:"cert-required": false

to true

When doing this, the stork-agent has issues trusting the cert:

Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30"
level="error" msg="Problem fetching stats from Kea: Post
\"https://10.0.0.231:8000/\": remote error: tls: unknown certificate
authority\nproblem sending POST to
https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem
getting stats from
Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594"
file="  promkeaexporter.go:841  "
Jun 30 13:07:30 adc1 stork-agent[759628]: time="2023-06-30 13:07:30"
level="error" msg="Some errors were encountered while collecting stats
from Kea: Post \"https://10.0.0.231:8000/\": remote error: tls: unknown
certificate authority\nproblem sending POST to
https://10.0.0.231:8000/\nisc.org/stork/agent.(*HTTPClient).Call\n\t/builds/isc-projects/stork/backend/agent/caclient.go:105\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:876\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594\nproblem
getting stats from
Kea\nisc.org/stork/agent.(*PromKeaExporter).sendCommandToKeaCA\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:878\nisc.org/stork/agent.(*PromKeaExporter).collectStats\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:838\nisc.org/stork/agent.(*PromKeaExporter).statsCollectorLoop\n\t/builds/isc-projects/stork/backend/agent/promkeaexporter.go:710\nruntime.goexit\n\t/builds/isc-projects/stork/tools/golang/go/src/runtime/asm_amd64.s:1594"
file="  promkeaexporter.go:712  "
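
The certificate steps from this thread (sign a CSR with an IP SAN, confirm the SAN is present, confirm the certificate validates against the CA), as an added example that is not part of the original messages. It assumes OpenSSL 1.1.1 or later; the CA names, file names and the 192.0.2.10 address are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: throwaway CA plus a server certificate carrying an IP SAN,
# followed by the two checks discussed in the thread.
# All names and the 192.0.2.10 address are constructed sample values.
set -eu
umask 077                       # anything written here is owner-only

SERVER_IP='192.0.2.10'          # constructed sample (documentation range)

# Minimal config so the result does not depend on the system openssl.cnf.
write_cnf() {                   # $1 = working directory
  cat > "$1/example.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

make_ca() {                     # $1 = dir, $2 = CA name -> $2.key, $2.crt
  openssl req -x509 -config "$1/example.cnf" -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

make_csr() {                    # $1 = dir, $2 = host -> $2.key, $2.csr
  openssl req -new -config "$1/example.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Sign $2.csr with CA $3 and write $4.crt; if $5 is given it becomes an IP SAN.
sign_csr() {
  local dir=$1 host=$2 ca=$3 out=$4 san_ip=${5:-}
  set -- -req -sha512 -days 30 -in "$dir/$host.csr" \
         -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
         -out "$dir/$out.crt"
  if [ -n "$san_ip" ]; then
    # A temp file instead of <(...) so this also works outside bash.
    printf '[SAN]\nsubjectAltName=IP:%s\n' "$san_ip" > "$dir/$out.ext"
    set -- "$@" -extensions SAN -extfile "$dir/$out.ext"
  fi
  openssl x509 "$@" 2>/dev/null
}

# True only if the certificate is valid for this IP. IP matching looks at
# the SAN only; a CN that happens to contain the address does not count.
cert_matches_ip() {             # $1 = cert, $2 = IP
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# True only if the certificate validates against the given CA file.
cert_chains_to() {              # $1 = cert, $2 = CA cert
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

demo() {
  local d c
  d=$(mktemp -d)
  write_cnf "$d"
  make_ca "$d" ca
  make_ca "$d" other-ca         # unrelated CA, stands in for a wrong trust anchor
  make_csr "$d" "$SERVER_IP"
  sign_csr "$d" "$SERVER_IP" ca with-san "$SERVER_IP"
  sign_csr "$d" "$SERVER_IP" ca cn-only
  for c in with-san cn-only; do
    if cert_matches_ip "$d/$c.crt" "$SERVER_IP"; then
      echo "$c.crt: valid for $SERVER_IP"
    else
      echo "$c.crt: NOT valid for $SERVER_IP (no IP SAN)"
    fi
  done
  for c in ca other-ca; do
    if cert_chains_to "$d/with-san.crt" "$d/$c.crt"; then
      echo "with-san.crt validates against $c.crt"
    else
      echo "with-san.crt does NOT validate against $c.crt"
    fi
  done
  rm -rf "$d"
}

demo
```

Running both checks against the exact CA file that was imported on each host separates a missing SAN from a missing or wrong trust anchor.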

Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

2023-06-29 Thread Eric Graham
My deployments have a single CA that's used as trust-anchor on both machines, 
and then the certificates are signed by the CA. The CA is further added to the 
systems' trust stores. I haven't tried what you're doing (sorry).

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Stefan G. Weichinger 
Sent: Thursday, June 29, 2023 9:04 AM
To: Eric Graham ; kea-users@lists.isc.org 

Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork 
and dhcp4 gets lost

On 29.06.23 at 15:34, Eric Graham wrote:
> Stefan,
>
> I think so, but I'm not sure if it's best practice to share that
> certificate with Kea since you'd need to open up permissions a little
> and allow Kea to read the private key. If you have no qualms with that
> note, then it's probably worth an attempt, at least. Since Kea shouldn't
> be running as root, you may need to change group ownership of the certs
> or use fACLs.

I could copy them over to /var/lib/kea and adjust things.

Prepared that already

As far as I understand the CAs have to be placed "cross-wise":

server1 has to use ca_server2.pem as trust-anchor


server2 has to use ca_server1.pem as trust-anchor

Right?

I haven't started editing things yet, can't risk downtime while people
are working there.




Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

2023-06-29 Thread Eric Graham
Stefan,

I think so, but I'm not sure if it's best practice to share that certificate 
with Kea since you'd need to open up permissions a little and allow Kea to read 
the private key. If you have no qualms with that note, then it's probably worth 
an attempt, at least. Since Kea shouldn't be running as root, you may need to 
change group ownership of the certs or use fACLs.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Kea-users  on behalf of Stefan G. 
Weichinger 
Sent: Thursday, June 29, 2023 3:02 AM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork 
and dhcp4 gets lost

On 28.06.23 at 09:28, Stefan G. Weichinger wrote:
> On 27.06.23 at 17:17, Eric Graham wrote:
>> Stefan,
>>
>> Make sure that when you change the password, you also change it in
>> Stork and in the HA hook config on each daemon of each server.
>>
>> I am not aware of documentation from ISC for generating certificates,
>
> this:
>
> https://github.com/isc-projects/kea/blob/master/src/lib/asiolink/testutils/ca/doc.txt
>
> ?

The two Kea-Servers are also samba-AD-DCs : so they have their own
AD-related TLS-certs here:

# ls -l /var/lib/samba/private/tls
insgesamt 12
-rw-r--r-- 1 root root 2074 30. Nov 2022  ca.pem
-rw-r--r-- 1 root root 2078 30. Nov 2022  cert.pem
-rw------- 1 root root 3243 30. Nov 2022  key.pem

May I "simply" use these for kea as well? I assume so ...


Re: [Kea-users] Stork configuration

2023-06-28 Thread Eric Graham
Control agent logs would be able to help narrow down the issue. Make sure the 
Stork agent has the correct credentials if using BASIC auth on the control 
agent. If you're doing anything with containers or security, be sure that Stork 
can see the command line of the Kea control agent in the process list, and can 
read the Stork control agent config.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Kea-users  on behalf of DDFR | Ronald 
Blaas 
Sent: Wednesday, June 28, 2023 10:01 AM
To: kea-users@lists.isc.org 
Subject: [Kea-users] Stork configuration

Hi all,

I am trying to setup isc-stork but I am unable to get the app (isc-kea) visible 
in stork.

I have isc-kea up and running (with isc-kea-ctrl-agent)

So I installed isc-stork-server and isc-stork-agent (on the same machine)

I can see the client in stork server but Kea Apps are not being displayed.

What did I forget ? 

Regards,





Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

2023-06-27 Thread Eric Graham
Stefan,

Make sure that when you change the password, you also change it in Stork and in 
the HA hook config on each daemon of each server.

I am not aware of documentation from ISC for generating certificates, but here 
is an article I found that should get you started: 
https://node-security.com/posts/openssl-creating-a-ca/
You will want to make a CA in this case, and not just self-signed certificates. 
Make sure if you make the certificates for IP and not hostname, that you add 
the IP to the SAN field of the certificates. Here's an article from Red Hat 
about trusting the CA on each host: 
https://www.redhat.com/sysadmin/ca-certificates-cli Even if you're not in Red 
Hat-land, it'll get you started.


Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Stefan G. Weichinger 
Sent: Tuesday, June 27, 2023 2:57 AM
To: Eric Graham ; kea-users@lists.isc.org 

Cc: Darren Ankney 
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork 
and dhcp4 gets lost

On 23.06.23 at 17:34, Eric Graham wrote:
> Stefan,
>
> Please be aware that you posted a password in your control agent config.
> I strongly recommend replacing it.
>
> You may prefer to put the socket in /var. Cleaning of /tmp is
> distro-dependent behavior. You'll need to make that change (to the
> socket path) in the control agent and DHCP configs on both servers.
> Stork will pick up the change automatically (without any config
> changes), but the agent may need a restart, as well as all Kea services.

Changed the socket path, we'll see if that improves stability.

Changing the password didn't work yet, I had to roll back. I'll try that
again later.

I have basic-auth in place, but no TLS enabled yet. This might be the
time to add this also, although the 2 machines run in a rather protected
environment. It's just better, and state of the art, to use TLS ...

Any pointers to the kea-docs how to generate working certs? I assume
they could be rather dummy style ...

thanks, regards, Stefan




Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

2023-06-23 Thread Eric Graham
Stefan,

Please be aware that you posted a password in your control agent config. I 
strongly recommend replacing it.

You may prefer to put the socket in /var. Cleaning of /tmp is distro-dependent 
behavior. You'll need to make that change (to the socket path) in the control 
agent and DHCP configs on both servers. Stork will pick up the change 
automatically (without any config changes), but the agent may need a restart, 
as well as all Kea services.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Kea-users  on behalf of Darren Ankney 

Sent: Friday, June 23, 2023 6:01 AM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork 
and dhcp4 gets lost

Hi Stefan,

I imagine your socket file is being removed during routine OS cleaning
of /tmp/. I would not store it there in production (I do often do that
in testing, however).  If the socket file gets removed, Kea will not
recreate it until a restart.

Thank you,

Darren Ankney

On Fri, Jun 23, 2023 at 4:21 AM Stefan G. Weichinger  wrote:
>
> On 22.06.23 at 19:35, Eric Graham wrote:
> > Check the permissions of the control socket on your server:
> >
> > * Confirm that the Kea control agent can read it
> > * Confirm that SELinux is not denying the attempt
>
> Eric, thanks for your help.
>
> If it works most of the time ... why wouldn't the permissions be OK then?
>
> OK:
>
> root@adc1:/etc/kea# ls -l /tmp/kea4*
> srwxr-xr-x 1 _kea _kea 0 22. Jun 07:35 /tmp/kea4-ctrl-socket
> -rw------- 1 _kea _kea 0 22. Jun 07:35 /tmp/kea4-ctrl-socket.lock
>
>
> root@adc2:/etc/kea# ls -l /tmp/kea4*
> srwxr-xr-x 1 _kea _kea 0 17. Mai 08:18 /tmp/kea4-ctrl-socket
> -rw------- 1 _kea _kea 0 17. Mai 08:18 /tmp/kea4-ctrl-socket.lock
>
> SElinux: don't know how to check that right now ...
>
>
> > Your control agent on the other server isn't configured to connect to
> >  the socket for dhcp4 on your primary server, correct?
>
> As far as I understand, no.
>
> I add the whole file just to be safe here:
>
> root@adc1:/etc/kea# cat kea-ctrl-agent.conf
> // This is a basic configuration for the Kea Control Agent.
> //
> // This is just a very basic configuration. Kea comes with large suite (over 30)
> // of configuration examples and extensive Kea User's Guide. Please refer to
> // those materials to get better understanding of what this software is able to
> // do. Comments in this configuration file sometimes refer to sections for more
> // details. These are section numbers in Kea User's Guide. The version matching
> // your software should come with your Kea package, but it is also available
> // in ISC's Knowledgebase (https://kea.readthedocs.io; the direct link for
> // the stable version is https://kea.readthedocs.io/).
> //
> // This configuration file contains only Control Agent's configuration.
> // If configurations for other Kea services are also included in this file they
> // are ignored by the Control Agent.
> {
>
> // This is a basic configuration for the Kea Control Agent.
> // RESTful interface to be available at http://127.0.0.1:8000/
> "Control-agent": {
>  "http-host": "10.0.0.231",
>  // If enabling HA and multi-threading, the 8000 port is used by the HA
>  // hook library http listener. When using HA hook library with
>  // multi-threading to function, make sure the port used by dedicated
>  // listener is different (e.g. 8001) than the one used by CA. Note
>  // the commands should still be sent via CA. The dedicated listener
>  // is specifically for HA updates only.
>  "http-port": 8000,
>
> "authentication": {
>  "type": "basic",
>  "realm": "kea-control-agent",
>  "clients": [
>  {
>  "user": "admin",
>  "password": "X-dEldmfRz"
>  } ]
>  },
>
>  // Specify location of the files to which the Control Agent
>  // should connect to forward commands to the DHCPv4, DHCPv6
>  // and D2 servers via unix domain sockets.
>  "control-sockets": {
>  "dhcp4": {
>  "socket-type": "unix",
>  "socket-name": "/tmp/kea4-ctrl-socket"
>  }
>  #"dhcp6":

Re: [Kea-users] hooks libraries failed to validate

2023-06-23 Thread Eric Graham
Hi Darren,

No, Kea itself does not get recompiled. This is part of the benefit of the 
hooks system. Kea source / SOs need to be present to link to, but only the hook 
needs to be recompiled. This is why you can distribute the premium hooks as 
standalone packages, instead of distributing a version of Kea for every 
combination of hooks.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Kea-users  on behalf of Darren Ankney 

Sent: Friday, June 23, 2023 6:22 AM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] hooks libraries failed to validate

Hi all,

I must admit, I've never built a custom hook before, but wouldn't you need to 
make this part of the Kea source tree (as described for the premium hooks: 
https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#installing-hook-packages)
 and recompile Kea with the hook? The developer's guide may be useful as well: 
https://reports.kea.isc.org/dev_guide/



On Thu, Jun 22, 2023 at 10:31 AM Eric Graham <eric.gra...@vantagepnt.com> wrote:
Ronald,

That error is a catch-all for essentially any reason your hook isn't working 
cleanly. Maybe you're missing a function or have some other (syntactically 
valid) error. Also make sure that the permissions on the SO are correct, and 
that it's linking correctly if you didn't compile on the server. Can you 
provide us a minimal (non)working example?

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Kea-users <kea-users-boun...@lists.isc.org> on behalf of DDFR | Ronald 
Blaas <ronald.bl...@ddfr.nl>
Sent: Thursday, June 22, 2023 7:43 AM
To: kea-users@lists.isc.org <kea-users@lists.isc.org>
Subject: [Kea-users] hooks libraries failed to validate

Hi all,

Breaking my head over here.

Can't seem to figure out what I am missing here.

Trying to create a custom hook. Using 
https://reports.kea.isc.org/dev_guide/df/d46/hooksdgDevelopersGuide.html#hooksdgTutorial
 as an example.

So I have created 5 files (version.cc / library_common.h / load_unload.cc / 
pkt_receive.cc / pkt_send.cc)
compiled it
g++ -I /usr/include/kea -L /usr/lib -fpic -shared -o test_hook.so \
  load_unload.cc pkt_receive4.cc pkt_send.cc version.cc -lkea-dhcpsrv \
  -lkea-dhcp++ -lkea-hooks -lkea-log -lkea-util -lkea-exceptions

mv the "test_hook.so" to the Hooks dir for kea.

Edited the config file to include the hook.

But after restart of kea-dhcp4 services I see this error (and kea does not 
start)

Jun 22 14:42:29 dhcp1 kea-dhcp4[81922]: 2023-06-22 14:42:29.237 ERROR 
[kea-dhcp4.dhcp4/81922.140261235613312] DHCP4_INIT_FAIL failed to initialize 
Kea server: configuration error using file '/etc/kea/kea-dhcp4.conf': hooks 
libraries failed to validate - library or libraries in error are: 
/usr/lib/x86_64-linux-gnu/kea/hooks/test_hook.so (/etc/kea/kea-dhcp4.conf:25:5)


So where did I go wrong?

Regards


Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

2023-06-22 Thread Eric Graham
Check the permissions of the control socket on your server:

  *   Confirm that the Kea control agent can read it
  *   Confirm that SELinux is not denying the attempt

Your control agent on the other server isn't configured to connect to the 
socket for dhcp4 on your primary server, correct?

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

From: Stefan G. Weichinger 
Sent: Thursday, June 22, 2023 12:18 PM
To: Eric Graham ; kea-users@lists.isc.org 

Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork 
and dhcp4 gets lost

On 22.06.23 at 16:35, Eric Graham wrote:
> Stefan,
>
> What version of Stork are you using? I saw a similar issue
> <https://gitlab.isc.org/isc-projects/stork/-/issues/792> in 1.7.

1.10.0

> Do your Kea control agent logs show any issues during the event?

Didn't find the time today to browse the logs.

the problematic server adc1 logs something after the event in stork.

stork displays


2023-06-20 20:01:23 daemon [2] dhcp4 is unreachable

kea-debug.log:

2023-06-20 20:00:54.374 CEST INFO
[kea-dhcp4.commands/664.140016487107008] COMMAND_RECEIVED Received
command 'subnet4-list'
2023-06-20 20:00:54.679 CEST INFO
[kea-dhcp4.commands/664.140016487107008] COMMAND_RECEIVED Received
command 'ha-heartbeat'
2023-06-20 20:02:04.789 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_STATE_TRANSITION server
transitions from HOT-STANDBY to WAITING state, partner state is PARTNER-DOWN
2023-06-20 20:02:04.790 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_LEASE_UPDATES_DISABLED lease
updates will not be sent to the partner while in WAITING state
2023-06-20 20:02:04.790 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_LOCAL_DHCP_DISABLE local
DHCP service is disabled while the adc1 is in the WAITING state
2023-06-20 20:02:04.790 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_STATE_TRANSITION server
transitions from WAITING to SYNCING state, partner state is PARTNER-DOWN
2023-06-20 20:02:04.790 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_LEASE_UPDATES_DISABLED lease
updates will not be sent to the partner while in SYNCING state
2023-06-20 20:02:04.790 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_SYNC_START starting lease
database synchronization with adc2
2023-06-20 20:02:04.807 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008]
HA_LEASES_SYNC_LEASE_PAGE_RECEIVED received 118 leases from adc2
2023-06-20 20:02:04.809 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_SYNC_SUCCESSFUL lease
database synchronization with adc2 completed successfully in 19.611 ms
2023-06-20 20:02:04.809 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_STATE_TRANSITION server
transitions from SYNCING to READY state, partner state is PARTNER-DOWN
2023-06-20 20:02:04.810 CEST INFO
[kea-dhcp4.ha-hooks/664.140016487107008] HA_LEASE_UPDATES_DISABLED lease
updates will not be sent to the partner while in READY state
2023-06-20 20:06:51.205 CEST INFO
[kea-dhcp4.dhcpsrv/664.140016487107008] DHCPSRV_MEMFILE_LFC_START
starting Lease File Cleanup
2023-06-20 20:06:51.206 CEST INFO
[kea-dhcp4.dhcpsrv/664.140016487107008] DHCPSRV_MEMFILE_LFC_EXECUTE
executing Lease File Cleanup using: /usr/sbin/kea-lfc -4 -x
/var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp4.leases.1 -o
/var/lib/kea/dhcp4.leases.output -f /var/lib/kea/dhcp4.leases.completed
-p /var/lib/kea/dhcp4.leases.pid -c ignored-path
2023-06-20 21:06:52.202 CEST INFO
[kea-dhcp4.dhcpsrv/664.140016487107008] DHCPSRV_MEMFILE_LFC_START
starting Lease File Cleanup
2023-06-20 21:06:52.203 CEST INFO
[kea-dhcp4.dhcpsrv/664.140016487107008] DHCPSRV_MEMFILE_LFC_EXECUTE
executing Lease File Cleanup using: /usr/sbin/kea-lfc -4 -x
/var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp4.leases.1 -o
/var/lib/kea/dhcp4.leases.output -f /var/lib/kea/dhcp4.leases.completed
-p /var/lib/kea/dhcp4.leases.pid -c ignored-path
2023-06-20 22:06:52.466 CEST INFO
[kea-dhcp4.dhcpsrv/664.140016487107008] DHCPSRV_MEMFILE_LFC_START
starting Lease File Cleanup
2023-06-20 22:06:52.467 CEST INFO
[kea-dhcp4.dhcpsrv/664.140016487107008] DHCPSRV_MEMFILE_LFC_EXECUTE
executing Lease File Cleanup using: /usr/sbin/kea-lfc -4 -x
/var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp4.leases.1 -o
/var/lib/kea/dhcp4.leases.output -f /var/lib/kea/dhcp4.leases.completed
-p /var/lib/kea/dhcp4.leases.pid -c ignored-path
2023-06-20 23:06:53.457 CEST INFO
[kea-dhcp4.dhcpsrv/664.140016487107008] DHCPSRV_MEMFILE_LFC_START
starting Lease File Cleanup

The other server only says:

2023-06-20 20:01:04.701 CEST WARN
[kea-dhcp4.ha-hooks/291908.140125778662080] HA_HEARTBEAT_FAILED
heartbeat to adc1 (http://10.0.0.231:8000/) failed: unable to forward
command to the dhcp4 service

Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

2023-06-22 Thread Eric Graham
Stefan,

What version of Stork are you using? I saw a similar issue
(https://gitlab.isc.org/isc-projects/stork/-/issues/792) in 1.7.

Do your Kea control agent logs show any issues during the event?

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of Stefan G. 
Weichinger 
Sent: Thursday, June 22, 2023 12:55 AM
To: kea-users@lists.isc.org 
Subject: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and 
dhcp4 gets lost


We see this in the stork events every few days:

2023-06-20 20:01:23 daemon [2] dhcp4 is unreachable

2023-06-20 20:01:07 Communication with daemon [2] dhcp4 of app
kea@10.0.0.231 failed

After a restart of both dhcp4 and stork-agent on that adc1-server things
work again.

I will have to check the logs in more detail, sure.

2 things:

1) we collect the prometheus metrics from stork and visualize them in
Grafana.

storkserver_auth_unreachable_machine_total{instance=~"$instance"}

is always 0, even when the mentioned events are seen and I would assume
that one of 2 machines should be marked unreachable. Right?

2) it's not solving the problem at the root, but I consider setting up
some external monitoring to detect this outage and let the monitoring
restart the daemons ...

I use monit (https://mmonit.com/wiki/Monit/ConfigurationExamples) for
such things, and think of letting it do http-API-calls to isc-kea to
check things.

Right approach?

thanks, Stefan
-- 
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
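
The HTTP API check discussed in this thread could look like the following added example (not code from the thread or from ISC). It sends `status-get` for dhcp4 through the control agent and separates "agent answers but cannot forward to dhcp4", the condition in the HA_HEARTBEAT_FAILED line above, from HA states that do not serve clients. The reply layout follows the Kea 2.2 `status-get` documentation as recalled here; the serving-state policy, the default URL, the `KEA_CA_USER`/`KEA_CA_PASSWORD` variable names and the sample replies are assumptions of this example.

```python
#!/usr/bin/env python3
"""Constructed health probe for kea-dhcp4 behind the Kea control agent."""
import base64
import json
import os
import sys
import urllib.error
import urllib.request

# Monitor policy (an assumption of this example): HA states in which the
# local server answers clients. waiting/syncing/ready/terminated do not.
SERVING_STATES = {"load-balancing", "hot-standby", "partner-down",
                  "passive-backup", "partner-in-maintenance"}
EXIT_CODES = {"OK": 0, "HA_DEGRADED": 1}  # anything else exits 2

# Constructed replies, shaped like control-agent answers to status-get.
SAMPLE_OK = json.dumps([{"result": 0, "arguments": {"pid": 664, "high-availability": [
    {"ha-mode": "load-balancing", "ha-servers": {
        "local": {"role": "primary", "state": "load-balancing"},
        "remote": {"in-touch": True, "communication-interrupted": False}}}]}}])
SAMPLE_READY = SAMPLE_OK.replace('"state": "load-balancing"', '"state": "ready"')
SAMPLE_UNREACHABLE = json.dumps(
    [{"result": 1, "text": "unable to forward command to the dhcp4 service"}])


def classify(http_status, body):
    """Return (verdict, detail) for one control-agent reply."""
    if http_status == 401:
        return "AUTH_FAILED", "control agent rejected the credentials"
    try:
        answers = json.loads(body)
    except ValueError:
        return "AGENT_ERROR", "reply is not JSON (HTTP %s)" % http_status
    if isinstance(answers, dict):  # some errors come back as a bare object
        answers = [answers]
    if not isinstance(answers, list) or not answers or not isinstance(answers[0], dict):
        return "AGENT_ERROR", "unexpected reply shape"
    answer = answers[0]
    if answer.get("result") != 0:
        text = str(answer.get("text", ""))
        verdict = ("DAEMON_UNREACHABLE" if "unable to forward command" in text
                   else "DAEMON_ERROR")
        return verdict, text
    args = answer.get("arguments") or {}
    for relationship in args.get("high-availability") or []:
        servers = relationship.get("ha-servers", {})
        state = servers.get("local", {}).get("state", "unknown")
        if state not in SERVING_STATES:
            return "HA_NOT_SERVING", "local HA state is %s" % state
        if servers.get("remote", {}).get("communication-interrupted"):
            return "HA_DEGRADED", "partner communication interrupted"
    return "OK", "dhcp4 answered status-get"


def probe(url, user=None, password=None, timeout=5):
    """POST status-get for dhcp4 to the control agent and classify the reply."""
    payload = json.dumps({"command": "status-get", "service": ["dhcp4"]}).encode()
    request = urllib.request.Request(
        url, data=payload, headers={"Content-Type": "application/json"})
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        request.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as reply:
            return classify(reply.status, reply.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())
    except (urllib.error.URLError, OSError) as err:
        return "AGENT_DOWN", str(err)


def main(argv):
    # Default URL is an assumption; pass the agent URL as the first argument.
    url = argv[1] if len(argv) > 1 else "http://127.0.0.1:8000/"
    verdict, detail = probe(url, os.environ.get("KEA_CA_USER"),
                            os.environ.get("KEA_CA_PASSWORD"))
    print("%s: %s" % (verdict, detail))
    return EXIT_CODES.get(verdict, 2)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status (0 healthy, 1 degraded, 2 failed) lets a supervisor such as monit act on the result without parsing the output.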


Re: [Kea-users] hooks libraries failed to validate

2023-06-22 Thread Eric Graham
Ronald,

That error is a catch-all for essentially any reason your hook isn't working 
cleanly. Maybe you're missing a function or have some other (syntactically 
valid) error. Also make sure that the permissions on the SO are correct, and 
that it's linking correctly if you didn't compile on the server. Can you 
provide us a minimal (non)working example?

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of DDFR | Ronald 
Blaas 
Sent: Thursday, June 22, 2023 7:43 AM
To: kea-users@lists.isc.org 
Subject: [Kea-users] hooks libraries failed to validate

Hi all,

Breaking my head over here.

Can't seem to figure out what I am missing here.

Trying to create a custom hook. Using 
https://reports.kea.isc.org/dev_guide/df/d46/hooksdgDevelopersGuide.html#hooksdgTutorial
 as an example.

So I have created 5 files (version.cc / library_common.h / load_unload.cc / 
pkt_receive.cc / pkt_send.cc)
compiled it
g++ -I /usr/include/kea -L /usr/lib -fpic -shared -o test_hook.so 
load_unload.cc pkt_receive4.cc pkt_send.cc version.cc -lkea-dhcpsrv 
-lkea-dhcp++ -lkea-hooks -lkea-log -lkea-util -lkea-exceptions

mv the "test_hook.so" to the Hooks dir for kea.

Edited the config file to include the hook.

But after restart of kea-dhcp4 services I see this error (and kea does not 
start)

Jun 22 14:42:29 dhcp1 kea-dhcp4[81922]: 2023-06-22 14:42:29.237 ERROR 
[kea-dhcp4.dhcp4/81922.140261235613312] DHCP4_INIT_FAIL failed to initialize 
Kea server: configuration error using file '/etc/kea/kea-dhcp4.conf': hooks 
libraries failed to validate - library or libraries in error are: 
/usr/lib/x86_64-linux-gnu/kea/hooks/test_hook.so (/etc/kea/kea-dhcp4.conf:25:5)


So where did I go wrong?

Regards


Re: [Kea-users] Using option82 (isc-kea)

2023-06-20 Thread Eric Graham
Ronald,

There is another way to log these if you're willing to write some code or a 
script. The run_script hook 
(https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#run-script-run-script-support-for-external-hook-scripts)
 takes the path of an executable to run, and then passes it information about 
packets received through environment variables. Option 82 is one of the few 
that is passed to the program, so writing something to log it is fairly 
straightforward. Otherwise, writing a fully featured hook to log the option 
data is very possible, if you can't afford the legal logging hook.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of Darren Ankney 

Sent: Tuesday, June 20, 2023 4:36 AM
To: DDFR | Ronald Blaas 
Cc: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Using option82 (isc-kea)


Hi Ronald,

There are two ways to log this.

1) log kea-dhcp4.packets at debug severity.  I'm not exactly sure what
level option 82 begins to appear but I believe it to be 50+
2) Use the forensic logging hook:
https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#legal-log-forensic-logging

Thank you,

Darren Ankney

On Mon, Jun 19, 2023 at 8:02 AM DDFR | Ronald Blaas
 wrote:
>
> Hi all,
>
> I have been searching and searching but could not find an answer to satisfy 
> my needs.
>
> I am new in using kea-dhcp.
> I have a working setup using reservations with option 82 (circuit id).
> But what I would like is that I can see the circuit-id in plain text in the 
> log file and lease file.
>
> How do I accomplish this?
>
> I am using Ubuntu 22.04 with the repository from cloudsmith.io
>
> Any insight is appreciated
>
> Regards,
>
> Ron
-- 
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
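
The run_script approach mentioned at the top of this thread, as an added example (not code from the thread or from the Kea project): an executable the hook can call, which writes the Option 82 circuit-id and remote-id to syslog as text. Assumptions: the variable names `QUERY4_OPTION_82_SUB_OPTION_1`/`_2` and `QUERY4_HWADDR` and the hook point names are taken from the Kea 2.2 run_script documentation as recalled here, values are assumed to arrive hex-encoded with an optional `0x` prefix, and the `kea-opt82` syslog tag and sample values are constructed.

```python
#!/usr/bin/env python3
"""Constructed run_script target that logs Option 82 sub-options as text."""
import os
import sys
import syslog

# Assumption: environment variable names as listed in the Kea 2.2 run_script
# documentation; sub-option 1 is the circuit-id, sub-option 2 the remote-id.
CIRCUIT_ID_VAR = "QUERY4_OPTION_82_SUB_OPTION_1"
REMOTE_ID_VAR = "QUERY4_OPTION_82_SUB_OPTION_2"
HWADDR_VAR = "QUERY4_HWADDR"
# The hook point name arrives as the first argument; log only these two.
LOGGED_HOOKS = {"leases4_committed", "lease4_renew"}

# Constructed sample of what the hook might export for one relayed request.
# The remote-id deliberately contains a newline to show the escaping.
SAMPLE_ENV = {
    CIRCUIT_ID_VAR: "0x" + b"ge-0/0/1.0:100".hex(),
    REMOTE_ID_VAR: "0x" + b"sw1\nforged line".hex(),
    HWADDR_VAR: "00:11:22:33:44:55",
}


def decode_hex(value):
    """Decode '0x6765...' or '6765...' to bytes; b'' if absent or malformed."""
    if not value:
        return b""
    text = value[2:] if value[:2].lower() == "0x" else value
    try:
        return bytes.fromhex(text)
    except ValueError:
        return b""


def printable(raw):
    """Keep printable ASCII; escape everything else (plus quote and backslash)
    as \\xNN so relay-supplied bytes cannot break or forge a log line."""
    out = []
    for byte in raw:
        if 0x20 <= byte < 0x7F and byte not in (0x22, 0x5C):
            out.append(chr(byte))
        else:
            out.append("\\x%02x" % byte)
    return "".join(out)


def format_record(hook, env):
    """Build one log line, or None when the query carried no Option 82."""
    circuit = decode_hex(env.get(CIRCUIT_ID_VAR, ""))
    remote = decode_hex(env.get(REMOTE_ID_VAR, ""))
    if not circuit and not remote:
        return None
    hwaddr = printable(env.get(HWADDR_VAR, "").encode("ascii", "replace"))
    return 'hook=%s hwaddr=%s circuit-id="%s" remote-id="%s" circuit-id-hex=%s' % (
        hook, hwaddr, printable(circuit), printable(remote), circuit.hex())


def main(argv, env):
    """Entry point: argv[1] is the hook point name passed by run_script."""
    hook = argv[1] if len(argv) > 1 else ""
    if hook not in LOGGED_HOOKS:
        return 0
    record = format_record(hook, env)
    if record is not None:
        syslog.openlog("kea-opt82", facility=syslog.LOG_DAEMON)
        syslog.syslog(syslog.LOG_INFO, record)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

The raw hex is logged next to the escaped text so the original bytes can be recovered when a relay sends a binary circuit-id.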


Re: [Kea-users] Unable to see usage of pool

2023-01-16 Thread Eric Graham
Is the libdhcp_stat_cmds hook library loaded?

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of 
fiala...@fd.cvut.cz 
Sent: Monday, January 16, 2023 6:53 AM
To: Kea-users@lists.isc.org 
Subject: [Kea-users] Unable to see usage of pool


Hi,

I would like to ask you if you don't know why I am not able to see the actual usage 
of DHCP pool in Stork 1.8. I have KEA in version 2.2. DHCP lease minimal 2 
addresses. I have already tried restart stork server and agent.

I will be glad to suggest a solution to this issue.

Kind regards

Martin Fiala



Re: [Kea-users] Load-Balancing Network issue between Relay and Kea

2023-01-09 Thread Eric Graham

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of Kevin P. Fleming 

Sent: Monday, January 9, 2023 12:38 PM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Load-Balancing Network issue between Relay and Kea

On Mon, Jan 9, 2023, at 11:54, Veronique Lefebure wrote:
Very interesting thread.

Mathias, you wrote "Expected behaviour: Kea 2 sees the unacked clients of Kea 1 
and sets Kea 1 in partner-down state and handles all requests.", but if there 
is no traffic between DHCP clients and Kea1, then the value of 
max-unacked-clients on server1 cannot increase anyway, right? In other words, 
Kea2 cannot "see" anything?


It can 'see', because it *also* saw all of the client requests and knows which 
ones it expected to be handled by Kea1 (as noted earlier in the thread it even 
emits a log message indicating this).

Forgive my presumption, but I assumed that 'max-unacked-clients' would be a 
counter of 'unacked clients' which belong to a Kea server *other than this 
one*. I don't immediately know how counting the number of clients *this server* 
has not acked would be useful, although I won't be surprised to learn that it 
is useful to someone.


Re: [Kea-users] Load-Balancing Network issue between Relay and Kea

2023-01-04 Thread Eric Graham
CCing the list.. sorry.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Eric Graham 
Sent: Wednesday, January 4, 2023 4:13 PM
To: Kevin P. Fleming 
Subject: Re: [Kea-users] Load-Balancing Network issue between Relay and Kea

You're right. There's a table of values against which the DUID (if IPv6) is 
hashed. The result % number of servers is used as an index pointing to the 
server that will process the packet.

https://gitlab.isc.org/isc-projects/kea/-/blob/46dc8d276efda1a240f0c05580bdcba62ae5a6c7/src/hooks/dhcp/high_availability/query_filter.cc#L416-L446

Even though the Kea load balancing algorithm (as well as the DHCPd load 
balancing algorithm) is not exactly RFC compliant, this part seems to be. See 
RFC 3074 § 6.

I have encountered this same issue when one server cannot communicate. For me, 
it was partially caused by my socket type being wrong. However, I found the 
load balancing behavior to be sufficiently finicky that I have standardized on 
hot-standby. With the size deployments I deal with, load balancing provides 
marginal performance improvement at the cost of issues like this and more 
complicated configuration.

Additionally, having a RADIUS backend made this issue even worse. Load 
balancing + RADIUS = a bad time.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of Kevin P. Fleming 

Sent: Wednesday, January 4, 2023 3:59 PM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Load-Balancing Network issue between Relay and Kea


On Wed, Jan 4, 2023, at 15:54, Simon wrote:

> Kevin P. Fleming  wrote:
>
>> If 'max-unacked-clients' isn't sufficient to address this, then this leaves 
>> a fairly large opening in the Kea high-availability story, as any network 
>> disruption which causes a server to no longer receive discovery packets from 
>> clients, but otherwise receives all expected network traffic, won't be 
>> noticed except by the clients! This concerns me, as (like other users here) 
>> my Kea servers receive all client traffic via DHCP relays, and 
>> misconfiguration of the relay such that it only relays to one server and not 
>> both will result in half of my clients not getting DHCP service at all.
>
> Surely, if you misconfigure a relay agent in that way, around half your
> clients will initially be unable to renew their leases, but eventually
> will get serviced by the available server once their active lease has
> expired ? That would mean the clients would drop their network config
> momentarily before setting up a new one - meaning that active
> connections would drop, but new ones would connect just fine once the
> new settings are in place.

That's why I posted; I don't really know!

If the server receiving the client requests is not in partner-down state, based 
on my understanding of the Kea ARM section on HA it will not respond to those 
requests. That certainly seems to be the case while the lease is still active; 
once the lease has expired I'm not sure what will happen.

In my network with Kea in load-balancing mode, there seems to be some sort of 
algorithm involved even for DHCP DISCOVER, where only one of the two servers 
responds with DHCP OFFER even though they are both running in a normal state. 
It has been my assumption (untested) up to this point that Kea is using the 
client's identifier (MAC address, DUID, etc.) to choose one or the other of the 
active servers to respond to that DISCOVER. If that's true, and both servers 
are in normal operation (neither is in partner-down), then that algorithm would 
continue telling the second server to *not* respond to requests from that 
client because it believes the other server will do so... even if the other 
server is not receiving the client's requests.

To summarize, that's what I assumed (again untested) 'max-unacked-clients' is 
for; if the second server assumes the first server will respond to those 
clients, but it does not (no leases are offered to them), it could notice the 
situation and decide that the first server is unhealthy or partitioned and 
force it into a 'down' state.

Re: [Kea-users] Kea System Requirements

2023-01-04 Thread Eric Graham
Running compiled Kea 2.2 in a Docker container that had one CPU and 500MB of 
memory, in a VM that had 4 vCPUs and 4GB of memory, allowed me to reach 1,700 
lps with 3% drops using dhcperf on a second VM on the same host (and memfile 
backend). I'd recommend that as bare minimum specs. In production I would 
recommend much higher, to be safe. It really depends on your environment, 
hooks, other services running on the system, etc.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of JT ISC 

Sent: Tuesday, January 3, 2023 7:20 PM
To: kea-users@lists.isc.org 
Subject: [Kea-users] Kea System Requirements

What are the system requirements for Kea?

4 GB RAM and 100GB HD adequate?

Thanks


Re: [Kea-users] Kea MySQL & Advanced Features Requirements

2023-01-04 Thread Eric Graham
Last time I used the RPMs from their repository (1.8), MariaDB was baked in. 
I'd assume it to be so today. It's a pretty commonly used feature. I would make 
a VM, set up that repo, and then run kea-dhcp4 -W to show what features are 
enabled.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of JT ISC 

Sent: Tuesday, January 3, 2023 7:28 PM
To: kea-users@lists.isc.org 
Subject: [Kea-users] Kea MySQL & Advanced Features Requirements

I have a question regarding Kea with MySQL and other advanced features.

Is the only way to get most of the features of Kea, such as MySQL features and 
other advanced features, is to build/install from source, correct?

The pre-built Kea packages don't allow MySQL and the other advanced features, 
correct?

Thanks!


Re: [Kea-users] Monitoring a Kea cluster

2023-01-03 Thread Eric Graham
Dan,

Would you be willing to dump your iptables filter and nat tables before and 
after the restart and take a diff? Are you using firewalld on top of iptables, 
by chance? I've been running into issues with my firewall completely breaking 
when switching the backend of firewalld from nftables to iptables, but I 
suspect that's an entirely different issue.

I do want to add that the article Stefan linked does mention that the network 
being "up" varies in definition. I know that I have needed to write retries 
into some of my own services that require that target, because the network 
might be "up" and DNS still might not resolve, pings fail, etc.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of Dan Oachs 

Sent: Tuesday, January 3, 2023 9:25 AM
To: Stefan G. Weichinger 
Cc: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Monitoring a Kea cluster

I have noticed something similar with our Kea servers.

Running Kea 2.0.3 on Rocky Linux 8.7

After a server reboot dhcpv6 is running but not handing out leases.   There is 
some issue with the way things start up and the firewall blocking packets.  My 
current workaround is to add a few lines in /etc/rc.local to stop ip6tables, 
restart kea-dhcp6, then start ip6tables.

I'm sure there is a correct way to fix this, but the workaround is functional 
for me at the moment.

--Dan


On Tue, Jan 3, 2023 at 2:20 AM Stefan G. Weichinger <li...@xunil.at> wrote:
On 27.12.22 at 12:46, Darren Ankney wrote:

> In any case, I’d be concerned why it was running but not answering
> requests more-so than I would be about how to monitor it using actual
> DHCP.  I vaguely remember having some trouble with Kea and systemd
> startup ordering (ie: it started up before the server’s IP was on the
> interface).  Setting After=network.target took care of it.

We saw the behavior again yesterday: no DHCP leases after a reboot until
we restarted kea.

In the service file there are these lines:

Wants=network-online.target
After=network-online.target
After=time-sync.target

https://systemd.io/NETWORK_ONLINE/ gives some information about these
targets ... "network-online.target" should fit better .. but doesn't
seem to be enough.

We use raw sockets for kea, but the server listens on multiple
vlan-interfaces:

{
  "Dhcp4": {
    "interfaces-config": {
      "interfaces": [ "enp0s31f6", "enp0s31f6.101",
                      "enp0s31f6.102", "enp0s31f6.103", "enp0s31f6.200" ],
      "dhcp-socket-type": "raw"
    },




Re: [Kea-users] Monitoring a Kea cluster

2022-12-27 Thread Eric Graham
One way to monitor is with Stork. It won't alert you, but it does have an API 
that collects events such as failure to communicate with a daemon using the Kea 
control agent, or HA state changed. One can poll that API and emit alerts based 
on the interesting events. Stork agents also have Prometheus built in, so you 
can have your Prometheus server send alerts on some conditions. For example, 
alert if a subnet is 80% full, 20% lower than average, has only been decreasing 
in count for x minutes, etc. (disclaimer, I haven't done this yet).

I would be much more comfortable with an actual DHCP client, though, like 
Darren described. One could use dhcperf, or something like scapy. But I am also 
interested in a better monitoring solution.

Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>

From: Kea-users  on behalf of Stefan G. 
Weichinger 
Sent: Tuesday, December 27, 2022 12:10 AM
To: kea-users@lists.isc.org 
Subject: [Kea-users] Monitoring a Kea cluster


As I upgraded my isc-kea cluster to Debian 11.6 last week and rebooted
the 2 nodes we noticed that initially there were no DHCP-leases offered
until I restarted the isc-kea-dhcp4 service (on the primary node of the
cluster).

Maybe a one time issue, I don't know.

-

In consequence I'd like to monitor the DHCP-services somehow.

I don't run a "real" monitoring like Nagios or Icinga at that site, but
use "monit" for basic monitoring ...

I added a check to monitor the isc-kea-dhcp4 service itself: does it
run, does it behave, if not, restart it.

And I added a check to monitor the timestamp of the leases file: if not
changed for N minutes, alert me.

That is very basic and not even fully OK IMO: the leases file gets
rotated ... etc etc

I browsed for a check tool and found "dhcping". So far I wasn't able to
get a working reply out of that tool :-( ...

How do you monitor Kea, are there any recommended ways of doing that?


Re: [Kea-users] Stork API Key

2022-12-16 Thread Eric Graham
With TLS and a restrictive firewall, safe enough for most environments I'd say. 
But, as always, it depends on your threat model and setup. Apologies for not 
bringing up the Stork agent, I had forgotten that was necessary when I wrote my 
email. Glad you caught it.


Eric Graham

DevOps Specialist

Main: 605.995.1777

eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>




Mitchell | Portland | Colorado Springs | San Antonio | Sioux Falls | 
Springfield | Charlotte


From: Kea-users  on behalf of Stefan G. 
Weichinger 
Sent: Friday, December 16, 2022 7:36 AM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Stork API Key


On 15.12.22 at 17:10, Stefan G. Weichinger wrote:

> while the example (home user .. so maybe not that safe) at
>
> https://kea.readthedocs.io/en/kea-2.2.0/arm/config-templates.html
>
> does not contain that "authentication" block (and that's where I copied
> from).

Successfully added basic authentication to my 2-node-cluster:

* added authentication to the control-agents

* added that info to the peers in the kea-config

* added the creds to the stork agents

Looks good now.

Yes, basic auth is not super safe, but AFAIK safe enough in this
environment.




Re: [Kea-users] Stork API Key

2022-12-15 Thread Eric Graham
Thanks, Rick, for the clarification. I dug into the code to double check that 
HTTP basic auth is not used.

The API spec is here: 
https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/api/users-paths.yaml#L1-L33

If basic auth were in use, there would be a security section as described here: 
https://swagger.io/docs/specification/authentication/basic-authentication/

Here is the code that authenticates the user for the /session endpoint: 
https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/backend/server/restservice/users.go#L54-L68

A use of the middleware to ensure the user is logged in before continuing the 
request: 
https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/backend/server/restservice/middleware.go#L269-L281


In summary, the user provides a username (treated as an email if it contains 
'@' or a username otherwise) and a password, which maps to their identity. The 
password is hashed with PostgreSQL's crypt function and stored. That identity 
is tied to the session token, which is passed to the server in the session 
cookie upon any (authenticated) request and checked for equality and validity 
(+ expiration) in the database. Basic auth is not checked.



Eric Graham

DevOps Specialist

Main: 605.995.1777

eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>




Mitchell | Portland | Colorado Springs | San Antonio | Sioux Falls | 
Springfield | Charlotte


From: Frey, Rick E 
Sent: Thursday, December 15, 2022 9:22 AM
To: Stefan G. Weichinger ; Eric Graham 
; kea-users@lists.isc.org 
Subject: Re: [Kea-users] Stork API Key


Questions are venturing out of scope for Kea/Stork and are more with general 
HTTP but will make a stab at getting you pointed in right direction.



In your second call, you are attempting to use HTTP basic authentication 
(--user arg to curl) instead of sending the session cookie.  As mentioned 
earlier in thread, Stork uses sessions for authentication where expiration is 
currently hard coded to 24 hours.   The session cookie is provided with your 
successful call to /api/sessions and was stored in your cookie jar file 
“cookie.txt” with the sample curl command you provided.  In your tests using 
curl for second call, you just need to omit the username arg and tell curl to 
use the cookie jar you specified in login post.



Example login (stores session cookie in cookie jar “cookie.txt”):

curl -X 'POST' 'http://10.0.0.230:8080/api/sessions' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{
  "useremail": "sgw",
  "userpassword": "yourpassword"
}' -c cookie.txt

Example API call using previously acquired session cookie stored in cookie jar:

curl -X 'GET' 'http://10.0.0.230:8080/api/subnets' -H 'accept: application/json' -b cookie.txt





From: Kea-users  on behalf of Stefan G. 
Weichinger 
Date: Thursday, December 15, 2022 at 7:46 AM
To: Eric Graham , kea-users@lists.isc.org 

Subject: Re: [Kea-users] Stork API Key



On 14.12.22 at 17:22, Eric Graham wrote:
> I haven't used that platform before, so I don't know for sure, but you
> might find it easier to authenticate for each query, depending on how
> frequent they are.

Trying to figure out these calls now.

curl -k -c cookie.txt -X POST -H 'Content-Type: application/json'
http://10.0.0.230:8080/api/sessions -d '{"useremail": "sgw",
"userpassword": "nCNKR"}'

returns an OK cookie.txt that in turn also can be used for API calls.

-

But I fail with something like:

curl -X GET -H 'Content-Type: application/json' --user
"sgw:nCNKR" http://10.0.0.230:8080/api/users

Shouldn't that work also? Maybe I have a stupid mistake, 
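
As an added example (not part of any message in this thread, nor Stork's own code): a POSIX shell helper for the workflow discussed above, which reads the session cookie's expiry from the curl cookie jar and logs in again only when needed. The names STORK_URL, STORK_USER, STORK_PASSWORD and STORK_JAR and the 300-second renewal margin are assumptions; the endpoints and JSON field names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: reuse a Stork session cookie from a curl cookie jar and log in
# again only when it is missing, expired or about to expire.
# STORK_URL, STORK_USER, STORK_PASSWORD and STORK_JAR are assumed variable names.

# Print the expiry (epoch seconds) of cookie $2 (default "session") in jar $1.
# Jar lines are tab-separated: domain, subdomains, path, secure, expiry, name, value.
# curl marks HttpOnly cookies with a "#HttpOnly_" domain prefix; such a line is a
# cookie, not a comment, so the prefix is stripped before comments are skipped.
session_cookie_expiry() {
    [ -r "$1" ] || return 2
    awk -F '\t' -v name="${2:-session}" '
        { sub(/\r$/, ""); sub(/^#HttpOnly_/, "") }
        /^#/ || NF < 7 { next }
        $6 == name { expiry = $5; found = 1 }
        END { if (!found) exit 1; print expiry }
    ' "$1"
}

# Succeed (status 0) when a new login is needed at time $2 (epoch seconds):
# no session cookie, a non-numeric or zero expiry, or expiry within $3 seconds.
session_needs_login() {
    expiry=$(session_cookie_expiry "$1" session) || return 0
    case $expiry in ''|*[!0-9]*) return 0 ;; esac
    [ "$expiry" -gt 0 ] || return 0
    [ "$expiry" -le $(( $2 + ${3:-300} )) ]
}

# The jar holds a bearer credential: succeed only if group/other have no access.
jar_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# POST the credentials to /api/sessions as in the thread. The JSON body goes in
# on stdin (-d @-) so the password does not show up in the process list, and the
# jar is recreated under umask 077 so only the owner can read the token.
stork_login() {
    esc=$(printf '%s' "$STORK_PASSWORD" | sed 's/[\\"]/\\&/g')
    rm -f "$STORK_JAR"
    ( umask 077
      printf '{"useremail": "%s", "userpassword": "%s"}' "$STORK_USER" "$esc" |
        curl -sS -f -o /dev/null -c "$STORK_JAR" -X POST \
             -H 'Content-Type: application/json' -d @- "$STORK_URL/api/sessions" )
}

# GET an API path (for example /api/subnets) with the stored session cookie,
# logging in first if the cookie is unusable or the jar is readable by others.
stork_get() {
    now=$(date +%s)
    if session_needs_login "$STORK_JAR" "$now" || ! jar_is_private "$STORK_JAR"; then
        stork_login || return 1
    fi
    curl -sS -f -b "$STORK_JAR" -H 'accept: application/json' "$STORK_URL$1"
}
```

Sourced from a scheduled job, `stork_get /api/subnets` then behaves like the second curl call in the thread, without a separate daily login task.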

Re: [Kea-users] Stork API Key

2022-12-14 Thread Eric Graham
I haven't used that platform before, so I don't know for sure, but you might 
find it easier to authenticate for each query, depending on how frequent they 
are. Or you could do it once every, say, 12 hours, and share the cookie between 
all the components making queries. Is that possible?


Eric Graham

DevOps Specialist

Main: 605.995.1777

eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>




Mitchell | Portland | Colorado Springs | San Antonio | Sioux Falls | 
Springfield | Charlotte


From: Stefan G. Weichinger 
Sent: Wednesday, December 14, 2022 3:07 AM
To: Eric Graham ; kea-users@lists.isc.org 

Subject: Re: [Kea-users] Stork API Key


On 13.12.22 at 16:54, Eric Graham wrote:
> Looks like it times out after the default of 24 hours, but can be
> renewed if you authenticate again.
>
> Defined here:
> https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/backend/server/database/session/session_manager.go#L23
>  
> <https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/backend/server/database/session/session_manager.go#L23>
>
> Default defined here:
> https://pkg.go.dev/github.com/alexedwards/scs/v2#SessionManager
> <https://pkg.go.dev/github.com/alexedwards/scs/v2#SessionManager>

phew, looks scary ;-)

I wonder how I would handle this:

I'd like to set up a workflow within n8n (https://n8n.io) that uses the
API calls for various queries. So I assume I'd have to set up a separate
task to retrieve that key every day?

just asking in preparation, thanks, Stefan




Re: [Kea-users] Hook Development - Rust

2022-12-13 Thread Eric Graham
I wrote a basic hook in C++, which showed me how to link to what I needed. I 
used that knowledge to dig into making a Rust PoC, which can be found here: 
https://github.com/vps-eric/Kea-Rust-Base

Given the complexity involved, I'm considering settling for C++; whether I make 
a hook to call my actual Rust hook, as Scott so kindly suggested, or skip Rust 
altogether, I am not yet sure. For now, the run-script hook calling my existing 
Rust program is good enough.



Eric Graham

DevOps Specialist

Main: 605.995.1777

eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>




Mitchell | Portland | Colorado Springs | San Antonio | Sioux Falls | 
Springfield | Charlotte


From: Kea-users  on behalf of Eric Graham 

Sent: Friday, December 9, 2022 10:14 AM
To: Darren Ankney ; kea-users@lists.isc.org 

Subject: Re: [Kea-users] Hook Development - Rust

That's a good idea. At the very least, I can confirm whether the hook is 
expected to load if only implementing version(). According to the docs, I 
believe it to be so, but there's a lot there and I may be mistaken. I'll see 
what comes of it and post back here for future readers. If you or anyone else 
have more suggestions for now, please don't hesitate to share them. I can 
always work on the C++ PoC and the Rust hook at the same time.

From: Kea-users  on behalf of Darren Ankney 

Sent: Friday, December 9, 2022 10:06 AM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Hook Development - Rust


maybe if you develop a simple hook that does something very simple in
c++ it will become more obvious how to do the same in Rust?

On Fri, Dec 9, 2022 at 11:01 AM Eric Graham  wrote:
>
> Thanks for the link! I have gone through that page and the instructions are 
> thorough. There are projects like CXX (https://cxx.rs/) that help with the 
> Rust <--> C++ stuff, but to be honest, I am new to Rust (Python is one I'm 
> more familiar with, but I am not interested in writing the hook in Python at 
> this stage - speed 
> https://stackoverflow.com/questions/801657/is-python-faster-and-lighter-than-c
>  and type safety). I assume something is wrong with how I'm linking against 
> Kea, but I don't know. Unfortunately, the debug log during hook loading is 
> not terribly helpful. I am confident it's possible, though.
>
>
>
> 
> From: Darren Ankney 
> Sent: Friday, December 9, 2022 9:49 AM
> To: Eric Graham 
> Cc: kea-users@lists.isc.org 
> Subject: Re: [Kea-users] Hook Development - Rust
>
> Apologies if you've already found this guide, but here is a link to
> the hook developers guide:
>
> https://reports.kea.isc.org/dev_guide/df/d46/hooksdgDevelopersGuide.html
>
> I'm not super familiar with rust myself (though I have played around
> with it) but you can't just include header files that were meant for
> 'c' or 'c++' right?  At least from what little I've done, it didn't
> seem so...  it seemed they had their own API and an application to
> search user created extensions for such.  The developer's guide I
> linked says it should be possible to create hooks in other languages.
> They mention Python.  I'd say Rust is way closer to C++ than Python
> is... so it should be possible?
>
> On Fri, Dec 9, 2022 at 10:32 AM Eric Graham  
> wrote:
> >
> > Hi Darren,
> >
> > Thanks for the link! I actually have already done so, but for a few reasons 
> > (I believe it is slower than a hook, and it's limited) I would prefer to 
> > write a "native" one.
> >
> > I sure wish it would have been implemented differently, as something like 
> > gRPC + protobuf!
> >
> >
> > 
> > From: Darren Ankney 
> > Sent: Thursday, December 8, 2022 7:34 PM
> > To: kea-users@lists.isc.org 
> > Subject: Re: [Kea-users] Hook Development - Rust
> >
> > If nothing else, perhaps you could make use of the run_script hook:
> > https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#run-script-run-script-support-for-external-hook-scripts
> > You could probably write the "script" in whatever language you want,
> > including rust, or at least that's the way I interpret it.
> >
> > On Thu, Dec 8, 2022 at 2:16 PM Eric Graham  
> > wrote:
> > >
> > > Hello! First time using this / any mailing list, so critiques welcome.
> > >
> > > I am looking into the possibility of writing a Rust hook. I understand 
> > > that using C++ is likely the simplest alternative, but Rust is attractive 
> >

Re: [Kea-users] Stork API Key

2022-12-13 Thread Eric Graham
Looks like it times out after the default of 24 hours, but can be renewed if 
you authenticate again.

Defined here: 
https://gitlab.isc.org/isc-projects/stork/-/blob/aa1036c20dd32eaeaa9675b329d8b704dbeeb718/backend/server/database/session/session_manager.go#L23

Default defined here: 
https://pkg.go.dev/github.com/alexedwards/scs/v2#SessionManager



Eric Graham

DevOps Specialist

Main: 605.995.1777

eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>




Mitchell | Portland | Colorado Springs | San Antonio | Sioux Falls | 
Springfield | Charlotte


From: Kea-users  on behalf of Stefan G. 
Weichinger 
Sent: Tuesday, December 13, 2022 2:26 AM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Stork API Key


On 12.12.22 at 16:39, Eric Graham wrote:
> Hi Stefan,
>
> As far as I am aware, there's no token. Send a POST to /sessions and use
> the "session" cookie to authenticate, as so:
>
> ➜ curl -k -c cookie.txt -X POST -H 'Content-Type: application/json'
> https://127.68.45.99/api/sessions -d '{"useremail": "admin",
> "userpassword": "your password here"}'
> {"email":"admin@yourdomain.local","groups":[1],"id":2,"lastname":"Admin","login":"admin","name":"Test
>  Admin"}
>
> ➜ cat cookie.txt
> # Netscape HTTP Cookie File
> # https://curl.se/docs/http-cookies.html
> # This file was generated by libcurl! Edit at your own risk.
>
> #HttpOnly_10.0.7.11 FALSE   /   FALSE   1670945665  session
> jWZUnuCYYhs6seDTKpliwnp4eIWHIA1ObVi_Ior_YYLk
>
> ➜ curl -k -X GET -H 'Content-Type: application/json' -b cookie.txt
> https://127.68.45.99/api/users
> {"items":[{"email":"admin@yourdomain.local","groups":[1],"id":2,"lastname":"Admin","login":"admin","name":"Test
>  Admin"}],"total":1}
>
> 

Great, works here ... does that cookie have a lifetime, does it time out ?

thanks




Re: [Kea-users] DHCPv6 relay and ff05::1:3

2022-12-12 Thread Eric Graham
Hi Joe,

I realize you're having a specific issue, but for others and also to help 
troubleshoot, here's how I configure dhcrelay on Almalinux 8:
---

  1.  Install dhcp-relay
  2.  Copy /lib/systemd/system/dhcrelay.service to 
/etc/systemd/system/dhcrelay6.service
  3.  Edit the service with systemctl edit dhcrelay6.service:

      [Service]
      ExecStart=
      ExecStart=/sbin/dhcrelay -d --no-pid -6 -l $YOUR_IFACE_FACING_CLIENTS -u $YOUR_IFACE_FACING_KEA

  4.  Reload the systemd daemon and (re)start the dhcrelay service.

For the Kea side, can you show your config, and logs? Inside my shared networks 
list, I have the following, emphasis on the "relay" object:
---
{
  "name": "Dummy DHCPv6",
  "valid-lifetime": 600,
  "relay": {
    "ip-addresses": [ "ff05::1:3" ]
  },
  "option-data": [
    { "name": "domain-search", "data": "your-domain.internal" }
  ],
  "subnet6": [
    {
      "subnet": "2001:db8::/40",
      "pools": [
        { "pool": "2001:db8::f - 2001:db8::fffe" }
      ],
      "pd-pools": [
        {
          "prefix": "2001:db8:100::",
          "prefix-len": 40,
          "delegated-len": 56
        }
      ]
    }
  ]
}



Eric Graham

DevOps Specialist

Main: 605.995.1777

eric.gra...@vantagepnt.com<mailto:eric.gra...@vantagepnt.com>




Mitchell | Portland | Colorado Springs | San Antonio | Sioux Falls | 
Springfield | Charlotte


From: Kea-users  on behalf of Joe Botha 

Sent: Monday, December 12, 2022 8:54 AM
To: kea-users@lists.isc.org 
Subject: [Kea-users] DHCPv6 relay and ff05::1:3


Hi

Busy setting up a dhcpv6 server and relay, using Kea 2.2 and ISC dhcrelay 4.4.1.

Kea DHCPv6 server listens on:
udp6 ff02::1:2 port 547

but ISC dhcrelay sends to:
ff05::1:3 port 547

I can’t seem to tell kea to listen on ff05::1:3, and I can’t seem to tell 
dhcrelay to send to ff02::1:2.

Am I missing something?

--
Swimmingly,
 Joe

swimgeek.com/blog  +27 82 562 6167  instagram.com/joe.swimgeek
  "...all progress depends on the unreasonable man.”






Re: [Kea-users] Stork API Key

2022-12-12 Thread Eric Graham
Hi Stefan,

As far as I am aware, there's no token. Send a POST to /sessions and use the 
"session" cookie to authenticate, as so:

➜ curl -k -c cookie.txt -X POST -H 'Content-Type: application/json' 
https://127.68.45.99/api/sessions -d '{"useremail": "admin", "userpassword": 
"your password here"}'
{"email":"admin@yourdomain.local","groups":[1],"id":2,"lastname":"Admin","login":"admin","name":"Test
 Admin"}

➜ cat cookie.txt
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_10.0.7.11 FALSE   /   FALSE   1670945665  session 
jWZUnuCYYhs6seDTKpliwnp4eIWHIA1ObVi_Ior_YYLk

➜ curl -k -X GET -H 'Content-Type: application/json' -b cookie.txt 
https://127.68.45.99/api/users
{"items":[{"email":"admin@yourdomain.local","groups":[1],"id":2,"lastname":"Admin","login":"admin","name":"Test
 Admin"}],"total":1}


From: Kea-users  on behalf of Stefan G. 
Weichinger 
Sent: Monday, December 12, 2022 12:05 AM
To: kea-users@lists.isc.org 
Subject: [Kea-users] Stork API Key


Starting to think of using the Stork API
https://stork.readthedocs.io/en/latest/backend-api.html

browsing the mentioned docs on my Stork server but I can't figure out
how to generate an API Key to authenticate ... could someone point me at
some howto?

thanks, Stefan


Re: [Kea-users] ipv6 being ignored

2022-12-09 Thread Eric Graham
Hi Alan,

What does Kea have in the DHCPv6 log for this request? It may help to increase 
verbosity. Since this is subnet id 11, I assume you have other subnets that are 
already configured and working; is this accurate?

From: Kea-users  on behalf of Alan Batie 

Sent: Friday, December 9, 2022 11:23 AM
To: kea-users@lists.isc.org 
Subject: [Kea-users] ipv6 being ignored


Looking for suggestions - tshark shows forwarded dhcpv6 requests being
received, however they're being ignored:

User Datagram Protocol, Src Port: 547, Dst Port: 547
 Source Port: 547
 Destination Port: 547
 Length: 341
 Checksum: 0x712b [unverified]
 [Checksum Status: Unverified]
 [Stream index: 0]
 [Timestamps]
 [Time since first frame: 0.0 seconds]
 [Time since previous frame: 0.0 seconds]
 UDP payload (333 bytes)
DHCPv6
 Message type: Relay-forw (12)
 Hopcount: 1
 Link address: 2607:f678:1fff:1031::1
 Peer address: fe80::4a77:46ff:fef9:5bb0
 Relay Message
 Option: Relay Message (9)
 Length: 260
 DHCPv6
 Message type: Relay-forw (12)
 Hopcount: 0
 Link address: ::
 Peer address: fe80::4a77:46ff:fef9:5bb0
 Relay Message
 Option: Relay Message (9)
 Length: 107
 DHCPv6
 Message type: Solicit (1)
 Transaction ID: 0xf37d54
 Elapsed time
 Option: Elapsed time (8)
 Length: 2
 Elapsed time: 655350ms
 Option Request
 Option: Option Request (6)
 Length: 30
 Requested Option code: Vendor-specific Information (17)
 Requested Option code: SIP Server Domain Name List (21)
 Requested Option code: SIP Servers IPv6 Address List (22)
 Requested Option code: DNS recursive name server (23)
 Requested Option code: Domain Search List (24)
 Requested Option code: Simple Network Time Protocol Server (31)
 Requested Option code: NTP Server (56)
 Requested Option code: Dual-Stack Lite AFTR Name (64)
 Requested Option code: Prefix Exclude (67)
 Requested Option code: SOL_MAX_RT (82)
 Requested Option code: INF_MAX_RT (83)
 Requested Option code: S46 MAP-E Container (94)
 Requested Option code: S46 MAP-T Container (95)
 Requested Option code: S46 Lightweight 4over6 Container (96)
 Requested Option code: Server unicast (12)
...



Relevant configuration:

   "Dhcp6": {
 "interfaces-config": {
   "interfaces": [ "ens160/2607:f678::16:91" ],
 },
...
 "subnet6": [
...
   {
 "id": 11,
 "subnet": "2607:f678:1fff:1031::/64",
 "pools": [
   {
 "pool": "2607:f678:1fff:1031::1000 - 2607:f678:1fff:1031::1fff"
   }
 ],
 "pd-pools": [
 {
   # Customer lan delegated prefixes
   "prefix": "2607:f678:2000::",
   "prefix-len": 36,
   "delegated-len": 60,
 }
 ],
 "relay": {
   "ip-addresses": [ "2607:f678:1fff:1031::1" ]
 }
   }

kea is actually listening:

netstat -plan | grep :547
udp6   0  0 2607:f678::16:91:547     :::*   18503/kea-dhcp6
udp6   0  0 fe80::250:56ff:fe99:547  :::*   18503/kea-dhcp6
udp6   0  0 ff02::1:2:547            :::*   18503/kea-dhcp6


--
ALAN BATIE
Senior Systems Engineer
541-754-7325
alan.ba...@peakinternet.com 
www.peakinternet.com 

Empowering people and improving quality of life.



Re: [Kea-users] Hook Development - Rust

2022-12-09 Thread Eric Graham
That's a good idea. At the very least, I can confirm whether the hook is 
expected to load if only implementing version(). According to the docs, I 
believe it to be so, but there's a lot there and I may be mistaken. I'll see 
what comes of it and post back here for future readers. If you or anyone else 
have more suggestions for now, please don't hesitate to share them. I can 
always work on the C++ PoC and the Rust hook at the same time.

From: Kea-users  on behalf of Darren Ankney 

Sent: Friday, December 9, 2022 10:06 AM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Hook Development - Rust


maybe if you develop a simple hook that does something very simple in
c++ it will become more obvious how to do the same in Rust?

On Fri, Dec 9, 2022 at 11:01 AM Eric Graham  wrote:
>
> Thanks for the link! I have gone through that page and the instructions are 
> thorough. There are projects like CXX (https://cxx.rs/) that help with the 
> Rust <--> C++ stuff, but to be honest, I am new to Rust (Python is one I'm 
> more familiar with, but I am not interested in writing the hook in Python at 
> this stage - speed 
> https://stackoverflow.com/questions/801657/is-python-faster-and-lighter-than-c
>  and type safety). I assume something is wrong with how I'm linking against 
> Kea, but I don't know. Unfortunately, the debug log during hook loading is 
> not terribly helpful. I am confident it's possible, though.
>
>
>
> 
> From: Darren Ankney 
> Sent: Friday, December 9, 2022 9:49 AM
> To: Eric Graham 
> Cc: kea-users@lists.isc.org 
> Subject: Re: [Kea-users] Hook Development - Rust
>
> Apologies if you've already found this guide, but here is a link to
> the hook developers guide:
>
> https://reports.kea.isc.org/dev_guide/df/d46/hooksdgDevelopersGuide.html
>
> I'm not super familiar with rust myself (though I have played around
> with it) but you can't just include header files that were meant for
> 'c' or 'c++' right?  At least from what little I've done, it didn't
> seem so...  it seemed they had their own API and an application to
> search user created extensions for such.  The developer's guide I
> linked says it should be possible to create hooks in other languages.
> They mention Python.  I'd say Rust is way closer to C++ than Python
> is... so it should be possible?
>
> On Fri, Dec 9, 2022 at 10:32 AM Eric Graham  
> wrote:
> >
> > Hi Darren,
> >
> > Thanks for the link! I actually have already done so, but for a few reasons 
> > (I believe it is slower than a hook, and it's limited) I would prefer to 
> > write a "native" one.
> >
> > I sure wish it would have been implemented differently, as something like 
> > gRPC + protobuf!
> >
> >
> > 
> > From: Darren Ankney 
> > Sent: Thursday, December 8, 2022 7:34 PM
> > To: kea-users@lists.isc.org 
> > Subject: Re: [Kea-users] Hook Development - Rust
> >
> > If nothing else, perhaps you could make use of the run_script hook:
> > https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#run-script-run-script-support-for-external-hook-scripts
> > You could probably write the "script" in whatever language you want,
> > including rust, or at least that's the way I interpret it.
> >
> > On Thu, Dec 8, 2022 at 2:16 PM Eric Graham  
> > wrote:
> > >
> > > Hello! First time using this / any mailing list, so critiques welcome.
> > >
> > > I am looking into the possibility of writing a Rust hook. I understand 
> > > that using C++ is likely the simplest alternative, but Rust is attractive 
> > > for its memory safety and speed. I have not had luck finding any Kea hook 
> > > in Rust to use as a starting point. The C FFI is a complicating factor. 
> > > In fact, I have not had luck getting a very basic PoC to register with 
> > > Kea, just implementing version(). Does anyone know of a hook even 
> > > partially implemented in Rust, or have interest in doing so?
> > >
> > > Thank you,
> > > Eric
> > >
> > > If this email belongs in the dev list, please correct me. Thanks.
> > > This message is intended solely for the use of the individual and entity 
> > > to whom it is addressed and may contain information that is privileged, 
> > > confidential, and exempt from disclosure under applicable state and 
> > > federal laws. If you are not the addressee or are not authorized to 
> > >

Re: [Kea-users] Hook Development - Rust

2022-12-09 Thread Eric Graham
Thanks for the link! I have gone through that page and the instructions are 
thorough. There are projects like CXX (https://cxx.rs/) that help with the Rust 
<--> C++ stuff, but to be honest, I am new to Rust (Python is one I'm more 
familiar with, but I am not interested in writing the hook in Python at this 
stage - speed 
https://stackoverflow.com/questions/801657/is-python-faster-and-lighter-than-c 
and type safety). I assume something is wrong with how I'm linking against Kea, 
but I don't know. Unfortunately, the debug log during hook loading is not 
terribly helpful. I am confident it's possible, though.




From: Darren Ankney 
Sent: Friday, December 9, 2022 9:49 AM
To: Eric Graham 
Cc: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Hook Development - Rust

Apologies if you've already found this guide, but here is a link to
the hook developers guide:

https://reports.kea.isc.org/dev_guide/df/d46/hooksdgDevelopersGuide.html

I'm not super familiar with rust myself (though I have played around
with it) but you can't just include header files that were meant for
'c' or 'c++' right?  At least from what little I've done, it didn't
seem so...  it seemed they had their own API and an application to
search user created extensions for such.  The developer's guide I
linked says it should be possible to create hooks in other languages.
They mention Python.  I'd say Rust is way closer to C++ than Python
is... so it should be possible?

On Fri, Dec 9, 2022 at 10:32 AM Eric Graham  wrote:
>
> Hi Darren,
>
> Thanks for the link! I actually have already done so, but for a few reasons 
> (I believe it is slower than a hook, and it's limited) I would prefer to 
> write a "native" one.
>
> I sure wish it would have been implemented differently, as something like 
> gRPC + protobuf!
>
>
> 
> From: Darren Ankney 
> Sent: Thursday, December 8, 2022 7:34 PM
> To: kea-users@lists.isc.org 
> Subject: Re: [Kea-users] Hook Development - Rust
>
> If nothing else, perhaps you could make use of the run_script hook:
> https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#run-script-run-script-support-for-external-hook-scripts
> You could probably write the "script" in whatever language you want,
> including rust, or at least that's the way I interpret it.
>
> On Thu, Dec 8, 2022 at 2:16 PM Eric Graham  wrote:
> >
> > Hello! First time using this / any mailing list, so critiques welcome.
> >
> > I am looking into the possibility of writing a Rust hook. I understand that 
> > using C++ is likely the simplest alternative, but Rust is attractive for 
> > its memory safety and speed. I have not had luck finding any Kea hook in 
> > Rust to use as a starting point. The C FFI is a complicating factor. In 
> > fact, I have not had luck getting a very basic PoC to register with Kea, 
> > just implementing version(). Does anyone know of a hook even partially 
> > implemented in Rust, or have interest in doing so?
> >
> > Thank you,
> > Eric
> >
> > If this email belongs in the dev list, please correct me. Thanks.


Re: [Kea-users] Hook Development - Rust

2022-12-09 Thread Eric Graham
Hi Darren,

Thanks for the link! I actually have already done so, but for a few reasons (I 
believe it is slower than a hook, and it's 
limited<https://gitlab.isc.org/isc-projects/kea/-/issues/2622>) I would prefer 
to write a "native" one.

I sure wish it would have been implemented 
differently<https://github.com/mozilla/application-services/issues/612>, as 
something like gRPC + protobuf!



From: Darren Ankney 
Sent: Thursday, December 8, 2022 7:34 PM
To: kea-users@lists.isc.org 
Subject: Re: [Kea-users] Hook Development - Rust

If nothing else, perhaps you could make use of the run_script hook:
https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#run-script-run-script-support-for-external-hook-scripts
You could probably write the "script" in whatever language you want,
including rust, or at least that's the way I interpret it.

On Thu, Dec 8, 2022 at 2:16 PM Eric Graham  wrote:
>
> Hello! First time using this / any mailing list, so critiques welcome.
>
> I am looking into the possibility of writing a Rust hook. I understand that 
> using C++ is likely the simplest alternative, but Rust is attractive for its 
> memory safety and speed. I have not had luck finding any Kea hook in Rust to 
> use as a starting point. The C FFI is a complicating factor. In fact, I have 
> not had luck getting a very basic PoC to register with Kea, just implementing 
> version(). Does anyone know of a hook even partially implemented in Rust, or 
> have interest in doing so?
>
> Thank you,
> Eric
>
> If this email belongs in the dev list, please correct me. Thanks.


[Kea-users] Hook Development - Rust

2022-12-08 Thread Eric Graham
Hello! First time using this / any mailing list, so critiques welcome.

I am looking into the possibility of writing a Rust hook. I understand that 
using C++ is likely the simplest alternative, but Rust is attractive for its 
memory safety and speed. I have not had luck finding any Kea hook in Rust to 
use as a starting point. The C FFI is a complicating factor. In fact, I have 
not had luck getting a very basic PoC to register with Kea, just implementing 
version(). Does anyone know of a hook even partially implemented in Rust, or 
have interest in doing so?

Thank you,
Eric

If this email belongs in the dev list, please correct me. Thanks.