Can you try adding the following to
/etc/apparmor.d/local/usr.sbin.dhcpd:

  network packet dgram,

And then running

sudo apparmor_parser -rT /etc/apparmor.d/usr.sbin.dhcpd

And see if restarting dhcpd then works?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1862112

Title:
  apparmor prevents DHCP from starting with IPoIB interface

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  # lsb_release -rd
  Description:    Ubuntu Focal Fossa (development branch)
  Release:        20.04

  # apt-cache policy isc-dhcp-server
  isc-dhcp-server:
    Installed: 4.4.1-2ubuntu6
    Candidate: 4.4.1-2ubuntu6
    Version table:
   *** 4.4.1-2ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
          100 /var/lib/dpkg/status

  I expect isc-dhcp-server to start.
  It does not because apparmor blocks something related to having an ib_ipoib interface present.

  I have infiniband interfaces using IPoIB. This prevents DHCP from
  starting because apparmor DENIES something.

  ip addr list:
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether 1c:c1:de:e6:b4:08 brd ff:ff:ff:ff:ff:ff
      inet 130.166.47.2/24 brd 130.166.47.255 scope global enp3s0f0
         valid_lft forever preferred_lft forever
      inet 130.166.47.1/24 brd 130.166.47.255 scope global secondary enp3s0f0
         valid_lft forever preferred_lft forever
      inet6 fe80::1ec1:deff:fee6:b408/64 scope link
         valid_lft forever preferred_lft forever
  3: enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether 1c:c1:de:e6:b4:0a brd ff:ff:ff:ff:ff:ff
      inet 10.47.0.2/16 brd 10.47.255.255 scope global enp3s0f1
         valid_lft forever preferred_lft forever
      inet6 fe80::1ec1:deff:fee6:b40a/64 scope link
         valid_lft forever preferred_lft forever
  4: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether 1c:c1:de:e6:b4:00 brd ff:ff:ff:ff:ff:ff
      inet 10.0.47.2/24 brd 10.0.47.255 scope global enp4s0f0
         valid_lft forever preferred_lft forever
      inet6 fe80::1ec1:deff:fee6:b400/64 scope link
         valid_lft forever preferred_lft forever
  5: enp4s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether 1c:c1:de:e6:b4:02 brd ff:ff:ff:ff:ff:ff
      inet 130.166.240.19/29 brd 130.166.240.23 scope global enp4s0f1
         valid_lft forever preferred_lft forever
      inet 130.166.240.18/29 brd 130.166.240.23 scope global secondary enp4s0f1
         valid_lft forever preferred_lft forever
      inet6 fe80::1ec1:deff:fee6:b402/64 scope link
         valid_lft forever preferred_lft forever
  8: ibs1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc fq_codel state UP group default qlen 256
      link/infiniband 80:00:02:0a:fe:80:00:00:00:00:00:00:00:02:c9:03:00:0f:45:ef brd 00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
      inet 192.168.47.2/24 brd 192.168.47.255 scope global ibs1
         valid_lft forever preferred_lft forever
      inet6 fe80::202:c903:f:45ef/64 scope link
         valid_lft forever preferred_lft forever
  9: ibs1d1: <BROADCAST,MULTICAST> mtu 4092 qdisc noop state DOWN group default qlen 256
      link/infiniband 80:00:02:0b:fe:80:00:00:00:00:00:00:00:02:c9:03:00:0f:45:f0 brd 00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff

  # service isc-dhcp-server start
  # tail /var/log/syslog
  Feb  6 05:26:50 firewalla systemd[1]: Started ISC DHCP IPv4 server.
  Feb  6 05:26:50 firewalla dhcpd[2513]: Internet Systems Consortium DHCP Server 4.4.1
  Feb  6 05:26:50 firewalla sh[2513]: Internet Systems Consortium DHCP Server 4.4.1
  Feb  6 05:26:50 firewalla sh[2513]: Copyright 2004-2018 Internet Systems Consortium.
  Feb  6 05:26:50 firewalla sh[2513]: All rights reserved.
  Feb  6 05:26:50 firewalla sh[2513]: For info, please visit https://www.isc.org/software/dhcp/
  Feb  6 05:26:50 firewalla dhcpd[2513]: Copyright 2004-2018 Internet Systems Consortium.
  Feb  6 05:26:50 firewalla dhcpd[2513]: All rights reserved.
  Feb  6 05:26:50 firewalla dhcpd[2513]: For info, please visit https://www.isc.org/software/dhcp/
  Feb  6 05:26:50 firewalla kernel: [ 1098.134784] audit: type=1400 audit(1580966810.775:62): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2513 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb  6 05:26:50 firewalla kernel: [ 1098.134926] audit: type=1400 audit(1580966810.775:63): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2513 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb  6 05:26:50 firewalla dhcpd[2513]: Config file: /etc/dhcp/dhcpd.conf
  Feb  6 05:26:50 firewalla sh[2513]: Config file: /etc/dhcp/dhcpd.conf
  Feb  6 05:26:50 firewalla sh[2513]: Database file: /var/lib/dhcp/dhcpd.leases
  Feb  6 05:26:50 firewalla sh[2513]: PID file: /run/dhcp-server/dhcpd.pid
  Feb  6 05:26:50 firewalla dhcpd[2513]: Database file: /var/lib/dhcp/dhcpd.leases
  Feb  6 05:26:50 firewalla dhcpd[2513]: PID file: /run/dhcp-server/dhcpd.pid
  Feb  6 05:26:50 firewalla dhcpd[2513]: Internet Systems Consortium DHCP Server 4.4.1
  Feb  6 05:26:50 firewalla dhcpd[2513]: Copyright 2004-2018 Internet Systems Consortium.
  Feb  6 05:26:50 firewalla dhcpd[2513]: All rights reserved.
  Feb  6 05:26:50 firewalla sh[2513]: Wrote 0 deleted host decls to leases file.
  Feb  6 05:26:50 firewalla sh[2513]: Wrote 0 new dynamic host decls to leases file.
  Feb  6 05:26:50 firewalla dhcpd[2513]: For info, please visit https://www.isc.org/software/dhcp/
  Feb  6 05:26:50 firewalla dhcpd[2513]: Wrote 0 deleted host decls to leases file.
  Feb  6 05:26:50 firewalla sh[2513]: Wrote 13 leases to leases file.
  Feb  6 05:26:50 firewalla dhcpd[2513]: Wrote 0 new dynamic host decls to leases file.
  Feb  6 05:26:50 firewalla dhcpd[2513]: Wrote 13 leases to leases file.
  Feb  6 05:26:50 firewalla dhcpd[2513]: Open a socket for LPF: Permission denied
  Feb  6 05:26:50 firewalla sh[2513]: Open a socket for LPF: Permission denied
  Feb  6 05:26:50 firewalla sh[2513]: If you think you have received this message due to a bug rather
  Feb  6 05:26:50 firewalla sh[2513]: than a configuration issue please read the section on submitting
  Feb  6 05:26:50 firewalla sh[2513]: bugs on either our web page at www.isc.org or in the README file
  Feb  6 05:26:50 firewalla sh[2513]: before submitting a bug.  These pages explain the proper
  Feb  6 05:26:50 firewalla sh[2513]: process and the information we find helpful for debugging.
  Feb  6 05:26:50 firewalla sh[2513]: exiting.
  Feb  6 05:26:50 firewalla dhcpd[2513]:
  Feb  6 05:26:50 firewalla dhcpd[2513]: If you think you have received this message due to a bug rather
  Feb  6 05:26:50 firewalla dhcpd[2513]: than a configuration issue please read the section on submitting
  Feb  6 05:26:50 firewalla dhcpd[2513]: bugs on either our web page at www.isc.org or in the README file
  Feb  6 05:26:50 firewalla dhcpd[2513]: before submitting a bug.  These pages explain the proper
  Feb  6 05:26:50 firewalla dhcpd[2513]: process and the information we find helpful for debugging.
  Feb  6 05:26:50 firewalla dhcpd[2513]:
  Feb  6 05:26:50 firewalla dhcpd[2513]: exiting.
  Feb  6 05:26:50 firewalla systemd[1]: isc-dhcp-server.service: Main process exited, code=exited, status=1/FAILURE
  Feb  6 05:26:50 firewalla kernel: [ 1098.167716] audit: type=1400 audit(1580966810.807:64): apparmor="DENIED" operation="create" profile="/usr/sbin/dhcpd" pid=2513 comm="dhcpd" family="packet" sock_type="dgram" protocol=8 requested_mask="create" denied_mask="create"
  Feb  6 05:26:50 firewalla systemd[1]: isc-dhcp-server.service: Failed with result 'exit-code'.

  # dmesg
  [ 1225.764932] audit: type=1400 audit(1580966938.403:67): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2722 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1225.765050] audit: type=1400 audit(1580966938.403:68): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2722 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1225.863847] audit: type=1400 audit(1580966938.503:69): apparmor="DENIED" operation="create" profile="/usr/sbin/dhcpd" pid=2722 comm="dhcpd" family="packet" sock_type="dgram" protocol=8 requested_mask="create" denied_mask="create"

  If I remove the ib_ipoib kernel module it will start just fine.

  What do I have to do to properly fix this short of getting rid of
  apparmor?
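
The reply at the top of this thread turns the `family="packet" sock_type="dgram"` denial into the rule `network packet dgram,` by hand. As an added example (not part of the bug report or of AppArmor's own tooling), this Python script performs that mapping for the three dmesg records above; `parse_denial`, `candidate_rule` and `rules_by_profile` are hypothetical names, and the result is a list of rules to review before adding any of them.

```python
import re
from collections import defaultdict

# dmesg records from the bug description, with the e-mail line wrapping removed.
SAMPLE = "\n".join([
    '[ 1225.764932] audit: type=1400 audit(1580966938.403:67): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/dhcpd" '
    'name="/proc/sys/net/ipv4/ip_local_port_range" pid=2722 comm="dhcpd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 1225.765050] audit: type=1400 audit(1580966938.403:68): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/dhcpd" '
    'name="/proc/sys/net/ipv4/ip_local_port_range" pid=2722 comm="dhcpd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 1225.863847] audit: type=1400 audit(1580966938.503:69): apparmor="DENIED" '
    'operation="create" profile="/usr/sbin/dhcpd" pid=2722 comm="dhcpd" '
    'family="packet" sock_type="dgram" protocol=8 requested_mask="create" '
    'denied_mask="create"',
])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def candidate_rule(f):
    """Map one denial to a profile rule to review; None if no direct mapping."""
    if "family" in f:  # socket denial -> network rule
        return "network " + " ".join(f[k] for k in ("family", "sock_type") if k in f) + ","
    name, mask = f.get("name", ""), f.get("denied_mask", "")
    # Only plain paths whose mask is already a valid rule permission; exec and
    # create/delete denials and hex-encoded names need a manual decision.
    if name.startswith("/") and mask and set(mask) <= set("rwaklm"):
        return f"{name} {mask},"
    return None

def rules_by_profile(log_text):
    """Collect de-duplicated candidate rules per confined profile."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_denial(line)
        rule = candidate_rule(f) if f else None
        if rule and "profile" in f:
            out[f["profile"]].add(rule)
    return {p: sorted(r) for p, r in out.items()}

if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE).items():
        print(profile, *rules, sep="\n  ")
```

Rules accepted after review go into /etc/apparmor.d/local/usr.sbin.dhcpd, and the profile is reloaded with the apparmor_parser command given in the reply.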
