It looks like your apparmor pattern is slightly wrong.
In the following, the asterisk (*) does not allow for the slash (/)
character:
debian/apparmor/sbin.dhclient: /{,var/}run/dhclient*.pid lrw,
debian/apparmor/sbin.dhclient: /{,var/}run/dhclient*.lease* lrw,
(See docs about globbing here:
https://manpages.debian.org/wheezy/apparmor/apparmor.d.5.en.html#Globbing
and see that just one asterisk clearly says: "* → can substitute for any
number of characters, excepting '/'".)
It should be two asterisks (**) instead:
debian/apparmor/sbin.dhclient: /{,var/}run/dhclient**.pid lrw,
debian/apparmor/sbin.dhclient: /{,var/}run/dhclient**.lease* lrw,
(Same doc as above: "** → can substitute for any number of characters,
including '/'")
Then I think that the PID files will be created as expected. Somehow,
the IPv4 one is created for me. Not too sure why. However, the IPv6
fails with:
> 2025-04-20T09:09:05.152724-07:00 monster kernel: audit: type=1400
> audit(1745165345.150:762):
> apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/dhcpd"
> name="/run/dhcp-server6/dhcpd6.pid" pid=218742 comm="dhcpd" requested_mask="c"
> denied_mask="c" fsuid=0 ouid=0
which means that apparmor prevented the creation (mknod) of the file
(class="file"). It is not a user issue, since fsuid and ouid are set to
0 (root).
Now, looking at the actual file, I found this line:
/{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw,
which doesn't match what I've seen in the Ubuntu source for 24.04...
Either way, that one misses the IPv6 folder. It should be:
/{,var/}run/{,dhcp-server/,dhcp-server6/}dhcpd{,6}.pid rw,
to work properly with IPv6 which explains why the IPv4 worked but not
the IPv6.
Ah. I see that new definition in this file:
debian/apparmor/usr.sbin.dhcpd
Okay. So you can ignore the '*' vs '**' comment above. Just add the
",dhcp-server6" to that file and we should be good on that end.
---
As a side note:
Since you do not specify a Type=... in your .service files, it defaults to
"simple".
https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#Type=
As such, the PID file is not necessary and is actually considered
obsolete.
> Note that PID files should be avoided in modern projects
https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#PIDFile=
But I would imagine that you need to support many distros, many that are
still not using systemctl. In that case, it makes sense to continue to
support that thing even though on Debian/Ubuntu it could just be
completely removed.
---
Another note, which I think is of importance, is the fact that the
filename is supposedly editable in the default file. But then you do not
use that folder. Because of apparmor, it is likely to fail "badly" if
the user attempts to save the PID file somewhere else. But for that, I
would warn the user and explain that they either have to turn off
apparmor, edit the isc-dhcp apparmor file, or make sure the destination
is allowed (like /var/lib/dhcp/... which is already allowed).
So I would suggest to use the variable in:
exec dhcpd ... -4 -pf $DHCPDv4_PID ...
exec dhcpd ... -6 -pf $DHCPDv6_PID ...
Either that or remove the variable from the default (/etc/default/isc-dhcp-server).
---
Thank you.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1448657
Title:
isc-dhcp-server: Can't create PID file /run/dhcp-server/dhcpd.pid:
Permission denied
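Added example (not part of the bug report or the isc-dhcp package): a small Python matcher that applies the globbing rules quoted above from apparmor.d(5) to the dhcpd.pid rule, so the old profile line and the one with dhcp-server6/ added can be checked against the path in the DENIED audit line. It is an approximation of AppArmor's own path matching and assumes the rule paths are exactly as quoted in the discussion.

```python
import re

def _glob_body(glob: str) -> str:
    """Translate one AppArmor path glob into an unanchored Python regex fragment:
    '*' matches any run of characters except '/', '**' any run including '/',
    '{a,b,...}' is an alternation whose branches may themselves contain globs."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == '*' and glob[i + 1:i + 2] == '*':
            out.append('.*'); i += 2; continue
        if c == '*':
            out.append('[^/]*')
        elif c == '{':
            depth, j = 1, i + 1                       # locate the matching '}'
            while j < len(glob) and depth:
                depth += {'{': 1, '}': -1}.get(glob[j], 0)
                j += 1
            if depth:
                raise ValueError(f"unbalanced braces in {glob!r}")
            alts, buf, d = [], '', 0                  # split on top-level commas only
            for ch in glob[i + 1:j - 1]:
                d += {'{': 1, '}': -1}.get(ch, 0)
                if ch == ',' and d == 0:
                    alts.append(buf); buf = ''
                else:
                    buf += ch
            alts.append(buf)
            out.append('(?:' + '|'.join(map(_glob_body, alts)) + ')')
            i = j; continue
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)

def rule_matches(rule_path: str, path: str) -> bool:
    """True if the path glob from a profile rule covers the given absolute path."""
    return re.fullmatch(_glob_body(rule_path), path) is not None

# dhcpd.pid rule as found in debian/apparmor/usr.sbin.dhcpd, and with dhcp-server6/ added
OLD_RULE = "/{,var/}run/{,dhcp-server/}dhcpd{,6}.pid"
NEW_RULE = "/{,var/}run/{,dhcp-server/,dhcp-server6/}dhcpd{,6}.pid"

def check_pid_paths(rule_path: str) -> dict:
    """Report which of the PID locations from the bug discussion the rule allows."""
    paths = ["/run/dhcp-server/dhcpd.pid",            # IPv4: allowed by both rules
             "/run/dhcp-server6/dhcpd6.pid",          # IPv6: the path in the DENIED audit line
             "/var/run/dhcpd6.pid"]
    return {p: rule_matches(rule_path, p) for p in paths}
```

check_pid_paths(OLD_RULE) reports /run/dhcp-server6/dhcpd6.pid as False and check_pid_paths(NEW_RULE) reports it as True; rule_matches also shows that a single '*' in the dhclient rules stops at a '/' while '**' does not.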