[Bug 1862112] Re: apparmor prevents DHCP from starting with IPoIB interface
jwiegley
1862112 at bugs.launchpad.net
Thu Feb 6 17:11:56 UTC 2020
That is what I wound up doing and it does fix it. I think this is
probably the right fix to apply if an infiniband oriented package is
installed.
Thank you
Jeff
-------- Original message --------
From: Alex Murray <alex.murray at canonical.com>
Date: 2/5/20 10:05 PM (GMT-08:00)
To: "Wiegley, Jeffrey" <jeffw at csun.edu>
Subject: [Bug 1862112] Re: apparmor prevents DHCP from starting with IPoIB interface
Can you try adding the following to
/etc/apparmor.d/local/usr.sbin.dhcpd:

  network packet dgram,

And then running

  sudo apparmor_parser -rT /etc/apparmor.d/usr.sbin.dhcpd

And see if restarting dhcpd then works?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1862112
Title:
apparmor prevents DHCP from starting with IPoIB interface
Status in isc-dhcp package in Ubuntu:
New
Bug description:
# lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
# apt-cache policy isc-dhcp-server
isc-dhcp-server:
Installed: 4.4.1-2ubuntu6
Candidate: 4.4.1-2ubuntu6
Version table:
*** 4.4.1-2ubuntu6 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
100 /var/lib/dpkg/status
I expect isc-dhcp-server to start.
It does not because apparmor blocks something related to having an ib_ipoib interface present.
I have infiniband interfaces using IPoIB. This prevents DHCP from
starting because apparmor DENIES something.
ip addr list:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 1c:c1:de:e6:b4:08 brd ff:ff:ff:ff:ff:ff
inet 130.166.47.2/24 brd 130.166.47.255 scope global enp3s0f0
valid_lft forever preferred_lft forever
inet 130.166.47.1/24 brd 130.166.47.255 scope global secondary enp3s0f0
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:deff:fee6:b408/64 scope link
valid_lft forever preferred_lft forever
3: enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 1c:c1:de:e6:b4:0a brd ff:ff:ff:ff:ff:ff
inet 10.47.0.2/16 brd 10.47.255.255 scope global enp3s0f1
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:deff:fee6:b40a/64 scope link
valid_lft forever preferred_lft forever
4: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 1c:c1:de:e6:b4:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.47.2/24 brd 10.0.47.255 scope global enp4s0f0
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:deff:fee6:b400/64 scope link
valid_lft forever preferred_lft forever
5: enp4s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 1c:c1:de:e6:b4:02 brd ff:ff:ff:ff:ff:ff
inet 130.166.240.19/29 brd 130.166.240.23 scope global enp4s0f1
valid_lft forever preferred_lft forever
inet 130.166.240.18/29 brd 130.166.240.23 scope global secondary enp4s0f1
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:deff:fee6:b402/64 scope link
valid_lft forever preferred_lft forever
8: ibs1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc fq_codel state UP group default qlen 256
link/infiniband 80:00:02:0a:fe:80:00:00:00:00:00:00:00:02:c9:03:00:0f:45:ef brd 00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
inet 192.168.47.2/24 brd 192.168.47.255 scope global ibs1
valid_lft forever preferred_lft forever
inet6 fe80::202:c903:f:45ef/64 scope link
valid_lft forever preferred_lft forever
9: ibs1d1: <BROADCAST,MULTICAST> mtu 4092 qdisc noop state DOWN group default qlen 256
link/infiniband 80:00:02:0b:fe:80:00:00:00:00:00:00:00:02:c9:03:00:0f:45:f0 brd 00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
# service isc-dhcp-server start
# tail /var/log/syslog
Feb 6 05:26:50 firewalla systemd[1]: Started ISC DHCP IPv4 server.
Feb 6 05:26:50 firewalla dhcpd[2513]: Internet Systems Consortium DHCP Server 4.4.1
Feb 6 05:26:50 firewalla sh[2513]: Internet Systems Consortium DHCP Server 4.4.1
Feb 6 05:26:50 firewalla sh[2513]: Copyright 2004-2018 Internet Systems Consortium.
Feb 6 05:26:50 firewalla sh[2513]: All rights reserved.
Feb 6 05:26:50 firewalla sh[2513]: For info, please visit https://www.isc.org/software/dhcp/
Feb 6 05:26:50 firewalla dhcpd[2513]: Copyright 2004-2018 Internet Systems Consortium.
Feb 6 05:26:50 firewalla dhcpd[2513]: All rights reserved.
Feb 6 05:26:50 firewalla dhcpd[2513]: For info, please visit https://www.isc.org/software/dhcp/
Feb 6 05:26:50 firewalla kernel: [ 1098.134784] audit: type=1400 audit(1580966810.775:62): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2513 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 6 05:26:50 firewalla kernel: [ 1098.134926] audit: type=1400 audit(1580966810.775:63): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2513 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 6 05:26:50 firewalla dhcpd[2513]: Config file: /etc/dhcp/dhcpd.conf
Feb 6 05:26:50 firewalla sh[2513]: Config file: /etc/dhcp/dhcpd.conf
Feb 6 05:26:50 firewalla sh[2513]: Database file: /var/lib/dhcp/dhcpd.leases
Feb 6 05:26:50 firewalla sh[2513]: PID file: /run/dhcp-server/dhcpd.pid
Feb 6 05:26:50 firewalla dhcpd[2513]: Database file: /var/lib/dhcp/dhcpd.leases
Feb 6 05:26:50 firewalla dhcpd[2513]: PID file: /run/dhcp-server/dhcpd.pid
Feb 6 05:26:50 firewalla dhcpd[2513]: Internet Systems Consortium DHCP Server 4.4.1
Feb 6 05:26:50 firewalla dhcpd[2513]: Copyright 2004-2018 Internet Systems Consortium.
Feb 6 05:26:50 firewalla dhcpd[2513]: All rights reserved.
Feb 6 05:26:50 firewalla sh[2513]: Wrote 0 deleted host decls to leases file.
Feb 6 05:26:50 firewalla sh[2513]: Wrote 0 new dynamic host decls to leases file.
Feb 6 05:26:50 firewalla dhcpd[2513]: For info, please visit https://www.isc.org/software/dhcp/
Feb 6 05:26:50 firewalla dhcpd[2513]: Wrote 0 deleted host decls to leases file.
Feb 6 05:26:50 firewalla sh[2513]: Wrote 13 leases to leases file.
Feb 6 05:26:50 firewalla dhcpd[2513]: Wrote 0 new dynamic host decls to leases file.
Feb 6 05:26:50 firewalla dhcpd[2513]: Wrote 13 leases to leases file.
Feb 6 05:26:50 firewalla dhcpd[2513]: Open a socket for LPF: Permission denied
Feb 6 05:26:50 firewalla sh[2513]: Open a socket for LPF: Permission denied
Feb 6 05:26:50 firewalla sh[2513]: If you think you have received this message due to a bug rather
Feb 6 05:26:50 firewalla sh[2513]: than a configuration issue please read the section on submitting
Feb 6 05:26:50 firewalla sh[2513]: bugs on either our web page at www.isc.org or in the README file
Feb 6 05:26:50 firewalla sh[2513]: before submitting a bug. These pages explain the proper
Feb 6 05:26:50 firewalla sh[2513]: process and the information we find helpful for debugging.
Feb 6 05:26:50 firewalla sh[2513]: exiting.
Feb 6 05:26:50 firewalla dhcpd[2513]:
Feb 6 05:26:50 firewalla dhcpd[2513]: If you think you have received this message due to a bug rather
Feb 6 05:26:50 firewalla dhcpd[2513]: than a configuration issue please read the section on submitting
Feb 6 05:26:50 firewalla dhcpd[2513]: bugs on either our web page at www.isc.org or in the README file
Feb 6 05:26:50 firewalla dhcpd[2513]: before submitting a bug. These pages explain the proper
Feb 6 05:26:50 firewalla dhcpd[2513]: process and the information we find helpful for debugging.
Feb 6 05:26:50 firewalla dhcpd[2513]:
Feb 6 05:26:50 firewalla dhcpd[2513]: exiting.
Feb 6 05:26:50 firewalla systemd[1]: isc-dhcp-server.service: Main process exited, code=exited, status=1/FAILURE
Feb 6 05:26:50 firewalla kernel: [ 1098.167716] audit: type=1400 audit(1580966810.807:64): apparmor="DENIED" operation="create" profile="/usr/sbin/dhcpd" pid=2513 comm="dhcpd" family="packet" sock_type="dgram" protocol=8 requested_mask="create" denied_mask="create"
Feb 6 05:26:50 firewalla systemd[1]: isc-dhcp-server.service: Failed with result 'exit-code'.
# dmesg
[ 1225.764932] audit: type=1400 audit(1580966938.403:67): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2722 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1225.765050] audit: type=1400 audit(1580966938.403:68): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2722 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1225.863847] audit: type=1400 audit(1580966938.503:69): apparmor="DENIED" operation="create" profile="/usr/sbin/dhcpd" pid=2722 comm="dhcpd" family="packet" sock_type="dgram" protocol=8 requested_mask="create" denied_mask="create"
If I remove the ib_ipoib kernel module it will start just fine.
What do I have to do to properly fix this short of getting rid of
apparmor?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1862112/+subscriptions
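
Added example (not part of the original thread and not AppArmor's own tooling): a small Python parser that turns the `apparmor="DENIED"` audit records quoted in the bug description into candidate profile rules, showing how the `family="packet" sock_type="dgram"` denial maps to the `network packet dgram,` line suggested in the reply. It goes slightly beyond the thread by also mapping simple file denials. The function names are hypothetical, and the override file name follows the path convention shown in the reply.

```python
import re

# Denial records copied from the dmesg output in the bug report above.
SAMPLE_LOG = '''\
[ 1225.764932] audit: type=1400 audit(1580966938.403:67): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2722 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1225.765050] audit: type=1400 audit(1580966938.403:68): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=2722 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1225.863847] audit: type=1400 audit(1580966938.503:69): apparmor="DENIED" operation="create" profile="/usr/sbin/dhcpd" pid=2722 comm="dhcpd" family="packet" sock_type="dgram" protocol=8 requested_mask="create" denied_mask="create"
'''

# key="quoted value" or key=bare_value pairs in an audit record
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# File modes that can be copied into a profile rule unchanged
SIMPLE_FILE_MODES = set("rwaklm")


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def suggest_rule(fields):
    """Map one denial to a candidate rule, or None if it needs a human decision."""
    if "family" in fields and "sock_type" in fields:
        # Socket denial: becomes a "network <family> <type>," rule
        return f'network {fields["family"]} {fields["sock_type"]},'
    name, mask = fields.get("name"), fields.get("denied_mask", "")
    if name and mask and set(mask) <= SIMPLE_FILE_MODES:
        path = f'"{name}"' if " " in name else name
        return f"{path} {mask},"
    # Exec (x) and create/delete (c, d) masks have no one-to-one rule form
    return None


def local_override_path(profile):
    """Assumed convention: /usr/sbin/dhcpd -> /etc/apparmor.d/local/usr.sbin.dhcpd"""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


def rules_by_profile(log_text):
    """Collect de-duplicated candidate rules per confined profile."""
    found = {}
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if not fields:
            continue
        rule = suggest_rule(fields)
        if rule:
            found.setdefault(fields.get("profile", "?"), set()).add(rule)
    return {profile: sorted(rules) for profile, rules in found.items()}


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"# candidates for {local_override_path(profile)}")
        for rule in rules:
            print(rule)
```

The output is a list of candidates to review before adding any of them to the local override file and reloading the profile with `apparmor_parser -r`, as in the reply above.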