ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2024-03-27T18:24:20Z

https://gitlab.isc.org/isc-projects/stork/-/issues/1337
reservations without an IP do not show up in host reservations
2024-03-27T18:24:20Z
michael bales
---
name: reservations without an IP do not show up in host reservations
about: Create a report to help us improve
---
If you believe your bug report is a security issue (e.g. a packet that can kill the server), DO NOT
REPORT IT HERE. Please use https://www.isc.org/community/report-bug/ instead or send mail to
security-office(at)isc(dot)org.
**Describe the bug**
Stork allows the creation of reservations with just a mac address and client class but the reservation does not show up in the host reservation list.
**To Reproduce**
Steps to reproduce the behavior:
1. Install BIND9, Kea, Stork (which versions?) and run them with the following configs: '...'
2. I do the following: ...
3. A device in my network does the following: ...
4. Kea/BIND9 server does the following: ...
5. Stork does the following: ...
**Expected behavior**
A clear and concise description of what you expected to happen:
The Stork is supposed to report/do A, but didn't or did B instead.
**Environment:**
- Kea version:
2.5.6
isc20240226130228 deb
linked with:
log4cplus 2.0.5
OpenSSL 3.0.2 15 Mar 2022
database:
MySQL backend 21.0, library 8.0.36
PostgreSQL backend 20.0, library 140011
Memfile backend 3.0
- Stork: 1.15.0
- OS: Ubuntu 22.04.4 LTS x86_64
- Kea:
```
"hooks-libraries": [
    {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_stat_cmds.so"
    },
    {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
    },
    {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_pgsql_cb.so"
    },
    {
        "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_host_cmds.so"
    }
]
```
**Additional Information**
logs from adding the reservation:
```
082 17:40:10.417 kea-dhcp4.commands COMMAND_SOCKET_CONNECTION_OPENED Opened socket 37 for incoming command connection
082 17:40:10.417 kea-dhcp4.commands COMMAND_SOCKET_READ Received 212 bytes over command socket 37
082 17:40:10.418 kea-dhcp4.commands COMMAND_RECEIVED Received command 'reservation-add'
082 17:40:10.418 kea-dhcp4.callouts HOOKS_CALLOUTS_BEGIN begin all callouts for hook $reservation_add
082 17:40:10.418 kea-dhcp4.host-cmds-hooks HOST_CMDS_RESERV_ADD reservation-add command called (parameters: { "reservation": { "client-classes": [ "known-clients-106" ], "hw-address": "C03EBA93B18D", "subnet-id": 3 } })
082 17:40:10.418 kea-dhcp4.database DATABASE_PGSQL_START_TRANSACTION starting a new PostgreSQL transaction
082 17:40:10.422 kea-dhcp4.database DATABASE_PGSQL_COMMIT committing to PostgreSQL database
082 17:40:10.423 kea-dhcp4.host-cmds-hooks HOST_CMDS_RESERV_ADD_SUCCESS reservation-add command success (parameters: { "reservation": { "client-classes": [ "known-clients-106" ], "hw-address": "C03EBA93B18D", "subnet-id": 3 } })
082 17:40:10.423 kea-dhcp4.callouts HOOKS_CALLOUT_CALLED hooks library with index 4 has called a callout on hook $reservation_add that has address 0x7ff4efd4e900 (callout duration: 5.567 ms)
082 17:40:10.423 kea-dhcp4.callouts HOOKS_CALLOUTS_COMPLETE completed callouts for hook $reservation_add (total callouts duration: 5.567 ms)
082 17:40:10.423 kea-dhcp4.commands COMMAND_SOCKET_WRITE Sent response of 38 bytes (0 bytes left to send) over command socket 37
082 17:40:10.423 kea-dhcp4.commands COMMAND_SOCKET_CONNECTION_CLOSED Closed socket 37 for existing command connection
```
after the reservation is added the reservation list in stork does not show the mac address or hostname
**Describe the solution you'd like**
Reservations without an assigned IP address should show the hostname and mac address in the reservation list.
**Additional context**
We use small DHCP pools of 20 or so addresses to handle mobile devices that are occasionally connected to the network. We managed this with isc-dhcpd previously by using global reservations with just a mac address. It looks like in isc-kea a mac address and a resource are required and my understanding is that a client class counts as a resource so the reservation should be valid. Instead of global reservations we are now using per subnet reservations.
**Funding its development**
Kea is run by ISC, which is a small non-profit organization without any government funding or any
permanent sponsorship organizations. Are you able and willing to participate financially in the
development costs?
Yes this is a possibility
**Participating in development**
Are you willing to participate in the feature development? ISC team always tries to make a feature
as generic as possible, so it can be used in wide variety of situations. That means the proposed
solution may be a bit different that you initially thought. Are you willing to take part in the
design discussions? Are you willing to test an unreleased engineering code?
Yes, I am willing to participate in development.
**Contacting you**
How can ISC reach you to discuss this matter further? If you do not specify any means such as
e-mail, jabber id or a telephone, we may send you a message on github with questions when we have
them.
1.17

https://gitlab.isc.org/isc-projects/bind9/-/issues/4653
Are Application-layer Loop DoS Attacks relevant for bind9?
2024-03-25T05:26:23Z
Petr Menšík
A new document was shared with me from our security team:
<<redacted>>
They are mentioning DNS, but it seems to be not a problem for any well behaving DNS server. Have you seen this paper already? Do you have already some stance for described attacks? To me it seems this should not affect any well behaving resolver or its client.
Have you already assessed this kind of attack, whether it is relevant on bind9 in any well configured instance?
Can you confirm whether this strange thing is known to be relevant or irrelevant to bind9 versions?

https://gitlab.isc.org/isc-projects/kea/-/issues/3307
Changes for Kea 2.5.7 release
2024-03-22T15:55:28Z
Marcin Godzina
- [x] added release entry to ChangeLogs
- [x] regenerated BNF grammar
- [x] regenerated message headers
- [x] regenerated parsers
- [x] reordered messages in alphabetical order
- [x] updated copyright years

kea2.5.7
Marcin Godzina
2024-03-27

https://gitlab.isc.org/isc-projects/kea/-/issues/3306
Changes for Kea 2.5.7 release
2024-03-22T15:26:13Z
Marcin Godzina
- [x] added release entry to ChangeLogs
- [x] regenerated BNF grammar
- [x] regenerated message headers
- [x] regenerated parsers
- [x] reordered messages in alphabetical order
- [x] updated copyright years

kea2.5.7
2024-03-27

https://gitlab.isc.org/isc-projects/kea/-/issues/3305
config test should also run poll after loading hooks
2024-03-22T14:46:13Z
Razvan Becheriu
the fix in https://gitlab.isc.org/isc-projects/kea/-/issues/2692 does not consider testing the configuration when using -T as command line parameter

https://gitlab.isc.org/isc-projects/kea/-/issues/3304
bump up lib versions for 2.5.7
2024-03-22T14:53:31Z
Razvan Becheriu
kea2.5.7
Razvan Becheriu

https://gitlab.isc.org/isc-projects/stork/-/issues/1336
Stork-Server is confused by multiple Kea DHCP versions installed
2024-03-26T11:25:44Z
Carsten Strotmann
---
name: Bug report
about: Create a report to help us improve
---
**Describe the bug**
Stork-Server (or Stork-Agent) is confused by multiple Kea-DHCP versions installed on the same machine and displays inconsistent version number.
On my (testing) system, I have the OS delivered Kea-DHCP (version 2.4.1 from Fedora 39) as well as a Kea-DHCP version (2.5.6 installed from source). The Version 2.4.1 is "in path" (/usr/bin:/usr/sbin) but not running, whereas 2.5.6 is not "in path" (/opt/kea/sbin), but "is" running.
Stork does display both versions numbers:
![Stork-Kea-Version-Number02.png](/uploads/9b5291671228bdb67c5c6c799278fe59/Stork-Kea-Version-Number02.png)
![Stork-Kea-Version-Number01.png](/uploads/ad42cf27202a4f5a91463da2ef91a88b/Stork-Kea-Version-Number01.png)
**To Reproduce** Steps to reproduce the behavior:
1. two different versions of Kea DHCP, Stork Agent and Stork Server
2. check the Kea Version numbers in the Stork Web-UI
**Expected behavior**
Show the running Kea-DHCP version number all the time.

https://gitlab.isc.org/isc-projects/kea/-/issues/3303
db-delay with reservations database "imagines" database connection
2024-03-22T21:44:42Z
Marcin Godzina
After kea#3300 fix, there is still a problem left:
When using the reservations database, Kea detects that there is no database and states that it is the first of 5 retries.
Then reports `database connection lost` and immediately reports `database connection recovered.` (line 35 in log) (but the database is shut down) and proceeds like it has a database (so it serves traffic, etc.)
reproducible on v4, v6, MySQL and postgr
[kea-dhcp4.conf](/uploads/8ab1eb9ca661f49dba54190969c1d532/kea-dhcp4.conf)
[kea.log](/uploads/1016f040cd96d876517feb57fe8e342b/kea.log)
kea2.5.7
Marcin Godzina

https://gitlab.isc.org/isc-projects/bind9/-/issues/4652
query.c:10467: INSIST(namereln == dns_namereln_subdomain) failed, back trace
2024-03-27T14:02:05Z
Ondřej Surý
### Summary
Server crash caused by external UDP queries.
### BIND versions affected
```
BIND 9.19.23-dev (Development Release) <id:b1ebd49>
running on Linux x86_64 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29)
built by make with 'CC=' 'LD=' 'CFLAGS=-O0 -ggdb -Wno-deprecated-declarations -fno-omit-frame-pointer -fno-optimize-sibling-calls -mtune=alderlake -DISC_MEM_USE_INTERNAL_MALLOC=0 -DISC_MEM_TRACKLINES=1 -DISC_TRACK_PTHREADS_OBJECTS' 'LDFLAGS=' '--enable-developer' '--enable-warn-error' '--with-openssl' '--with-zlib' '--with-libxml2' '--with-json-c' '--with-readline' '--with-libidn2' '--disable-dnstap' '--with-libtool' '--without-make-clean'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with liburcu version: 0.15.0-pre
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /dev/null
rndc configuration: /usr/local/etc/rndc.conf
nsupdate session key: /usr/local/var/run/named/session.key
named PID file: /usr/local/var/run/named/named.pid
geoip-directory: /usr/share/GeoIP
```
9.18 is not affected with the same attack pattern.
### Preconditions and assumptions
None.
### Attacker's abilities
Ability to send queries to the server.
### Impact
Server crashes with assertion failure.
### Steps to reproduce
1. Run `bin/named/named -g -c /dev/null -p 12345`
2. Run 2x `dnsperf -d queryfile-example-10million-201202 -p 12345 -s 10.10.10.20 -t 20 -S 1 -e -D -b 16000`
3. Wait
### What is the current *bug* behavior?
Server crashes.
### What is the expected *correct* behavior?
Server doesn't crash.
### Relevant logs
```
21-Mar-2024 14:58:36.219 REFUSED unexpected RCODE resolving 'www.pressrepublicanevents.com/A/IN': 64.40.12.250#53
21-Mar-2024 14:58:36.227 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 2001:4860:4802:32::a#53
21-Mar-2024 14:58:36.259 DNS format error from 89.108.89.143#53 resolving 4kings.ru/MX for 10.10.10.106#36493: empty question section
21-Mar-2024 14:58:36.283 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 2001:4860:4802:34::a#53
21-Mar-2024 14:58:36.311 REFUSED unexpected RCODE resolving 'bioquimicasrl.com/A/IN': 209.244.0.3#53
21-Mar-2024 14:58:36.323 SERVFAIL unexpected RCODE resolving 'www.tom-morrow-land.com/AAAA/IN': 1.1.1.1#53
21-Mar-2024 14:58:36.327 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 216.239.36.10#53
21-Mar-2024 14:58:36.331 REFUSED unexpected RCODE resolving 'www.pressrepublicanevents.com/A/IN': 64.40.12.251#53
21-Mar-2024 14:58:36.331 query client=0x7fa869baf000 thread=0x7fa86cefd680(www.pressrepublicanevents.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.331 query client=0x7fa83b1a3400 thread=0x7fa85b3fe680(www.pressrepublicanevents.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.339 success resolving 'www.angrybirdsfree.net/AAAA' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.339 query client=0x7fa83b221400 thread=0x7fa85b3fe680(www.tom-morrow-land.com/AAAA): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.339 query client=0x7fa869a3e400 thread=0x7fa86cefd680(www.tom-morrow-land.com/AAAA): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.359 success resolving 'e1.mc658.mail.yahoo.com/AAAA' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.371 validating ksg07.harvard.edu/MX: no valid signature found
21-Mar-2024 14:58:36.371 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 216.239.38.10#53
21-Mar-2024 14:58:36.379 success resolving 'a-0.19-21098801.c0c0083.1518.19d4.3ea1.210.0.qfptcsf437v6s7kaak2qs267pq.avqs.mcafee.com/A' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.387 REFUSED unexpected RCODE resolving 'www.untwistedvortex.com/A/IN': 128.199.213.165#53
21-Mar-2024 14:58:36.387 query client=0x7fa869b1f000 thread=0x7fa86cefd680(www.untwistedvortex.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.387 query client=0x7fa83b2d7000 thread=0x7fa85b3fe680(www.untwistedvortex.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.403 query.c:10467: INSIST(namereln == dns_namereln_subdomain) failed
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/4651
Add Dual Queue Low Latency Networking Support (NQB)
2024-03-22T08:48:50Z
Jason Livingood
### Description
Add Dual Queue Low Latency Networking Support (NQB)
Please consider adding server-side support for IETF Non-Queue-Building (NQB) Per Hop Behavior (PHB) as outlined in the IETF TSVWG RFCs 9330, 9331, 9332 and https://datatracker.ietf.org/doc/draft-ietf-tsvwg-nqb/. Specifically, I would like the recursive resolver to set DSCP-45 marking in all packets sent back to users (stub resolvers) in DNS responses. This will have the benefit of marking DNS responses as suitable for placement in the low latency queue at bottleneck links supporting dual queue (such as a CMTS or Cable Modem).
NQB marking enables latency-sensitive traffic like DNS lookups to be handled in a separate queue from classic traffic. The result is that, even when competing with significant other LAN or access network traffic from a user, that the NQB-marked traffic will get very low working latency (usually close to what is observed for idle latency).
Comcast has tested this on resolvers in the lab as part of our low latency field trial of L4S and NQB and found it meaningfully reduced Query Response Times (QRT) under normal working conditions.
Comcast is currently the world's first ISP trialing this in the field and anticipates it being available to millions of end users in 2024.
### Request
Enable a new configuration parameter in the server enabling a resolver operator to turn on NQB support. That specifically will mean setting DSCP value 45 in the packet header. This configuration can either cover recursive responses or all outbound traffic from the server (there should be no downside to this).
### Links / references
RFC 9330 https://www.rfc-editor.org/rfc/rfc9330.html
RFC 9331 https://www.rfc-editor.org/rfc/rfc9331.html
RFC 9332 https://www.rfc-editor.org/rfc/rfc9332.html
NQB PHB Draft https://datatracker.ietf.org/doc/draft-ietf-tsvwg-nqb/
Comcast explainer for app developers https://github.com/jlivingood/IETF-L4S-Deployment/blob/main/App-Developer-Guide.md
Comcast explainer for network operators https://github.com/jlivingood/IETF-L4S-Deployment/blob/main/Network-Config-Guide.md
Comcast field trial announcement https://corporate.comcast.com/stories/comcast-kicks-off-industrys-first-low-latency-docsis-field-trials

https://gitlab.isc.org/isc-projects/bind9/-/issues/4650
dnssec-validation locks up server with 9.19.22
2024-03-26T21:39:49Z
Klemen Mihevc
Hi and thanks for filing an issue! It will be read with care by human beings.
It would be a tremendous help if you could follow these steps first:
- [x] Search the existing issues in GitLab (both open and closed) to see if your report might be a duplicate. We have a large database here and many issues have already been fixed in the latest versions!
- [x] Make sure this is **not** a support question. If you have specific trouble configuring or debugging your setup, please use the bind-users mailing list: https://lists.isc.org/mailman/listinfo/bind-users
- [x] You have read and understood the "out in the open" support policy: https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ . Even though it was written by the PowerDNS folks, we follow it as well!
Before continuing, **please select the appropriate issue template in the drop-down menu above, under the heading _Description_**.
I tried to use dnssec-validation (auto) with 9.19.22 and it makes server unresponsive. This didn't happen in 9.19.21. What happens is usually in first half an hour server starts to become unresponsive (LITERALLY STUCK, need to kill -9) and cpu load rockets sky high without a reason (most I saw was 45% before I killed process manually). This is not some high usage dns server, it serves for home domain and recursion on home network. There is nothing in the logs even with debug severity... Hopefully you can give me guidance how to help you resolve this issue

https://gitlab.isc.org/isc-projects/kea/-/issues/3302
Is Host Cache required for RADIUS?
2024-03-28T16:15:48Z
Francis Dupont
The Host Cache was designed for RADIUS in order to not perform an access/auth exchange with the RADIUS server for each query: when the query comes from an already seen client (same RADIUS identifier) the answer from the RADIUS server is available from the host cache. This was critical when both were designed because the access/auth exchange was synchronous (i.e. blocking until the answer is received) and single threaded (i.e. blocking the whole DHCP service). Perhaps it is less true today but the host cache is in memory when RADIUS exchanges are over the network so far slower, and the Host Cache also handles negative answers so covers (excepting for the bug described in #3269) all cases.
The Host Cache has a second function for RADIUS: when the RADIUS server returns an address (vs a pool name which is translated into a client class name directly added to the query object) a host entry for this reserved address is inserted in the Host Cache. The idea is the host lookup will be able to find it. This is not essential: the host entry can be attached to the callout handle associated to the query and got back later as the current code does for the [re]selected subnet.
kea2.6.0

https://gitlab.isc.org/isc-projects/kea/-/issues/3301
Add missing YANG nodes before the 2.6.0 release
2024-03-21T15:03:05Z
Andrei Pavel
andrei@isc.org
Missing YANG nodes:
- `ddns-conflict-resolution-mode`
- `retry-on-startup`

kea2.6.0

https://gitlab.isc.org/isc-projects/kea/-/issues/3300
Database connection retry/delay causes infinite loop
2024-03-22T14:22:46Z
Marcin Godzina
This MR that started it: https://gitlab.isc.org/isc-projects/kea/-/merge_requests/2238
db_retry_legallog and db_retry_reservation system tests are failing - Kea goes into an indefinite loop trying to reconnect to the database without delay
(Failing Tests on Jenkins https://jenkins.aws.isc.org/job/kea-dev/job/tarball-system-tests/1168/)
A problem appears when retrying the connection to reservation or legallog db. At first glance, the lease db connection is unaffected.
Config to reproduce (of course, change paths. You do not have to change the DB setting - there should be no DB running to connect to)
[kea-dhcp4.conf](/uploads/72df474f98af62208baeeb6b618a4c54/kea-dhcp4.conf)
Part of the Log from the test
[kea__1_.log](/uploads/f4297c0cf1520f4cee7f6b9f6da0a0d3/kea__1_.log)
kea2.5.7
Razvan Becheriu

https://gitlab.isc.org/isc-projects/kea/-/issues/3299
Improve MT RADIUS unit tests
2024-03-26T18:31:40Z
Andrei Pavel
andrei@isc.org
Improve RADIUS unit tests:
- no goal: write tests for session history: instead implement #414
- MT: see below
- async access added new ways to have a query to be dropped: add these cases
- find a way to detect accounting exchange termination (e.g. a class counter of pending exchanges)
RADIUS could have more thorough MT unit tests:
- Start thread pool for accounting by calling the `dhcp*_srv_configured` callout. Currently it is only called for auth. Waiting for work to finish in accounting is not as trivial for auth. Auth uses the unparking for that. (see last general point)
- In both access and accounting, start a second thread pool that simulates the core Kea thread pool / DHCP clients.
- Convert more (all?) ST unit tests to MT. Currently there are only 4 MT unit tests: (v4 + v6) x (access + accounting).

kea2.5.8

https://gitlab.isc.org/isc-projects/bind9/-/issues/4649
All TSAN-enabled builds fail in AWS-based GitLab CI jobs
2024-03-25T13:45:40Z
Michał Kępień
[Yesterday's mass-rebuild of Docker images][1] caused some update to be
pulled into `tsan-fedora-39-amd64` that does not play nicely with AWS
hosts because all TSAN-enabled builds now fail with an error message
like:
FATAL: ThreadSanitizer: unexpected memory mapping 0x7d00e0772000-0x7d00e0c00000
While it is not clear what exactly happened, here are two jobs that were
run in CI for the same commit:
- [2024-03-20 14:24, passed][2]
- [2024-03-20 16:41, failed][3]
The refreshed TSAN image was pushed to the container registry at 15:13.
The TSAN builds seemingly still work fine with the refreshed TSAN image
on our bare metal runners, which use older kernels. This is consistent
with similar reports found online:
https://stackoverflow.com/questions/77850769/fatal-threadsanitizer-unexpected-memory-mapping-when-running-on-linux-kernels
The simplest course of action is to apply the workaround mentioned in
the StackOverflow post above (`sysctl vm.mmap_rnd_bits=28`) and remove
it once the issue resolves itself as kernels and packages get updated
over time.
[1]: https://gitlab.isc.org/isc-projects/images/-/pipelines/168133
[2]: https://gitlab.isc.org/isc-projects/bind9/-/jobs/4142725
[3]: https://gitlab.isc.org/isc-projects/bind9/-/jobs/4143237
April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)
Michal Nowak

https://gitlab.isc.org/isc-projects/kea/-/issues/3298
Make test utility class MemHostDataSource thread-safe
2024-03-21T15:02:10Z
Andrei Pavel
andrei@isc.org
`MemHostDataSource` is used in certain unit tests.
RADIUS MT unit tests required `MemHostDataSource` to be thread-safe, so the `TestHostCache` that derives it overrode all its methods and added a `lock_guard` to each.
To avoid this boilerplate code, ideally, `MemHostDataSource` should be made thread-safe itself.
This was not done at the time due to lack of time before the release.
When this is done, remember to remove the overridden methods from `TestHostCache`:
- `premium/src/hooks/dhcp/radius/tests/access_unittests.cc`
- `premium/src/hooks/dhcp/radius/tests/accounting_unittests.cc`
@fdupont says
> Note the mutex must be at most protected.

backlog

https://gitlab.isc.org/isc-projects/bind9/-/issues/4648
pytest failure oraclelinux8 in rpz/tests_sh_rpz_dnsrps.py
2024-03-21T12:09:20Z
Mark Andrews
Job [#4143909](https://gitlab.isc.org/isc-projects/bind9/-/jobs/4143909) failed for ecb043fc7b1a99a7e2ffb3d34974d16c00348471:
```
INTERNALERROR> File "/usr/local/lib/python3.6/site-packages/flaky/flaky_pytest_plugin.py", line 142, in _call_runtest_hook
INTERNALERROR> reraise = (runner.Exit,)
INTERNALERROR> AttributeError: module '_pytest.runner' has no attribute 'Exit'
INTERNALERROR> Traceback (most recent call last):
```

https://gitlab.isc.org/isc-projects/kea/-/issues/3297
Perfmon-Hook-Task-5 Add Event Stack Processing
2024-03-28T20:25:49Z
Thomas Markwalder
Complete Hook Task 5: Add Event Stack Processing - Process event stacks into MonitoredDuration updates, implement report timer, and alarm processing
See https://gitlab.isc.org/isc-projects/kea/-/wikis/Designs/performance-monitor#perfmon-hook-tasks
kea2.5.8
Thomas Markwalder

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/23
kea-dhcp4 changes filesystem access permissions on log directory
2024-03-28T14:59:24Z
Carsten Strotmann
---
name: kea-dhcp4 changes filesystem access permissions on log directory
about: Create a report to help us improve
---
**Describe the bug**
Kea-DHCP4 changes the access permissions on the directory for logfiles in the logger statement. It removes "read" and "execute/list" (r-x) permissions for "other"
**To Reproduce**
* Change the access permissions on the log directory so that all users/processes can read/list the log directory
* Restart Kea-DHCP
* List the access permissions on the log directory. The access permissions for "other" are removed
**Expected behavior**
Kea-DHCP4 (possible other Kea processes as well) will not touch the access permissions on the log directory
**Environment:**
- Kea version:
2.4.1
tarball
linked with:
log4cplus 1.2.0
OpenSSL 1.1.1k FIPS 25 Mar 2021
database:
MySQL backend 19.0, library 10.5.5
PostgreSQL backend 18.0, library 130011
Memfile backend 3.0
- Red Hat EL 8 x86_64 (ISC Open Source Packages)
**Additional Information**
Use case: Stork agent cannot read the Kea-DHCP4 logfile in the standard configuration (as delivered in the ISC provided open source RPM packages).
This issue has been found while trying to give the stork-agent access to the Kea-DHCP4 logfile.
**Workaround:**
Change the group ownership of the logfile to group name "kea", then change the systemd-unit for "isc-stork-agent" to start the stork-agent as group "kea".
```
[Service]
Group=kea
...
```
If the removal of the access permissions for "other" is to be expected (no bug), then I recommend to adjust the stork-agent systemd unit to have stork-agent started with permissions that allow access to the Kea log files.