ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2023-01-09T19:15:11Z

Stashed agent options are discarded
https://gitlab.isc.org/isc-projects/keama-leases/-/issues/5
2023-01-09T19:15:11Z
Thomas Markwalder

ISC DHCP can be configured with ```stash-agent-options true;```. This instructs the server to store agent options received from relayed clients on the lease as shown:
```
lease 178.16.1.100 {
starts 5 2020/08/07 18:16:31;
ends 5 2020/08/07 18:21:31;
cltt 5 2020/08/07 18:16:31;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 08:00:27:25:d3:f4;
option agent.circuit-id "enp0s10"; <--- server stashed circuit id received as part of option 82
client-hostname "ISChclient1";
}
```
Currently these values are discarded. These values would have to be stored in Kea via the lease's user-context. It may be simplest just to cite this as a known issue. Kea sites interested in lease-query can probably live with a transition period. As clients return, the server would add the relay information to the lease.

DNS Broker - Refactor the outgoing DNS connection handling
https://gitlab.isc.org/isc-projects/bind9/-/issues/3786
2023-11-02T17:05:06Z
Ondřej Surý

This is a meta-issue for refactoring the `dns_dispatch`, `dns_request` and `dns_resolver` to use a hypothetical new unit `dns_broker` that will transparently handle the outgoing DNS connection handling including streaming DNS connection reuse.

Not planned

BIND returns EDE-18 (Prohibited) although the query was not recursive
https://gitlab.isc.org/isc-projects/bind9/-/issues/3784
2023-07-11T10:00:06Z
Thomas Amgarten

### Summary
Querying an authoritative BIND-9.18.9 server with a **non-recursive** query, it returns EDE-18 (Prohibited), because "recursion" is enabled for some IP addresses.
### BIND version used
```
named -V
BIND 9.18.9 (Stable Release) <id:e831507>
running on Linux x86_64 3.10.0-1062.4.3.el7.x86_64 #1 SMP Wed Nov 13 23:58:53 UTC 2019
built by make with '--prefix=/usr/local/bind-9.18.9' '--sysconfdir=/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--disable-doh'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libuv version: 1.34.0
linked to libuv version: 1.34.0
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /chroot/bind/etc/named/named.conf
rndc configuration: /chroot/bind/etc/named/rndc.conf
DNSSEC root key: /chroot/bind/etc/named/bind.keys
nsupdate session key: /chroot/bind/var/run/named/session.key
named PID file: /chroot/bind/var/run/named/named.pid
named lock file: /chroot/bind/var/run/named/named.lock
```
### Steps to reproduce
Running BIND-9.18.9 as an authoritative server with recursion enabled only for the IPv4 and IPv6 loopback-interface:
```
acl RecurseAllow {
127.0.0.1/32;
::1;
};
options {
...
recursion yes;
allow-recursion { "RecurseAllow"; };
...
};
```
### What is the current *bug* behavior?
When querying this authoritative server with ``+norec`` for an authoritative domain, then I receive an Extended DNS Error "Prohibited" (Code 18):
```
$ dig @ns21.arcade.ch txt rc8.ch +nocookie +norec
; <<>> DiG 9.19.8 <<>> @ns21.arcade.ch txt rc8.ch +nocookie +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34443
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;rc8.ch. IN TXT
;; ANSWER SECTION:
rc8.ch. 1800 IN TXT "v=spf1 -all"
;; Query time: 24 msec
;; SERVER: 46.22.21.101#53(ns21.arcade.ch) (UDP)
;; WHEN: Mon Jan 09 13:48:53 CET 2023
;; MSG SIZE rcvd: 65
```
The debug output for this query looks like this:
```
09-Jan-2023 13:48:53.195 client: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852: UDP request
09-Jan-2023 13:48:53.195 client: debug 5: client @0x7faa3bccdf68 192.168.33.44#38852: using view '_default'
09-Jan-2023 13:48:53.195 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852: request is not signed
09-Jan-2023 13:48:53.195 client: debug 1: client @0x7faa3bccdf68 192.168.33.44#38852: set ede: info-code 18 extra-text (null)
09-Jan-2023 13:48:53.195 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852: recursion not available (allow-recursion did not match)
09-Jan-2023 13:48:53.195 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852 (rc8.ch): query 'rc8.ch/TXT/IN' approved
09-Jan-2023 13:48:53.195 rate-limit: debug 99: client @0x7faa3bccdf68 192.168.33.44#38852 (rc8.ch): rrl=0x7faa5090e800, HAVECOOKIE=0, result=ISC_R_SUCCESS, fname=0x7faa3bc67a80(1), is_zone=1, RECURSIONOK=0, query.rpz_st=(nil)(0), RRL_CHECKED=0
09-Jan-2023 13:48:53.195 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#38852 (rc8.ch): reset client
```
When I completely disable recursion in the options-section, and re-query with the same question, then I got the answer without the EDE:
```
$ dig @ns21.arcade.ch txt rc8.ch +nocookie +norec
; <<>> DiG 9.19.8 <<>> @ns21.arcade.ch txt rc8.ch +nocookie +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6743
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;rc8.ch. IN TXT
;; ANSWER SECTION:
rc8.ch. 1800 IN TXT "v=spf1 -all"
;; Query time: 24 msec
;; SERVER: 46.22.21.101#53(ns21.arcade.ch) (UDP)
;; WHEN: Mon Jan 09 13:48:26 CET 2023
;; MSG SIZE rcvd: 59
```
The appropriate debug log looks like this:
```
09-Jan-2023 13:48:26.009 client: debug 3: clientmgr @0x7faa508a7180 attach: 2
09-Jan-2023 13:48:26.009 security: debug 3: client @0x7faa3bccdf68 (no-peer): allocate new client
09-Jan-2023 13:48:26.009 client: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609: UDP request
09-Jan-2023 13:48:26.009 client: debug 5: client @0x7faa3bccdf68 192.168.33.44#54609: using view '_default'
09-Jan-2023 13:48:26.009 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609: request is not signed
09-Jan-2023 13:48:26.009 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609: recursion not available (recursion not enabled for view)
09-Jan-2023 13:48:26.009 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609 (rc8.ch): query 'rc8.ch/TXT/IN' approved
09-Jan-2023 13:48:26.009 rate-limit: debug 99: client @0x7faa3bccdf68 192.168.33.44#54609 (rc8.ch): rrl=0x7faa5090fc00, HAVECOOKIE=0, result=ISC_R_SUCCESS, fname=0x7faa3bc67800(1), is_zone=1, RECURSIONOK=0, query.rpz_st=(nil)(0), RRL_CHECKED=0
09-Jan-2023 13:48:26.010 security: debug 3: client @0x7faa3bccdf68 192.168.33.44#54609 (rc8.ch): reset client
```
### What is the expected *correct* behavior?
When querying the authoritative server with ``+norec``, I expect that BIND returns the answer without EDE, because I asked not recursive (although recursion is enabled for some IP addresses, but not used in this case).
### Relevant configuration files
### Relevant logs and/or screenshots
### Possible fixes

HA pool rebalancing
https://gitlab.isc.org/isc-projects/kea/-/issues/2708
2023-02-02T14:23:33Z
Tomek Mrugalski

This idea is not new. It was recently brought up by @cathya in Porto (see [notes](https://pad.isc.org/p/porto2022-kea-features-for-stork#L58)). The overall concept is to design and implement a mechanism similar to the one in ISC DHCP. When there are two servers in load-balancing, it is possible that one of them will run out of addresses while the other one still has many.
Couple random comments:
- The pool rebalancing would somehow make both partners negotiate the pools and rebalance them.
- Using a hysteresis approach with high/low threshold would prevent the mechanism from going crazy when running out of addresses. We don't want it to go crazy when there's one or two addresses left.
- The pool dynamism would add extra complexity as the modified pool range would need to be stored somewhere that would survive crashes/reboots etc.
This requires a ~design. It's a complicated feature request with a high potential for endless tweaks, conflicting tuning requests etc.
We will do it one day, but this would require a lot of design, testing and tuning.

outstanding

Ability to write Kea config (config-set + config-write)
https://gitlab.isc.org/isc-projects/stork/-/issues/935
2023-11-07T11:29:01Z
Tomek Mrugalski

Sooner or later, Stork will need the ability to write Kea's config file to disk. Couple scenarios where it would be handy:
- checkers now report issues. With config-write available, we could think about "fix it for me" button.
- we talked about HR migration from config file to DB.
- we talked about migrating subnet/shared networks from config file to CB.
- enabling higher logging levels for debugging
- many more...
There are many ways how to slice this, so ~design is needed for sure. Personally, I think this ticket should cover design phase and maybe code for the agent ability to do the write, but without any UI elements. A stepping stone for future work.

backlog

performance drop on mySQL 8 vs mySQL 5.7 (and mariadb, postgresql)
https://gitlab.isc.org/isc-projects/kea/-/issues/2706
2023-02-21T10:13:34Z
Marcin Godzina

A massive performance drop (60-90%) is observed on MySQL 8 in comparison to MySQL 5.7 or other databases (MariaDB or PostgreSQL).
Both databases use out of the box configuration except of `innodb_flush_log_at_trx_commit=2` being added.
But without this setting, we also have big performance difference.
~~I narrowed down the offending query~~ to `UPDATE schema_version` on our test setup
- on mysql 5.7 query is made about 1.6 times per 1k processed leases and takes about 224us
- on mysql 8 query is made about 229 times per 1k processed leases and takes about 30ms
Looks like most of the queries are slower.
on mysql 5.7 the longest query was 2s, and 95% of queries were 167us \
on mysql 8 the longest query was 2s, and 95% of queries were 31ms - that's huge
on mysql 8 INSERT INTO lease4 takes around 36ms \
on mysql 5.7 INSERT INTO lease4 takes around 214us
**MySQL 8** \
**229 query per 1k leases, 95percentile 30ms** (837 leases processed at 1500/s, drop rate 95%):
```
# Query 3: 0.06 QPS, 0.00x concurrency, ID 0x9D37850BFEFB2411FC8CD039CCABE4BB at byte 20172
# This item is included in the report because it matches --limit.
# Scores: V/M = 0.00
# Time range: 2023-01-09T09:55:16 to 2023-01-09T10:44:41
# Attribute pct total min max avg 95% stddev median
# ============ === ======= ======= ======= ======= ======= ======= =======
# Count 2 192
# Exec time 4 3s 10ms 37ms 18ms 30ms 6ms 13ms
# Lock time 2 2ms 0 57us 8us 12us 5us 7us
# Rows sent 0 0 0 0 0 0 0 0
# Rows examine 30 384 2 2 2 2 0 2
# Query size 0 9.98k 52 57 53.21 56.92 2.16 51.63
# String:
# Databases keatest
# Hosts localhost
# Users keatest
# Query_time distribution
# 1us
# 10us
# 100us
# 1ms
# 10ms ################################################################
# 100ms
# 1s
# 10s+
# Tables
# SHOW TABLE STATUS FROM `keatest` LIKE 'schema_version'\G
# SHOW CREATE TABLE `keatest`.`schema_version`\G
UPDATE schema_version
SET version = '3', minor = '0'\G
# Converted for EXPLAIN
# EXPLAIN /*!50100 PARTITIONS*/
select version = '3', minor = '0' from schema_version \G
```
**MySQL 5.7** \
**1.6 query per 1k leases, 95percentile 224us** (about 15k leases processed at 1500/s, drop rate 20%):
```
# Query 122: 1 QPS, 0.00x concurrency, ID 0x9D37850BFEFB2411FC8CD039CCABE4BB at byte 535872
# This item is included in the report because it matches --limit.
# Scores: V/M = 0.00
# Time range: 2023-01-09T10:35:48 to 2023-01-09T10:36:12
# Attribute pct total min max avg 95% stddev median
# ============ === ======= ======= ======= ======= ======= ======= =======
# Count 0 24
# Exec time 0 3ms 86us 242us 143us 224us 43us 131us
# Lock time 0 874us 21us 49us 36us 44us 7us 36us
# Rows sent 0 0 0 0 0 0 0 0
# Rows examine 0 48 2 2 2 2 0 2
# Query size 0 1.25k 52 57 53.21 56.92 2.16 51.63
# String:
# Databases keatest
# Hosts localhost
# Users keatest
# Query_time distribution
# 1us
# 10us #########
# 100us ################################################################
# 1ms
# 10ms
# 100ms
# 1s
# 10s+
# Tables
# SHOW TABLE STATUS FROM `keatest` LIKE 'schema_version'\G
# SHOW CREATE TABLE `keatest`.`schema_version`\G
UPDATE schema_version
SET version = '9', minor = '0'\G
# Converted for EXPLAIN
# EXPLAIN /*!50100 PARTITIONS*/
select version = '9', minor = '0' from schema_version \G
```
All queries performance log (using pt-query-digest) \
Please note that the test procedure drops and creates a database on test start, so there are queries from this procedure.
[mysql8-slow.log](/uploads/60e1c9a97f937ff46154fb2bb60d7f9e/mysql8-slow.log)
[mysql57-slow.log](/uploads/a631a22472242fc6aa4c3d010fcbd634/mysql57-slow.log)
[kea-config.txt](/uploads/7e3f27d2d3357dbabd8207e5efbea356/kea-config.txt)
[mysql8-slow-full_run.log](/uploads/12a155c852ab7a3c73d421cede1d0d15/mysql8-slow-full_run.log)
[mysql57-slow-full_run.log](/uploads/546d9c5ab49e815d02316a0c4aef55a8/mysql57-slow-full_run.log)

kea2.3.5
Marcin Godzina

host-cmds without databases
https://gitlab.isc.org/isc-projects/kea/-/issues/2705
2023-01-26T16:58:14Z
Tomek Mrugalski

`host-cmds` is one of the most popular hooks. It has one major limitation: it is not able to edit running configuration and it needs a database.
Modification of a config-file based configuration is rather easy technically. The reluctance to implement this was based on the grounds that the modified config has to be written (`config-write`) or the changes would be lost after restart/reconfiguration.
This was discussed in Porto and we decided this kind of functionality would be useful for Stork. We can mitigate the concern raised above by properly documenting it and perhaps returning something in the API response that config-write is highly recommended (but not mandatory - there are valid use cases where tweaking HR data is desired to be temporary).
This is a follow-up for `Stork roadmap and backlog` discussion in Porto.

outstanding

Bind 9.18.10 build failed with openssl 1.1.1s
https://gitlab.isc.org/isc-projects/bind9/-/issues/3782
2023-01-09T11:48:30Z
Brian Henry

```
./configure \
--build=x86_64-linux-gnu \
--host=x86_64-linux-gnu \
--enable-shared=yes \
--enable-static=no \
--enable-largefile \
--enable-full-report \
--enable-epoll \
--enable-doh \
--enable-dnstap \
--enable-geoip \
--with-openssl=/usr/local/openssl-1.1.1 \
--with-libnghttp2 \
--with-libxml2 \
--with-zlib \
--with-libidn2 \
--with-readline=libedit \
--with-maxminddb=yes \
--prefix=/usr \
--libdir=/usr/lib64 \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/share/man && make V=1
```
Err:
```
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -D_FORTIFY_SOURCE=2 -include ../../config.h -I./include -I../../lib/dns/include -I../../lib/dns/include -I../../include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -Werror=vla -fno-strict-aliasing -fno-delete-null-pointer-checks -fdiagnostics-show-option -g -O2 -pthread -MT libdns_la-openssl_shim.lo -MD -MP -MF .deps/libdns_la-openssl_shim.Tpo -c openssl_shim.c -fPIC -DPIC -o .libs/libdns_la-openssl_shim.o
mv -f .deps/libdns_la-openssl_shim.Tpo .deps/libdns_la-openssl_shim.Plo
/bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -D_FORTIFY_SOURCE=2 -include ../../config.h -I./include -I../../lib/dns/include -I../../lib/dns/include -I../../include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -Werror=vla -fno-strict-aliasing -fno-delete-null-pointer-checks -fdiagnostics-show-option -g -O2 -pthread -MT libdns_la-openssldh_link.lo -MD -MP -MF .deps/libdns_la-openssldh_link.Tpo -c -o libdns_la-openssldh_link.lo `test -f 'openssldh_link.c' || echo './'`openssldh_link.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -D_FORTIFY_SOURCE=2 -include ../../config.h -I./include -I../../lib/dns/include -I../../lib/dns/include -I../../include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -Werror=vla -fno-strict-aliasing -fno-delete-null-pointer-checks -fdiagnostics-show-option -g -O2 -pthread -MT libdns_la-openssldh_link.lo -MD -MP -MF .deps/libdns_la-openssldh_link.Tpo -c openssldh_link.c -fPIC -DPIC -o .libs/libdns_la-openssldh_link.o
openssldh_link.c: In function ‘progress_cb’:
openssldh_link.c:334:18: error: implicit declaration of function ‘BN_GENCB_get_arg’; did you mean ‘BN_GENCB_set_old’? [-Werror=implicit-function-declaration]
334 | u.dptr = BN_GENCB_get_arg(cb);
| ^~~~~~~~~~~~~~~~
| BN_GENCB_set_old
openssldh_link.c:334:16: warning: assignment to ‘void *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
334 | u.dptr = BN_GENCB_get_arg(cb);
| ^
openssldh_link.c: In function ‘openssldh_generate’:
openssldh_link.c:453:22: error: implicit declaration of function ‘BN_GENCB_new’; did you mean ‘BN_GENCB_set’? [-Werror=implicit-function-declaration]
453 | cb = BN_GENCB_new();
| ^~~~~~~~~~~~
| BN_GENCB_set
openssldh_link.c:453:20: warning: assignment to ‘BN_GENCB *’ {aka ‘struct bn_gencb_st *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
453 | cb = BN_GENCB_new();
| ^
openssldh_link.c:579:17: error: implicit declaration of function ‘BN_GENCB_free’; did you mean ‘BN_GENCB_set’? [-Werror=implicit-function-declaration]
579 | BN_GENCB_free(cb);
| ^~~~~~~~~~~~~
| BN_GENCB_set
cc1: some warnings being treated as errors
make[4]: *** [libdns_la-openssldh_link.lo] Error 1
make[4]: Leaving directory `/tmp/tmp.WvxxYcdhLD/bind-9.18.10/lib/dns'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/tmp/tmp.WvxxYcdhLD/bind-9.18.10/lib/dns'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/tmp/tmp.WvxxYcdhLD/bind-9.18.10/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/tmp.WvxxYcdhLD/bind-9.18.10'
make: *** [all] Error 2
```

Tool crashes on lease entries that lack ends and/or starts
https://gitlab.isc.org/isc-projects/keama-leases/-/issues/4
2023-01-22T08:51:47Z
Thomas Markwalder

Crashes on lease files from failover peers that contain entries like this:
```
lease 178.16.2.1 {
binding state free;
}
```
The code dies because there is no value for ends or starts.
```
tmark@cserver dhcp2kea (main) $ ./runit.sh "ends=0" "starts=0" -d /home/tmark/labs/var/isc_dhcp/tip/output/fo_secondary.leases
Traceback (most recent call last):
File "./dhcp2kea.py", line 317, in <module>
print(leases,file=f) # writing
File "./dhcp2kea.py", line 86, in __str__
max_life = (self.ver==4) and (v["ends"]-v["starts"]) or v["max-life"]
TypeError: unsupported operand type(s) for -: 'str' and 'str'
```
In reality it should simply discard all leases with binding state == free.
I've attached the lease file:
[fo_secondary.leases](/uploads/3123bffe7ca4d21358f50f8cb327cc59/fo_secondary.leases)

unit tests failure with mysql 5.7.39 and freebsd 12.
https://gitlab.isc.org/isc-projects/kea/-/issues/2703
2023-01-26T16:10:46Z
Wlodzimierz Wencel

unit test failures:
* https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/lastCompletedBuild/testReport/(root)/MySqlConfigBackendDHCPv6Test/run_tests___freebsd_12_1_amd64___freebsd_12_1_amd64_results___globalOptions6WithServerTagsTest/
* https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/lastCompletedBuild/testReport/(root)/MySqlConfigBackendDHCPv6Test/run_tests___freebsd_12_1_amd64___freebsd_12_1_amd64_results___globalOptions6WithServerTagsTest/
* https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/lastCompletedBuild/testReport/(root)/MySqlConfigBackendDHCPv6Test/run_tests___freebsd_12_1_amd64___freebsd_12_1_amd64_results___unassignedSubnet6Test/
```
19:27:28 MySQL:
19:27:28 MYSQL_VERSION: 5.7.39
19:27:28 MYSQL_CPPFLAGS: -I/usr/local/include/mysql
19:27:28 MYSQL_LIBS: -L/usr/local/lib/mysql -lmysqlclient -lpthread -lm -lrt -lexecinfo -lssl -lcrypto -lssl -lcrypto
```
test report: https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/957/testReport/
Most of systems we are using at the build farm are using mysql version 8 or higher. Except centos 7 (5.5.68) and ubuntu 18.04 (5.7.39) but tests are not failing there.

backlog

Use lease-commands API to add leases directly to running Kea
https://gitlab.isc.org/isc-projects/keama-leases/-/issues/3
2023-01-05T12:20:29Z
Thomas Markwalder

If we extend this to allow it to use leaseX-add commands, it could be made to add leases directly to a running Kea. The add commands will try to match to a subnet-id if it is not supplied in the command arguments. This would allow us to load leases into a running Kea regardless of where Kea is storing them (memfile, MySQL, PostgreSQL) and eliminates the need to rely on Memfile sanity checking to backfill subnet IDs. You could also use this to address adding leases to HA peers by sending the commands to all the peers.

gss unit tests failures
https://gitlab.isc.org/isc-projects/kea/-/issues/2701
2023-02-15T18:08:08Z
Wlodzimierz Wencel

We have some unit tests failures on non standard builds.
* Thread sanitiser: https://jenkins.aws.isc.org/job/kea-dev/job/ut-tsan/831/
* `CXXFLAGS = "-g3 -ggdb -O0 -fsanitize=thread -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches"`
* list of failures: https://jenkins.aws.isc.org/job/kea-dev/job/ut-tsan/831/testReport/junit/(root)/
* undefined behaviour https://jenkins.aws.isc.org/job/kea-dev/job/ut-ubsan/423/
* `CXXFLAGS = "-g3 -ggdb -O0 -fsanitize=undefined -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches"`
* list of failures: https://jenkins.aws.isc.org/job/kea-dev/job/ut-ubsan/423/testReport/

kea2.3.5

stork-install-agent.sh missing
https://gitlab.isc.org/isc-projects/stork/-/issues/932
2024-03-27T10:50:22Z
Larry G. Wapnitsky

Just installed stork server, and am unable to get the agent installed using the script:
```
# wget http://10.150.33.4:8080/stork-install-agent.sh
--2023-01-04 16:59:54-- http://10.150.33.4:8080/stork-install-agent.sh
Connecting to 10.150.33.4:8080... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2023-01-04 16:59:54 ERROR 500: Internal Server Error.
```

backlog

HA Load-Balancing Network issue detection between Relay and Kea
https://gitlab.isc.org/isc-projects/kea/-/issues/2700
2023-01-26T15:22:15Z
Mathias Aichinger

Hi,
I have already tried to resolve this issue with the kea users community, but it seems not many are using HA Load Balancing.
I have the following problem.
Scenario:
Multiple DHCP-Relays at different sites with both KEA-Servers as DHCP-Servers. Both servers are available and the load balancing shifts the requests between the two servers.
Incident: Because of a network issue Kea 1 is not available from the clients. The network connection between Kea 1 and Kea 2 still works, so no partner-down state.
Expected behaviour: Kea 2 sees the unacked clients of Kea 1 and sets Kea 1 in partner-down state and handles all requests.
Experienced behaviour: Kea 2 still reports HA_BUFFER4_RECEIVE_NOT_FOR_US and does not handle the requests. Unacked clients is not counted.
Is there a misunderstanding or configuration mistake on my side?
```
{
"library": "/usr/local/lib/kea//hooks/libdhcp_ha.so",
"parameters": {
"high-availability": [
{
"this-server-name": "server2",
"mode": "load-balancing",
"heartbeat-delay": 10000,
"max-response-delay": 60000,
"max-ack-delay": 10000,
"max-unacked-clients": 1,
"delayed-updates-limit": 100,
"peers": [
{
"name": "server1",
"url": "http://192.168.248.1:8080/",
"role": "primary",
"auto-failover": true
},
{
"name": "server2",
"url": "http://192.168.248.2:8080/",
"role": "secondary",
"auto-failover": true
}
]
}
]
}
}
```
Thank you,
Mathias

backlog

Kea Compilation Time Problem
https://gitlab.isc.org/isc-projects/kea/-/issues/2699
2023-01-26T15:17:19Z
caglarkarahan

Kea compilation time takes too long. I tried couple of things when running ./configure script to optimize/improve compilation time. I additionally try make with -j option to make it in parallel. My question is,
1. Is there any configure option to disable service like kea-dhcp6, ddns etc.? (I just want to consider dhcp4 service)
2. Will the disabling service options be helpful to improve compilation time?

outstanding

Extend leases lifetime
https://gitlab.isc.org/isc-projects/keama-leases/-/issues/2
2023-01-03T21:38:10Z
Tomek Mrugalski

Sometimes it's useful to extend lifetime of existing leases. Right now when experimenting with example files, all of the leases are expired.
An option to extend lease lifetime could be useful. Here's a proposal: `--extend-lease`, if specified without any parameters, would extend the lease to now + valid_lifetime. If --extend-lease was specified with a parameter (timestamp), the leases would be extended to (specified timestamp) + valid_lifetime.

Basic statistics, operation report
https://gitlab.isc.org/isc-projects/keama-leases/-/issues/1
2023-01-03T21:32:21Z
Tomek Mrugalski

When run without `-d` or `-v`, the dhcp2kea script is silent. It would be useful to print some statistics:
- number of leases parsed
- number of leases written
- the output filename

iapd prefix not released in time for next advertise
https://gitlab.isc.org/isc-projects/kea/-/issues/2698
2023-07-31T14:10:43Z
Marcin Godzina

On jenkins, and on slow systems, Kea is unable to release prefix in time for incoming Solicit. \
The problem exists only when releasing prefix.
Problem observed on test: `tests/dhcp/v6/test_prefix_delegation.py::test_prefix_delegation_noprefixavail_release`
1. Test starts Kea
2. Forge sends Solicit with IA-PD and client id and waits for advertise with option 25.
3. Forge Sends Request with IA-PD and client id and waits for reply with option 26 in 25.
4. Forge second Solicit with IA-PD and client id and waits for advertise with option 25.
5. Forge sends Request with IA-PD and client id and waits for reply with option 26 in 25.
6. Both available prefixes are assigned
7. Forge third Solicit with IA-PD and client id and waits for advertise with no lease available.
8. Forge sends Release with client id and waits for reply with confirmation.
9. Forge fourth Solicit with IA-PD and client id and waits for advertise with option 26 in 25
On local VM test passes - Kea can release prefix in a timely manner.
On Jenkins and local VM with CPU slowed down to 2%, the test fails.
It looks like releasing prefix takes over 200ms after log message on slower machine.
Test run with failure:
https://jenkins.aws.isc.org/view/Kea-manual/job/kea-manual/job/tarball-system-tests/235/
Test run with introduced delay after release passes:
https://jenkins.aws.isc.org/view/Kea-manual/job/kea-manual/job/tarball-system-tests/234/
```
2022-12-22 23:00:12.726 DEBUG [kea-dhcp6.packets/2570743.140676907595328] DHCP6_RESPONSE_DATA responding with packet type 7 data is localAddr=[ff02::1:2]:547 remoteAddr=[fe80::21b:2cff:fe00:99]:546
msgtype=7(REPLY), transid=0xa596df
type=00001, len=00014: 00:01:00:01:63:a4:e1:76:00:1b:2c:00:00:99
type=00002, len=00014: 00:01:00:01:2b:37:9d:f8:86:32:67:b7:f6:87
type=00013, len=00041: Success(0) "Summary status for all processed IA_NAs"
type=00025(IA_PD), len=00063: iaid=36171, t1=0, t2=0,
options:
type=00013, len=00047: Success(0) "Lease released. Thank you, please come again."
No relays traversed.
(...)
2022-12-22 23:00:12.862 DEBUG [kea-dhcp6.dhcpsrv/2570743.140676915988032] DHCPSRV_CFGMGR_SUBNET6_IFACE selected subnet 3000::/64 for packet received over interface enp0s9
(...)
2022-12-22 23:00:12.862 WARN [kea-dhcp6.alloc-engine/2570743.140676915988032] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:01:00:01:63:a4:e1:76:00:1b:2c:00:00:99], tid=0xa596df: failed to allocate an IPv6 lease in the subnet 3000::/64, subnet-id 1, shared network (none)
```
[kea.log](/uploads/95e0d4cdcc89f28c008e545ccdb63061/kea.log)
[kea-dhcp6.conf](/uploads/dbde869ba021c196bf52b92c18149ba0/kea-dhcp6.conf)
[leases.csv](/uploads/3e14a6a860d8c28af5b9cac6a35d3daf/leases.csv)
[test-steps.txt](/uploads/0b0093adeb71b819eb4e6f72add19f01/test-steps.txt)

next-stable-2.6

Canonical prefix checker for PD pools
https://gitlab.isc.org/isc-projects/stork/-/issues/930
2023-01-03T14:53:41Z
Slawek Figiel

We should extend the config review checker that tests the canonical form of the subnet prefixes to support checking the prefixes and excluded prefixes of the PD pools.

backlog

The subnets preserve in the database after removing the machine
https://gitlab.isc.org/isc-projects/stork/-/issues/929
2023-01-03T14:52:10Z
Slawek Figiel

The orphaned subnets are preserved in the database forever if no machines.
Steps to reproduce:
1. Authorize a machine
2. Wait for fetching state
3. Remove the machine
4. Go to: `http://localhost:8080/dhcp/subnets/`

backlog