Kea issues
https://gitlab.isc.org/isc-projects/kea/-/issues
2022-11-02T15:10:41Z

https://gitlab.isc.org/isc-projects/kea/-/issues/1942
Refactor ClientClassDictionary to provide indexing
2022-11-02T15:10:41Z
Marcin Siodelski

I would like to propose refactoring the `ClientClassDictionary` internals to support indexing classes by various parameters. Right now we index by class names and we have an ordered index. In #1836 we are adding a change which matches classes with configured server identifiers. Without indexing, such matching is sub-optimal. Perhaps, if we migrate the class collection to multi index container we could easily add additional indexing if necessary.

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1939
Kea 1.8.2 configure fails when linking to static OpenSSL library
2022-11-02T15:10:41Z
Greg Rabil

I am attempting to build a static Kea 1.8.2 binary on CentOS7. I have built a static version of OpenSSL 1.1.1k (./config no-shared). When running configure for Kea 1.8.2 and specifying the --with-openssl directive, it fails with the following:
```
checking OS type... Linux
checking for sa_len in struct sockaddr... no
checking for usuable C++11 regex... no
checking for OpenSSL library... yes
checking OpenSSL version... OpenSSL 1.1.1k 25 Mar 2021
checking support of SHA-2... configure: error: missing EVP entry for SHA-2
```
Attached is the config.log file. [config.log](/uploads/68a099b66729e0f428375ce2fd77a95c/config.log)
As a workaround, I am able to force it to configure properly by specifying LDFLAGS and LIBS:
`LDFLAGS="-L/opt/tmp/install/openssl/lib" LIBS="-lcrypto -lpthread"`
Note that this problem does not occur if OpenSSL is built with dynamic libraries.

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1938
prevent "(no branch, rebasing <branch>)" in the git commit message caused by prepare-commit-msg
2022-11-02T15:10:18Z
Andrei Pavel (andrei@isc.org)

```
git rebase <branch> # usually master or origin/master
# git stops on conflict
# conflict is resolved
git add <resolved_file>
git commit # <----- this right here is what is causing it
git rebase --continue
```

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1933
Makefile cleanup: remove workaround for 11yo boost problem
2022-11-02T15:10:20Z
Tomek Mrugalski

There's a tradition that doesn't want to die. A long time ago someone added a workaround for boost 1.40 problem. The referenced boost ticket was closed 11 years ago.
```
# Some versions of GCC warn about some versions of Boost regarding
# missing initializer for members in its posix_time.
# https://svn.boost.org/trac/boost/ticket/3477
# But older GCC compilers don't have the flag.
AM_CXXFLAGS += $(WARNING_NO_MISSING_FIELD_INITIALIZERS_CFLAG)
```
Bugs are not whisky... 11yo is bad.
It seems this was cleaned up in the core code, but not in premium.

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1929
`LibDHCP::packOptions4` code is incomplete
2022-11-02T15:10:19Z
Francis Dupont

Missing some `if (top)` or `if (!top)` in the code. Perhaps related to a report about duplicate options.

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1919
ZTP with KEA for Huawei switches
2021-07-29T14:50:36Z
Branka Andrijasevic

Hi ISC Support,
In the context of using KEA DHCP for ZTP of Huawei Switches, we’re right now facing an issue within the implementation of RFC Compliance within KEA DHCP.
Based on the documentation of Huawei (see https://support.huawei.com/enterprise/en/doc/EDOC0100533703?section=j004) the Switch Firmware is relying on the overlapping Options 141 + 146 (see https://kea.readthedocs.io/en/latest/arm/dhcp4-srv.html#id2) which are conflicting in terms of DHCP Option Type.
We would therefore kindly ask ISC to review this issue, as it’s entirely blocking the introduction of ZTP / Autoconfiguration of Huawei Switches within our installation base.
In case no solution exists out of the box, we would further ask ISC to consider a compatibility option for allowing the override of standard RFC-ed options, see e.g. https://kea.readthedocs.io/en/latest/arm/dhcp4-srv.html#kea-dhcpv4-compatibility-configuration-parameters
Kind Regards

outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/1914
HAServiceTest.sendSuccessfulUpdatesAuthorizedMultiThreading sometimes fails
2023-02-27T13:41:09Z
Andrei Pavel (andrei@isc.org)

This time it happened on distcheck on CentOS 8.
https://jenkins.aws.isc.org/job/kea-dev/job/distcheck/415/execution/node/136/log/?consoleFull
```
16:04:40 [ RUN ] HAServiceTest.sendSuccessfulUpdatesAuthorizedMultiThreading
16:04:40 ../../../../../../../src/hooks/dhcp/high_availability/tests/ha_service_unittest.cc:1096: Failure
16:04:40 Expected equality of these values:
16:04:40 2
16:04:40 factory3_->getResponseCreator()->getReceivedRequests().size()
16:04:40 Which is: 1
16:04:40 ../../../../../../../src/hooks/dhcp/high_availability/tests/ha_service_unittest.cc:1102: Failure
16:04:40 Value of: update_request3
16:04:40 Actual: false
16:04:40 Expected: true
16:04:40 [ FAILED ] HAServiceTest.sendSuccessfulUpdatesAuthorizedMultiThreading (2 ms)
```

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1912
update lib dns++ python tools
2021-06-03T15:37:03Z
Francis Dupont

#1880 showed that even though they still work, the python tools used for the dns++ library should be updated:
- src/lib/dns/gen-rdatacode.py complains about a non-existent (BTW for a long time) file in a non-existent (this point triggers the error) src/lib/dns/python directory. IMHO the corresponding code is obsolete, i.e. implements a feature which has not been used for many years, if it was ever used...
- src/lib/util/python/gen_wiredata.py triggers a warning with python3. I added a comment at the corresponding line of code.
The documentation should be updated too: for the first script it is in the s-rdatacode entry of the Makefile. The second is in a commented entry of the src/lib/dns/tests/testdata Makefile and requires to be called in the UTC timezone when timestamps are generated as for RRSIG or TKEY RRs (I used with success the TZ environment variable).

outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/1903
Assess Kea vs. NIST 'Zero trust architecture'
2022-11-02T15:10:17Z
Vicky Risk (vicky@isc.org)

Kea was designed for deployment into a protected environment in a datacenter. Although we are gradually adding more security features, we should do an assessment of which of the NIST Zero Trust architecture requirements we meet and which we do not and document that.
https://www.nist.gov/publications/zero-trust-architecture

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1868
forensic logging: renewals are logged as assignments
2022-11-02T15:10:19Z
Andrei Pavel (andrei@isc.org)

For `n` subsequent DHCPREQUESTs or DHCPV6_REQUESTs:
| v | v | log |
| ------ | -- | ------------------------------------------------------ |
| 1.9.7 | v4 | 1 * `has been assigned` + (n - 1) * `has been renewed` |
| 1.9.7 | v6 | 1 * `has been assigned` |
| 1.9.8+ | v4 | n * `has been assigned` |
| 1.9.8+ | v6 | n * `has been assigned` |
The inconsistency of `n - 1` missing renewal messages in v6 has been fixed in 1.9.8. But they are now shown as assignments instead of renewals. I think the behavior in 1.9.7 for v4 is what we need now for both v4 and v6.
DHCPV6_RENEWs and subsequent DHCPV6_REQUESTs are both logged as `has been assigned`. The message type should not make a difference. The behavior in 1.9.7 where only the state of the lease was being taken into account seems better to me, and so they should both say `has been renewed`.

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1867
update example configs in ARM to not use auto-assigned subnet IDs
2022-11-02T15:10:19Z
Vicky Risk (vicky@isc.org)

Apparently we don't want people to use the automatically assigned subnet IDs so
please update the examples in the ARM to add subnet-ID parameters

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1859
Coverity complains about some function return value not being checked
2022-11-02T15:10:19Z
Razvan Becheriu

```
/lib/dhcpsrv/alloc_engine.cc
void AllocEngine::reclaimLeaseInDatabase - Calling deleteLease without checking return value (as is done elsewhere 8 out of 9 times).
/src/hooks/dhcp/high_availability/ha_service.cc
HAService::asyncSyncLeasesInternal - Calling addLease without checking return value (as is done elsewhere 5 out of 6 times).
/src/lib/asiolink/tcp_socket.h
class TCPSocket isUsable
check_return: - Calling
this->socket_>receive(boost::asio::mutable_buffers_1(boost::asio::buffer(data, 2UL)), 2, ec) without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
socket_.receive(boost::asio::buffer(data, sizeof(data)),
boost::asio::socket_base::message_peek,
ec);
```

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1857
possible illegal null de-reference in parser generated code
2022-11-02T15:10:17Z
Razvan Becheriu

```
if ( YY_CURRENT_BUFFER )
{
/* Flush out information for old buffer. */
*(yy_c_buf_p) = (yy_hold_char);
YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
}
CID 1398334 (#1 of 1): Dereference after null check (FORWARD_NULL)
6. var_deref_op: Dereferencing null pointer yy_buffer_stack.
YY_CURRENT_BUFFER_LVALUE = new_buffer;
yy_load_buffer_state( );
```

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1856
possible out of bounds access in parser generated code
2022-11-02T15:10:17Z
Razvan Becheriu

```
/// The user-facing name of this symbol.
std::string name () const YY_NOEXCEPT
{
1. negative_return_fn: Function this->kind() returns a negative number. [show details]
CID 1463896 (#1 of 1): Improper use of negative value (NEGATIVE_RETURNS)
2. negative_returns: this->kind() is passed to a parameter that cannot be negative. [show details]
return XXXParser::symbol_name (this->kind ());
}
```

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1846
sanity checks: v6 unit tests tweaks on macOS
2021-10-20T10:16:05Z
Tomek Mrugalski

As reported by @fdupont [here](https://gitlab.isc.org/isc-projects/kea/-/issues/1827#note_209771):
macOS 11.2.3 Xcode 12.4 I got twice on three attempts this error:
```
[ RUN ] RunScriptTest.lease6Recover
../../../../../../../src/hooks/dhcp/run_script/tests/run_script_unittests.cc:731: Failure
Expected: (time(__null)) < (now + 3), actual: 1619475859 vs 1619475859
timeout
[ FAILED ] RunScriptTest.lease6Recover (2355 ms)
```
and
```
[ RUN ] RunScriptTest.lease6Decline
../../../../../../../src/hooks/dhcp/run_script/tests/run_script_unittests.cc:731: Failure
Expected: (time(__null)) < (now + 3), actual: 1619520686 vs 1619520686
timeout
[ FAILED ] RunScriptTest.lease6Decline (2127 ms)
```
Two comments:
- NULL does not exist in C++: please change time(NULL) by time(0)
- the checkScriptResult code obviously requires some rewrites

outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/1843
simplify shared libraries by removing versions
2021-05-23T12:47:50Z
Gene C

A thought to run by you all. Remove library versioning from the build system.
I may well be missing something but it seems to me we can remove unneeded complexity.
From the perspective of a packager.
Since the shared libraries in kea are only used by kea itself, and packagers always build and package the entire kea suite, it would be cleaner / simpler to remove versioned shared libraries and simply have the freshly built un-versioned libraries.
There is no sensible way to have multiple binary versions installed anyway, so there is no value to having multiple versions of libraries as far as I can tell. I never ever see more than the one version of any kea library installed - so see no point in having the versions (plus links) at all.
From developer perspective:
There can certainly be need to have multiple versions of binaries and their associated libs during dev and testing, but this can easily be managed in many ways for (run/test in the build tree, change root prefix of install, run in container, run in chroot etc etc). Anyway, this has to be happening now anyway with or without versioned shared libs
This would simplify the build toolkit quite a bit (it's pretty complex as is already) and would also eliminate issues such as #1780 :)

outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/1841
[ISC-support #17393] Feature request - Global v6 PD pools
2022-11-02T17:18:51Z
Cathy Almond

Currently it is possible to configure overlapping PD pools between v6 subnets (or even use the same exact PD pool entirely for all subnets).
This 'appears' to work OK. Our review of the situation however was that without more extensive testing and research, we couldn't say 'this is supported' because what we have here is something that is essentially a happy accident. It looks like it does probably work - but only because the check for whether a PD is already allocated, doesn't check the subnet ID!
The statistics on the other hand, are going to be very peculiar, because they'll have allocations for the same space coming from different subnets. They *might* work if the administrator does a manual combination of them across the subnets, but taken standalone, they won't make much sense.
This is a request for this feature to be tested, stats fixed, and to be properly supported. There is a customer/operational use-case for it explained in [Support Ticket #17393](https://support.isc.org/Ticket/Display.html?id=17393)

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1826
kea leaves many subfolders and man pages in a system after make uninstall
2023-06-19T13:54:49Z
Michal Nowikowski

This is a list of folders and files that were not deleted by make uninstall.
All these should be deleted.
```
$PREFIX/lib/kea
$PREFIX/lib/kea/hooks
$PREFIX/lib/python3.8
$PREFIX/lib/python3.8/site-packages
$PREFIX/lib/python3.8/site-packages/kea
$PREFIX/lib/python3.8/site-packages/kea/__pycache__
$PREFIX/include/kea
$PREFIX/include/kea/dhcpsrv
$PREFIX/include/kea/dhcpsrv/parsers
$PREFIX/include/kea/process
$PREFIX/include/kea/cfgrpt
$PREFIX/include/kea/eval
$PREFIX/include/kea/dhcp_ddns
$PREFIX/include/kea/asiodns
$PREFIX/include/kea/stats
$PREFIX/include/kea/config
$PREFIX/include/kea/http
$PREFIX/include/kea/dhcp
$PREFIX/include/kea/hooks
$PREFIX/include/kea/config_backend
$PREFIX/include/kea/database
$PREFIX/include/kea/cc
$PREFIX/include/kea/asiolink
$PREFIX/include/kea/dns
$PREFIX/include/kea/cryptolink
$PREFIX/include/kea/log
$PREFIX/include/kea/log/interprocess
$PREFIX/include/kea/util
$PREFIX/include/kea/util/random
$PREFIX/include/kea/util/io
$PREFIX/include/kea/util/encode
$PREFIX/include/kea/exceptions
$PREFIX/share/man/man8/perfdhcp.8
$PREFIX/share/man/man8/kea-shell.8
$PREFIX/share/man/man8/kea-netconf.8
$PREFIX/share/man/man8/kea-lfc.8
$PREFIX/share/man/man8/kea-dhcp-ddns.8
$PREFIX/share/man/man8/kea-dhcp6.8
$PREFIX/share/man/man8/kea-dhcp4.8
$PREFIX/share/man/man8/kea-ctrl-agent.8
$PREFIX/share/man/man8/keactrl.8
$PREFIX/share/man/man8/kea-admin.8
$PREFIX/share/kea
$PREFIX/share/kea/scripts
$PREFIX/share/kea/scripts/cql
$PREFIX/share/kea/scripts/pgsql
$PREFIX/share/kea/scripts/mysql
$PREFIX/var/run/kea
$PREFIX/var/lib/kea
```

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1810
kea behaviour when 'cache-threshold' and 'cache-max-age' are used together
2022-11-02T15:10:18Z
Wlodzimierz Wencel

In section `8.2.29. Lease Caching` of ARM both `cache-threshold` and `cache-max-age` are described. But there is no statement that user should not use both of those parameters on the same level (e.g. subnet). In practice Kea will accept config with both of those parameters and the one that will generate shorter cache time will be used.
Ways to solve this:
* kea should return configuration error when both of those parameters are used
* update documentation

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1803
Inheritance for DHCPv6 options to work like DHCPv4 (shared network vs global HR)
2021-05-13T15:09:49Z
Vicky Risk (vicky@isc.org)

**Problem**
DHCP options for host reservations in a backend database can be specified by “shared-network-name” to override a global host reservation, however this does not appear to work for V6.
**Desired Solution**
V6 options for shared network name should override any definition that may be present in the global host reservation, as is currently the case for v4.
I tried to find related issues - possibly #39, #1253 might be related

outstanding