Kea issueshttps://gitlab.isc.org/isc-projects/kea/-/issues2023-02-27T13:41:09Zhttps://gitlab.isc.org/isc-projects/kea/-/issues/1914HAServiceTest.sendSuccessfulUpdatesAuthorizedMultiThreading sometimes fails2023-02-27T13:41:09ZAndrei Pavelandrei@isc.orgHAServiceTest.sendSuccessfulUpdatesAuthorizedMultiThreading sometimes failsThis time it happened on distcheck on CentOS 8.
https://jenkins.aws.isc.org/job/kea-dev/job/distcheck/415/execution/node/136/log/?consoleFull
```
16:04:40 [ RUN ] HAServiceTest.sendSuccessfulUpdatesAuthorizedMultiThreading
16:04:...This time it happened on distcheck on CentOS 8.
https://jenkins.aws.isc.org/job/kea-dev/job/distcheck/415/execution/node/136/log/?consoleFull
```
16:04:40 [ RUN ] HAServiceTest.sendSuccessfulUpdatesAuthorizedMultiThreading
16:04:40 ../../../../../../../src/hooks/dhcp/high_availability/tests/ha_service_unittest.cc:1096: Failure
16:04:40 Expected equality of these values:
16:04:40 2
16:04:40 factory3_->getResponseCreator()->getReceivedRequests().size()
16:04:40 Which is: 1
16:04:40 ../../../../../../../src/hooks/dhcp/high_availability/tests/ha_service_unittest.cc:1102: Failure
16:04:40 Value of: update_request3
16:04:40 Actual: false
16:04:40 Expected: true
16:04:40 [ FAILED ] HAServiceTest.sendSuccessfulUpdatesAuthorizedMultiThreading (2 ms)
```backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1912update lib dns++ python tools2021-06-03T15:37:03ZFrancis Dupontupdate lib dns++ python tools#1880 showed that even they still work the python tools used for the dns++ library should be updated:
- src/lib/dns/gen-rdatacode.py complains about a not existing (BTW for a long time) file in a not existing (this point triggers the er...#1880 showed that even they still work the python tools used for the dns++ library should be updated:
- src/lib/dns/gen-rdatacode.py complains about a not existing (BTW for a long time) file in a not existing (this point triggers the error) src/lib/dns/python directory. IMHO the corresponding code is obsolete i.e. implements a feature which has not been used since a lot of years if it was used one day...
- src/lib/util/python/gen_wiredata.py triggers a warning with python3. I added a comment at the corresponding line of code.
The documentation should be updated too: for the first script it is in the s-rdatacode entry of the Makefile. The second is in a commented entry of the src/lib/dns/tests/testdata Makefile and requires to be called in the UTC timezone when timestamps are generated as for RRSIG or TKEY RRs (I used with success the TZ environment variable).outstandinghttps://gitlab.isc.org/isc-projects/kea/-/issues/1903Assess Kea vs. NIST 'Zero trust architecture'2022-11-02T15:10:17ZVicky Riskvicky@isc.orgAssess Kea vs. NIST 'Zero trust architecture'Kea was designed for deployment into a protected environment in a datacenter. Although we are gradually adding more security features, we should do an assessment of which of the NIST Zero Trust architecture requirements we meet and which...Kea was designed for deployment into a protected environment in a datacenter. Although we are gradually adding more security features, we should do an assessment of which of the NIST Zero Trust architecture requirements we meet and which we do not and document that.
https://www.nist.gov/publications/zero-trust-architecturebackloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1869Design relay daemon in Kea2022-05-24T22:43:14ZTomek MrugalskiDesign relay daemon in KeaAs of June 2021, Kea provides the DHCP server functionality, with relay agent and client functionalities missing. The client likely never going to happen, but with relay there is some possibility. At this time, we would love to get some...As of June 2021, Kea provides the DHCP server functionality, with relay agent and client functionalities missing. The client likely never going to happen, but with relay there is some possibility. At this time, we would love to get some feedback from potential users and customers who are interested in the relay functionality. Please post your thoughts here.
In particular, details about your deployment use cases are most useful. Most people assume that the relay functionality is provided by hardware routers and switches and there's very limited need for software relay. Counter-arguments for this reasoning would be much appreciated.
Steps necessary:
- [ ] decide if there's a need for software relay
- [ ] write down requirements
- [ ] architecture design
- [ ] implement skeleton code
- [ ] implement relay functionality for v4
- [ ] implement relay functionality for v6outstandinghttps://gitlab.isc.org/isc-projects/kea/-/issues/1868forensic logging: renewals are logged as assignments2022-11-02T15:10:19ZAndrei Pavelandrei@isc.orgforensic logging: renewals are logged as assignmentsFor `n` subsequent DHCPREQUESTs or DHCPv6_REQUESTSs:
| v | v | log |
| ------ | -- | ------------------------------------------------------ |
| 1.9.7 | v4 | 1 * `has been assigne...For `n` subsequent DHCPREQUESTs or DHCPv6_REQUESTSs:
| v | v | log |
| ------ | -- | ------------------------------------------------------ |
| 1.9.7 | v4 | 1 * `has been assigned` + (n - 1) * `has been renewed` |
| 1.9.7 | v6 | 1 * `has been assigned` |
| 1.9.8+ | v4 | n * `has been assigned` |
| 1.9.8+ | v6 | n * `has been assigned` |
The inconsistency of `n - 1` missing renewal messages in v6 has been fixed in 1.9.8. But they are now shown as assignments instead of renewals. I think the behavior in 1.9.7 for v4 is what we need now for both v4 and v6.
DHCPV6_RENEWs and subsequent DHCPV6_REQUESTs are both logged as `has been assigned`. The message type should not make a difference. The behavior in 1.9.7 where only the state of the lease was being taken into account seems better to me, and so they should both say `has been renewed`.backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1867update example configs in ARM to not use auto-assigned subnet IDs2022-11-02T15:10:19ZVicky Riskvicky@isc.orgupdate example configs in ARM to not use auto-assigned subnet IDsapparently we don't want people to use the automatically assigned subnet IDs so
please update the examples in the arm to add subnet-ID parametersapparently we don't want people to use the automatically assigned subnet IDs so
please update the examples in the arm to add subnet-ID parametersbackloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1857possible illegal null de-reference in parser generated code2022-11-02T15:10:17ZRazvan Becheriupossible illegal null de-reference in parser generated code```
if ( YY_CURRENT_BUFFER )
{
/* Flush out information for old buffer. */
*(yy_c_buf_p) = (yy_hold_char);
YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
...```
if ( YY_CURRENT_BUFFER )
{
/* Flush out information for old buffer. */
*(yy_c_buf_p) = (yy_hold_char);
YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
}
CID 1398334 (#1 of 1): Dereference after null check (FORWARD_NULL)
6. var_deref_op: Dereferencing null pointer yy_buffer_stack.
YY_CURRENT_BUFFER_LVALUE = new_buffer;
yy_load_buffer_state( );
```backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1856possible out of bounds access in parser generated code2022-11-02T15:10:17ZRazvan Becheriupossible out of bounds access in parser generated code```
/// The user-facing name of this symbol.
std::string name () const YY_NOEXCEPT
{
1. negative_return_fn: Function this->kind() returns a negative number. [show details]
CID 1463896 (#1 of 1): Impr...```
/// The user-facing name of this symbol.
std::string name () const YY_NOEXCEPT
{
1. negative_return_fn: Function this->kind() returns a negative number. [show details]
CID 1463896 (#1 of 1): Improper use of negative value (NEGATIVE_RETURNS)
2. negative_returns: this->kind() is passed to a parameter that cannot be negative. [show details]
return XXXParser::symbol_name (this->kind ());
}
```backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1843simpify shared libraries by removing versions2021-05-23T12:47:50ZGene Csimpify shared libraries by removing versionsA thought to run by you all. Remove library versioning from the build system.
I may well be missing something but it seems to me we can remove unneeded complexity.
From the perspective of a packager.
Since the shared libraries in kea a...A thought to run by you all. Remove library versioning from the build system.
I may well be missing something but it seems to me we can remove unneeded complexity.
From the perspective of a packager.
Since the shared libraries in kea are only used by kea itself, and packagers always build and package the entire kea suite, it would be cleaner / simpler to remove versioned shared libraries and simply have the freshly build un-versioned libraries.
There is no sensible way to have multiple binary versions installed anyway, so there is no value to having multiple versions of libraries as fart as I can tell. I never ever see more than the one version of any kea library installed - so see no point in having the versions (plus links) at all.
From developer perspective:
There can certainly be need to have multiple versions of binaries and their associated libs during dev and testing, but this can easily be managed in many ways for (run/test in the build tree, change root prefix of install, run in container, run in chroot etc etc). Anyway, this has to be happening now anyway with or without versioned shared libs
This would simplify the build toolkit quite a bit (its pretty complex as is already) and would also eliminate issues such as #1780 :)outstandinghttps://gitlab.isc.org/isc-projects/kea/-/issues/1826kea lefts many subfolders and man pages in a system after make uninstall2023-06-19T13:54:49ZMichal Nowikowskikea lefts many subfolders and man pages in a system after make uninstallThis is a list of folders and files that were not deleted by make uninstall.
All these should be deleted.
```
$PREFIX/lib/kea
$PREFIX/lib/kea/hooks
$PREFIX/lib/python3.8
$PREFIX/lib/python3.8/site-packages
$PREFIX/lib/python3.8/site-pac...This is a list of folders and files that were not deleted by make uninstall.
All these should be deleted.
```
$PREFIX/lib/kea
$PREFIX/lib/kea/hooks
$PREFIX/lib/python3.8
$PREFIX/lib/python3.8/site-packages
$PREFIX/lib/python3.8/site-packages/kea
$PREFIX/lib/python3.8/site-packages/kea/__pycache__
$PREFIX/include/kea
$PREFIX/include/kea/dhcpsrv
$PREFIX/include/kea/dhcpsrv/parsers
$PREFIX/include/kea/process
$PREFIX/include/kea/cfgrpt
$PREFIX/include/kea/eval
$PREFIX/include/kea/dhcp_ddns
$PREFIX/include/kea/asiodns
$PREFIX/include/kea/stats
$PREFIX/include/kea/config
$PREFIX/include/kea/http
$PREFIX/include/kea/dhcp
$PREFIX/include/kea/hooks
$PREFIX/include/kea/config_backend
$PREFIX/include/kea/database
$PREFIX/include/kea/cc
$PREFIX/include/kea/asiolink
$PREFIX/include/kea/dns
$PREFIX/include/kea/cryptolink
$PREFIX/include/kea/log
$PREFIX/include/kea/log/interprocess
$PREFIX/include/kea/util
$PREFIX/include/kea/util/random
$PREFIX/include/kea/util/io
$PREFIX/include/kea/util/encode
$PREFIX/include/kea/exceptions
$PREFIX/share/man/man8/perfdhcp.8
$PREFIX/share/man/man8/kea-shell.8
$PREFIX/share/man/man8/kea-netconf.8
$PREFIX/share/man/man8/kea-lfc.8
$PREFIX/share/man/man8/kea-dhcp-ddns.8
$PREFIX/share/man/man8/kea-dhcp6.8
$PREFIX/share/man/man8/kea-dhcp4.8
$PREFIX/share/man/man8/kea-ctrl-agent.8
$PREFIX/share/man/man8/keactrl.8
$PREFIX/share/man/man8/kea-admin.8
$PREFIX/share/kea
$PREFIX/share/kea/scripts
$PREFIX/share/kea/scripts/cql
$PREFIX/share/kea/scripts/pgsql
$PREFIX/share/kea/scripts/mysql
$PREFIX/var/run/kea
$PREFIX/var/lib/kea
```backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1810kea behaviour when 'cache-threshold' and 'cache-max-age' are used together2022-11-02T15:10:18ZWlodzimierz Wencelkea behaviour when 'cache-threshold' and 'cache-max-age' are used togetherin section `8.2.29. Lease Caching` of ARM both `cache-threshold` and `cache-max-age` are described. But there is no statement that user should not use both of those parameters on the same level (e.g subent). In practice Kea will accept c...in section `8.2.29. Lease Caching` of ARM both `cache-threshold` and `cache-max-age` are described. But there is no statement that user should not use both of those parameters on the same level (e.g subent). In practice Kea will accept config whit both of those parameters and the one that will generate shorter cache time will be used.
Ways to solve this:
* kea should return configuration error when both of those parameters are used
* update documentationbackloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1803Inheritance for DHCPv6 options to work like DHCPv4 (shared network vs global HR)2021-05-13T15:09:49ZVicky Riskvicky@isc.orgInheritance for DHCPv6 options to work like DHCPv4 (shared network vs global HR)**Problem**
DHCP options for host reservations in a backend database can be specified by “shared-network-name” to override a global host reservation, however this does not appear to work for V6.
**Desired Solution**
V6 options for share...**Problem**
DHCP options for host reservations in a backend database can be specified by “shared-network-name” to override a global host reservation, however this does not appear to work for V6.
**Desired Solution**
V6 options for shared network name should override any definition that may be present in the global host reservation, as is currently the case for v4.
I tried to find related issues - possibly #39, #1253 might be relatedoutstandinghttps://gitlab.isc.org/isc-projects/kea/-/issues/1802Allow multiple levels of nested sub-options in custom option space2022-09-14T08:26:49ZVicky Riskvicky@isc.orgAllow multiple levels of nested sub-options in custom option space**Problem**
A single level of sub options can be specified in custom option definition “spaces”, however multiple levels of nesting are not supported. For example, option 125.<4491>.123.1 + 2, or option 125.1.1, or CableLabs V6 options ...**Problem**
A single level of sub options can be specified in custom option definition “spaces”, however multiple levels of nesting are not supported. For example, option 125.<4491>.123.1 + 2, or option 125.1.1, or CableLabs V6 options 17.<4491>.2170 + 2171.
Sub option 2171 (CL_OPTION_CCCV6) is particularly difficult because it has its own 9 sub options that are normally under V4 Option 122.
**Desired Solution**
The custom option spaces allow the definition of multiple levels of nesting.outstandinghttps://gitlab.isc.org/isc-projects/kea/-/issues/1801Durable DDNS update queue (Persistence Manager for D2)2023-06-08T19:48:37ZVicky Riskvicky@isc.orgDurable DDNS update queue (Persistence Manager for D2)**Problem**
The DDNS update queue in the D2 process is not durable and queued requests may be lost if the process is stopped or crashes. The retry mechanism is non configurable, making two more attempts 100ms apart if the target DNS ser...**Problem**
The DDNS update queue in the D2 process is not durable and queued requests may be lost if the process is stopped or crashes. The retry mechanism is non configurable, making two more attempts 100ms apart if the target DNS server cannot be reached.
**Desired Solution**
- [ ] A durable queue persists pending updates between restarts and crashes.
- [ ] A new configuration parameter is used to set the number of seconds that the D2 process waits for a response before retrying the DNS update.
- [ ] An additional configuration parameter is used to limit the number of times that D2 process tries to send the DNS update.
This may be covered in the design of a Persistence Manager in [this wiki document](https://gitlab.isc.org/isc-projects/kea/-/wikis/designs/ddns-design#addendum-persistencemgr-design-point8).backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1800possible race on lease_update_backlog_2021-04-15T15:31:05ZRazvan Becheriupossible race on lease_update_backlog_I am not sure if this can happen when calling HAService::communicationRecoveryHandler (main thread) which calls lease_update_backlog_.clear() and HAService::asyncSendLeaseUpdates (processing threads) which calls lease_update_backlog_.pus...I am not sure if this can happen when calling HAService::communicationRecoveryHandler (main thread) which calls lease_update_backlog_.clear() and HAService::asyncSendLeaseUpdates (processing threads) which calls lease_update_backlog_.push(...).
Main thread also calls HAService::asyncSendLeaseUpdatesFromBacklog which does lease_update_backlog_.pop() which can race with processing threads but can only end up postponing the exit from HAService::asyncSendLeaseUpdatesFromBacklog (maybe forever)?
The race might not be possible because of different transition states but it is not obvious from the code. A state diagram might be useful.
To note that operations on lease_update_backlog_ are thread safe.outstandinghttps://gitlab.isc.org/isc-projects/kea/-/issues/1799HAServiceTest.sendSuccessfulUpdates6MultiThreading randomly fails2023-02-27T13:40:26ZFrancis DupontHAServiceTest.sendSuccessfulUpdates6MultiThreading randomly failsCopied from the last occurrence but as far as I can remember it was the same the previous time:
```
[ RUN ] HAServiceTest.sendSuccessfulUpdates6MultiThreading
ha_service_unittest.cc:1447: Failure
Expected equality of these values:
...Copied from the last occurrence but as far as I can remember it was the same the previous time:
```
[ RUN ] HAServiceTest.sendSuccessfulUpdates6MultiThreading
ha_service_unittest.cc:1447: Failure
Expected equality of these values:
1
factory3_->getResponseCreator()->getReceivedRequests().size()
Which is: 0
ha_service_unittest.cc:1454: Failure
Value of: update_request3
Actual: false
Expected: true
[ FAILED ] HAServiceTest.sendSuccessfulUpdates6MultiThreading (2 ms)
```
System macOS Big Sur 11.2.3 Xcode 12.4 with master or close to master code - nothing special for the configuration.backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1797create smart pointer for parking lot - RAII handling of parking/unparking/drop2023-08-20T18:48:51ZRazvan Becheriucreate smart pointer for parking lot - RAII handling of parking/unparking/dropAny parking lot needs to either be parked and unparked or dropped.
To achieve this we need a smart pointer (to reuse the reference count), but also the following functionality:
ready() - mark that the processing of the hook point was s...Any parking lot needs to either be parked and unparked or dropped.
To achieve this we need a smart pointer (to reuse the reference count), but also the following functionality:
ready() - mark that the processing of the hook point was successful (only if the drop flag has not been set)
the destructor should check if the ready flag has been set
the constructor should set an internal dirty flag which can only be cleared by calling ready()
this is similar to the MySql/PgSql transactions.
each destructor should check if the dirty flag has been cleared. if the flag has not been cleared for the current instance, set the drop flag.
if any of the instances has not been able to clear the dirty flag resulting in the drop flag to be set, will result in dropping the packet.
```
ParkingLot {
...
bool drop_; // initialized to false on constructor
};
ParkingLotPtr : public boost::shared_ptr<ParkingLot> {
private:
ParkingLotPtr(const ParkingLotPtr&);
const ParkingLotPtr operator=(const ParkingLotPtr&);
bool dirty_;
ParkingLotPtr() : dirty_(true) {
}
~ParkingLotPtr() {
if (dirty_) {
get()->drop_ = true;
}
if (get()->drop_ && use_count() == 1) {
// drop packet
} else if (use_count() == 1) {
// ready to unpark
}
}
void ready() {
if (!get->drop_) {
dirty_ = false;
}
}
}
```
hook point:
```
{
...
ParkingLotPtr& parking_lot = callout_handle.getParkingLotPtr();
...
parking_lot->ready();
}
```
This way we can guarantee that the handling of the parking lot is always handled, and all exceptions in any hook point will drop the packet. The only thing that needs to be done by every hook point is to mark the ready flag before exiting.
This is similar to reference/dereference, but the reference count is handled by the base smart pointer.
Each hook library that creates/accesses the parking log must call getParkingLotPtr() which will generate a new ParkingLotPtr that needs to call ready before exiting scope (should be the last operation in the hook point).
We might need to protect the dirty and drop flags to be MT ready.outstandinghttps://gitlab.isc.org/isc-projects/kea/-/issues/1796disabling lease cache using cache cache-threshold value2023-03-28T07:57:32ZWlodzimierz Wenceldisabling lease cache using cache cache-threshold valueAccording to ARM (section 8.2.29. Lease Caching) setting `cache-threshold` to 0. or less, or 1. or more will disable feature
```
if the cache-threshold is configured and is between 0. and 1. it expresses the percentage of the lease valid...According to ARM (section 8.2.29. Lease Caching) setting `cache-threshold` to 0. or less, or 1. or more will disable feature
```
if the cache-threshold is configured and is between 0. and 1. it expresses the percentage of the lease valid lifetime which is allowed for the lease age. Values below and including 0. and values greater than 1. disable the lease cache feature.
```
But instead Kea returns configuration error in both cases:
```
ERROR [kea-dhcp6.dhcp6/20974.139963599241728] DHCP6_CONFIG_LOAD_FAIL configuration error using file: /home/wlodek/installed/git/etc/kea/kea-dhcp6.conf, reason: subnet configuration failed: cache-threshold: 1 is invalid, it must be greater than 0.0 and less than 1.0
ERROR [kea-dhcp6.dhcp6/20974.139963599241728] DHCP6_INIT_FAIL failed to initialize Kea server: configuration error using file '/home/wlodek/installed/git/etc/kea/kea-dhcp6.conf': subnet configuration failed: cache-threshold: 1 is invalid, it must be greater than 0.0 and less than 1.0
```
```
ERROR [kea-dhcp6.dhcp6/27470.139959572206080] DHCP6_CONFIG_LOAD_FAIL configuration error using file: /home/wlodek/installed/git/etc/kea/kea-dhcp6.conf, reason: subnet configuration failed: cache-threshold: 0 is invalid, it must be greater than 0.0 and less than 1.0
ERROR [kea-dhcp6.dhcp6/27470.139959572206080] DHCP6_INIT_FAIL failed to initialize Kea server: configuration error using file '/home/wlodek/installed/git/etc/kea/kea-dhcp6.conf': subnet configuration failed: cache-threshold: 0 is invalid, it must be greater than 0.0 and less than 1.0
```
Two solutions:
* changing doc
* changing code
While making this decision please keep in mind that there is second parameter "cache-max-age" and when this is set to 0 feature is actually disabledbackloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1794TLS shutdown2022-05-30T11:29:08ZFrancis DupontTLS shutdownRelated to #1661 and #1706: TLS has a notion of orderly named TLS shutdown we can use or not.Related to #1661 and #1706: TLS has a notion of orderly named TLS shutdown we can use or not.outstandinghttps://gitlab.isc.org/isc-projects/kea/-/issues/1780library version issue2022-11-02T15:10:20ZGene Clibrary version issueI have a library versioning issue starting on march 29 with commit 8a136d92b39c7.
Problem is when trying to run kea-dhcp4:
`/usr/bin/kea-dhcp4: error while loading shared libraries: libkea-dhcp_ddns.so.15: cannot open shared object fil...I have a library versioning issue starting on march 29 with commit 8a136d92b39c7.
Problem is when trying to run kea-dhcp4:
`/usr/bin/kea-dhcp4: error while loading shared libraries: libkea-dhcp_ddns.so.15: cannot open shared object file: No such file or directory`
Current version in build is '16' not 15.
ldd on the binary gives:
```
# ldd /usr/bin/kea-dhcp4 | grep ddns
libkea-dhcp_ddns.so.16 => /usr/lib/libkea-dhcp_ddns.so.16 (0x00007ff2b3135000)
libkea-dhcp_ddns.so.15 => not found
```
Build on arch linux with :
- gcc 10.2.0-6
- binutils 2.36.1-2
- autoconf 2.71-1backlog