Kea issueshttps://gitlab.isc.org/isc-projects/kea/-/issues2024-03-21T16:21:16Zhttps://gitlab.isc.org/isc-projects/kea/-/issues/414Use new lease user contexts in RADIUS accounting2024-03-21T16:21:16ZFrancis DupontUse new lease user contexts in RADIUS accountingMigrated from https://oldkea.isc.org/ticket/5658
Current code has many potential problems and was scheduled to use use contexts from the beginning but it was postponed because user contexts in leases were implemented later:
- save/load...Migrated from https://oldkea.isc.org/ticket/5658
Current code has many potential problems and was scheduled to use use contexts from the beginning but it was postponed because user contexts in leases were implemented later:
- save/load to a CSV file is implemented but never tested.
- eraseCreateTimestamp() is called only when a STOP event is sent so the timestamp stays in memory without more control
+ obviously using an user-context is the right way: extent following the lease one, save in stable storage, etc.
If memory leak on RADIUS accounting experiments are not conclusive this should be tried.next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/3301Add missing YANG nodes before the 2.6.0 release2024-03-21T15:03:05ZAndrei Pavelandrei@isc.orgAdd missing YANG nodes before the 2.6.0 releaseMissing YANG nodes:
- `ddns-conflict-resolution-mode`
- `retry-on-startup`Missing YANG nodes:
- `ddns-conflict-resolution-mode`
- `retry-on-startup`kea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3298Make test utility class MemHostDataSource thread-safe2024-03-21T15:02:10ZAndrei Pavelandrei@isc.orgMake test utility class MemHostDataSource thread-safe`MemHostDataSource` is used in certain unit tests.
RADIUS MT unit tests required `MemHostDataSource` to be thread-safe, so the `TestHostCache` that derives it overrode all its methods and added a `lock_guard` to each.
To avoid this boi...`MemHostDataSource` is used in certain unit tests.
RADIUS MT unit tests required `MemHostDataSource` to be thread-safe, so the `TestHostCache` that derives it overrode all its methods and added a `lock_guard` to each.
To avoid this boilerplate code, ideally, `MemHostDataSource` should be made thread-safe itself.
This was not done at the time due to lack of time before the release.
When this is done, remember to remove the overridden methods from `TestHostCache`:
- `premium/src/hooks/dhcp/radius/tests/access_unittests.cc`
- `premium/src/hooks/dhcp/radius/tests/accounting_unittests.cc`
@fdupont says
> Note the mutex must be at most protected.backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/3286Allow absolute values for DDNS RR TTLs (to correctly meet RFC 4702, Section 5)2024-03-21T14:54:27ZRobin EdserAllow absolute values for DDNS RR TTLs (to correctly meet RFC 4702, Section 5)We are currently preparing a migration from `dhcpd` to Kea and are struggling a bit with DNS TTLs for DDNS entries created with Kea. We have a requirement from the organisation to have our default lease time be `2 days` / `172800 seconds...We are currently preparing a migration from `dhcpd` to Kea and are struggling a bit with DNS TTLs for DDNS entries created with Kea. We have a requirement from the organisation to have our default lease time be `2 days` / `172800 seconds`, but in combination with a short TTL of `300 seconds` because our Juniper firewall rules are almost entirely name based.
Since Kea only calculates the TTL we are currently having to set `ddns-ttl-percent` to `.00174` to get a `301 second` TTL. However since we are setting this globally, the result is that any client classes where we explicitly want much shorter lease than the default to get a `1 second` TTL.
RFC 4702, Section 5 does also mention that TTLs should also be configurable as an absolute time interval:
> We recognize that individual administrators
will have varying requirements: DHCP servers and clients SHOULD allow
administrators to configure TTLs and upper and lower bounds on the
TTL values, either as an absolute time interval or as a percentage of
the lease time.
This is something that would be ideal for us and hopefully useful for others. I hope it can be considered.
Thank you to the Kea devs and ISC for all your hard work :heart:next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/3277Result YXRRSET for in Dual Stack Environment2024-03-21T14:51:54ZDavid SchmidtResult YXRRSET for in Dual Stack EnvironmentI have a Dual Stack environment with kea-dhcp4-server, kea-dhcp6-server and kea-dhcp-ddns-server.
I am running kea 2.2 on devuan 12, my source code check showed it's an issue in version 2.5.7 still.
DDNS is enabled with conflict resolu...I have a Dual Stack environment with kea-dhcp4-server, kea-dhcp6-server and kea-dhcp-ddns-server.
I am running kea 2.2 on devuan 12, my source code check showed it's an issue in version 2.5.7 still.
DDNS is enabled with conflict resolution for both kea-dhcp servers.
When the DHCP lease is released, DDNS trys to cleanup the regarding A/AAAA RRs and both PTR RRs.
When the cleanup of FwdRRSet is executed in Dual Stack environment, the RRSET cleanup of A resp. AAAA - whatever comes first - will fail with Rcode YXRRSET because the other Fwd RRSET is still there. In case of A removal, the AAAA will still be existing, in case of AAAA removal the A record will still exist. Therefore the prerequisit in buildRemoveFwdRRsRequest() neither A nor AAAA exists won't be fulfilled. This behaviour leads to corrupted PTR entries in DDNS.
To fix the issue I changed the function removingFwdRRsHandler() in src/bin/d2/nc_remove.cc to accept rcode == dns:Rcode::YXRRSET() in case of IO_COMPLETED_EVT also.
```
057 09:28:42.773 kea-dhcp-ddns.dhcp-to-d2 DHCP_DDNS_QUEUE_MGR_QUEUE_RECEIVE Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: received and queued a request.
057 09:28:42.773 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_STARTING_TRANSACTION Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5:
057 09:28:42.774 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Forward Add to server: 192.168.x.x port:53
057 09:28:42.787 kea-dhcp-ddns.asiodns ASIODNS_FETCH_COMPLETED upstream fetch to 192.168.x.x(53) has now completed
057 09:28:42.787 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: to server: 192.168.x.x port:53 status: SUCCESS, rcode: NOERROR
057 09:28:42.787 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Reverse Replace to server: 192.168.x.x port:53
057 09:28:42.796 kea-dhcp-ddns.asiodns ASIODNS_FETCH_COMPLETED upstream fetch to 192.168.x.x(53) has now completed
057 09:28:42.796 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: to server: 192.168.x.x port:53 status: SUCCESS, rcode: NOERROR
057 09:28:42.796 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: successfully added the DNS mapping addition for this request: Type: 0 (CHG_ADD)
Forward Change: yes
Reverse Change: yes
FQDN: [lan-client.xxx.de.]
IP Address: [192.168.x.x]
DHCID: [000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5]
Lease Expires On: 20240226094842
Lease Length: 1200
Conflict Resolution: yes
057 09:28:43.317 kea-dhcp-ddns.dhcp-to-d2 DHCP_DDNS_QUEUE_MGR_QUEUE_RECEIVE Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: received and queued a request.
057 09:28:43.317 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_STARTING_TRANSACTION Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5:
057 09:28:43.318 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Forward Add to server: 192.168.x.x port:53
057 09:28:43.319 kea-dhcp-ddns.asiodns ASIODNS_FETCH_COMPLETED upstream fetch to 192.168.x.x(53) has now completed
057 09:28:43.320 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: to server: 192.168.x.x port:53 status: SUCCESS, rcode: YXDOMAIN
057 09:28:43.321 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Forward Replace to server: 192.168.x.x port:53
057 09:28:43.335 kea-dhcp-ddns.asiodns ASIODNS_FETCH_COMPLETED upstream fetch to 192.168.x.x(53) has now completed
057 09:28:43.335 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: to server: 192.168.x.x port:53 status: SUCCESS, rcode: NOERROR
057 09:28:43.336 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Reverse Replace to server: 192.168.x.x port:53
057 09:28:43.344 kea-dhcp-ddns.asiodns ASIODNS_FETCH_COMPLETED upstream fetch to 192.168.x.x(53) has now completed
057 09:28:43.344 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: to server: 192.168.x.x port:53 status: SUCCESS, rcode: NOERROR
057 09:28:43.344 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: successfully added the DNS mapping addition for this request: Type: 0 (CHG_ADD)
Forward Change: yes
Reverse Change: yes
FQDN: [lan-client.xxx.de.]
IP Address: [fdxx::282]
DHCID: [000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5]
Lease Expires On: 19700101000000
Lease Length: 2400
Conflict Resolution: yes
057 09:40:04.392 kea-dhcp-ddns.dhcp-to-d2 DHCP_DDNS_QUEUE_MGR_QUEUE_RECEIVE Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: received and queued a request.
057 09:40:04.393 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_STARTING_TRANSACTION Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5:
057 09:40:04.393 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Forward A/AAAA Remove to server: 192.168.x.x port:53
057 09:40:04.405 kea-dhcp-ddns.asiodns ASIODNS_FETCH_COMPLETED upstream fetch to 192.168.x.x(53) has now completed
057 09:40:04.405 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: to server: 192.168.x.x port:53 status: SUCCESS, rcode: NOERROR
057 09:40:04.405 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_REQUEST_SENT Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Forward RR Remove to server: 192.168.x.x port:53
057 09:40:04.405 kea-dhcp-ddns.asiodns ASIODNS_FETCH_COMPLETED upstream fetch to 192.168.x.x(53) has now completed
057 09:40:04.405 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_UPDATE_RESPONSE_RECEIVED Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: to server: 192.168.x.x port:53 status: SUCCESS, rcode: **YXRRSET**
057 09:40:04.405 kea-dhcp-ddns.d2-to-dns **DHCP_DDNS_FORWARD_REMOVE_RRS_REJECTED** DNS Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Server, 192.168.x.x port:53, rejected a DNS update request to remove forward RR entries for FQDN, lan-client.xxx.de., with an RCODE: 7
057 09:40:04.405 kea-dhcp-ddns.d2-to-dns DHCP_DDNS_REMOVE_FAILED DHCP_DDNS Request ID 000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5: Transaction outcome: Status: Failed, Event: UPDATE_FAILED_EVT, Forward change: failed, Reverse change: failed, request: Type: 1 (CHG_REMOVE)
Forward Change: yes
Reverse Change: yes
FQDN: [lan-client.xxx.de.]
IP Address: [fdxx::282]
DHCID: [000201C75462DD83B490219141DCF95599F6AA2F60B0E1BB3A7140840FDE38B84301D5]
Lease Expires On: 20240226100843
Lease Length: 2400
Conflict Resolution: yes
```next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/3275Kea DB allows to store too short identifier in the lease table2024-03-21T14:50:56ZSlawek FigielKea DB allows to store too short identifier in the lease tableWhile performing some experiments in Stork, I found that the Kea database accepts identifiers that are too short (less than 3 bytes) in the `lease6` table. It causes the error to be thrown when the identifier is processed. I noticed it b...While performing some experiments in Stork, I found that the Kea database accepts identifiers that are too short (less than 3 bytes) in the `lease6` table. It causes the error to be thrown when the identifier is processed. I noticed it blocks fetching this lease by API. I don't know if it has any other internal consequences.
Steps to reproduce:
1. Setup Kea 2.3.8 or above with PostgreSQL.
2. Configure lease database.
3. Insert a lease with too short DUID (e.g., `00`)
```
INSERT INTO lease6(address, duid, valid_lifetime, expire, subnet_id, pref_lifetime, lease_type, iaid, prefix_len, hwtype, hwaddr_source, state) VALUES('3001:db8:1::2', DECODE('00', 'hex'), 3600, NOW() + interval '1' MONTH, 1, 1800, 0, 1, 128, 0, 0, 1);
```
4. Send the `lease-get` command with the specified address (i.e., `3001:db8:1::2`).
5. Observe the error:
```
stork-agent-kea6-1 | INFO COMMAND_RECEIVED Received command 'lease6-get'
stork-agent-kea6-1 | INFO CTRL_AGENT_COMMAND_RECEIVED command lease6-get received from remote address 127.0.0.1
stork-agent-kea6-1 | INFO COMMAND_RECEIVED Received command 'lease6-get'
stork-agent-kea6-1 | ERROR LEASE_CMDS_GET6_FAILED lease6-get command failed (parameters: { "ip-address": "3001:db8:1::2", "type": "IA_NA" }, reason: Could not convert data to Lease6, reason: identifier is too short (1), at least 3 is required)
stork-agent-kea6-1 | ERROR HOOKS_CALLOUT_ERROR error returned by callout on hook $lease6_get registered by library with index 1 (callout address 0x7f12e8310e90) (callout duration 0.593 ms)
stork-agent-kea6-1 | INFO CTRL_AGENT_COMMAND_FORWARDED command lease6-get successfully forwarded to the service dhcp6 from remote address 127.0.0.1
```backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/3167BLQ: query-by-link-address and shared networks2024-03-21T13:20:14ZTomek MrugalskiBLQ: query-by-link-address and shared networksThis is a continuation of #3149. It was brought to our attention that the `QUERY_BY_LINK_ADDRESS` does not return PD leases properly in some circumstances. The algorithm we came up with is as follows:
Proposed algorithm for QUERY_BY_LIN...This is a continuation of #3149. It was brought to our attention that the `QUERY_BY_LINK_ADDRESS` does not return PD leases properly in some circumstances. The algorithm we came up with is as follows:
Proposed algorithm for QUERY_BY_LINK_ADDRESS:
1. select subnet for specified address, pick its subnet-id
2. (if shared network is used, select all subnet-ids for all subnets in the shared network) - this behavior should be configurable (extra parameter that governs if this step should be done or not).
3. return all leases (NA, PD) with the matching subnet-id
Steps 1 and 3 are to be implemented in #3149. This ticket is about extending the code with shared network scenario. Once implemented, it should be configurable if the leases from shared network should be returned or not. The parameter could be global.next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/2050Provide basic configuration templates for sample use cases2024-03-21T12:45:56ZVicky Riskvicky@isc.orgProvide basic configuration templates for sample use casesWe have a number of example configurations in a separate file in the Kea distribution. These show how to use different features of Kea. The problem is, a new user is looking for a template to cut and paste to start with.
What we would ...We have a number of example configurations in a separate file in the Kea distribution. These show how to use different features of Kea. The problem is, a new user is looking for a template to cut and paste to start with.
What we would like is to **add example configurations that a user will recognize as 'probably fits my needs', and document these in the ARM**. The example configuration descriptions should include what we are assuming the requirements are for that scenario, what lease lifetimes, traffic levels and so on we expect, and what hardware/sw we suggest. If we can import the configurations into the ARM, great, or we else we can link to the json files. Then we can refer them to the existing examples for how to add the xyz feature, if their scenario requires that and we didn't include it.
These example configurations could be included as an appendix to the ARM or in the Getting Started section.
We might want a handful of these eventually, starting with the simplest and most common.
* [x] **power home user** - 256 addresses, dhcpv4 or ipv6 pd, wants failover with v. inexpensive hw, minimal traffic, no dbs. !1418
* [ ] **small organization** - several small dhcpv4 subnets, 20 host reservations, failover, memfile, guest wifi plus 'internal' users. Low traffic Maybe we could model this on the old ISC hq?
* [ ] **multi-site enterprise** - DHCPv4 and DHCPv6. multiple clusters each serving local geography. 100s of host reservations, 1000s of clients, failover (within a site), separate guest network/wifi, possibly captive portal to register?)
* [ ] **hub and spokes enterprise**, such as retail (dozens to hundreds of locations with local failover, centralized configuration mgmt, likely dhcpv4 only legacy devices with odd vendor options....).
* [ ] **small wired service provider** (1-3 data centers, <100K subs, v4 and v6 w/pd, failover, multi-threading, forensic logging, classification for premium, known and unknown users, home gateways with RFC 1918, 3-4 addresses per gw. e.g. small municipal fiber provider
* [ ] **large wired service provider** (>3 data centers, >100K subs, v4 and v6 with pd, config backend. Some ability to identify premium users. e.g. Cable access provider, cable modems.
* [ ] **wireless service provider** (not sure how this is different, except perhaps much shorter lease times, higher traffic for the same number of users, more likely to be v6? highest performance configuration, captive portal)next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/2863require-client-classes does not prioritize classes options2024-03-21T12:42:39ZMarcin Godzinarequire-client-classes does not prioritize classes optionsUsing `require-client-classes` does not prioritize options defined in classes.
I tried classifying clients by empty host reservations and by class test.
**Recreation:**
`00:03:00:01:f6:f5:f4:f3:f2:11` is sending Solicit and option 23 ...Using `require-client-classes` does not prioritize options defined in classes.
I tried classifying clients by empty host reservations and by class test.
**Recreation:**
`00:03:00:01:f6:f5:f4:f3:f2:11` is sending Solicit and option 23 requirements.
Kea responds with Advertise, including option 23.
I expect "2001:db8::2" in option 23, which is defined in the class, but receive "2001:db8::1" from the subnet.
Tested configs:
<details><summary>1 - using empty reservation (both with and without "only-if-required": true) </summary>
```
{
"Dhcp6": {
"subnet6": [
{
"subnet": "2001:db8:1::/64",
"pools": [
{
"pool": "2001:db8:1::1-2001:db8:1::1"
}
],
"interface": "enp0s9",
"option-data": [
{
"code": 23,
"csv-format": true,
"data": "2001:db8::1",
"name": "dns-servers",
"space": "dhcp6"
}
],
"require-client-classes": [
"blocked"
]
}
],
"interfaces-config": {
"interfaces": [
"enp0s9"
]
},
"client-classes": [
{
"name": "blocked",
"option-data": [
{
"name": "dns-servers",
"data": "2001:db8::2"
}
]
}
],
"reservations": [
{
"duid": "00:03:00:01:f6:f5:f4:f3:f2:11",
"client-classes": [
"blocked"
]
}
],
"reservation-mode": "global",
"renew-timer": 1000,
"rebind-timer": 2000,
"preferred-lifetime": 3000,
"valid-lifetime": 4000,
"lease-database": {
"type": "memfile"
}
}
}
```
</details>
<details><summary>2 - using class test (both with and without "only-if-required": true)</summary>
```
{
"Dhcp6": {
"subnet6": [
{
"subnet": "2001:db8:1::/64",
"pools": [
{
"pool": "2001:db8:1::1-2001:db8:1::1"
}
],
"interface": "enp0s9",
"option-data": [
{
"code": 23,
"csv-format": true,
"data": "2001:db8::1",
"name": "dns-servers",
"space": "dhcp6"
}
],
"require-client-classes": [
"blocked"
]
}
],
"interfaces-config": {
"interfaces": [
"enp0s9"
]
},
"client-classes": [
{
"name": "blocked",
"test": "option[1].hex == 0x00030001f6f5f4f3f211",
"only-if-required": true,
"option-data": [
{
"name": "dns-servers",
"data": "2001:db8::2"
}
]
}
],
"reservations": [
{
"duid": "00:03:00:01:f6:f5:f4:f3:f2:11"
}
],
"reservation-mode": "global",
"renew-timer": 1000,
"rebind-timer": 2000,
"preferred-lifetime": 3000,
"valid-lifetime": 4000,
"lease-database": {
"type": "memfile"
}
}
}
```
</details>next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/1559doc: picking the right redundancy solution (HA vs shared database)2024-03-21T12:23:39ZTomek Mrugalskidoc: picking the right redundancy solution (HA vs shared database)Once the situation with MySQL group replication improves (see #1411, #593 and #980) and we get more experience with running Kea with a cluster, we should document this a possible alternative for HA.
Support and sales are vitally interes...Once the situation with MySQL group replication improves (see #1411, #593 and #980) and we get more experience with running Kea with a cluster, we should document this a possible alternative for HA.
Support and sales are vitally interested in this. Hence the customer label.
At various times it was commented that the decision tree for recently added in host reservation docs is very useful. Regardless if this ends up as a KB article or part of Kea ARM, there should be a decision tree helping the reader to navigate through available options.next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/1623Config Backend migration tool2024-03-21T12:22:05ZCathy AlmondConfig Backend migration tool---
name: Control block/configuration migration tool
about: Similar to #1078, this is a request for tools to assist Kea users who decide to change their back-end provisioning - in this instance, their configuration. This should (ideally...---
name: Control block/configuration migration tool
about: Similar to #1078, this is a request for tools to assist Kea users who decide to change their back-end provisioning - in this instance, their configuration. This should (ideally) cater for all scenarios, so not just changing which DB backend is being used, but also migration from not-CB to CB and vice versa
---
I don't think anyone else has opened this yet - but if we do tackle this, it would be worth bearing in mind that configuration/CB backend version control or logging might also turn out to be A Thing - so we need to consider that use case/evolution in the design too.
**Is your feature request related to a problem? **
See [Support ticket #17332](https://support.isc.org/Ticket/Display.html?id=17332) for details of which customer for whom this would be useful.
The likelihood is that they will wish to implement CB backend on the DB backend on which it's available now, but migrate to their preferred DB backend, once there is CB support there too (as well as complete coverage of all configuration options in the CB - at the moment there isn't).
**Update**: As discussed in [Porto](https://pad.isc.org/p/porto2022-stork-roadmap-and-backlog#L31), we'd like to make more generic. While the ultimate solution will likely cover Stork overseeing the migration, some parts of the functionality should be implemented in Kea. In particular, the following was discussed:
- `config-get`/`config-set` like commands that would retrieve/set the full configuration from CB
Once the above is implemented, it will open up plenty of opportunities for Stork. In particular, scenarios such as: "add subnets defined in a config file to CB, delete subents from config file, write updated config file to disk". The same can be repeated for other configuration elements (shared networks, classes, HR, etc).next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/1186JSON translator tool for CB2024-03-21T12:21:55ZPeter DaviesJSON translator tool for CB---
name: JSON translator tool for CB
about: Importing elements from a json configuration into CB
---
**Some initial questions**
This request looks like an extension to GT [#333](https://gitlab.isc.org/isc-projects/kea/-/issues/333) "pa...---
name: JSON translator tool for CB
about: Importing elements from a json configuration into CB
---
**Some initial questions**
This request looks like an extension to GT [#333](https://gitlab.isc.org/isc-projects/kea/-/issues/333) "parser libraries for servers (for netconf)
**Is your feature request related to a problem? Please describe.**
When migrating from a json based configuration to the Configuration Backend the user must identify each element in the configuration, locate the correct hooks command and apply the appropriate parameters
**Describe the solution you'd like**
A tool which takes a json configuration file as an input. The tool should identify any elements that are CB configurable for the current Kea version and produce a set of command which will create the appropriate elements in the CB.
**Describe alternatives you've considered**
As an extra function of keama
**Additional context**
Customer ticket RT [#16203](https://support.isc.org/Ticket/Display.html?id=16203)next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/2343CB migration assistant2024-03-21T12:21:07ZPeter DaviesCB migration assistant---
name: CB migration assistant
about: A method to migrate to CB
---
When users need to migrate from a file-based json configuration to the Configuration Backend, or to migrate between the supported databases, it would be useful if **...---
name: CB migration assistant
about: A method to migrate to CB
---
When users need to migrate from a file-based json configuration to the Configuration Backend, or to migrate between the supported databases, it would be useful if **Kea** provided some tool to support this.
Possible methods could:
The implementation of two new **CB** commands ie:
**remote-server4-config-get**
and
**remote-server4-config-set**
Or alternatively the enhancement of the **kea-admin** tool to provide this functionality.
[RT #17095](https://support.isc.org/Ticket/Display.html?id=17095)
[RT #20167](https://support.isc.org/Ticket/Display.html?id=20167)
[RT #21508](https://support.isc.org/Ticket/Display.html?id=21508)
Requested migrations: MySQL -> Postgres, also config to MySQL, config to PostgreSQL.next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/3082kea-ctrl-agent and dual stack listening2024-03-21T11:45:53ZDarren Ankneykea-ctrl-agent and dual stack listeningThe `kea-ctrl-agent` can presently only listen on one address, be that an IPv4 or IPv6 address. If you have a dual stack on the equipment where you want to listen, then you have to choose either the IPv4 or the IPv6 address to configure...The `kea-ctrl-agent` can presently only listen on one address, be that an IPv4 or IPv6 address. If you have a dual stack on the equipment where you want to listen, then you have to choose either the IPv4 or the IPv6 address to configure in the `kea-ctrl-agent.json`.
I propose to add a new parameter to the kea-ctrl-agent configuration "http-hosts" as shown:
```
{
"Control-agent": {
"http-hosts": [
"2001:db8::2",
"10.1.2.2"
],
"http-port": 8000,
"control-sockets": {
"dhcp4": {
"socket-type": "unix",
"socket-name": "/tmp/socket4"
}
}
}
}
```
This would allow listening on multiple IP addresses especially in a dual stack environment. Also, the new parameter would preserve backward compatibility.
FYI: I did solve this problem by running two copies of the `kea-ctrl-agent`. However, I'm not convinced that is a good solution. Configurations and other details included below for illustration.
<details><summary>kea-dhcp4.json</summary>
```
{
"Dhcp4": {
"control-socket": {
"socket-type": "unix",
"socket-name": "/tmp/socket4"
},
"interfaces-config": {
"interfaces": [
"ens256"
]
},
"lease-database": {
"type": "memfile",
"persist": false
},
"subnet4": [
{
"subnet": "10.1.2.0/24",
"id": 1,
"option-data": [
{
"name": "routers",
"data": "10.1.2.1"
}
],
"pools": [
{
"pool": "10.1.2.100 - 10.1.2.254"
}
]
}
],
"loggers": [
{
"name": "kea-dhcp4",
"severity": "INFO",
"output_options": [
{
"output": "stdout"
}
]
}
]
}
}
```
</details>
<details><summary>kea-ctrl-agent-v4.json</summary>
```
{
"Control-agent": {
"http-host": "10.1.2.2",
"http-port": 8000,
"control-sockets": {
"dhcp4": {
"socket-type": "unix",
"socket-name": "/tmp/socket4"
}
}
}
}
```
</details>
<details><summary>kea-ctrl-agent-v6.json</summary>
```
{
"Control-agent": {
"http-host": "2001:db8::2",
"http-port": 8000,
"control-sockets": {
"dhcp4": {
"socket-type": "unix",
"socket-name": "/tmp/socket4"
}
}
}
}
```
</details>
<details><summary>Configuration of ens256</summary>
```
3: ens256: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c0:5f:47 brd ff:ff:ff:ff:ff:ff
altname enp26s0
inet 10.1.2.2/24 brd 10.1.2.255 scope global ens256
valid_lft forever preferred_lft forever
inet6 2001:db8::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fec0:5f47/64 scope link
valid_lft forever preferred_lft forever
```
</details>
<details><summary>Daemon command lines</summary>
```
kea-dhcp4 -c kea-dhcp4.json
```
```
kea-ctrl-agent -c kea-ctrl-agent-v4.json
```
```
kea-ctrl-agent -c kea-ctrl-agent-v6.json
```
</details>
<details><summary>Send config-get with curl to both</summary>
```
curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://10.1.2.2:8000/ | jq
```
```
curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://[2001:db8::2]:8000/
```
</details>
Both returned a result successfully.
[SF1260](https://isc.lightning.force.com/lightning/r/Case/5007V00002X2x4cQAB/view)next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/3221Minor doc update: server limitations update after ping-check2024-03-20T11:29:29ZTomek MrugalskiMinor doc update: server limitations update after ping-checkThe section 8.12 (DHCPv4 server limitations) still claims this:
> _The DHCPv4 server does not verify that an assigned address is unused. According to RFC 2131, the allocating server should verify that an address is not used by sending a...The section 8.12 (DHCPv4 server limitations) still claims this:
> _The DHCPv4 server does not verify that an assigned address is unused. According to RFC 2131, the allocating server should verify that an address is not used by sending an ICMP echo request._
This is no longer true after ping-check was implemented.kea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3163unstable unit tests2024-03-20T11:23:33ZAndrei Pavelandrei@isc.orgunstable unit testsThe following tests failed irregularly in the past fortnight:
* `AllocEngine6Test.reservedAddressInPoolReassignedOther` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1276/testReport/junit/(root)/AllocEngine6Test/all___debian_1...The following tests failed irregularly in the past fortnight:
* `AllocEngine6Test.reservedAddressInPoolReassignedOther` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1276/testReport/junit/(root)/AllocEngine6Test/all___debian_11_amd64___debian_11_amd64_results___reservedAddressInPoolReassignedOther/
```
test_utils.cc:88
Expected equality of these values:
first->cltt_
Which is: 1700075018
second->cltt_
Which is: 1700075019
```
* `HttpClientTest.unreachable` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1273/testReport/junit/(root)/HttpClientTest/all___alpine_3_16_amd64___alpine_3_16_amd64_results___unreachable/
```
server_client_unittests.cc:437
Failed
Timeout occurred while running the test!
```
* `MemfileLeaseQueryImpl6ProcessTest.queryByClientIdActiveLeases` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1274/testReport/junit/(root)/MemfileLeaseQueryImpl6ProcessTest/all___debian_12_amd64___debian_12_amd64_results___queryByClientIdActiveLeases/
```
lease_query_impl6_unittest.cc:1783
Expected equality of these values:
100
cltt_opt->getValue()
Which is: 101
```
* `MySQLBulkLeaseQuery6ProcessTest.queryByClientIdActiveLeases` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1280/testReport/junit/(root)/MySQLBulkLeaseQuery6ProcessTest/all___freebsd_13_0_amd64___freebsd_13_0_amd64_results___queryByClientIdActiveLeases/
```
bulk_lease_query6_unittest.cc:458
Expected equality of these values:
lease->valid_lft_ - elapsed
Which is: 3500
iaaddr_opt->getValid()
Which is: 3499
```
* `MySQLLeaseQueryImpl6ProcessTest.makeClientOptionSingleLink` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1265/testReport/junit/(root)/PgSQLLeaseQueryImpl6ProcessTest/all___alpine_3_15_amd64___alpine_3_15_amd64_results___makeClientOptionSingleLink/
```
lease_query_impl6_unittest.cc:880
Expected equality of these values:
100
cltt_opt->getValue()
Which is: 101
```
* `MySQLLeaseQueryImpl6ProcessTest.queryByClientIdActiveLeases` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1276/testReport/junit/(root)/MySQLLeaseQueryImpl6ProcessTest/all___debian_10_amd64___debian_10_amd64_results___queryByClientIdActiveLeases/
```
lease_query_impl6_unittest.cc:1783
Expected equality of these values:
100
cltt_opt->getValue()
Which is: 101
```
* `MySQLLeaseQueryImpl6ProcessTest.queryByIpAddressActiveLease` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1276/testReport/junit/(root)/MySQLLeaseQueryImpl6ProcessTest/all___ubuntu_20_04_amd64___ubuntu_20_04_amd64_results___queryByIpAddressActiveLease/
```
lease_query_impl6_unittest.cc:1581
Expected equality of these values:
100
cltt_opt->getValue()
Which is: 101
```
* `PgSQLBulkLeaseQuery6ProcessTest.queryByClientIdActiveLeases` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1275/testReport/junit/(root)/PgSQLBulkLeaseQuery6ProcessTest/all___fedora_38_amd64___fedora_38_amd64_results___queryByClientIdActiveLeases/
```
bulk_lease_query6_unittest.cc:458
Expected equality of these values:
lease->valid_lft_ - elapsed
Which is: 3500
iaaddr_opt->getValid()
Which is: 3499
```
* `PgSQLLeaseQueryImpl6ProcessTest.makeClientOptionSingleLink` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1276/testReport/junit/(root)/PgSQLLeaseQueryImpl6ProcessTest/all___fedora_38_amd64___fedora_38_amd64_results___makeClientOptionSingleLink/
```
lease_query_impl6_unittest.cc:880
Expected equality of these values:
100
cltt_opt->getValue()
Which is: 101
```
* `PgSQLLeaseQueryImpl6ProcessTest.queryByIpAddressActiveLease` https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/1270/testReport/junit/(root)/PgSQLLeaseQueryImpl6ProcessTest/all___rhel_9_amd64___rhel_9_amd64_results___queryByIpAddressActiveLease/
```
lease_query_impl6_unittest.cc:1581
Expected equality of these values:
100
cltt_opt->getValue()
Which is: 101
```kea2.5.8https://gitlab.isc.org/isc-projects/kea/-/issues/1446Control the amount of certain attributes in RADIUS packets per RFCs 2865, 28662024-03-20T11:22:24ZAndrei Pavelandrei@isc.orgControl the amount of certain attributes in RADIUS packets per RFCs 2865, 2866Attributes that are marked with `0`, `0-1`, `1` in RFCs 2865, 2866 need to be verified when building a RADIUS packet. `0+` has no restrictions. More details in #1441.Attributes that are marked with `0`, `0-1`, `1` in RFCs 2865, 2866 need to be verified when building a RADIUS packet. `0+` has no restrictions. More details in #1441.next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/3268selectSubnet() should return a ConstSubnetXPtr2024-03-18T09:34:02ZFrancis DupontselectSubnet() should return a ConstSubnetXPtrTwo proposals to improve subnets:
- use for getSubnet the same code as for getBySubnetId (so O(log(N)) vs current O(N))
- selectSubnet should return a ConstSubnetXPtr i.e. `boost::shared_ptr<const SubnetX>`
The first proposal is trivi...Two proposals to improve subnets:
- use for getSubnet the same code as for getBySubnetId (so O(log(N)) vs current O(N))
- selectSubnet should return a ConstSubnetXPtr i.e. `boost::shared_ptr<const SubnetX>`
The first proposal is trivial tp implement so should be done ASAP if there is no good reason to keep the current full scan.
The second proposal is more complex: if a SubnetXPtr can be cast to a ConstSubnetXPtr it is not true for boost::any_cast (so for hook parameters) and of course it requires to not use a not const method (but as there is no reason to modify the subnet returned by selectSubnet one can consider that all not modifying methods should be const methods...).next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/3290Clarify application of the ha-scopes command in the actual deployments2024-03-14T15:02:26ZMarcin GodzinaClarify application of the ha-scopes command in the actual deployments`ha-scopes` command can modify servers scopes without changing its role and other HA parameters.
It can be a powerful tool, but its use can put the server in a state that will be very confusing for the Administrator.
I think this comman...`ha-scopes` command can modify servers scopes without changing its role and other HA parameters.
It can be a powerful tool, but its use can put the server in a state that will be very confusing for the Administrator.
I think this command requires more documentation and warnings about its usage.
For example: \
We have a hot standby pair and send the `ha-scopes` command to the `standby` server, enabling scopes of both servers.
This results in `primary` and `standby` servers replying to DHCP traffic. But the second server still reports as in a `standby` state.
This can lead to massive confusion for Administrators.kea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3289DHCPv4: bad option 81 data (invalid FQDN) causes halt in further processing o...2024-03-14T15:00:06ZDarren AnkneyDHCPv4: bad option 81 data (invalid FQDN) causes halt in further processing of packetA packet with option 81 attached with an empty label causes further processing of the client's DHCPv4 packet to cease and the packet to be dropped.
This is very simple to reproduce with the following
<details><summary>Simple configurat...A packet with option 81 attached with an empty label causes further processing of the client's DHCPv4 packet to cease and the packet to be dropped.
This is very simple to reproduce with the following
<details><summary>Simple configuration</summary>
```
{
"Dhcp4": {
"interfaces-config": {
"interfaces": [
"ens256"
]
},
"lease-database": {
"type": "memfile",
"persist": false
},
"calculate-tee-times": true,
"option-data": [
{
"name": "domain-name-servers",
"data": "10.0.0.1"
}
],
"subnet4": [
{
"subnet": "10.1.2.0/24",
"id": 1,
"option-data": [
{
"name": "routers",
"data": "10.1.2.1"
}
],
"pools": [
{
"pool": "10.1.2.100-10.1.2.200"
}
]
}
],
"loggers": [
{
"name": "kea-dhcp4",
"severity": "DEBUG",
"debuglevel": 99,
"output_options": [
{
"output": "stdout"
}
]
}
]
}
}
```
</details>
and sending packets with malformed FQDN using `perfdhcp`:
```
perfdhcp -4 -r 1 -p 10 -l ens256 -R 1 -o 81,0100002E656D7074792E6C6162656C2E6578616D706C652E636F6D
```
<details><summary>Messages like this are logged</summary>
```
2024-03-13 11:21:28.124 DEBUG [kea-dhcp4.packets/52340.281473684041744] DHCP4_BUFFER_RECEIVED received buffer from 10.1.2.6:67 to 255.255.255.255:67 over interface ens256
2024-03-13 11:21:28.124 DEBUG [kea-dhcp4.options/52340.281473642041216] DHCP4_BUFFER_UNPACK parsing buffer received from 10.1.2.6 to 255.255.255.255 over interface ens256
2024-03-13 11:21:28.124 DEBUG [kea-dhcp4.bad-packets/52340.281473642041216] DHCP4_PACKET_DROP_0001 failed to parse packet from 10.1.2.6 to 255.255.255.255, received over interface ens256, reason: failed to parse the domain-name in DHCPv4 Client FQDN Option: non terminating empty label in .empty.label.example.com, hwaddr=00:0c:01:02:03:04
```
</details>
Clients with such incorrect FQDNs in option 81 are not able to get an IP address. Option 81 content from such clients is probably not useable and should perhaps be ignored but the client should still get an IP address possibly? This type of error in option 81 was allowed in ISC DHCP and so this is a problem for those migrating to Kea from ISC DHCP.
Attached a pcap of the DHCP packets generated by `perfdhcp`: [fqdn-test.pcap](/uploads/810d5aa88d78f58f1c4b39d6b1eec3d1/fqdn-test.pcap)
[SF1790](https://isc.lightning.force.com/lightning/r/Case/500S6000006lxqtIAA/view)kea2.5.8