Kea issueshttps://gitlab.isc.org/isc-projects/kea/-/issues2023-07-31T13:34:54Zhttps://gitlab.isc.org/isc-projects/kea/-/issues/2627Dynamic DNS in options are not in example DHCPv4 configuration file2023-07-31T13:34:54ZMichael CasadevallDynamic DNS in options are not in example DHCPv4 configuration file**Describe the bug**
Options relating to DDNS in DHCPv4 are not present in the included examples. To get DDNS working with Kea, I had to manually look up and add options like this
```
"dhcp-ddns": {
"enable-updates": true,
...**Describe the bug**
Options relating to DDNS in DHCPv4 are not present in the included examples. To get DDNS working with Kea, I had to manually look up and add options like this
```
"dhcp-ddns": {
"enable-updates": true,
},
"ddns-qualifying-suffix": "ddns.restless.systems",
```
DDNS is methoded in other places, but none of the actual config stanzas appear to be in the file, nor is there a conscience guide showing which flags need to be set, as well as having clients. Furthermore, default behavior is not well documented. For instance, without ddns-qualifying-suffix, my client sent a hostname of "kali", and Kea DHCP attempted to do a UPDATE with that hostname as is.
That could easily leave to unexpected behavior, and security concerns and should be clearly documented.
**Expected behavior**
- Clearer documentation on what must be set in DHCP4 (and 6) for DDNS
- Better documentation on default behaviors
**Environment:**
- Kea version: which release? if it's compiled from git, which revision. Use kea-dhcp4 -V to find out.
- OS: [e.g. Ubuntu 16.04 x64]
- Which features were compiled in (in particular which backends)
- If/which hooks where loaded in
**Environment:**
- Kea version: 2.2.0, compiled from tarball on site
- Ubuntu 22.04.1
**Additional Information**
This was done as part of a livestream learning how to use Kea, documenting this behavior.
**Contacting you**
GitLab is fine, can provide more ways if needed.next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/2480Documentation - Update KB Article Understanding Client Classification2023-07-31T13:34:54ZPeter DaviesDocumentation - Update KB Article Understanding Client Classification**Update KB Article Understanding Client Classification**
The early-global-reservations-lookup for classed was implemented in release 2.1.4 see #2249
This optionally changes the phases of subnet selection and host reservation.
It need...**Update KB Article Understanding Client Classification**
The early-global-reservations-lookup for classed was implemented in release 2.1.4 see #2249
This optionally changes the phases of subnet selection and host reservation.
It needs to be explained in the KB article:
https://kb.isc.org/docs/understanding-client-classificationnext-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/1559doc: picking the right redundancy solution (HA vs shared database)2024-03-21T12:23:39ZTomek Mrugalskidoc: picking the right redundancy solution (HA vs shared database)Once the situation with MySQL group replication improves (see #1411, #593 and #980) and we get more experience with running Kea with a cluster, we should document this a possible alternative for HA.
Support and sales are vitally interes...Once the situation with MySQL group replication improves (see #1411, #593 and #980) and we get more experience with running Kea with a cluster, we should document this a possible alternative for HA.
Support and sales are vitally interested in this. Hence the customer label.
At various times it was commented that the decision tree for recently added in host reservation docs is very useful. Regardless if this ends up as a KB article or part of Kea ARM, there should be a decision tree helping the reader to navigate through available options.next-stable-3.0https://gitlab.isc.org/isc-projects/kea/-/issues/1547custom option examples2022-11-02T15:10:19ZTomek Mrugalskicustom option examplesWe should improve the custom option examples. Here are some requests:
1. [custom option 191](https://lists.isc.org/pipermail/kea-users/2019-November/002570.html)We should improve the custom option examples. Here are some requests:
1. [custom option 191](https://lists.isc.org/pipermail/kea-users/2019-November/002570.html)backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/1153Rewrite the client classification documentation in Kea ARM2022-11-02T15:10:17ZMarcin SiodelskiRewrite the client classification documentation in Kea ARMClient classification is a complex topic. We started simple but over the years we have added more and more feature to client classification. While reviewing the most recent addition to client classification in #1139 we found that certain...Client classification is a complex topic. We started simple but over the years we have added more and more feature to client classification. While reviewing the most recent addition to client classification in #1139 we found that certain paragraphs are unclear. For example, see this thread: https://gitlab.isc.org/isc-projects/kea/-/merge_requests/686#note_115873. We think it may be now good time to rewrite the documentation about the client classification and perhaps add some diagrams explaining how it all works together.backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/3310Documentation should include more examples with IPv6 addresses in URLs2024-03-25T12:34:33ZFrancis DupontDocumentation should include more examples with IPv6 addresses in URLsThe reason is the syntax is no so trivial... I suggest to add at least one in ARM (hooks-ha.rst) and in kea6 examples.The reason is the syntax is no so trivial... I suggest to add at least one in ARM (hooks-ha.rst) and in kea6 examples.backloghttps://gitlab.isc.org/isc-projects/kea/-/issues/3302Is Host Cache required for RADIUS?2024-03-28T16:15:48ZFrancis DupontIs Host Cache required for RADIUS?The Host Cache was designed for RADIUS in order to not perform an access/auth exchange with the RADIUS server for each query: when the query comes from an already seen client (same RADIUS idenfier) the answer from the RADIUS server is av...The Host Cache was designed for RADIUS in order to not perform an access/auth exchange with the RADIUS server for each query: when the query comes from an already seen client (same RADIUS idenfier) the answer from the RADIUS server is available from the host cache. This was critical when both were designed because the access/auth exchange was synchronous (i.e. blocking until the answer is received) and single threaded (i.e. blocking the whole DHCP service). Perhaps it is less true today but the host cache is in memory when RADIUS exchanges are over the network so far slower, and the Host Cache also handles negative answers so covers (excepting for the bug described in #3269) all cases.
The Host Cache has a second function for RADIUS: when the RADIUS server returns an address (vs a pool name which is translated into a client class name directly added to the query object) a host entry for this reserved address is inserted in the Host Cache. The idea is the host lookup will be able to find it. This is not essential: the host entry can be attached to the callout handle associated to the query and got back latter as the current code does for the [re]selected subnet.kea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3290Clarify application of the ha-scopes command in the actual deployments2024-03-14T15:02:26ZMarcin GodzinaClarify application of the ha-scopes command in the actual deployments`ha-scopes` command can modify servers scopes without changing its role and other HA parameters.
It can be a powerful tool, but its use can put the server in a state that will be very confusing for the Administrator.
I think this comman...`ha-scopes` command can modify servers scopes without changing its role and other HA parameters.
It can be a powerful tool, but its use can put the server in a state that will be very confusing for the Administrator.
I think this command requires more documentation and warnings about its usage.
For example: \
We have a hot standby pair and send the `ha-scopes` command to the `standby` server, enabling scopes of both servers.
This results in `primary` and `standby` servers replying to DHCP traffic. But the second server still reports as in a `standby` state.
This can lead to massive confusion for Administrators.kea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3288add couple sentences describing what tools/kea-breeder/kb.py does and why2024-03-14T14:58:34ZWlodzimierz Wenceladd couple sentences describing what tools/kea-breeder/kb.py does and whyExtend help message or just add comments to explain what is the purpose of `tools/kea-breeder/kb.py` scriptExtend help message or just add comments to explain what is the purpose of `tools/kea-breeder/kb.py` scriptkea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3279ddns[46]_update documented argument names incorrect2024-03-27T15:17:48ZPatrick Armitageddns[46]_update documented argument names incorrectsrc/bin/dhcp[46]/dhcp[46]_hooks.dox document arguments _fwd_update_, _rev_update_ and _ddns_params_. Using these parameter names causes an exception to be thrown:
```
ERROR HOOKS_CALLOUT_EXCEPTION exception thrown by callout on hook ddns...src/bin/dhcp[46]/dhcp[46]_hooks.dox document arguments _fwd_update_, _rev_update_ and _ddns_params_. Using these parameter names causes an exception to be thrown:
```
ERROR HOOKS_CALLOUT_EXCEPTION exception thrown by callout on hook ddns4_update registered by library with index 1 (callout address 0x7fff875b8ffc): unable to find argument with name fwd_update
```
The names for these arguments in the code are _fwd-update_, _rev-update_ and _ddns-param_, i.e. the _'s should be -'s.
The following patch corrects the issue:
```
commit 67063ae09d2c1f924586404eea2fa85a328bccb5 (HEAD -> master)
Author: Quentin Armitage <quentin@armitage.org.uk>
Date: Thu Feb 29 17:44:38 2024 +0000
Fix documentation for ddns[46]_update hooks
The documented argument names fwd_update, rev_update and ddns_params
should be fwd-update, rev_update and ddns-params.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
diff --git a/src/bin/dhcp4/dhcp4_hooks.dox b/src/bin/dhcp4/dhcp4_hooks.dox
index ae6c903ff9..ed0620e035 100644
--- a/src/bin/dhcp4/dhcp4_hooks.dox
+++ b/src/bin/dhcp4/dhcp4_hooks.dox
@@ -260,9 +260,9 @@ called before "subnet4_select".
- name: @b response4, type: isc::dhcp::Pkt4Ptr, direction: <b>in</b>
- name: @b subnet4, type: isc::dhcp::Subnet4Ptr, direction: <b>in</b>
- name: @b hostname, type: std::string, direction: <b>in/out</b>
- - name: @b fwd_update, type: bool, direction: <b>in/out</b>
- - name: @b rev_update, type: bool, direction: <b>in/out</b>
- - name: @b ddns_params, type: isc::dhcp::DdnsParamsPtr, direction: <b>in</b>
+ - name: @b fwd-update, type: bool, direction: <b>in/out</b>
+ - name: @b rev-update, type: bool, direction: <b>in/out</b>
+ - name: @b ddns-params, type: isc::dhcp::DdnsParamsPtr, direction: <b>in</b>
- @b Description: this callout is executed after the server has selected
a lease and has formed a host name to associate with the lease and/or use
@@ -272,17 +272,17 @@ called before "subnet4_select".
host name as well as whether or not forward and/or reverse updates are
enabled.
- Upon entry into the callout, the arguments <b>hostname</b>,<b>fwd_update</b>,
- and <b>rev_update</b> have been set by the server based on the client packet,
+ Upon entry into the callout, the arguments <b>hostname</b>,<b>fwd-update</b>,
+ and <b>rev-update</b> have been set by the server based on the client packet,
and various configuration values (e.g host reservations, DDNS behavioral
parameters, etc). Upon return from the callout, any changes to these
values will be applied as follows:
- If <b>hostname</b> has changed it will be used to update the outbound
host name (option 12) if it exists, the output FQDN option (option 81)
if it exists, and used as the FQDN sent in DNS updates
- - Forward DNS update(s) will be done if <b>fwd_update</b> is true (and
+ - Forward DNS update(s) will be done if <b>fwd-update</b> is true (and
<b>kea-dhcp-ddns</b> connectivity is enabled)
- - Reverse DNS update(s) will be done if <b>rev_update</b> is true (and
+ - Reverse DNS update(s) will be done if <b>rev-update</b> is true (and
<b>kea-dhcp-ddns</b> connectivity is enabled)
- <b>Next step status</b>: Not applicable, its value will be ignored.
```
There appears to be no tests for the ddns[46]_update hooks. Should some be added?kea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3252HA multiple relationships and RADIUS reselect are incompatible2024-03-27T15:26:47ZFrancis DupontHA multiple relationships and RADIUS reselect are incompatibleNothing trivial can be done to fix this other to drop the first query (RADIUS hook parks the query at the subnet select callout and knows the right subnet when the RADIUS response is received). For other queries using cached RADIUS infor...Nothing trivial can be done to fix this other to drop the first query (RADIUS hook parks the query at the subnet select callout and knows the right subnet when the RADIUS response is received). For other queries using cached RADIUS information the correctness relies on the order of the HA and RADIUS hooks (RADIUS before HA).kea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3232Include JSONs from doc/examples in the ARM2024-02-01T14:54:13ZAndrei Pavelandrei@isc.orgInclude JSONs from doc/examples in the ARMThe configurations in `doc/examples` are mainly aimed at helping administrators, yet they are not included in the ARM with the exception of a few complex HA examples.
Some of the configurations are mentioned through path without linking...The configurations in `doc/examples` are mainly aimed at helping administrators, yet they are not included in the ARM with the exception of a few complex HA examples.
Some of the configurations are mentioned through path without linking anywhere. Furthermore, the path matches the location in the Kea sources, but not in the Kea installation. An administrator would have to git-clone to find them.
I suggest adding a section to the ARM which includes all of them. This would be done programmatically as opposed to hardcoding each file. Ideally, the directory hierarchy would also be respected and displayed in the ARM section.next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/3221Minor doc update: server limitations update after ping-check2024-03-20T11:29:29ZTomek MrugalskiMinor doc update: server limitations update after ping-checkThe section 8.12 (DHCPv4 server limitations) still claims this:
> _The DHCPv4 server does not verify that an assigned address is unused. According to RFC 2131, the allocating server should verify that an address is not used by sending a...The section 8.12 (DHCPv4 server limitations) still claims this:
> _The DHCPv4 server does not verify that an assigned address is unused. According to RFC 2131, the allocating server should verify that an address is not used by sending an ICMP echo request._
This is no longer true after ping-check was implemented.kea2.6.0https://gitlab.isc.org/isc-projects/kea/-/issues/3113Don't seem to be able to skip subnet/lease selection in a hook2024-03-28T08:10:19ZAndrew ForgueDon't seem to be able to skip subnet/lease selection in a hookWhat's the proper way to skip lease/subnet selection and delegate _everything_ to a hook library? I'm trying to hook kea up to a custom IPAM system.
The best I can tell is that you implement `pkt4_receive`/`pkt4_send` and tell `lease4_...What's the proper way to skip lease/subnet selection and delegate _everything_ to a hook library? I'm trying to hook kea up to a custom IPAM system.
The best I can tell is that you implement `pkt4_receive`/`pkt4_send` and tell `lease4_select` and `subnet4_select` as `setStatus(CalloutHandle::NEXT_STEP_SKIP)`.
The hook documentation for lease4_select says:
> Next step status: If any callout installed on the "lease4_select" hook sets the next step action to SKIP, the server will not assign any lease and the callouts become responsible for the lease assignment. If the callouts fail to provide a lease, the packet processing will continue, but client will not get an address.
I'm confused as to which (other) callouts should "provide a lease" if I'm skipping lease4_select? Should I be overwriting the lease4 argument in `lease4_select` instead, and setting `NEXT_STATUS_CONTINUE`? If I do this, how do I prevent Kea from recording the lease? Do I need to SKIP `lease4_*` callouts too?
The only subnet is one from `0.0.0.0` - `255.255.255.255`
```
int pkt4_receive(CalloutHandle &handle) {
... business logic here ...
}
int pkt4_send(CalloutHandle &handle) {
... business logic here ...
}
int lease4_select(CalloutHandle &handle) {
handle.setStatus(CalloutHandle::NEXT_STEP_SKIP);
return 0;
}
int subnet4_select(CalloutHandle &handle) {
handle.setStatus(CalloutHandle::NEXT_STEP_SKIP);
return 0;
}
```
Kea 2.4 seems to drop the packet after DHCP4_PACKET_NAK_0003 (even though pkt4_send will eventually fill in everything), the client never receives anything:
```
2023-10-17 06:44:16.759 DEBUG [kea-dhcp4.packets/657887.140610219676288] DHCP4_BUFFER_RECEIVED received buffer from 127.1.2.3:6671 to 127.0.0.1:6672 over interface lo
2023-10-17 06:44:16.759 DEBUG [kea-dhcp4.options/657887.140610166056640] DHCP4_BUFFER_UNPACK parsing buffer received from 127.1.2.3 to 127.0.0.1 over interface lo
2023-10-17 06:44:16.759 DEBUG [kea-dhcp4.packets/657887.140610166056640] DHCP4_PACKET_RECEIVED [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: DHCPDISCOVER (type 1) received from 127.1.2.3 to 127.0.0.1 on interface lo
2023-10-17 06:44:16.759 DEBUG [kea-dhcp4.packets/657887.140610166056640] DHCP4_QUERY_DATA [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1, packet details: local_address=127.0.0.1:6672, remote_address=127.1.2.3:6671, msg_type=DHCPDISCOVER (1), transid=0x
1,
options:
type=053, len=001: 1 (uint8)
type=060, len=015: "HTTPClient::7::" (string)
type=082, len=012:,
options:
type=001, len=004: 65:74:68:30
type=005, len=004: 172.16.42.1 (ipv4-address)
type=093, len=002: 0(uint16)
2023-10-17 06:44:16.759 DEBUG [kea-dhcp4.callouts/657887.140610166056640] HOOKS_CALLOUTS_BEGIN begin all callouts for hook pkt4_receive
2023-10-17 06:44:16.759 INFO [kea-dhcp4.myhooklib-callouts/657887.140610166056640] LOG_MYHOOKLIB_GENERIC Carbide: type=082, len=012:,
options:
type=001, len=004: 65:74:68:30
type=005, len=004: 172.16.42.1 (ipv4-address)
2023-10-17 06:44:16.759 INFO [kea-dhcp4.myhooklib-callouts/657887.140610166056640] LOG_MYHOOKLIB_PKT4_RECEIVE: CIRCUIT ID [eth0] in packet
2023-10-17 06:44:16.759 INFO [kea-dhcp4.myhooklib-callouts/657887.140610166056640] LOG_MYHOOKLIB_GENERIC Carbide: type=060, len=015: "HTTPClient::7::" (string)
2023-10-17 06:44:16.759 ERROR [kea-dhcp4.myhooklib-callouts/657887.140610166056640] LOG_MYHOOKLIB_PKT4_RECEIVE: Missing option [93] in packet
2023-10-17 06:44:16.846 DEBUG [kea-dhcp4.callouts/657887.140610166056640] HOOKS_CALLOUT_CALLED hooks library with index 1 has called a callout on hook pkt4_receive that has address 0x7fe25b9f3ae3 (callout duration: 87.199 ms)
2023-10-17 06:44:16.846 DEBUG [kea-dhcp4.callouts/657887.140610166056640] HOOKS_CALLOUTS_COMPLETE completed callouts for hook pkt4_receive (total callouts duration: 87.199 ms)
2023-10-17 06:44:16.846 DEBUG [kea-dhcp4.dhcpsrv/657887.140610166056640] DHCPSRV_CFGMGR_SUBNET4_ADDR selected subnet 0.0.0.0/0 for packet received by matching address 172.16.42.1
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.packets/657887.140610166056640] DHCP4_SUBNET_SELECTED [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: the subnet with ID 1 was selected for client assignments
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.packets/657887.140610166056640] DHCP4_SUBNET_DATA [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: the selected subnet details: 0.0.0.0/0
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ONE_SUBNET_ID_IDENTIFIER get one host with IPv4 reservation for subnet id 1, identified by hwaddr=020000000001
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ALL_IDENTIFIER get all hosts with reservations using identifier: hwaddr=020000000001
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ALL_IDENTIFIER_COUNT using identifier hwaddr=020000000001, found 0 host(s)
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ONE_SUBNET_ID_IDENTIFIER_NULL host not found using subnet id 1 and identifier hwaddr=020000000001
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ONE_SUBNET_ID_IDENTIFIER get one host with IPv4 reservation for subnet id 1, identified by circuit-id=65746830
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ALL_IDENTIFIER get all hosts with reservations using identifier: circuit-id=65746830
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ALL_IDENTIFIER_COUNT using identifier circuit-id=65746830, found 0 host(s)
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ONE_SUBNET_ID_IDENTIFIER_NULL host not found using subnet id 1 and identifier circuit-id=65746830
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.dhcp4/657887.140610166056640] DHCP4_CLASS_ASSIGNED [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: client packet has been assigned to the following class(es): UNKNOWN
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.dhcp4/657887.140610166056640] DHCP4_CLASS_ASSIGNED [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: client packet has been assigned to the following class(es): ALL, VENDOR_CLASS_HTTPClient::7::, UNKNOWN
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.ddns/657887.140610166056640] DHCP4_CLIENT_HOSTNAME_PROCESS [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: processing client's Hostname option
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.dhcpsrv/657887.140610166056640] DHCPSRV_MEMFILE_GET_HWADDR obtaining IPv4 leases for hardware address hwtype=1 02:00:00:00:00:01
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.alloc-engine/657887.140610166056640] ALLOC_ENGINE_V4_OFFER_NEW_LEASE allocation engine will try to offer new lease to the client [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ONE_SUBNET_ID_ADDRESS4 get one host with reservation for subnet id 1 and IPv4 address 0.0.0.1
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ALL_ADDRESS4 get all hosts with reservations for IPv4 address 0.0.0.1
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ALL_ADDRESS4_COUNT using address 0.0.0.1, found 0 host(s)
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.hosts/657887.140610166056640] HOSTS_CFG_GET_ONE_SUBNET_ID_ADDRESS4_NULL host not found using subnet id 1 and address 0.0.0.1
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.dhcpsrv/657887.140610166056640] DHCPSRV_MEMFILE_GET_ADDR4 obtaining IPv4 lease for address 0.0.0.1
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.callouts/657887.140610166056640] HOOKS_CALLOUTS_BEGIN begin all callouts for hook lease4_select
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.callouts/657887.140610166056640] HOOKS_CALLOUT_CALLED hooks library with index 1 has called a callout on hook lease4_select that has address 0x7fe25b9f4647 (callout duration: 0.007 ms)
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.callouts/657887.140610166056640] HOOKS_CALLOUTS_COMPLETE completed callouts for hook lease4_select (total callouts duration: 0.007 ms)
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.dhcpsrv/657887.140610166056640] DHCPSRV_HOOK_LEASE4_SELECT_SKIP Lease4 creation was skipped, because of callout skip flag.
```
... not sure what's supposed to happen at this point to prevent the WARN/ERROR of not having a lease ...
Then:
```
2023-10-17 06:44:16.847 WARN [kea-dhcp4.alloc-engine/657887.140610166056640] ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: failed to allocate an IPv4 lease in the subnet 0.0.0.0/0, subnet-id 1, shared network (none)
2023-10-17 06:44:16.847 WARN [kea-dhcp4.alloc-engine/657887.140610166056640] ALLOC_ENGINE_V4_ALLOC_FAIL [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: failed to allocate an IPv4 address after 1 attempt(s)
2023-10-17 06:44:16.847 WARN [kea-dhcp4.alloc-engine/657887.140610166056640] ALLOC_ENGINE_V4_ALLOC_FAIL_CLASSES [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: Failed to allocate an IPv4 address for client with classes: ALL, VENDOR_CLASS_HTTPClient::7
::, UNKNOWN
2023-10-17 06:44:16.847 DEBUG [kea-dhcp4.bad-packets/657887.140610166056640] DHCP4_PACKET_NAK_0003 [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x1: failed to advertise a lease, client sent ciaddr 0.0.0.0, requested-ip-address (no address)
```
... no further output here ...kea2.6.0Francis DupontFrancis Duponthttps://gitlab.isc.org/isc-projects/kea/-/issues/3098Effect of behavioural parameters when ddns is disabled:2024-03-27T12:58:34ZPeter DaviesEffect of behavioural parameters when ddns is disabled:
Effect of behavioural parameters when ddns is disabled:
There are a number of behavioural parameters which control what gets sent to d2.
Some settings also control what is returned to the client and saved as the host-
name in th...
Effect of behavioural parameters when ddns is disabled:
There are a number of behavioural parameters which control what gets sent to d2.
Some settings also control what is returned to the client and saved as the host-
name in the lease information.
Setting "dhcp-ddns.enable-updates": false turns off ddns, but some of these settings
remain active.
For example, the "ddns-qualifying-suffix" setting may affect hostnames even if
ddns are disabled. It has been brought to our attention that this is not clearly
documented in the ARM.
RT [#22818](https://support.isc.org/Ticket/Display.html?id=22818)
SF [#00001287](https://isc.lightning.force.com/lightning/r/Case/5007V00002XcaY4QAJ/view)kea2.5.8https://gitlab.isc.org/isc-projects/kea/-/issues/3057Update Template Classes in the ARM2024-03-22T06:23:10ZPeter DaviesUpdate Template Classes in the ARMTo save duplicating work in updating two sources of documentation it has been
suggested the the KB article about [template](https://kb.isc.org/docs/facilitating-classification-with-template-classes) classes could be moved to the ARM. ...To save duplicating work in updating two sources of documentation it has been
suggested the the KB article about [template](https://kb.isc.org/docs/facilitating-classification-with-template-classes) classes could be moved to the ARM.
The "Facilitating Classification with Template Classes" KB article contain the
following use case examples:
Example. OUI Vendor
Use case 1. Reference the spawned class directly in configuration
Use case 2. Have a class dependency on the template class or spawned class
Use case 3. Define the spawned class
Use case 4. Lease limiting and rate limiting ok
The following examples are not found in the ARM:
Use case 1. Reference the spawned class directly in configuration
Use case 2. Have a class dependency on the template class or spawned classnext-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/3024Post audit: Write KB article/ARM section about securing DB connection2023-09-21T10:10:03ZTomek MrugalskiPost audit: Write KB article/ARM section about securing DB connectionAs pointed out in [@manu's audit](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023#12-secure-db-connection), we should have a kind of tutorial or step by step guide how to secure Kea and MariaDB/Postgres connect...As pointed out in [@manu's audit](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023#12-secure-db-connection), we should have a kind of tutorial or step by step guide how to secure Kea and MariaDB/Postgres connection.
I think this would be best achieved by having a config example in the ARM + a KB article explaining how to do the changes in Maria/Postgres installations.next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/3021Post audit: update ARM to show how to confirm source code integrity2023-09-21T10:09:54ZTomek MrugalskiPost audit: update ARM to show how to confirm source code integrityAnother proposal by [@manu's audit](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023#10-remote-administrative-access-authentication-restful-api). We should document how to check the integrity of the source code ...Another proposal by [@manu's audit](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023#10-remote-administrative-access-authentication-restful-api). We should document how to check the integrity of the source code (and packages, too).
With the SBOM being increasingly focused, this is an important aspect. Fortunately, it's very easy doc update.next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/3015Post audit: update docs2023-09-21T10:10:46ZTomek MrugalskiPost audit: update docs@manu completed an audit and pointed the following problems [in his report](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023):
- [ ] 2. Elaborate more about \[meta\] package, in particular how to run only selec...@manu completed an audit and pointed the following problems [in his report](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023):
- [ ] 2. Elaborate more about \[meta\] package, in particular how to run only selected service. Looks like a good idea also to update the security section and point out that one should only run the services that are strictly needed.
- [ ] 3. Elaborate more about `interface` requirement for making the service running in [ARM QuickStart section](https://kea.readthedocs.io/en/kea-2.2.0/arm/quickstart.html#quick-start-guide-for-dhcpv4-and-dhcpv6-services) - this should be easy, a sentence or two pointing out that binding address is by default set to defensive 127.0.0.1.
- [ ] 4. Correct references in configs
- [ ] 5. Clarify sentence in DDNS (it's `dhcp-ddns` in `Dhcp4` or `Dhcp6`)
- [ ] 6. Clarify about sockets open by default (add something like this "While Kea doesn't open any sockets by default on its own, the default configs shipped with packages do define some socket and Kea opens them).next-stable-2.6https://gitlab.isc.org/isc-projects/kea/-/issues/2773Update doc for PostgreSQL >= 152023-07-05T10:39:18ZFrancis DupontUpdate doc for PostgreSQL >= 15PostgreSQL >= 15 requires extra commands to grant permissions for things e.g. tables inside databases. The documentation should be updated so admins can use recent versions of PostgreSQL using only Kea docs (vs having to googling...).PostgreSQL >= 15 requires extra commands to grant permissions for things e.g. tables inside databases. The documentation should be updated so admins can use recent versions of PostgreSQL using only Kea docs (vs having to googling...).next-stable-2.6