Merge ~holmanb/ubuntu/+source/isc-dhcp:ubuntu/devel into ubuntu/+source/isc-dhcp:ubuntu/devel
Status: | Merged | ||||
---|---|---|---|---|---|
Approved by: | git-ubuntu bot | ||||
Approved revision: | not available | ||||
Merged at revision: | ba63f11edd0ce4fc4b1e3883767dd7c74b3f0d7d | ||||
Proposed branch: | ~holmanb/ubuntu/+source/isc-dhcp:ubuntu/devel | ||||
Merge into: | ubuntu/+source/isc-dhcp:ubuntu/devel | ||||
Diff against target: |
29 lines (+10/-0) 2 files modified
debian/apparmor/sbin.dhclient (+4/-0) debian/changelog (+6/-0) |
||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
git-ubuntu bot | Approve | ||
Robie Basak | Approve | ||
Canonical Server Reporter | Pending | ||
Canonical Server Core Reviewers | Pending | ||
Review via email: mp+439186@code.launchpad.net |
Commit message
Allow disabling hook scripts.
Description of the change
Motivation:
When executing dhclient, cloud-init does not want OS-induced variation in behavior caused by the contents of /sbin/dhclient-
Formerly cloud-init used "dhclient sandboxing" to work around apparmor rules in dhclient. With recent changes[1], cloud-init has removed sandboxing and changed file locations to work with dedicated PID and lease file apparmor locations. Unfortunately under this scheme, when the script call fails (due to apparmor blocking execution of /bin/true), dhclient falls back to using the default script, /sbin/dhclient-
[1] https:/
The change:
Dhclient doesn't provide a mechanism for disabling hook scripts, which may provide undesirable system side effects. It does, however, allow the caller to define custom scripts. Therefore, one way to effectively disable hook scripts is to provide a no-op script, such as /bin/true. This MP allows dhclient to execute /bin/true such that default hook scripts may effectively be disabled.
Before this change, note the "Permission denied" in the output:
$ sudo dhclient -1 -v -lf /run/dhclient.lease -pf /run/dhclient.pid enp24s0 -sf /bin/true
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https:/
execve (/bin/true, ...): Permission denied
Listening on LPF/enp24s0/
Sending on LPF/enp24s0/
Sending on Socket/fallback
DHCPREQUEST for 192.168.1.145 on enp24s0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.145 from 192.168.1.1
execve (/bin/true, ...): Permission denied
bound to 192.168.1.145 -- renewal in 39752 seconds.
After this change, note the "Permission denied" is gone.
$ sudo dhclient -1 -v -lf /run/dhclient.lease -pf /run/dhclient.pid enp24s0 -sf /bin/true
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https:/
Listening on LPF/enp24s0/
Sending on LPF/enp24s0/
Sending on Socket/fallback
xid: warning: no netdev with useable HWADDR found for seed's uniqueness enforcement
xid: rand init seed (0x646bc97f) built using gethostid
DHCPREQUEST for 192.168.1.145 on enp24s0 to 255.255.255.255 port 67 (xid=0x46eceb7d)
DHCPACK of 192.168.1.145 from 192.168.1.1 (xid=0x7debec46)
bound to 192.168.1.145 -- renewal in 39745 seconds.
This looks fine and we can upload this now if required. One comment inline to adjust the profile relaxation to be just a bit tighter, assuming it works (please test).
However we should send this to Debian, and if they end up implementing the change differently, we'd end up have to test two different ways of doing it. So, if we have time, could you please send this to Debian for review first? This depends on what you need this for, which I don't know :-)
If however you need it quickly, then +1 to upload this to Ubuntu with just my inline comment addressed. Please let me know if so, and I'll sponsor.