Merge lp:~jtv/maas/packaging-custom-dhcpd into lp:~maas-maintainers/maas/packaging

This will not work.

As I showed at https://code.launchpad.net/~smoser/maas/packaging.lp1049177/+merge/124083/comments/267072 and /etc/init/isc-dhcp-server.conf, the permissions on the leases file must be root:root and must be or the daemon will fail due to apparmor restrictions.

Additionally, you can avoid a fork and have the same functionality with:
  read INTERFACES < "${INTERFACES_FILE}"

Wow, that could have been a little clearer: there is no explicit mention of this in the referred text, but it in turn has a link to a script that, near the bottom, sets the ownership of the leases file to root:root. Now, how does the regular dhcpd write to a leases file if it has to be root-owned? Or is that a restriction we face but the regular dhcpd doesn't? And why does the whole directory need to be root-owned?

Also, I think there could be something important missing from the text above. “and must be or the daemon will fail” — must be what?

"must be root:root and must be, or the daemon will fail"
I missed the ','.

I agree, that what you were trying to do seems logically to be a better solution. I tried the very same thing, and lost probably an hour in it figuring out why it didnt' work. If I had just started with the working version (/etc/init/isc-dhcp-server) I'd have not lost time.

You're certainly welcome to try to improve this, but if you are going to attempt to do so, please verify that it actually works.

Scott, does the latest version address your concerns?

For the historical record: it turns out isc-dhcp-server underwent a significant change in Quantal. In Precise, the leases file must be owned by dhcpd; in Quantal, it must be owned by root.

I've updated my branches (this one and lp:~jtv/maas/custom-dhcp for the maas codebase) to reflect the Quantal situation. For simplicity I also changed the apparmor snippet to grant access to /var/lib/maas/dhcpd.leases rather than /var/lib/maas/dhcpd/*.leases.

I ran dhcpd using the resulting upstart script and apparmor snippet (making apparmor reload its config, of course) and it got past the checking and opening of the leases file OK. I had it set up not to serve any real DHCP, but it said that it wrote 0 leases — the expected number — whereas all failed attempts broke before that point.

My testing was still haphazard: all configuration etc. was done by hand. The next thing I'd like to learn is the proper way to combine a maas branch with a packaging branch, so I can build and install test packages.

Jeroen

8 -/var/lib/maas/dhcpd/*.leases* lrw,
9 +/var/lib/maas/dhcpd.leases* lrw,

I'd just leave that as it was. I do not think that the '*' hits anything other than 'dchpd', but in the dhcpv6 code, it is used to as dhcpd6.leases. So, if it were up to me, I'd just leave it as it is.

66 + chmod a+r $LFILE

Was there some explicit reason for this invention?
Neither precise nor quantal's isc-dhcp-server.conf file do this. I suspect it does nothing as the default umask for upstart jobs is probably 'a+r'.

Also, I mentioned previously:
 INTERFACES=`cat $INTERFACES_FILE`
is better done as:
 read INTERFACES < "${INTERFACES_FILE}"

It saves a fork.

I'll go ahead and approve this, but I really would like those things fixed.
Changing things from a production working example (isc-dhcp-server.conf) with minimal test and minimal time to fix fallout is probably not well advised at this point. I'm just trying to save us heartache.

I met you halfway on the leases file's location: /var/lib/maas/dhcpd*.leases — that matches the IPv6 version as well as the IPv4 version, but still leaves out the extra directory level.

—

Yes, there is a reason for the “chmod a+r”: MAAS currently reads the leases file.

—

I replaced the “cat” with the “read.” I don't think saving a rare fork() is going to meet our scalability challenge though. :)

Jeroen

> I met you halfway on the leases file's location: /var/lib/maas/dhcpd*.leases —
> that matches the IPv6 version as well as the IPv4 version, but still leaves
> out the extra directory level.
>
> —
>
> Yes, there is a reason for the “chmod a+r”: MAAS currently reads the leases
> file.

As I said, there is no reason for explicitly setting this. Heres an example why:
$ cat /etc/init/foo.conf
task
script
 {
 echo "my umask: $(umask)"
 rm -f /tmp/foo
 touch /tmp/foo
 ls -l /tmp/foo
 } > /tmp/foo.out 2>&1
end script

$ sudo start foo ; cat /tmp/foo.out
foo stop/waiting
my umask: 0022
-rw-r--r-- 1 root root 0 Sep 19 10:12 /tmp/foo

$ sudo sh -c 'umask 666; sudo start foo' ; cat /tmp/foo.out
foo stop/waiting
my umask: 0022
-rw-r--r-- 1 root root 0 Sep 19 10:13 /tmp/foo

That shows at 0022 is the umask for upstart (which is exactly what you're chmoding to). So the chmod is un-necessary.

> I replaced the “cat” with the “read.” I don't think saving a rare fork() is
> going to meet our scalability challenge though. :)

The fork there in this case is about 100 times slower. Agreed, it doesn't matter here, but if 2 solutions do the same thing but 1 is 2 orders of magnitude faster, better to do that one.
fork is about 1000

> > Yes, there is a reason for the “chmod a+r”: MAAS currently reads the leases
> > file.
>
> As I said, there is no reason for explicitly setting this. Heres an example
> why:

You said “probably.” I didn't take the risk. Being certain that this isn't dependent on some obscure factor that may change is worth more than saving a rare fork().

Jeroen