chroot problem
Steve Farr
sfarr at rootgroup.com
Wed Aug 12 22:17:59 UTC 2009
Just in case it's of use to anyone else out there in the future, I got my
problem resolved... I had selinux running in the Enforcing+Targeted mode, and
when I switched off the chroot options I saw that dhcpd was getting denied
access to write to (the real) /var/db/dhcpd.leases. Evidently CentOS's
selinux dhcpd "target" profile isn't accepting of dhcpd making writes to
/var/db; maybe it's because it used to use /var/state/dhcp with 3.x.
Apparently it also disapproves of dhcpd chrooting. Anyway, with selinux
disabled it can chroot just fine during startup.
I did notice, though, that with --enable-early-chroot turned on, it still
needs a /etc/dhcpd.conf even though it's reading config from the one in the
chroot jail at /chroot/dhcpd/etc. Both copies of dhcpd.conf have to be
present for the service to start, but if the one in /etc is missing, it
doesn't throw an error - it just does nothing at all when you send it the
start command. Is that by design, or is it supposed to be chrooting just a
little bit "earlier?"
-Steve
-----Original Message-----
From: Steve Farr
Sent: Sun 8/9/2009 8:30 AM
To: dhcp-users at lists.isc.org
Cc:
Subject: chroot problem
I read the posts below, but am having a slightly different issue with
dhcp-4.1.0p1 and was hoping someone could help... I compiled with
--enable-paranoia --disable-dhcpv6, and am running on CentOS 5 w/ kernel
2.6.18-128.2.1.el5-x86_64 and gcc-4.1.2-44.el5. I am able to start dhcpd with
either the actual file, /proc/net/dev, copied into my chroot jail at
/chroot/dhcpd, or with the proc filesystem mounted at /chroot/dhcpd/proc –
either is fine. However, when I reboot the server, dhcpd will not start from
its rc3.d script. It throws the following error:
Aug 7 17:20:58 inres02 dhcpd: chroot("/chroot/dhcpd"): Permission denied
But, if I just log on to the server a minute later and do “service
dhcpd start” or "/etc/init.d/dhcpd start" the service comes right up with no
problems. Does anyone have any suggestions?
-Steve
**************************
Niall,
Thanks for your help. I was able to resolve the issue by creating
/proc/net within the chroot jail and copying dev and if_inet6 there.
Chris Vaughan
-----Original Message-----
From: dhcp-users-bounces at lists.isc.org [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of dhcp-users-request at lists.isc.org
Sent: Thursday, 15 January 2009 8:19 PM
To: dhcp-users at lists.isc.org
Subject: dhcp-users Digest, Vol 3, Issue 20
Message: 1
Date: Wed, 14 Jan 2009 13:01:42 +0000
From: Niall O'Reilly <Niall.oReilly at ucd.ie>
Subject: Re: Chroot issue
To: Users of ISC DHCP <dhcp-users at lists.isc.org>
Cc: Niall.oReilly at ucd.ie
Message-ID: <1231938102.6843.101.camel at d410-heron>
Content-Type: text/plain
On Wed, 2009-01-14 at 13:40 +1100, Chris Vaughan wrote:
> I have compiled ISC DHCP 4.1.0 on CentOS 5 with the --enable-paranoia
> and --enable-early-chroot
I expect that '--enable-early-chroot' is significant.
> options, when I go to start this to run in a
> chroot jail, I am confronted with an error, as follows.
>
> dhcpd -chroot /var/dhcp -user dhcp -group dhcp
> Internet Systems Consortium DHCP Server 4.1.0
> Copyright 2004-2008 Internet Systems Consortium.
> All rights reserved.
> For info, please visit http://www.isc.org/sw/dhcp/
> Wrote 0 leases to leases file.
> Error opening '/proc/net/dev' to list interfaces
> Can't get list of interfaces.
Reference to /proc/... is relative to your current file-system
root. That's to say that dhcpd is looking for
/var/dhcp/proc/..., which very likely doesn't exist.
I've used Edelkind's 'paranoia patch' for years, and am very
pleased that ISC have integrated it into their release, not
least because I nagged for it. Although I haven't any
experience yet with 4.1, I suspect that you can avoid the
problem by disabling the 'early' chroot. The idea is (or used
to be) that any tasks which would fail due to the relevant file
systems being unavailable after chroot are done before a 'late'
chroot.
Otherwise, you'll need to mount the /proc filesystem also at
/var/dhcp/proc. You may also need some of the files below /dev.
Best regards
Niall O'Reilly
University College Dublin IT Services
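The thread above converges on two separate causes: an early-chroot dhcpd needs /proc/net/dev (and if_inet6) visible inside the jail, either copied in as Chris Vaughan did or via procfs mounted under the jail as Niall suggests, and on CentOS an Enforcing SELinux policy can deny the chroot() call and writes to the leases file. The script below is an added example, not code from the thread or from ISC; it lays out such a jail, verifies the pieces the thread identifies, and collects the SELinux denials so they can be handled with a local policy module rather than by disabling SELinux. The jail path, the /var/db leases location, the function names and the copy-versus-mount choice are assumptions; adjust them to your build's configure options.

```shell
# Added example (not from the thread or ISC): prepare and check a chroot jail
# for an early-chroot dhcpd. Paths and function names are assumptions.

# Build the skeleton: config, leases directory, and the /proc/net files dhcpd
# reads to enumerate interfaces. A static copy of /proc/net/dev (as Chris
# Vaughan did) is correct until the interface list changes; mounting procfs at
# $jail/proc (Niall's alternative, see mount_jail_proc) tracks changes but
# exposes all of /proc to the jailed process.
prepare_dhcpd_jail() {
    jail=$1
    for d in etc var/db proc/net dev; do
        mkdir -p "$jail/$d" || return 1
    done
    for f in dev if_inet6; do
        if [ -r "/proc/net/$f" ]; then
            cp "/proc/net/$f" "$jail/proc/net/$f" || return 1
        else
            : > "$jail/proc/net/$f"      # placeholder where procfs is absent
        fi
    done
    # The directory for the leases file must be writable by the -user/-group
    # dhcpd drops to; the config is whatever you deploy (empty placeholder here).
    [ -e "$jail/etc/dhcpd.conf" ] || : > "$jail/etc/dhcpd.conf"
    return 0
}

# List every path the jail lacks and return non-zero if anything is missing.
# Worth running from the init script: Steve reports that a missing dhcpd.conf
# (the copy outside the jail, in his case) produced no error at all.
check_dhcpd_jail() {
    jail=$1
    rc=0
    for p in etc/dhcpd.conf var/db proc/net/dev proc/net/if_inet6; do
        if [ ! -e "$jail/$p" ]; then
            echo "missing: $jail/$p" >&2
            rc=1
        fi
    done
    return $rc
}

# Mount a live procfs inside the jail instead of copying files (needs root).
mount_jail_proc() {
    jail=$1
    mkdir -p "$jail/proc" && mount -t proc proc "$jail/proc"
}

# SELinux: with Enforcing+targeted, denials for chroot() or for writing the
# leases file show up as AVC records for the dhcpd command. Print the mode
# and the denials; audit2allow (from policycoreutils) can turn them into a
# local policy module instead of setting SELinux to disabled.
show_dhcpd_avc() {
    command -v getenforce >/dev/null 2>&1 && echo "SELinux: $(getenforce)"
    command -v ausearch  >/dev/null 2>&1 && ausearch -m avc -c dhcpd
}

# Usage (as root):
#   prepare_dhcpd_jail /chroot/dhcpd && check_dhcpd_jail /chroot/dhcpd
#   ausearch -m avc -c dhcpd | audit2allow -M dhcpd_chroot && semodule -i dhcpd_chroot.pp
```

Whether the early chroot is worth keeping is a separate decision: a late chroot avoids the /proc requirement because interface enumeration happens before the call, while an early chroot confines more of the startup code at the cost of the jail having to carry these extra files.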