[Kea-users] Testing the kea-failover peer with multi-threading and TLS support
Wlodek Wencel
wlodek at isc.org
Wed Jun 28 12:37:22 UTC 2023
Sorry, I don't have time to go through the entire thread here today :( but
what I can tell you now is that this solution is working. In our testing, one of
the nodes' configuration is:
{
  "Dhcp4": {
    "option-data": [],
    "hooks-libraries": [
      {
        "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so"
      },
      {
        "library": "/usr/local/lib/kea/hooks/libdhcp_ha.so",
        "parameters": {
          "high-availability": [
            {
              "peers": [
                {
                  "auto-failover": true,
                  "name": "server1",
                  "role": "primary",
                  "url": "https://172.28.0.31:8003/"
                },
                {
                  "auto-failover": true,
                  "name": "server2",
                  "role": "standby",
                  "url": "https://172.28.0.32:8003/"
                }
              ],
              "state-machine": {
                "states": []
              },
              "mode": "hot-standby",
              "heartbeat-delay": 2000,
              "max-ack-delay": 1000,
              "max-response-delay": 4000,
              "max-unacked-clients": 4,
              "this-server-name": "server1",
              "trust-anchor": "/usr/local/var/lib/kea/ca_cert.pem",
              "cert-file": "/usr/local/var/lib/kea/server_cert.pem",
              "key-file": "/usr/local/var/lib/kea/server_key.pem",
              "require-client-certs": false,
              "multi-threading": {
                "enable-multi-threading": true,
                "http-dedicated-listener": true,
                "http-listener-threads": 0,
                "http-client-threads": 0
              }
            }
          ]
        }
      }
    ],
    "shared-networks": [],
    "subnet4": [
      {
        "subnet": "192.168.50.0/24",
        "pools": [
          {
            "pool": "192.168.50.1-192.168.50.200"
          }
        ],
        "interface": "enp0s9"
      }
    ],
    "interfaces-config": {
      "interfaces": [
        "enp0s9"
      ]
    },
    "renew-timer": 1000,
    "rebind-timer": 2000,
    "valid-lifetime": 4000,
    "loggers": [
      {
        "name": "kea-dhcp4",
        "output_options": [
          {
            "output": "/usr/local/var/log/kea.log"
          }
        ],
        "severity": "DEBUG",
        "debuglevel": 99
      }
    ],
    "lease-database": {
      "type": "memfile"
    }
  }
}
Hope that will help you in your investigation.
Wlodek
On 28/06/2023 13:44, Kraishak Mahtha wrote:
> Hi Darren,
>
> I am deploying in my lab currently, but when we get more familiar we
> will proceed to production. Yes, I tried even with 2.3.8 and I am
> facing an issue. I thought it could be because of my certificates, and
> when reading more on this I saw a note in the reference document
> that
> "A sample set of certificates and associated objects is available at
> src/lib/asiolink/testutils/ca".
> I downloaded the source from Git, and from the folder
> kea-master\kea-master\src\lib\asiolink\testutils\ca I used the
> following certificates:
> "trust-anchor": "/root/kea-server.crt"
> "cert-file": "/root/kea-server.csr"
> "key-file": "/root/kea-server.key"
>
> But with this, I am getting the following error:
> 11:33:40.411 DEBUG [kea-dhcp4.hooks/13148.140464316582080] HOOKS_STD_CALLOUT_REGISTERED hooks library /opt/tcpwave/lib/kea/hooks/libdhcp_ha.so registered standard callout for hook leases4_committed at address 0x7fc05b249e70
> 2023-06-28 11:33:40.413 ERROR [kea-dhcp4.ha-hooks/13148.140464316582080] HA_CONFIGURATION_FAILED failed to configure High Availability hooks library: bad TLS config for server dhcp1: load of cert file '/root/kea-server.csr' failed: no start line
>
>
> Thanks
>
> On Wed, Jun 28, 2023 at 3:47 PM Darren Ankney
> <darren.ankney at gmail.com> wrote:
>
> Hi Kraishak,
>
> When are you deploying? You may want to test with 2.3.8 as the
> release of the next stable (2.4.0) is coming soon. As for certificate
> use, I am not an expert in that area, but I believe that the .pem
> format is most common and correct.
>
> Thank you,
>
> Darren Ankney
>
> On Wed, Jun 28, 2023 at 12:48 AM Kraishak Mahtha
> <kraishak.edu at gmail.com> wrote:
> >
> > Hi Darren,
> > Thank you for the suggestion. I forgot to mention, I am using
> > the Kea 2.2.0 version, the last stable one (yes, as it's the latest
> > version compared to 2.17). We don't need kea-control agents, and as I
> > am using HA+MT I don't have a dependency on the kea-control agent on
> > any of the peer servers.
> >
> > I have one more doubt about the certificate type to be used. In
> > the Kea 2.2.0 documentation, it says "Objects in files must
> > be in the PEM format" under section 23.1.2 TLS/HTTPS Configuration.
> > I also checked the example configs in the reference documents,
> > and most of them use .pem files for all three attributes:
> > "trust-anchor": "/usr/lib/kea/CA.pem",
> > "cert-file": "/usr/lib/kea/server1_cert.pem",
> > "key-file": "/usr/lib/kea/server1_key.pem"
> >
> > 1) So my doubt is: should all three certificates be in .pem format?
> >
> > I am asking this because while reading about the certificate
> > content, in one place it says "The sample set of the
> > certificates are available at src/lib/asiolink/testutils/ca" in the Kea
> > source folder, and when I look there I don't see .pem files.
> > I just want to test with those sample certificates to rule out
> > whether the issue is with the environment setup or with my
> > certificates.
> >
> > Thanks
> >
> > On Wed, Jun 28, 2023 at 2:10 AM Darren Ankney
> <darren.ankney at gmail.com> wrote:
> >>
> >> Hi Kraishak,
> >>
> >> In the latest 2.3.8 ARM, the full quote is:
> >>
> >> "Before Kea 2.1.7 using HTTPS in the HA setup required use of the
> >> Control Agent on all peers."
> >>
> >> followed by:
> >>
> >> "Since Kea 2.1.7 the HTTPS server side is supported:"
> >>
> >> see
> https://kea.readthedocs.io/en/kea-2.3.8/arm/hooks.html#https-support
> >> for full details.
> >>
> >> On Tue, Jun 27, 2023 at 12:26 PM Kraishak Mahtha
> <kraishak.edu at gmail.com> wrote:
> >> >
> >> > Hi, I am using the kea-failover peer with multi-threading
> >> > enabled (HA+MT), so I am not using the control agent but using
> >> > it directly, and everything is working fine as expected.
> >> > Now I am trying to use TLS with certificates configured,
> >> > but it does not seem to work as expected. When I was reading more
> >> > on the certificates section I saw a line saying "using HTTPS in
> >> > the HA setup required use of the Control Agent on all peers", so
> >> > just to rule out my issue with certificates, do we need to
> >> > use/configure the Control Agent on all peers for TLS even after
> >> > enabling multi-threading?
> >> >
> >> > Thanks in Advance
> >> > Kraishak
> >> >
> >> > --
> >> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >> >
> >> > To unsubscribe visit
> https://lists.isc.org/mailman/listinfo/kea-users.
> >> >
> >> > Kea-users mailing list
> >> > Kea-users at lists.isc.org
> >> > https://lists.isc.org/mailman/listinfo/kea-users
>
>
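As an added example (not from the thread and not part of Kea itself): a pre-flight script that reads a Kea configuration, finds the HA hook's TLS parameters at both the high-availability and the per-peer level, and classifies each referenced file by its PEM labels, so a CSR handed to cert-file (the cause of the "no start line" error above) is reported in plain words before kea-dhcp4 is started. The scope names, the warning text, the run_demo helper and the placeholder PEM files it writes are this example's own constructions; the placeholder files carry filler base64, not real keys or certificates.

```python
"""Pre-flight check for the TLS material referenced by Kea's HA hook.

kea-dhcp4 hands trust-anchor / cert-file / key-file to OpenSSL, which expects
a PEM object of a specific kind in each. Feeding it a CSR where a certificate
belongs fails with "no start line". This script classifies each file by its
PEM labels before Kea is started. Scope names and demo material are this
example's own, not Kea's.
"""
import json
import re
import sys
import tempfile
from pathlib import Path

# PEM "BEGIN" labels acceptable for each Kea TLS parameter.
EXPECTED_LABELS = {
    "trust-anchor": {"CERTIFICATE", "TRUSTED CERTIFICATE"},
    "cert-file": {"CERTIFICATE"},
    "key-file": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+?)-----[ \t]*$", re.MULTILINE)


def pem_labels(path):
    """Labels of every PEM object in the file, e.g. ['CERTIFICATE REQUEST']."""
    return BEGIN_RE.findall(Path(path).read_text(errors="replace"))


def ha_scopes(config):
    """Yield (scope, dict) for each place the HA hook accepts TLS parameters:
    the high-availability entry itself and each peer (per-peer values
    override the entry-level ones in Kea)."""
    for family in ("Dhcp4", "Dhcp6"):
        for hook in config.get(family, {}).get("hooks-libraries", []):
            if not hook.get("library", "").endswith("libdhcp_ha.so"):
                continue
            for ha in hook.get("parameters", {}).get("high-availability", []):
                yield f"{family}/high-availability", ha
                for peer in ha.get("peers", []):
                    yield f"{family}/peer {peer.get('name', '?')}", peer


def check_scope(scope, obj):
    """Return (severity, scope, parameter, message) tuples for one scope."""
    findings = []
    for key, wanted in EXPECTED_LABELS.items():
        if key not in obj:
            continue
        path = Path(obj[key])
        # trust-anchor may also name a directory of CA certificates.
        files = sorted(p for p in path.iterdir() if p.is_file()) if path.is_dir() else [path]
        for f in files:
            try:
                labels = set(pem_labels(f))
            except OSError as exc:
                findings.append(("ERROR", scope, key, f"{f}: cannot read ({exc.strerror})"))
                continue
            if not labels:
                findings.append(("ERROR", scope, key,
                                 f"{f}: no PEM BEGIN line (OpenSSL reports 'no start line')"))
            elif not labels & wanted:
                findings.append(("ERROR", scope, key,
                                 f"{f}: contains {sorted(labels)}, expected one of {sorted(wanted)}"))
    if obj.get("require-client-certs") is False:
        findings.append(("WARN", scope, "require-client-certs",
                         "false: HTTPS clients of this HA endpoint are not "
                         "authenticated by certificate"))
    return findings


def check_config(config):
    """Run check_scope over every HA scope in a parsed Kea configuration."""
    return [f for scope, obj in ha_scopes(config) for f in check_scope(scope, obj)]


def write_demo_material(root):
    """CONSTRUCTED placeholder files reproducing the thread's mistake (a CSR
    given as cert-file). The base64 bodies are filler, not real keys or
    certificates; only the PEM labels matter to this check."""
    def pem(label):
        return f"-----BEGIN {label}-----\nMIIBAAA=\n-----END {label}-----\n"
    root = Path(root)
    (root / "ca.pem").write_text(pem("CERTIFICATE"))
    (root / "server.csr").write_text(pem("CERTIFICATE REQUEST"))
    (root / "server.key").write_text(pem("PRIVATE KEY"))
    (root / "empty.crt").write_text("")
    return {"Dhcp4": {"hooks-libraries": [{
        "library": "/usr/local/lib/kea/hooks/libdhcp_ha.so",
        "parameters": {"high-availability": [{
            "this-server-name": "server1", "mode": "hot-standby",
            "trust-anchor": str(root / "ca.pem"),
            "cert-file": str(root / "server.csr"),
            "key-file": str(root / "server.key"),
            "require-client-certs": False,
            "peers": [
                {"name": "server1", "role": "primary", "auto-failover": True,
                 "url": "https://172.28.0.31:8003/"},
                {"name": "server2", "role": "standby", "auto-failover": True,
                 "url": "https://172.28.0.32:8003/",
                 "cert-file": str(root / "empty.crt")},
            ]}]}}]}}


def run_demo():
    """Check the constructed material in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_config(write_demo_material(tmp))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real config; note stdlib json rejects Kea's comments
        results = check_config(json.loads(Path(sys.argv[1]).read_text()))
    else:
        results = run_demo()
    for severity, scope, key, msg in results:
        print(f"{severity} [{scope}] {key}: {msg}")
```

Run it with a path to kea-dhcp4.conf to check a real deployment, or with no argument to see the constructed demo: the entry-level cert-file is flagged as a CERTIFICATE REQUEST, the empty per-peer file is flagged as the "no start line" case, and require-client-certs false is raised as a warning because it leaves the HA listener open to any HTTPS client that trusts the server certificate. The check looks at PEM labels only; whether key-file matches cert-file and whether cert-file chains to trust-anchor are separate checks (openssl verify and a key/certificate modulus comparison), and the stdlib json parser will reject Kea configuration files that contain comments.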