Created attachment 204390 [details] compressed archive of the modified net/kea port To whom it may concern, I have a question concerning the Kea DHCP Server package of the FreeBSD repository. But at first I want to describe what I want to do, what problems I have and how I have solved them. I want to provide the Kea DHCP service within a jail container. Furthermore, I want to manage this service with Ansible. During the installation and configuration of that service, I noticed two problems with the rc script of Kea. The first problem relates to the use of Kea within a jail container. The usage of Kea within a jail container is easily possible and it is also described in the Kea Documentation since Kea version 1.4 (https://ftp.isc.org/isc/Kea/cur/doc/Kea-guide.pdf, page 39). The problem is now that the keyword "nojail" in Kea's rc script prevents the service from starting automatically when the jail container starts. The second problem has to do with the invocation of rc script. This current script uses the keactrl tool to start one or more of the services that are provided by the Kea suite and all information on which services have to be started can be found in the keactrl.conf file. The problem is that the returncode of keactrl is usually 0. The same is true if you want to check the state of a single service of this suite. Normally, the service(8) command returns a 0 if a service is running and 1 if the service is not running. In the case of the Kea's rc script the keactrl displays a conclusion of all services states on stdout and returns always 0. Especially configuration management systems, in my case Ansible, and other programs or scripts use the returncode of the service(8) command to determinate the state of a service. For example Ansible checks the state of a service before it starts or stops this. So it is not possible to start a Kea service as usual. To solve these problems, I developed a new rc script for the Kea suite which can be used within a jail container and controls each service separately. The control is done by using the name of the invoked rc script, so that all Kea services only have to be a soft link to this new rc script. A compressed archive of the modified net/kea port can be found in the attachment. And now back to my question. Is it possible to replace the current Kea rc script in the port source with the rc script I developed or add it to the port source? I thank you in advance for your answer. Best regards Martin
(In reply to Martin Pietsch from comment #0) 1. Regarding the first issue, if you just remove the 'nojail' keyword, are you able to run Kea successfully inside a jail? I am interested in using this approach as well. 2. I do not think this is a future-proof solution. I would suggest fixing keactrl's '-s' switch upstream (I don't think it's working at the moment), altogether with its exit code. As a side note, could you submit your suggestions as a patch (uncompressed)? Thank you!
Created attachment 208936 [details] patch for Kea's rc file without nojail keyword
Created attachment 208937 [details] Makefile patch of Kea's port to provide a new rc file
Comment on attachment 208936 [details] patch for Kea's rc file without nojail keyword --- kea.orig/files/kea.in 2019-11-05 13:39:02.428216863 +0100 +++ kea/files/kea.in 2019-11-05 13:53:53.760854516 +0100 @@ -3,7 +3,7 @@ # # PROVIDE: kea # REQUIRE: netif routing -# KEYWORD: nojail shutdown +# KEYWORD: shutdown # # Add the following to /etc/rc.conf[.local] to enable this service
Created attachment 208938 [details] patch for Kea's rc file without nojail keyword
Created attachment 208939 [details] pkg-plist patch of Kea's port to provide a new rc file
Created attachment 208940 [details] new rc file for Kea
I'm sorry the answer took so long. Here are my answers now: Yes, Kea runs very well inside a jail. There is even the possibility to run a HA-cluster with primary, secondary and backup (jail)nodes. My current configuration consists of a primary and secondary node on two machines. But you have to pay attention, if you want run a Kea jail with a virtual network interface that is connected with the real network via NAT and port forwarding. In this case "bootp" requests will not reach the server inside the jail. In order to ensure that "bootp" requests can also be processed by the server, it is necessary to "unhide" the bpf-devices of the jail host for the Kea jail. This is done with the devfs rules. The keyword "nojail" prevents the automatic start of a rc file inside a jail. This is also described in the man page of rc(8) in point 5 of the section "Operation of rc". A service marked with this keywork is not automatically executed when the jail starts. But that is not what I want. So I removed it and everything was well. The patch file "patch-files-kea.in" contains this change. The patch files "patch-Makefile" and "patch-pkg-plist" and the file kea_dhcp4.in are used for my suggestion of a new rc file for Kea. I hope that is right. The patch files "patch-Makefile" and "patch-pkg-plist" and the file kea_dhcp4.in are used for my suggestion of a new rc file for Kea. By linking the rc file kea_dhcp4 to kea_dhcp6, kea_ctrl_agent etc it is possible to start each server individually and to get the correct exit code of them. I hope this is the right way to provide such patches.
(In reply to Martin Pietsch from comment #9) Thank you for your explanation. I'll test Kea contained in a jail, that one should be an easy fix. Regarding the other suggestion, splitting the services into individual services (and rc scripts) instead of using keactrl, I still think it's better to fix it upstream. Right now, issuing `keactrl status -s dhcp6`, for example, does not work, as can be seen in the current implementation of keactrl: https://gitlab.isc.org/isc-projects/kea/blob/628d764179824329a5c654d69a9934f174d23e4a/src/bin/keactrl/keactrl.in#L395 The `-s|--server` flag is essentially a NOP. Once this is working, you should be able to control individual servers using this flag regardless of the platform you are running Kea on, and have the appropriate exit code. So I still think you should pursue your suggestion (2) upstream. However, this decision is up to the maintainer.
+1 on there being no good reason to prevent running kea in a jail. Kea runs quite well in a jail, either with UDP or raw sockets. It was rather puzzling to wonder why DHCP didn't come back up after a power outage here, after configuring HA, especially as the jails were running. Seems as though you can manually start the service, but it won't start on boot with the `nojail` keyword present. There's not a good reason I can think of to prevent it from running in a jail. If your'e trying to run it with raw sockets, well, read the jail and devfs man pages.
I think that the rc script should also have NETWORK in its PROVIDE. Other wise (in my case) kea-dhcp6 will not start at boot.
(In reply to jad from comment #12) Sorry that should be in its REQUIRE not PROVIDE
Created attachment 218091 [details] add require NETWORK, remove nojail Let's fix this one.
This is fixed in ports 5d3a48d7fef24a13a831425e53ee8fc466e88872