forked from pool/kea

Update services, user, group and dir access #2

Manually merged
jengelh merged 1 commits from jcronenberg/kea:master into master 2025-04-15 14:16:00 +02:00
8 changed files with 150 additions and 78 deletions

15
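--- a/kea-ctrl-agent.service
+++ b/kea-ctrl-agent.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=ISC Kea Control Agent
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+[Service]
+User=kea
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+[Install]
+WantedBy=multi-user.target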
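Review bot: `RuntimeDirectory=kea` is declared here and again in kea-dhcp-ddns.service, kea-dhcp4.service and kea-dhcp6.service, and systemd removes a unit's runtime directory when that unit stops unless told otherwise. Stopping or restarting any one daemon would therefore delete /run/kea, including the PID files (`KEA_PIDFILE_DIR=/run/kea`) of the daemons that are still running. I would add `RuntimeDirectoryPreserve=yes` to all four units. Adding `RuntimeDirectoryMode=0750` as well would create the directory with the same restrictive mode the commit applies to the state and log directories.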

16
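--- a/kea-dhcp-ddns.service
+++ b/kea-dhcp-ddns.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCP-DDNS server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+[Install]
+WantedBy=multi-user.target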
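Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` looks broader than this daemon needs. As far as I know the DHCP-DDNS server listens on an unprivileged loopback port by default and only acts as a client towards DNS servers, so it should not have to bind below 1024. Unless the shipped kea-dhcp-ddns.conf configures a privileged port, I would drop the line so the unit runs with no capabilities, as kea-ctrl-agent.service does. If it has to stay, a comment above it naming the port that requires it would make the grant reviewable.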

16
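--- a/kea-dhcp4.service
+++ b/kea-dhcp4.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCPv4 server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+[Install]
+WantedBy=multi-user.target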
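Review bot: The unit raises `CAP_NET_BIND_SERVICE CAP_NET_RAW` into the ambient set, but nothing bounds what the process or its children can hold, so the line grants privileges without limiting them. Adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW` and `NoNewPrivileges=yes` under `[Service]` would confine the daemon to these two capabilities. kea-dhcp6.service would get the same pair of settings with only `CAP_NET_BIND_SERVICE`. This assumes no configured hook library has to execute a setuid helper, which should be confirmed before enabling `NoNewPrivileges`.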

16
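--- a/kea-dhcp6.service
+++ b/kea-dhcp6.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCPv6 server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+[Install]
+WantedBy=multi-user.target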

3
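--- a/kea-sysusers.conf
+++ b/kea-sysusers.conf
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+g kea - - - -
+u kea -:kea "Kea DHCP Server" /var/lib/kea -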

2
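--- a/kea-tmpfiles.conf
+++ b/kea-tmpfiles.conf
@@ -0,0 +1,2 @@
+#Type Path Mode User Group Age Argument
+d /run/kea 0775 kea kea - -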
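Review bot: Mode `0775` leaves /run/kea group-writable and readable by every local user, while the same commit tightens the state and log directories to 0750. The directory holds the daemons' PID files (`KEA_PIDFILE_DIR=/run/kea` in the units) and is also managed by `RuntimeDirectory=kea` in each unit. That directive presumably applies its own default mode, so the two mechanisms may disagree about the permissions. Unless other local accounts are meant to reach files in it, I would use `d /run/kea 0750 kea kea - -` and set a matching `RuntimeDirectoryMode=0750` in the units.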


@@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Apr 2 15:29:59 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Split off services into separate ones to allow more fine grained
control for e.g. capabilities.
- Add new kea user and group under which these services will run.
- Tighten access to state and log directories
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 26 16:01:54 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com> Wed Mar 26 16:01:54 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>

152
kea.spec

@@ -57,6 +57,12 @@ Source: https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz
Source2: https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz.asc Source2: https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz.asc
# https://www.isc.org/pgpkey/ # https://www.isc.org/pgpkey/
Source3: kea.keyring Source3: kea.keyring
Source4: kea-dhcp4.service
Source5: kea-dhcp6.service
Source6: kea-dhcp-ddns.service
Source7: kea-ctrl-agent.service
Source8: kea-sysusers.conf
Source9: kea-tmpfiles.conf
Patch0: kea-2.6.1-boost_1.87-compat.patch Patch0: kea-2.6.1-boost_1.87-compat.patch
BuildRequires: autoconf >= 2.59 BuildRequires: autoconf >= 2.59
BuildRequires: automake BuildRequires: automake
@@ -355,7 +361,7 @@ Development files for the Kea DHCP server
%autosetup -p1 -n kea-%version %autosetup -p1 -n kea-%version
%build %build
export FREERADIUS_INCLUDE="%_includedir/freeradius" export FREERADIUS_INCLUDE="%{_includedir}/freeradius"
export FREERADIUS_LIB="" export FREERADIUS_LIB=""
export FREERADIUS_DICTIONARY="" export FREERADIUS_DICTIONARY=""
autoreconf -fi autoreconf -fi
@@ -368,56 +374,45 @@ autoreconf -fi
--with-dhcp-mysql --with-dhcp-pgsql \ --with-dhcp-mysql --with-dhcp-pgsql \
--enable-perfdhcp --enable-shell --enable-perfdhcp --enable-shell
make %{?_smp_mflags} make %{?_smp_mflags}
%sysusers_generate_pre %{SOURCE8} %{name} %{name}-user.conf
%install %install
b=%buildroot
%make_install %make_install
find %buildroot -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
mkdir -p "$b/%_unitdir" "$b/%_tmpfilesdir" "$b/%_sysusersdir"
cat <<-EOF >"$b/%_unitdir/kea.service"
[Unit]
Description=ISC Kea DHCP server
Before=multi-user.target
After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
[Service]
Type=forking
Environment=KEA_PIDFILE_DIR=%_rundir/%name
RuntimeDirectory=kea
ExecStart=%_sbindir/keactrl start
ExecReload=%_sbindir/keactrl reload
ExecStop=%_sbindir/keactrl stop
[Install]
WantedBy=multi-user.target
Alias=dhcp-server.service
EOF
cat <<-EOF >"$b/%_tmpfilesdir/kea.conf"
d /run/kea 0775 keadhcp keadhcp -
EOF
echo 'u keadhcp - "Kea DHCP server" /var/lib/kea' >system-user-keadhcp.conf
cp -a system-user-keadhcp.conf "$b/%_sysusersdir/"
%sysusers_generate_pre system-user-keadhcp.conf random system-user-keadhcp.conf
perl -i -pe 's{%_localstatedir/log/kea-}{%_localstatedir/log/kea/}' \ install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/kea-dhcp4.service
"$b/%_sysconfdir/kea"/*.conf install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/kea-dhcp6.service
install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
install -D -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/kea-ctrl-agent.service
mkdir -p "$b%_localstatedir/log/kea" install -D -m 0644 %{SOURCE8} %{buildroot}%{_sysusersdir}/%{name}-user.conf
install -D -m 0644 %{SOURCE9} %{buildroot}%{_tmpfilesdir}/%{name}-tmpfiles.conf
perl -i -pe 's{%{_localstatedir}/log/kea-}{%_localstatedir/log/kea/}' \
"%{buildroot}/%{_sysconfdir}/kea"/*.conf
install -d -m 0750 "%{buildroot}%{_localstatedir}/log/kea"
# Remove unnecessary files # Remove unnecessary files
find "%buildroot/%_libdir" -name "*.so.*" -type l -delete find "%{buildroot}/%{_libdir}" -name "*.so.*" -type l -delete
rm -Rf "%buildroot/%python3_sitelib/kea/__pycache__" rm -Rf "%{buildroot}/%{python3_sitelib}/kea/__pycache__"
%pre -f random.pre %pre -f kea.pre
systemd-tmpfiles --create kea.conf || : %service_add_pre kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
%service_add_pre kea.service
%post %post
%service_add_post kea.service %tmpfiles_create %{_tmpfilesdir}/%{name}-tmpfiles.conf
%service_add_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
if [ $1 -gt 1 ]; then
chown -R kea:kea %{_sharedstatedir}/kea
chown -R kea:kea %{_localstatedir}/log/kea
fi
%preun %preun
%service_del_preun kea.service %service_del_preun kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
%postun %postun
%service_del_postun kea.service %service_del_postun kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
%ldconfig_scriptlets -n libkea-asiodns%asiodns_sover %ldconfig_scriptlets -n libkea-asiodns%asiodns_sover
%ldconfig_scriptlets -n libkea-asiolink%asiolink_sover %ldconfig_scriptlets -n libkea-asiolink%asiolink_sover
@@ -444,100 +439,101 @@ systemd-tmpfiles --create kea.conf || :
%ldconfig_scriptlets -n libkea-util%util_sover %ldconfig_scriptlets -n libkea-util%util_sover
%files %files
%dir %_sysconfdir/kea %dir %{_sysconfdir}/kea
%config(noreplace) %_sysconfdir/kea/*.conf %config(noreplace) %attr(0640,root,kea) %{_sysconfdir}/kea/*.conf
%_mandir/man8/*.8%{?ext_man} %{_mandir}/man8/*.8%{?ext_man}
%_sbindir/kea* %{_sbindir}/kea*
%_sbindir/perfdhcp %{_sbindir}/perfdhcp
%_datadir/kea/ %{_datadir}/kea/
%_unitdir/*.service %{_unitdir}/*.service
%dir %_localstatedir/lib/kea %dir %attr(0750,kea,kea) %{_sharedstatedir}/kea
%_tmpfilesdir/ %{_sysusersdir}/%{name}-user.conf
%_sysusersdir/ %{_tmpfilesdir}/%{name}-tmpfiles.conf
%attr(0775,keadhcp,keadhcp) %_localstatedir/log/kea/ %attr(0750,kea,kea) %{_localstatedir}/log/kea/
%ghost %{_rundir}/kea
%files doc %files doc
%doc %_datadir/doc/kea/ %doc %{_datadir}/doc/kea/
%exclude %_datadir/doc/kea/html/.buildinfo %exclude %{_datadir}/doc/kea/html/.buildinfo
%files hooks %files hooks
%dir %_libdir/kea %dir %{_libdir}/kea
%_libdir/kea/hooks/ %{_libdir}/kea/hooks/
%files -n libkea-asiodns%asiodns_sover %files -n libkea-asiodns%asiodns_sover
%_libdir/libkea-asiodns.so.%asiodns_sover.* %{_libdir}/libkea-asiodns.so.%asiodns_sover.*
%files -n libkea-asiolink%asiolink_sover %files -n libkea-asiolink%asiolink_sover
%_libdir/libkea-asiolink.so.%asiolink_sover.* %{_libdir}/libkea-asiolink.so.%asiolink_sover.*
%files -n libkea-cc%cc_sover %files -n libkea-cc%cc_sover
%_libdir/libkea-cc.so.%cc_sover.* %{_libdir}/libkea-cc.so.%cc_sover.*
%files -n libkea-cfgclient%cfgclient_sover %files -n libkea-cfgclient%cfgclient_sover
%_libdir/libkea-cfgclient.so.%cfgclient_sover.* %{_libdir}/libkea-cfgclient.so.%cfgclient_sover.*
%files -n libkea-cryptolink%cryptolink_sover %files -n libkea-cryptolink%cryptolink_sover
%_libdir/libkea-cryptolink.so.%cryptolink_sover.* %{_libdir}/libkea-cryptolink.so.%cryptolink_sover.*
%files -n libkea-d2srv%d2srv_sover %files -n libkea-d2srv%d2srv_sover
%_libdir/libkea-d2srv.so.%d2srv_sover.* %{_libdir}/libkea-d2srv.so.%d2srv_sover.*
%files -n libkea-database%database_sover %files -n libkea-database%database_sover
%_libdir/libkea-database.so.%database_sover.* %{_libdir}/libkea-database.so.%database_sover.*
%files -n libkea-dhcp++%dhcppp_sover %files -n libkea-dhcp++%dhcppp_sover
%_libdir/libkea-dhcp++.so.%dhcppp_sover.* %{_libdir}/libkea-dhcp++.so.%dhcppp_sover.*
%files -n libkea-dhcp_ddns%dhcp_ddns_sover %files -n libkea-dhcp_ddns%dhcp_ddns_sover
%_libdir/libkea-dhcp_ddns.so.%dhcp_ddns_sover.* %{_libdir}/libkea-dhcp_ddns.so.%dhcp_ddns_sover.*
%files -n libkea-dhcpsrv%dhcpsrv_sover %files -n libkea-dhcpsrv%dhcpsrv_sover
%_libdir/libkea-dhcpsrv.so.%dhcpsrv_sover.* %{_libdir}/libkea-dhcpsrv.so.%dhcpsrv_sover.*
%files -n libkea-dns++%dnspp_sover %files -n libkea-dns++%dnspp_sover
%_libdir/libkea-dns++.so.%dnspp_sover.* %{_libdir}/libkea-dns++.so.%dnspp_sover.*
%files -n libkea-eval%eval_sover %files -n libkea-eval%eval_sover
%_libdir/libkea-eval.so.%eval_sover.* %{_libdir}/libkea-eval.so.%eval_sover.*
%files -n libkea-exceptions%exceptions_sover %files -n libkea-exceptions%exceptions_sover
%_libdir/libkea-exceptions.so.%exceptions_sover.* %{_libdir}/libkea-exceptions.so.%exceptions_sover.*
%files -n libkea-hooks%hooks_sover %files -n libkea-hooks%hooks_sover
%_libdir/libkea-hooks.so.%hooks_sover.* %{_libdir}/libkea-hooks.so.%hooks_sover.*
%files -n libkea-http%http_sover %files -n libkea-http%http_sover
%_libdir/libkea-http.so.%http_sover.* %{_libdir}/libkea-http.so.%http_sover.*
%files -n libkea-log%log_sover %files -n libkea-log%log_sover
%_libdir/libkea-log.so.%log_sover.* %{_libdir}/libkea-log.so.%log_sover.*
%files -n libkea-mysql%mysql_sover %files -n libkea-mysql%mysql_sover
%_libdir/libkea-mysql.so.%mysql_sover.* %{_libdir}/libkea-mysql.so.%mysql_sover.*
%files -n libkea-pgsql%pgsql_sover %files -n libkea-pgsql%pgsql_sover
%_libdir/libkea-pgsql.so.%pgsql_sover.* %{_libdir}/libkea-pgsql.so.%pgsql_sover.*
%files -n libkea-process%process_sover %files -n libkea-process%process_sover
%_libdir/libkea-process.so.%process_sover.* %{_libdir}/libkea-process.so.%process_sover.*
%files -n libkea-stats%stats_sover %files -n libkea-stats%stats_sover
%_libdir/libkea-stats.so.%stats_sover.* %{_libdir}/libkea-stats.so.%stats_sover.*
%files -n libkea-tcp%tcp_sover %files -n libkea-tcp%tcp_sover
%_libdir/libkea-tcp.so.%tcp_sover.* %{_libdir}/libkea-tcp.so.%tcp_sover.*
%files -n libkea-util-io%util_io_sover %files -n libkea-util-io%util_io_sover
%_libdir/libkea-util-io.so.%util_io_sover.* %{_libdir}/libkea-util-io.so.%util_io_sover.*
%files -n libkea-util%util_sover %files -n libkea-util%util_sover
%_libdir/libkea-util.so.%util_sover.* %{_libdir}/libkea-util.so.%util_sover.*
%files -n python3-kea %files -n python3-kea
%python3_sitelib/kea/ %{python3_sitelib}/kea/
%files devel %files devel
%_includedir/kea/ %{_includedir}/kea/
%_libdir/libkea*.so %{_libdir}/libkea*.so
%changelog %changelog
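Review bot: In `%post` (hunk `@@ -368,56 +374,45 @@`) the two `chown -R kea:kea` calls are guarded only by `if [ $1 -gt 1 ]`, so they run as root on every package upgrade, not just on the first upgrade from the root-run kea.service. After that first migration both trees are owned and writable by the unprivileged kea account. A recursive ownership change by root over a tree that an unprivileged account controls is something packaging security reviews normally ask to avoid, because its safety then rests on kernel link protections. I would limit the step to the upgrade that needs it, for example by recording in `%pre` whether the old `kea.service` unit is still installed and running the `chown` in `%post` only in that case. A comment above the block should say it is a one-time migration.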