kea-ctrl-agent.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=ISC Kea Control Agent
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=kea
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

kea-dhcp-ddns.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCP-DDNS server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

kea-dhcp4.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCPv4 server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

kea-dhcp6.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCPv6 server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

kea-sysusers.conf

@@ -0,0 +1,3 @@
+#Type   Name    ID      GECOS                   Home directory  Shell
+g       kea     -       -                       -               -
+u       kea     -:kea   "Kea DHCP Server"       /var/lib/kea    -

kea-tmpfiles.conf

@@ -0,0 +1,2 @@
+#Type   Path            Mode    User    Group   Age     Argument
+d       /run/kea        0775    kea     kea     -       -

kea.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr  2 15:29:59 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Split off services into separate ones to allow more fine grained
+  control for e.g. capabilities.
+- Add new kea user and group under which these services will run.
+- Tighten access to state and log directories
+
 -------------------------------------------------------------------
 Wed Mar 26 16:01:54 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

kea.spec

@@ -57,6 +57,12 @@ Source:         https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz
 Source2:        https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz.asc
 # https://www.isc.org/pgpkey/
 Source3:        kea.keyring
+Source4:        kea-dhcp4.service
+Source5:        kea-dhcp6.service
+Source6:        kea-dhcp-ddns.service
+Source7:        kea-ctrl-agent.service
+Source8:        kea-sysusers.conf
+Source9:        kea-tmpfiles.conf
 Patch0:         kea-2.6.1-boost_1.87-compat.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
@@ -355,7 +361,7 @@ Development files for the Kea DHCP server
 %autosetup -p1 -n kea-%version
 
 %build
-export FREERADIUS_INCLUDE="%_includedir/freeradius"
+export FREERADIUS_INCLUDE="%{_includedir}/freeradius"
 export FREERADIUS_LIB=""
 export FREERADIUS_DICTIONARY=""
 autoreconf -fi
@@ -368,56 +374,45 @@ autoreconf -fi
 	--with-dhcp-mysql --with-dhcp-pgsql \
 	--enable-perfdhcp --enable-shell
 make %{?_smp_mflags}
+%sysusers_generate_pre %{SOURCE8} %{name} %{name}-user.conf
 
 %install
-b=%buildroot
 %make_install
-find %buildroot -type f -name "*.la" -delete -print
+find %{buildroot} -type f -name "*.la" -delete -print
-mkdir -p "$b/%_unitdir" "$b/%_tmpfilesdir" "$b/%_sysusersdir"
-cat <<-EOF >"$b/%_unitdir/kea.service"
-	[Unit]
-	Description=ISC Kea DHCP server
-	Before=multi-user.target
-	After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
-	[Service]
-	Type=forking
-	Environment=KEA_PIDFILE_DIR=%_rundir/%name
-        RuntimeDirectory=kea
-	ExecStart=%_sbindir/keactrl start
-	ExecReload=%_sbindir/keactrl reload
-	ExecStop=%_sbindir/keactrl stop
-	[Install]
-	WantedBy=multi-user.target
-	Alias=dhcp-server.service
-EOF
-cat <<-EOF >"$b/%_tmpfilesdir/kea.conf"
-	d /run/kea 0775 keadhcp keadhcp -
-EOF
-echo 'u keadhcp - "Kea DHCP server" /var/lib/kea' >system-user-keadhcp.conf
-cp -a system-user-keadhcp.conf "$b/%_sysusersdir/"
-%sysusers_generate_pre system-user-keadhcp.conf random system-user-keadhcp.conf
 
-perl -i -pe 's{%_localstatedir/log/kea-}{%_localstatedir/log/kea/}' \
+install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/kea-dhcp4.service
-	"$b/%_sysconfdir/kea"/*.conf
+install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/kea-dhcp6.service
+install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
+install -D -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/kea-ctrl-agent.service
 
-mkdir -p "$b%_localstatedir/log/kea"
+install -D -m 0644 %{SOURCE8} %{buildroot}%{_sysusersdir}/%{name}-user.conf
+install -D -m 0644 %{SOURCE9} %{buildroot}%{_tmpfilesdir}/%{name}-tmpfiles.conf
+
+perl -i -pe 's{%{_localstatedir}/log/kea-}{%_localstatedir/log/kea/}' \
+	"%{buildroot}/%{_sysconfdir}/kea"/*.conf
+
+install -d -m 0750 "%{buildroot}%{_localstatedir}/log/kea"
 
 # Remove unnecessary files
-find "%buildroot/%_libdir" -name "*.so.*" -type l -delete
+find "%{buildroot}/%{_libdir}" -name "*.so.*" -type l -delete
-rm -Rf "%buildroot/%python3_sitelib/kea/__pycache__"
+rm -Rf "%{buildroot}/%{python3_sitelib}/kea/__pycache__"
 
-%pre -f random.pre
+%pre -f kea.pre
-systemd-tmpfiles --create kea.conf || :
+%service_add_pre kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
-%service_add_pre kea.service
 
 %post
-%service_add_post kea.service
+%tmpfiles_create %{_tmpfilesdir}/%{name}-tmpfiles.conf
+%service_add_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
+if [ $1 -gt 1 ]; then
+    chown -R kea:kea %{_sharedstatedir}/kea
+    chown -R kea:kea %{_localstatedir}/log/kea
+fi
 
 %preun
-%service_del_preun kea.service
+%service_del_preun kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 
 %postun
-%service_del_postun kea.service
+%service_del_postun kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 
 %ldconfig_scriptlets -n libkea-asiodns%asiodns_sover
 %ldconfig_scriptlets -n libkea-asiolink%asiolink_sover
@@ -444,100 +439,101 @@ systemd-tmpfiles --create kea.conf || :
 %ldconfig_scriptlets -n libkea-util%util_sover
 
 %files
-%dir %_sysconfdir/kea
+%dir %{_sysconfdir}/kea
-%config(noreplace) %_sysconfdir/kea/*.conf
+%config(noreplace) %attr(0640,root,kea) %{_sysconfdir}/kea/*.conf
-%_mandir/man8/*.8%{?ext_man}
+%{_mandir}/man8/*.8%{?ext_man}
-%_sbindir/kea*
+%{_sbindir}/kea*
-%_sbindir/perfdhcp
+%{_sbindir}/perfdhcp
-%_datadir/kea/
+%{_datadir}/kea/
-%_unitdir/*.service
+%{_unitdir}/*.service
-%dir %_localstatedir/lib/kea
+%dir %attr(0750,kea,kea) %{_sharedstatedir}/kea
-%_tmpfilesdir/
+%{_sysusersdir}/%{name}-user.conf
-%_sysusersdir/
+%{_tmpfilesdir}/%{name}-tmpfiles.conf
-%attr(0775,keadhcp,keadhcp) %_localstatedir/log/kea/
+%attr(0750,kea,kea) %{_localstatedir}/log/kea/
+%ghost %{_rundir}/kea
 
 %files doc
-%doc %_datadir/doc/kea/
+%doc %{_datadir}/doc/kea/
-%exclude %_datadir/doc/kea/html/.buildinfo
+%exclude %{_datadir}/doc/kea/html/.buildinfo
 
 %files hooks
-%dir %_libdir/kea
+%dir %{_libdir}/kea
-%_libdir/kea/hooks/
+%{_libdir}/kea/hooks/
 
 %files -n libkea-asiodns%asiodns_sover
-%_libdir/libkea-asiodns.so.%asiodns_sover.*
+%{_libdir}/libkea-asiodns.so.%asiodns_sover.*
 
 %files -n libkea-asiolink%asiolink_sover
-%_libdir/libkea-asiolink.so.%asiolink_sover.*
+%{_libdir}/libkea-asiolink.so.%asiolink_sover.*
 
 %files -n libkea-cc%cc_sover
-%_libdir/libkea-cc.so.%cc_sover.*
+%{_libdir}/libkea-cc.so.%cc_sover.*
 
 %files -n libkea-cfgclient%cfgclient_sover
-%_libdir/libkea-cfgclient.so.%cfgclient_sover.*
+%{_libdir}/libkea-cfgclient.so.%cfgclient_sover.*
 
 %files -n libkea-cryptolink%cryptolink_sover
-%_libdir/libkea-cryptolink.so.%cryptolink_sover.*
+%{_libdir}/libkea-cryptolink.so.%cryptolink_sover.*
 
 %files -n libkea-d2srv%d2srv_sover
-%_libdir/libkea-d2srv.so.%d2srv_sover.*
+%{_libdir}/libkea-d2srv.so.%d2srv_sover.*
 
 %files -n libkea-database%database_sover
-%_libdir/libkea-database.so.%database_sover.*
+%{_libdir}/libkea-database.so.%database_sover.*
 
 %files -n libkea-dhcp++%dhcppp_sover
-%_libdir/libkea-dhcp++.so.%dhcppp_sover.*
+%{_libdir}/libkea-dhcp++.so.%dhcppp_sover.*
 
 %files -n libkea-dhcp_ddns%dhcp_ddns_sover
-%_libdir/libkea-dhcp_ddns.so.%dhcp_ddns_sover.*
+%{_libdir}/libkea-dhcp_ddns.so.%dhcp_ddns_sover.*
 
 %files -n libkea-dhcpsrv%dhcpsrv_sover
-%_libdir/libkea-dhcpsrv.so.%dhcpsrv_sover.*
+%{_libdir}/libkea-dhcpsrv.so.%dhcpsrv_sover.*
 
 %files -n libkea-dns++%dnspp_sover
-%_libdir/libkea-dns++.so.%dnspp_sover.*
+%{_libdir}/libkea-dns++.so.%dnspp_sover.*
 
 %files -n libkea-eval%eval_sover
-%_libdir/libkea-eval.so.%eval_sover.*
+%{_libdir}/libkea-eval.so.%eval_sover.*
 
 %files -n libkea-exceptions%exceptions_sover
-%_libdir/libkea-exceptions.so.%exceptions_sover.*
+%{_libdir}/libkea-exceptions.so.%exceptions_sover.*
 
 %files -n libkea-hooks%hooks_sover
-%_libdir/libkea-hooks.so.%hooks_sover.*
+%{_libdir}/libkea-hooks.so.%hooks_sover.*
 
 %files -n libkea-http%http_sover
-%_libdir/libkea-http.so.%http_sover.*
+%{_libdir}/libkea-http.so.%http_sover.*
 
 %files -n libkea-log%log_sover
-%_libdir/libkea-log.so.%log_sover.*
+%{_libdir}/libkea-log.so.%log_sover.*
 
 %files -n libkea-mysql%mysql_sover
-%_libdir/libkea-mysql.so.%mysql_sover.*
+%{_libdir}/libkea-mysql.so.%mysql_sover.*
 
 %files -n libkea-pgsql%pgsql_sover
-%_libdir/libkea-pgsql.so.%pgsql_sover.*
+%{_libdir}/libkea-pgsql.so.%pgsql_sover.*
 
 %files -n libkea-process%process_sover
-%_libdir/libkea-process.so.%process_sover.*
+%{_libdir}/libkea-process.so.%process_sover.*
 
 %files -n libkea-stats%stats_sover
-%_libdir/libkea-stats.so.%stats_sover.*
+%{_libdir}/libkea-stats.so.%stats_sover.*
 
 %files -n libkea-tcp%tcp_sover
-%_libdir/libkea-tcp.so.%tcp_sover.*
+%{_libdir}/libkea-tcp.so.%tcp_sover.*
 
 %files -n libkea-util-io%util_io_sover
-%_libdir/libkea-util-io.so.%util_io_sover.*
+%{_libdir}/libkea-util-io.so.%util_io_sover.*
 
 %files -n libkea-util%util_sover
-%_libdir/libkea-util.so.%util_sover.*
+%{_libdir}/libkea-util.so.%util_sover.*
 
 %files -n python3-kea
-%python3_sitelib/kea/
+%{python3_sitelib}/kea/
 
 %files devel
-%_includedir/kea/
+%{_includedir}/kea/
-%_libdir/libkea*.so
+%{_libdir}/libkea*.so
 
 %changelog