Package: isc-dhcp-client
Version: 4.4.3-P1-1.1
Severity: important

Hello and thanks for maintaining ISC DHCP in Debian!

After upgrading packages ('isc-dhcp-client' itself or other libraries),
it may happen that

  # checkrestart

(from the 'debian-goodies' package) tells me that an instance of
dhclient should be restarted.

One option is bringing down the corresponding network interface and
then bringing it up again:

  # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE

This works (well, used to work, see below...), but has some drawbacks:

  * it leaves the box briefly without network, if all goes well;
  * if something goes wrong, it leaves the box without network, until
    something else is done to fix the issue (and it could be
    troublesome, if you are administering the box through an SSH
    session from a distant remote host...);
  * it may cut existing network connections down;
  * and so forth...

A long time ago, I found what seems to be a better strategy.

First of all, figure out the exact command line for dhclient:

  # ps aux | grep dhclien[t]
  root 738 0.0 0.0 5868 3604 ? Ss 09:37 0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf /var/lib/dhcp/dhclient.enp0s25.leases -I -df /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25

Then, stop dhclient without releasing the current lease (as documented
in the dhclient(8) man page):

  # /sbin/dhclient -x -pf /run/dhclient.enp0s25.pid

Finally start dhclient again with the previously found command line:

  # /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s25.pid -lf /var/lib/dhcp/dhclient.enp0s25.leases -I -df /var/lib/dhcp/dhclient6.enp0s25.leases enp0s25

This used to work without any network down-time, looked more failsafe
and even quicker.

Unfortunately, this second strategy no longer seems to work.
When I issue the dhclient command with the "-x" option, nothing happens
and dhclient goes on running.

I noticed the following line in /var/log/kern.log :

  2023-01-15T11:29:18.045334+01:00 $HOSTNAME kernel: [ 6692.708089] audit: type=1400 audit(1673778558.040:25): apparmor="DENIED" operation="signal" profile="/{,usr/}sbin/dhclient" pid=7192 comm="dhclient" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

It seems to me that the AppArmor configuration in
/etc/apparmor.d/sbin.dhclient is preventing the "-x" option from having
any useful effect.
I am not familiar with AppArmor, but I think that this operation should
be somehow possible, otherwise the AppArmor configuration makes the
"-x" option (almost) completely useless.

Moreover, even the first strategy (ifdown/ifup) now seems to fail to
work perfectly. After issuing the following command:

  # ifdown $NETWORK_INTERFACE ; ifup $NETWORK_INTERFACE

I see that two dhclient instances are running (the previously existing
one, and a new one). And I see the same error in /var/log/kern.log .
Hence, I have to manually kill the previous instance:

  # kill -TERM $OLD_DHCLIENT_PID

All this seems to be extremely annoying and inconvenient.

Please note that I set severity "important" for this bug report, but
one could even claim that this is "grave". Especially taking into
account that ifdown does not stop the running DHCP client...

Please fix the AppArmor configuration or suggest an alternative
strategy to stop the DHCP client without releasing the current lease.
And anyway, please fix the package, so that ifdown works correctly!

Bye and thanks for your time and dedication!

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-6-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages isc-dhcp-client depends on:
ii  debianutils  5.7-0.4
ii  iproute2     6.1.0-1
ii  libc6        2.36-8

Versions of packages isc-dhcp-client recommends:
ii  isc-dhcp-common  4.4.3-P1-1.1

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd         <none>
pn  isc-dhcp-client-ddns  <none>
pn  resolvconf            <none>

-- no debconf information
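
Added example, not part of the original report and not code from the Debian package: a small parser for AppArmor "DENIED" audit records like the one quoted above, which counts blocked signal sends per (profile, signal, peer) so that repeated failures of "dhclient -x" or ifdown show up as one grouped finding. The function names and the second and third sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input. Line 1 is the denial quoted in the report; line 2
# (same event, different pid and time) and line 3 (a file denial) are invented.
SAMPLE = """\
2023-01-15T11:29:18.045334+01:00 $HOSTNAME kernel: [ 6692.708089] audit: type=1400 audit(1673778558.040:25): apparmor="DENIED" operation="signal" profile="/{,usr/}sbin/dhclient" pid=7192 comm="dhclient" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
2023-01-15T11:31:02.000000+01:00 $HOSTNAME kernel: [ 6796.000000] audit: type=1400 audit(1673778662.000:26): apparmor="DENIED" operation="signal" profile="/{,usr/}sbin/dhclient" pid=7301 comm="dhclient" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
2023-01-15T11:31:05.000000+01:00 $HOSTNAME kernel: [ 6799.000000] audit: type=1400 audit(1673778665.000:27): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/etc/example.conf" pid=7301 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({k: quoted or bare for k, quoted, bare in FIELD.findall(line)})
    return records


def signal_denials(text):
    """Count blocked signal sends, keyed by (profile, signal, peer)."""
    counts = Counter()
    for rec in parse_denials(text):
        if rec.get("operation") != "signal":
            continue
        if "send" not in rec.get("denied_mask", ""):
            continue
        counts[(rec.get("profile"), rec.get("signal"), rec.get("peer"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, sig, peer), n in signal_denials(SAMPLE).items():
        print(f"{n}x profile {profile} blocked from sending '{sig}' to peer {peer}")
```

Run against the real /var/log/kern.log by passing its contents to signal_denials() instead of SAMPLE.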