| 8 Jul 2025 |
 hexa | * not sure why this part doesn't ork | 22:53:11 |
| hexa | * not sure why this part doesn't work | 22:53:13 |
 Zhaofeng Li | yeah, saw that | 22:53:29 |
| Zhaofeng Li | using socket-name = "/run/private/kea/dhcp4.sock"; works, curious | 22:53:31 |
| Zhaofeng Li | the source does if (::stat(path.c_str(), &statbuf) < 0) for the permission check which should follow symlinks, looking | 22:54:19 |
| hexa | huh | 22:56:28 |
| Zhaofeng Li | yeah, this sandbox is weird... let me just nsenter into it I guess | 23:09:48 |
| Zhaofeng Li | the log spam is killing me, is there a way to suppress the serial output from the interactive driver? 🫠| 23:22:28 |
| Zhaofeng Li | anyways, it appears that kea is actually right that it does not have the correct permissions
In [29]: print(router.succeed("nsenter -a -t 761 ls -lah /run/kea/"))
router: must succeed: nsenter -a -t 761 ls -lah /run/kea/
router: (finished: must succeed: nsenter -a -t 761 ls -lah /run/kea/, in 0.02 seconds)
total 56K
drwxr-xr-x 2 kea kea 100 Jul 8 23:19 .
| 23:22:50 |
| hexa | huh, 755 instead of 750 | 23:23:33 |
| hexa | wild | 23:23:34 |
| Zhaofeng Li | but I don't get how /run/private/kea/dhcp4.sock worked then (the real directory is 755 too), maybe something changed the permission | 23:24:47 |
| hexa | kea's umask is 0077 fwiw | 23:25:28 |
| hexa | maybe weird behavior with DynamicUser and RuntimeDirectoryPreserve? | 23:26:10 |
| hexa | maybe we can find out using an audit rule | 23:27:11 |
| Zhaofeng Li | ok, got distracted | 23:49:42 |
| Zhaofeng Li | change socket-path to /run/private/kea/dhcp4.sock -> permission is correct
then, change kea-ctrl-agent to have ExecStart = "/bin/sh -c \"while true; do sleep 1000; done\""; -> bad permission??
| 23:50:03 |
| hexa | uhhhhhhhhhhhh | 23:51:32 |
| hexa | diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix
index 6e0af62425a4..e55e7aa101c0 100644
--- a/nixos/modules/services/networking/kea.nix
+++ b/nixos/modules/services/networking/kea.nix
@@ -277,7 +277,7 @@ in
User = "kea";
ConfigurationDirectory = "kea";
RuntimeDirectory = "kea";
- RuntimeDirectoryMode = "750";
+ RuntimeDirectoryMode = "0750";
RuntimeDirectoryPreserve = true;
StateDirectory = "kea";
UMask = "0077";
| 23:51:46 |
| hexa | * diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix
index 6e0af62425a4..e55e7aa101c0 100644
--- a/nixos/modules/services/networking/kea.nix
+++ b/nixos/modules/services/networking/kea.nix
@@ -277,7 +277,7 @@ in
User = "kea";
ConfigurationDirectory = "kea";
RuntimeDirectory = "kea";
- RuntimeDirectoryMode = "750";
+ RuntimeDirectoryMode = "0750";
RuntimeDirectoryPreserve = true;
StateDirectory = "kea";
UMask = "0077";
| 23:51:50 |
| Zhaofeng Li | I tried this, same thing | 23:51:54 |
| hexa | Zhaofeng Li: does this work for you? | 23:51:57 |
| Zhaofeng Li | * I tried adding a preceding 0, same thing | 23:52:01 |
| hexa | lol, the test did complete here | 23:52:05 |
| hexa | shoot me | 23:52:06 |
| Zhaofeng Li | how?? | 23:52:31 |
| hexa | let me rebase and retry | 23:52:55 |
| Zhaofeng Li | stashed everything and only added the preceding 0, did not succeed (permission error) | 23:55:30 |
| Zhaofeng Li | maybe it's some race and it will sometimes succeed | 23:55:44 |
| Zhaofeng Li | looks like this really isn't a good idea after all: https://github.com/systemd/systemd/issues/5394 | 23:57:45 |
