| 8 Jul 2025 |
hexa | which means I might need help updating the kea suite, which has been stuck on a vulnerable version for a month | 21:58:26 |
hexa | https://github.com/NixOS/nixpkgs/pull/411875 | 21:58:39 |
Zhaofeng Li | is it okay to move to 3.0 directly (IIRC there isn't a separate control server anymore)? | 22:21:29 |
Zhaofeng Li | or it has to be 2.6.x for backport reasons (surprising they changed this behavior in a revision) | 22:22:28 |
hexa | yeah, we need the 2.6.3 backport | 22:23:10 |
hexa | and yeah, the behavior change is what breaks the runtime environment | 22:23:26 |
hexa | for reasons I don't understand | 22:23:30 |
Zhaofeng Li | ok, let me try | 22:26:18 |
Zhaofeng Li | built, the KEA_CONTROL_SOCKET_DIR appears to be honored fine
router # [ 8.927187] kea-ctrl-agent[805]: 2025-07-08 22:43:26.795 INFO [kea-ctrl-agent.dctl/805.140519184328576] DCTL_STARTING Control-agent starting, pid: 805, version: 2.6.3 (stable)
router # [ 8.929422] kea-ctrl-agent[805]: 2025-07-08 22:43:26.798 ERROR [kea-ctrl-agent.ctrl-agent/805.140519184328576] CTRL_AGENT_CONFIG_FAIL Control Agent configuration failed: invalid path specified: '/run/kea/VALUE-IN-CONFIG', supported path is '/run/kea/meow'
router # [ 8.931635] kea-ctrl-agent[805]: 2025-07-08 22:43:26.798 FATAL [kea-ctrl-agent.dctl/805.140519184328576] DCTL_CONFIG_FILE_LOAD_FAIL Control-agent reason: invalid path specified: '/run/kea/VALUE-IN-CONFIG', supported path is '/run/kea/meow'
| 22:46:20 |
Zhaofeng Li | then there's a permission issue, checking
router # [ 8.841737] kea-ctrl-agent[780]: 2025-07-08 22:45:53.570 ERROR [kea-ctrl-agent.ctrl-agent/780.139821817276288] CTRL_AGENT_CONFIG_FAIL Control Agent configuration failed: socket path:/run/kea does not exist or does not have permssions = 750
| 22:47:04 |
hexa | RuntimeDirectoryMode = "750";
| 22:51:40 |
hexa | * RuntimeDirectory = "kea";
RuntimeDirectoryMode = "750";
| 22:52:01 |
hexa | not sure why this part doesn't work | 22:53:09 |
Zhaofeng Li | yeah, saw that | 22:53:29 |
Zhaofeng Li | using socket-name = "/run/private/kea/dhcp4.sock"; works, curious | 22:53:31 |
Zhaofeng Li | the source does if (::stat(path.c_str(), &statbuf) < 0) for the permission check which should follow symlinks, looking | 22:54:19 |
hexa | huh | 22:56:28 |
Zhaofeng Li | yeah, this sandbox is weird... let me just nsenter into it I guess | 23:09:48 |
Zhaofeng Li | the log spam is killing me, is there a way to suppress the serial output from the interactive driver? 🫠 | 23:22:28 |
Zhaofeng Li | anyways, it appears that kea is actually right that it does not have the correct permissions
In [29]: print(router.succeed("nsenter -a -t 761 ls -lah /run/kea/"))
router: must succeed: nsenter -a -t 761 ls -lah /run/kea/
router: (finished: must succeed: nsenter -a -t 761 ls -lah /run/kea/, in 0.02 seconds)
total 56K
drwxr-xr-x 2 kea kea 100 Jul 8 23:19 .
| 23:22:50 |
hexa | huh, 755 instead of 750 | 23:23:33 |
hexa | wild | 23:23:34 |
Zhaofeng Li | but I don't get how /run/private/kea/dhcp4.sock worked then (the real directory is 755 too), maybe something changed the permission | 23:24:47 |
hexa | kea's umask is 0077 fwiw | 23:25:28 |
hexa | maybe weird behavior with DynamicUser and RuntimeDirectoryPreserve? | 23:26:10 |
hexa | maybe we can find out using an audit rule | 23:27:11 |
Zhaofeng Li | ok, got distracted | 23:49:42 |
Zhaofeng Li | change socket-path to /run/private/kea/dhcp4.sock -> permission is correct
then, change kea-ctrl-agent to have ExecStart = "/bin/sh -c \"while true; do sleep 1000; done\""; -> bad permission??
| 23:50:03 |