diff --git a/.abf.yml b/.abf.yml
index fa6f3f9..4180479 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,11 +1,4 @@
-removed_sources:
- dhcp-4.2.5-P1.tar.gz: 120b6e476b2ac0d35e1dc8dee53752c42449b925
- dhcp-4.2.5-P1.tar.gz.sha512.asc: d43248ba82d8a2f393f2f6c283ea06fb2df38d18
- dhcp-4.2.5.tar.gz: d029505509aee83ea28972d5d1c95dc4b5db99f1
- dhcp-4.2.5.tar.gz.sha512.asc: ac49b30ef17acb36cc5603faa5d780e423aa0e06
- dhcp-4.3.0.tar.gz: deed72a4636461042b74de68c2825dc52623e1d1
- dhcp-4.3.0.tar.gz.sha512.asc: e05375f86430f0d92a371fe8f619aa73e65de19a
 sources:
- dhcp-4.3.2.tar.gz: c7fcc4fa2bd135700b410f47eca238dd67419654
- dhcp-4.3.2.tar.gz.sha512.asc: dd76a14f1424e216dfaf186b75566a867de311d4
+ dhcp-4.4.1.tar.gz: 7be2c4911107f613c2d4b0a943261603c6b8507a
+ dhcp-4.4.1.tar.gz.sha512.asc: 1e5af5476f181d2045e4b30171e3f423aa260fbe
 dhcp-dynamic-dns-examples.tar.bz2: d33980aad3e0380fc89f8346ab37786d39157696
diff --git a/Arch-0002-iproute2.patch b/Arch-0002-iproute2.patch
new file mode 100644
index 0000000..ca6b4a8
--- /dev/null
+++ b/Arch-0002-iproute2.patch
@@ -0,0 +1,15 @@
+https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp
+
+diff --git a/client/scripts/linux b/client/scripts/linux
+index 5fb16121..c4cef632 100755
+--- a/client/scripts/linux
++++ b/client/scripts/linux
+@@ -362,7 +362,7 @@ case "$reason" in
+ interface_up_wait_time=5
+ for i in $(seq 0 ${interface_up_wait_time})
+ do
+- ifconfig ${interface} | grep RUNNING >/dev/null 2>&1
++ /sbin/ip link show dev ${interface} | grep -q LOWER_UP 2>&1
+ if [ $? -eq 0 ]; then
+ break;
+ fi
diff --git a/ROSA-NEWS b/ROSA-NEWS
new file mode 100644
index 0000000..c0eb2c0
--- /dev/null
+++ b/ROSA-NEWS
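Review bot: The trailing `2>&1` on the new `grep -q LOWER_UP 2>&1` line no longer does what the old `>/dev/null 2>&1` did: it points grep's stderr at grep's stdout, which is dhclient-script's stdout, so a grep error would now leak into the script's output instead of being silenced, while `grep -q` needs no stdout redirection at all. I would write `/sbin/ip link show dev "${interface}" 2>/dev/null | grep -q LOWER_UP`, which quotes the interface name and silences `ip`, whose stderr neither the old nor the new line redirects. LOWER_UP is the carrier flag and not the same bit ifconfig reported as RUNNING, so the up-wait loop may now exit a little earlier; presumably acceptable since Arch ships it, but worth a sentence in the patch header above the diff. The enclosing `case "$reason"` arm starts and ends outside this hunk.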
@@ -0,0 +1,30 @@
+dhcp v4.4.1
+08.10.2018
+by mikhailnov
+
+* Dropped old patches
+* Now upstream uses built-in bind libraries, we also use them for now (they are linked statically)
+* Now it's built with KerberOS support
+
+* Removed 'After=syslog.target' from systemd service dhcpd.service
+https://www.freedesktop.org/wiki/Software/systemd/syslog/ says:
+"we do no longer recommend people to order their units after syslog.target"
+* Merged old ROSA's dhcpd(6).service and Arch's dhcpd{4|6}.service
+* dhclient@.service from Arch Linux, modified a bit to improve secutrity (e.g. usage: systemctl enable dhclient@enp1s0)
+* Improved security of dhcpd.service and dhcpd6.service by setting and dropping some capabilities(7)
+
+* dhcpd user was added on package installation (dhcp-server), but dhcpd was actually ran from root, not dhcpd
+* use sysusers.d(5) (config isc-dhcpd.conf) instaed of manually created dhcpd user
+* migration: delete dhcpd user on package uninstallation
+
+* /etc/sysconfig/dhcp6 called in dhcpd6.service did not exist (dhcpd6.service was broken);
+let's use /etc/sysconfig/dhcpd for both IPv4 and IPv6
+
+* /var/lib/dhcpd and /var/lib/dhclient are now defined as variables in the RPM spec
+Note: they are hardcoded in systemd units
+
+* .leases files are not packaged any more, because modern dhcpd and dhclient can create them automatically,
+but the directoiry, e.g. /var/lib/dhclient, has to exist and be writable.
+* Don't remove *.leases on package uninstallation
+
+* TODO(?): Fedora's patch dhcp-paths.patch
diff --git a/dhclient@.service b/dhclient@.service
new file mode 100644
index 0000000..98544cd
--- /dev/null
+++ b/dhclient@.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=dhclient on %I
+Wants=network.target
+Before=network.target
+
+[Service]
+ExecStart=/sbin/dhclient -lf /var/lib/dhclient/dhclient.leases -pf /run/dhclient@%i/dhclient.pid -d %I
+RuntimeDirectory=dhclient@%i
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
+# /var is not read-only
+ProtectSystem=true
+ProtectHome=true
+RestartSec=2s
+Restart=on-failure
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
+[Install]
+WantedBy=multi-user.target
+
+# This unit file in based on
+# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp
diff --git a/dhcp-4.1.1-prevent_wireless_deassociation.patch b/dhcp-4.1.1-prevent_wireless_deassociation.patch
deleted file mode 100644
index b19b028..0000000
--- a/dhcp-4.1.1-prevent_wireless_deassociation.patch
+++ /dev/null
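Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW` is a no-op in this unit because no `User=` is set, so dhclient still starts as root with a full capability set and the line only suggests a privilege drop that does not happen; the restrictions that actually apply are `CapabilityBoundingSet=~CAP_SYS_ADMIN` and ProtectSystem/ProtectHome. Since dhclient-script has to reconfigure the interface and rewrite resolv.conf, root is presumably unavoidable here, so I would drop the AmbientCapabilities line and say so explicitly: `# runs as root: dhclient-script must configure the interface; only the bounding set is restricted`. The comment `# https://…systemd.exec.html#ReadWritePaths=` sits directly above `CapabilityBoundingSet=` and links a directive this unit never uses — either add the `ReadWritePaths=` it was presumably meant to introduce or change the an
chor to `#CapabilityBoundingSet=`. ROSA-NEWS describes this unit as modified "to improve security", which overstates what these lines deliver.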
@@ -1,39 +0,0 @@
-diff -p -up dhcp-4.1.1/client/scripts/linux.prevent_wireless dhcp-4.1.1/client/scripts/linux
---- dhcp-4.1.1/client/scripts/linux.prevent_wireless 2010-02-25 11:37:31.000000000 -0300
-+++ dhcp-4.1.1/client/scripts/linux 2010-02-25 11:37:37.000000000 -0300
-@@ -13,6 +13,8 @@
- 
- # 1. ifconfig down apparently deletes all relevant routes and flushes
- # the arp cache, so this doesn't need to be done explicitly.
-+# 1.1. ifconfig $interface inet 0 is enough, and prevents unneeded
-+# deassociation on wireless interfaces
- 
- # 2. The alias address handling here has not been tested AT ALL.
- # I'm just going by the doc of modern Linux ip aliasing, which uses
-@@ -170,7 +172,7 @@ if [ x$reason = xBOUND ] || [ x$reason =
- if [ x$old_ip_address != x ] && [ x$old_ip_address != x$new_ip_address ]; then
- # IP address changed. Bringing down the interface will delete all routes,
- # and clear the ARP cache.
-- ifconfig $interface inet 0 down
-+ ifconfig $interface inet 0
- 
- fi
- if [ x$old_ip_address = x ] || [ x$old_ip_address != x$new_ip_address ] || \
-@@ -224,7 +226,7 @@ if [ x$reason = xEXPIRE ] || [ x$reason
- fi
- if [ x$old_ip_address != x ]; then
- # Shut down interface, which will delete routes and clear arp cache.
-- ifconfig $interface inet 0 down
-+ ifconfig $interface inet 0
- fi
- if [ x$alias_ip_address != x ]; then
- ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg
-@@ -259,7 +261,7 @@ if [ x$reason = xTIMEOUT ]; then
- fi
- exit_with_hooks 0
- fi
-- ifconfig $interface inet 0 down
-+ ifconfig $interface inet 0
- exit_with_hooks 1
- fi
- 
diff --git a/dhcp-4.2.0-default-requested-options.patch b/dhcp-4.2.0-default-requested-options.patch
deleted file mode 100644
index fea8a4b..0000000
--- a/dhcp-4.2.0-default-requested-options.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-diff -up dhcp-4.2.0/client/clparse.c.requested dhcp-4.2.0/client/clparse.c
---- dhcp-4.2.0/client/clparse.c.requested 2010-07-21 13:29:05.000000000 +0200
-+++ dhcp-4.2.0/client/clparse.c 2010-07-21 13:50:29.000000000 +0200
-@@ -37,7 +37,7 @@
- 
- struct client_config top_level_config;
- 
--#define NUM_DEFAULT_REQUESTED_OPTS 9
-+#define NUM_DEFAULT_REQUESTED_OPTS 14
- struct option *default_requested_options[NUM_DEFAULT_REQUESTED_OPTS + 1];
- 
- static void parse_client_default_duid(struct parse *cfile);
-@@ -111,6 +111,31 @@ isc_result_t read_client_conf ()
- option_code_hash_lookup(&default_requested_options[8],
- dhcpv6_universe.code_hash, &code, 0, MDL);
- 
-+ /* 10 */
-+ code = DHO_NIS_DOMAIN;
-+ option_code_hash_lookup(&default_requested_options[9],
-+ dhcp_universe.code_hash, &code, 0, MDL);
-+
-+ /* 11 */
-+ code = DHO_NIS_SERVERS;
-+ option_code_hash_lookup(&default_requested_options[10],
-+ dhcp_universe.code_hash, &code, 0, MDL);
-+
-+ /* 12 */
-+ code = DHO_NTP_SERVERS;
-+ option_code_hash_lookup(&default_requested_options[11],
-+ dhcp_universe.code_hash, &code, 0, MDL);
-+
-+ /* 13 */
-+ code = DHO_INTERFACE_MTU;
-+ option_code_hash_lookup(&default_requested_options[12],
-+ dhcp_universe.code_hash, &code, 0, MDL);
-+
-+ /* 14 */
-+ code = DHO_DOMAIN_SEARCH;
-+ option_code_hash_lookup(&default_requested_options[13],
-+ dhcp_universe.code_hash, &code, 0, MDL);
-+
- for (code = 0 ; code < NUM_DEFAULT_REQUESTED_OPTS ; code++) {
- if (default_requested_options[code] == NULL)
- log_fatal("Unable to find option definition for "
diff --git a/dhcp-4.2.2-ifup.patch b/dhcp-4.2.2-ifup.patch
deleted file mode 100644
index 0050468..0000000
--- a/dhcp-4.2.2-ifup.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-diff -Naur -x '*~' -x '*.orig' -x '*.rej' dhcp-4.2.2/client/scripts/linux dhcp-4.2.2-ifup/client/scripts/linux
---- dhcp-4.2.2/client/scripts/linux 2011-05-18 22:01:54.000000000 +0200
-+++ dhcp-4.2.2-ifup/client/scripts/linux 2011-08-29 19:07:58.722894019 +0200
-@@ -1,8 +1,11 @@
- #!/bin/bash
--# dhclient-script for Linux. Dan Halbert, March, 1997.
--# Updated for Linux 2.[12] by Brian J. Murrell, January 1999.
--# No guarantees about this. I'm a novice at the details of Linux
--# networking.
-+# Network Interface Configuration System
-+#
-+# Based on:
-+# dhclient-script for Linux. Dan Halbert, March, 1997.
-+# Updated for Linux 2.[12] by Brian J. Murrell, January 1999.
-+# Modified for Mandriva Linux 1999-2009
-+
- 
- # Notes:
- 
-@@ -26,28 +29,35 @@
- ip=/sbin/ip
- 
- make_resolv_conf() {
-+ local d
-+ local ns
-+
-+ if [ -n "$DOMAIN" ]; then
-+ d="search $DOMAIN"
-+ fi
-+
- if [ x"$new_domain_name_servers" != x ]; then
-- cat /dev/null > /etc/resolv.conf.dhclient
-- chmod 644 /etc/resolv.conf.dhclient
-- if [ x"$new_domain_search" != x ]; then
-- echo search $new_domain_search >> /etc/resolv.conf.dhclient
-+ if [ -n "$DOMAIN" ]; then
-+ # already done above
-+ d="search $DOMAIN"
-+ elif [ x"$new_domain_search" != x ]; then
-+ d="search $new_domain_search"
- elif [ x"$new_domain_name" != x ]; then
- # Note that the DHCP 'Domain Name Option' is really just a domain
- # name, and that this practice of using the domain name option as
- # a search path is both nonstandard and deprecated.
-- echo search $new_domain_name >> /etc/resolv.conf.dhclient
-+ d="search $new_domain_name"
- fi
- for nameserver in $new_domain_name_servers; do
-- echo nameserver $nameserver >>/etc/resolv.conf.dhclient
-+ ns="$ns"$'\n'"nameserver ${nameserver}"
- done
- 
-- mv /etc/resolv.conf.dhclient /etc/resolv.conf
- elif [ "x${new_dhcp6_name_servers}" != x ] ; then
-- cat /dev/null > /etc/resolv.conf.dhclient6
-- chmod 644 /etc/resolv.conf.dhclient6
--
-- if [ "x${new_dhcp6_domain_search}" != x ] ; then
-- echo search ${new_dhcp6_domain_search} >> /etc/resolv.conf.dhclient6
-+ if [ -n "$DOMAIN" ]; then
-+ # already done above
-+ d="search $DOMAIN"
-+ elif [ "x${new_dhcp6_domain_search}" != x ] ; then
-+ d="search ${new_dhcp6_domain_search}"
- fi
- shopt -s nocasematch
- for nameserver in ${new_dhcp6_name_servers} ; do
-@@ -59,11 +69,13 @@
- else
- zone_id=
- fi
-- echo nameserver ${nameserver}$zone_id >> /etc/resolv.conf.dhclient6
-+ ns="$ns"$'\n'"nameserver ${nameserver}$zone_id"
- done
- shopt -u nocasematch
-+ fi
- 
-- mv /etc/resolv.conf.dhclient6 /etc/resolv.conf
-+ if [ -n "$d" -o -n "$ns" ]; then
-+ change_resolv_conf "$d" "$ns"
- fi
- }
- 
-@@ -88,6 +100,25 @@
- fi
- fi
- 
-+# Import Mandriva Linux configuration
-+cd /etc/sysconfig/network-scripts;
-+. /etc/sysconfig/network-scripts/network-functions
-+. /etc/rc.d/init.d/functions
-+
-+[ -f ../network ] && . ../network
-+[ -f ../networking/network ] && . ../networking/network
-+
-+CONFIG=$interface
-+
-+need_config ${CONFIG}
-+
-+if [ -f "${CONFIG}" ]; then
-+ source_config
-+else
-+ echo $"$0: configuration for $interface not found."
>&2
-+ DEVICE=$interface
-+ fi
-+
- ###
- ### DHCPv4 Handlers
- ###
-@@ -138,15 +169,6 @@
- 
- if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \
- [ x$reason = xREBIND ] || [ x$reason = xREBOOT ]; then
-- current_hostname=`hostname`
-- if [ x$current_hostname = x ] || \
-- [ x$current_hostname = "x(none)" ] || \
-- [ x$current_hostname = xlocalhost ] || \
-- [ x$current_hostname = x$old_host_name ]; then
-- if [ x$new_host_name != x$old_host_name ]; then
-- hostname "$new_host_name"
-- fi
-- fi
- 
- if [ x$old_ip_address != x ] && [ x$alias_ip_address != x ] && \
- [ x$alias_ip_address != x$old_ip_address ]; then
-@@ -165,12 +187,14 @@
- ifconfig $interface inet $new_ip_address $new_subnet_arg \
- $new_broadcast_arg $mtu_arg
- # Add a network route to the computed network address.
-+ if [ "${PEERGATEWAY}" != "no" ]; then
- for router in $new_routers; do
- if [ "x$new_subnet_mask" = "x255.255.255.255" ] ; then
- route add -host $router dev $interface
- fi
- route add default gw $router $metric_arg dev $interface
- done
-+ fi
- else
- # we haven't changed the address, have we changed other options
- # that we wish to update?
-@@ -193,7 +217,25 @@
- ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg
- route add -host $alias_ip_address $interface:0
- fi
-- make_resolv_conf
-+ if [ -n "$METRIC" ]; then
-+ ifmetric $interface $METRIC
-+ fi
-+ if [ "${PEERDNS}" != "no" ]; then
-+ make_resolv_conf
-+ fi
-+ if [ "${NEEDHOSTNAME}" = "yes" ]; then
-+ if [ -z "$new_host_name" ]; then
-+ eval `/bin/ipcalc --silent --hostname $new_ip_address`
-+ new_host_name=$HOSTNAME
-+ fi
-+ if [ -n "$new_host_name" ]; then
-+ current_hostname=`hostname`
-+
-+ if [ "$new_host_name" != "$current_hostname" ]; then
-+ set_hostname $new_host_name
-+ fi
-+ fi
-+ fi
- exit_with_hooks 0
- fi
- 
-@@ -227,13 +269,17 @@
- ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg
- route add -host $alias_ip_address dev $interface:0
- fi
-+ if [ "${PEERGATEWAY}" != "no" ]; then
- for router in $new_routers; do
- if [ "x$new_subnet_mask" = "x255.255.255.255" ] ; then
- route add -host $router dev $interface
- fi
- route add default gw $router $metric_arg dev $interface
- done
-+ fi
-+ if [ "${PEERDNS}" != "no" ]; then
- make_resolv_conf
-+ fi
- exit_with_hooks 0
- fi
- ifconfig $interface inet 0 down
diff --git a/dhcp-4.2.2-missing-ipv6-not-fatal.patch b/dhcp-4.2.2-missing-ipv6-not-fatal.patch
deleted file mode 100644
index 3e94311..0000000
--- a/dhcp-4.2.2-missing-ipv6-not-fatal.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff -Naur -x '*~' -x '*.rej' -x '*.orig' dhcp-4.2.2/common/discover.c dhcp-4.2.2-missing-ipv6-not-fatal/common/discover.c
---- dhcp-4.2.2/common/discover.c 2011-07-20 00:22:48.000000000 +0200
-+++ dhcp-4.2.2-missing-ipv6-not-fatal/common/discover.c 2011-09-12 13:33:04.300509236 +0200
-@@ -455,7 +455,7 @@
- }
- 
- #ifdef DHCPv6
-- if (local_family == AF_INET6) {
-+ if ((local_family == AF_INET6) && !access("/proc/net/if_inet6", R_OK)) {
- ifaces->fp6 = fopen("/proc/net/if_inet6", "r");
- if (ifaces->fp6 == NULL) {
- log_error("Error opening '/proc/net/if_inet6' to "
-@@ -466,6 +466,8 @@
- ifaces->fp = NULL;
- return 0;
- }
-+ } else {
-+ ifaces->fp6 = NULL;
- }
- #endif
- 
-@@ -733,7 +735,7 @@
- return 1;
- }
- #ifdef DHCPv6
-- if (!(*err)) {
-+ if (!(*err) && ifaces->fp6) {
- if (local_family == AF_INET6)
- return next_iface6(info, err, ifaces);
- }
-@@ -752,7 +754,8 @@
- ifaces->sock = -1;
- #ifdef DHCPv6
- if (local_family == AF_INET6) {
-- fclose(ifaces->fp6);
-+ if (ifaces->fp6)
-+ fclose(ifaces->fp6);
- ifaces->fp6 = NULL;
- }
- #endif
diff --git a/dhcp-4.2.5-P1-man.patch b/dhcp-4.2.5-P1-man.patch
deleted file mode 100644
index 84bb383..0000000
--- a/dhcp-4.2.5-P1-man.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff -Naur dhcp-4.2.5-P1/client/dhclient.conf.5 dhcp-4.2.5-P1.oden/client/dhclient.conf.5
---- dhcp-4.2.5-P1/client/dhclient.conf.5 2013-03-05 19:26:51.000000000 +0100
-+++ dhcp-4.2.5-P1.oden/client/dhclient.conf.5 2013-03-28 11:55:37.131387053 +0100
-@@ -202,7 +202,8 @@
- options. Only the option names should be specified in the request
- statement - not option parameters. By default, the DHCPv4 client
- requests the subnet-mask, broadcast-address, time-offset, routers,
--domain-name, domain-name-servers and host-name options while the DHCPv6
-+domain-search, domain-name, domain-name-servers, host-name, nis-domain,
-+nis-servers, ntp-servers and interface-mtu options while the DHCPv6
- client requests the dhcp6 name-servers and domain-search options. Note
- that if you enter a \'request\' statement, you over-ride these defaults
- and these options will not be requested.
-@@ -713,7 +714,7 @@
- supersede domain-search "fugue.com", "rc.vix.com", "home.vix.com";
- prepend domain-name-servers 127.0.0.1;
- request subnet-mask, broadcast-address, time-offset, routers,
-- domain-name, domain-name-servers, host-name;
-+ domain-search, domain-name, domain-name-servers, host-name;
- require subnet-mask, domain-name-servers;
- script "CLIENTBINDIR/dhclient-script";
- media "media 10baseT/UTP", "media 10base2/BNC";
diff --git a/dhcp.spec b/dhcp.spec
index afb80a5..e8c4425 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -1,16 +1,18 @@
-%define major_version 4.3.2
+%define major_version 4.4.1
 %define patch_version %{nil}
+%define var_dhcpd %{_var}/lib/dhcpd
+%define var_dhclient %{_var}/lib/dhclient
 Name: dhcp
 Epoch: 3
 Version: %{major_version}%{patch_version}
-Release: 7
+Release: 4
 Summary: The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client
 License: Distributable
 Group: System/Servers
 URL: http://www.isc.org/software/dhcp
 Source0: ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz
-Source1: ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz.sha512.asc
+#Source1: ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz.sha512.asc
 Source2: dhcpd.conf
 Source4: dhcp-dynamic-dns-examples.tar.bz2
 Source7: dhcpreport.pl
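Review bot: Commenting out `Source1` drops the upstream `.tar.gz.sha512.asc` from the spec while `.abf.yml` in this same commit still tracks `dhcp-4.4.1.tar.gz.sha512.asc`, so the signed digest is fetched but is no longer reachable from the build; nothing in the visible %prep verified it before either, but this removes the only hook for doing so. I would keep `Source1:` and add a %prep step that checks the ISC signature on the .asc and compares the SHA-512 it carries against `%{SOURCE0}`, or — if signature checking is deliberately out of scope — a comment above `#Source1:` saying why the .asc is not used rather than leaving the line silently disabled.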
@@ -24,25 +26,29 @@ Source16: dhcrelay.service
 Source17: dhcpd.tmpfiles
 Source18: dhclient.tmpfiles
 Source19: dhcrelay.tmpfiles
-# mageia patches
-Patch100: dhcp-4.2.2-ifup.patch
-#Patch101: dhcp-4.2.2-fix-format-errors.patch # I see it applied in the source already
-# prevents needless deassociation, working around mdv bug #43441
-Patch102: dhcp-4.1.1-prevent_wireless_deassociation.patch
-Patch103: dhcp-4.2.5-P1-man.patch
-# fedora patches
-Patch7: dhcp-4.2.0-default-requested-options.patch
-#Patch8: dhcp-4.2.2-xen-checksum.patch # fixed in upstream since 4.3.2
-Patch15: dhcp-4.2.2-missing-ipv6-not-fatal.patch
+# sysusers.d(5) (systemd-sysusers)
+Source20: isc-dhcpd.conf
+#Source21: isc-dhcp-client.conf
+# Per-interface dhclient service from Arch Linux (modified)
+Source22: dhclient@.service
+Source100: ROSA-NEWS
+
 Patch17: dhcp-4.2.0-add_timeout_when_NULL.patch
 Patch18: dhcp-4.3.0-64_bit_lease_parse.patch
-BuildRequires: bind-devel
+Patch19: Arch-0002-iproute2.patch
+
+# Starting from dhcp 4.x built in Bind libs are used
+#BuildRequires: bind-devel
 BuildRequires: groff-base
 BuildRequires: groff-for-man
 BuildRequires: libtool
 BuildRequires: openldap-devel
 BuildRequires: systemd-units
+# --with-ldap-gssapi
+BuildRequires: krb5-devel
+BuildRequires: pkgconfig(libcap-ng)
 Requires(post,preun): rpm-helper
+Requires: bash
 %description
 DHCP (Dynamic Host Configuration Protocol) is a protocol which allows
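Review bot: `BuildRequires: pkgconfig(libcap-ng)` has no consumer I can find in this diff: the %configure line below passes no libcap-ng option and the Fedora capability patch that uses that library is not in the Patch list, so as far as this change shows it is a stray dependency that implies in-daemon capability dropping which is actually done (for dhcpd only) by systemd's `AmbientCapabilities=` — either drop it or add the patch that needs it. The comment `# Starting from dhcp 4.x built in Bind libs are used` should also record which BIND version is bundled and that it is linked statically, e.g. `# bundled bind (see bind/bind.tar.gz) is linked statically: rebuild this package for BIND libisc/libdns advisories`, so the vendored copy is visible when BIND security fixes land.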
@@ -151,50 +157,44 @@ Requires(pre): openldap-config
 %prep
 %setup -q -n %{name}-%{major_version}%{patch_version}
-%patch100 -p1 -b .ifup
-#patch101 -p1 -b .format_not_a_string_literal_and_no_format_arguments
-%patch102 -p1 -b .prevent_wireless_deassociation
-%patch103 -p1 -b .man
+#%setup
+pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd
-# Add NIS domain, NIS servers, NTP servers, interface-mtu and domain-search
-# to the list of default requested DHCP options
-%patch7 -p1 -b .requested
-# Handle Xen partial UDP checksums
-#patch8 -p1 -b .xen
-# If the ipv6 kernel module is missing, do not segfault
-# (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #19367])
-%patch15 -p1 -b .noipv6
 # Handle cases in add_timeout() where the function is called with a NULL
 # value for the 'when' parameter
 %patch17 -p1 -b .dracut
 # Ensure 64-bit platforms parse lease file dates & times correctly
 %patch18 -p1 -b .64-bit_lease_parse
-
-install -m0644 %{SOURCE10} doc
+# change ipconfig to modern ip (from Arch)
+%patch19 -p1
+# change hardcoded paths from /sbin/dhc* to /usr/sbin/dhc*, if there are any
+sed -i 'includes/dhcpd.h' -e 's,\"/sbin/dhc,\"/usr/sbin/dhc,g' || true
 %build
 %serverbuild_hardened
 %configure2_5x \
- --enable-paranoia \
- --enable-early-chroot \
- --with-ldapcrypto \
- --with-srv-lease-file=%{_var}/lib/dhcpd/dhcpd.leases \
- --with-srv6-lease-file=%{_var}/lib/dhcpd/dhcpd6.leases \
- --with-cli-lease-file=%{_var}/lib/dhclient/dhclient.leases \
- --with-cli6-lease-file=%{_var}/lib/dhclient/dhclient6.leases \
+ --with-srv-lease-file=%{var_dhcpd}/dhcpd.leases \
+ --with-srv6-lease-file=%{var_dhcpd}/dhcpd6.leases \
+ --with-cli-lease-file=%{var_dhclient}/dhclient.leases \
+ --with-cli6-lease-file=%{var_dhclient}/dhclient6.leases \
 --with-srv-pid-file=/run/dhcpd/dhcpd.pid \
 --with-srv6-pid-file=/run/dhcpd/dhcpd6.pid \
 --with-cli-pid-file=/run/dhclient/dhclient.pid \
 --with-cli6-pid-file=/run/dhclient/dhclient6.pid \
 --with-relay-pid-file=/run/dhcrelay/dhcrelay.pid \
- 
--disable-static -%make + --enable-paranoia \ + --enable-early-chroot \ + --with-ldap \ + --with-ldapcrypto \ + --with-ldap-gssapi +make %install %makeinstall_std -# Install correct dhclient-script +install -m0644 %{SOURCE10} doc +install -m0644 %{SOURCE100} ROSA-NEWS install -d %{buildroot}/sbin mv %{buildroot}%{_sbindir}/dhclient %{buildroot}/sbin/dhclient install -m 755 client/scripts/linux %{buildroot}/sbin/dhclient-script @@ -203,11 +203,16 @@ install -d %{buildroot}%{_unitdir} install -m 644 %{SOURCE12} %{buildroot}%{_unitdir}/dhcpd.service install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}/dhcpd6.service install -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dhcrelay.service +install -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/ install -D -p -m 644 %{SOURCE17} %{buildroot}%{_tmpfilesdir}/dhcpd.conf install -D -p -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/dhclient.conf install -D -p -m 644 %{SOURCE19} %{buildroot}%{_tmpfilesdir}/dhcrelay.conf +install -d %{buildroot}%{_sysusersdir} +install -m 644 %{SOURCE20} %{buildroot}%{_sysusersdir}/ +#install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/ + install -m 755 %{SOURCE7} %{SOURCE8} %{buildroot}%{_sbindir} install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir} install -m 755 contrib/ldap/dhcpd-conf-to-ldap %{buildroot}%{_sbindir} @@ -223,7 +228,7 @@ cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd < %{buildroot}%{_sysconfdir}/sysconfig/dhcpd < %{buildroot}%{_sysconfdir}/sysconfig/dhcrelay <&1 >/dev/null || true %files common -%doc README contrib/ldap/README.ldap RELNOTES +%doc README ROSA-NEWS contrib/ldap/README.ldap RELNOTES %doc contrib/3.0b1-lease-convert %{_mandir}/man5/dhcp-options.5* @@ -338,8 +340,7 @@ rm -rf %{_var}/lib/dhclient/dhclient.leases %{_mandir}/man5/dhcpd.leases.5* %{_mandir}/man5/dhcp-eval.5* %{_mandir}/man8/dhcpd.8* -%dir %{_var}/lib/dhcpd -%config(noreplace) %ghost %{_var}/lib/dhcpd/dhcpd.leases +%config %{_sysusersdir}/isc-dhcpd.conf %files relay %{_unitdir}/dhcrelay.service 
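Review bot: The new `sed -i 'includes/dhcpd.h' -e 's,\"/sbin/dhc,\"/usr/sbin/dhc,g' || true` rewrites the compiled-in `/sbin/dhc*` defaults to `/usr/sbin/dhc*`, yet the %install lines a few hunks down still do `mv %{buildroot}%{_sbindir}/dhclient %{buildroot}/sbin/dhclient` and install dhclient-script to `/sbin/dhclient-script`; unless /sbin is a symlink to /usr/sbin on the target, dhclient will look for its script (and dhcpd for any helper) where nothing is installed. Make the two agree — either install under %{_sbindir} or drop the sed — and remove the `|| true`, which hides exactly the failure (header moved, quoting no longer matching) that would make the rewrite a silent no-op; `grep -q '"/sbin/dhc' includes/dhcpd.h && sed -i -e 's,\"/sbin/dhc,\"/usr/sbin/dhc,g' includes/dhcpd.h` states the intent explicitly. The bundled BIND is unpacked by `pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd` and linked statically, so I would add a `Provides: bundled(bind) = <version>` tag to make the vendored copy visible to security tooling. Replacing `%make` with bare `make` also drops whatever flags that macro injects, which may be unintended; the %build and %install sections run past the end of this hunk.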
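Review bot: With `%dir %{_var}/lib/dhcpd` dropped from %files and dhcpd.service now running as `User=isc-dhcpd`, nothing visible in this diff creates /var/lib/dhcpd with isc-dhcpd ownership — dhcpd.tmpfiles only provides /run/dhcpd — so on a fresh install `-lf /var/lib/dhcpd/dhcpd.leases` has no writable directory and the unit will restart-loop, and on upgrades the existing leases file is still root-owned from the previous root-running unit. Unless the %post I cannot see here (the region around `@@ -223` is garbled in this view) handles it, add `d /var/lib/dhcpd 0750 isc-dhcpd isc-dhcpd -` to dhcpd.tmpfiles or keep `%dir %attr(0750,isc-dhcpd,isc-dhcpd) %{var_dhcpd}` in %files, plus a one-time `chown -R isc-dhcpd:isc-dhcpd %{var_dhcpd}` in %post for migrated systems. `%config` on `%{_sysusersdir}/isc-dhcpd.conf` is also misleading — it is not administrator-edited configuration — so a plain file entry is the right marking.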
@@ -352,13 +353,12 @@ rm -rf %{_var}/lib/dhclient/dhclient.leases
 %doc client/dhclient.conf.example
 %attr (0755,root,root) /sbin/dhclient-script
 %{_tmpfilesdir}/dhclient.conf
+%{_unitdir}/dhclient@.service
 /sbin/dhclient
 %{_mandir}/man5/dhclient.conf.5*
 %{_mandir}/man5/dhclient.leases.5*
 %{_mandir}/man8/dhclient.8*
 %{_mandir}/man8/dhclient-script.8*
-%dir %{_var}/lib/dhclient
-%config(noreplace) %ghost %{_var}/lib/dhclient/dhclient.leases
 %files devel
 %{_includedir}/*
diff --git a/dhcpd.service b/dhcpd.service
index 4cb5a58..278ea7e 100644
--- a/dhcpd.service
+++ b/dhcpd.service
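Review bot: Removing `%dir %{_var}/lib/dhclient` leaves the directory that `dhclient@.service` names in `-lf /var/lib/dhclient/dhclient.leases` unowned by any package; ROSA-NEWS says it "has to exist and be writable", and the only tmpfiles fragment visible in this diff (dhcpd.tmpfiles) covers /run, not /var/lib. Unless dhclient.tmpfiles (Source18, not shown) creates it, the first `systemctl start dhclient@<iface>` will at least fail to record its lease; keep `%dir %{var_dhclient}` in %files or add a `d /var/lib/dhclient 0755 root root -` line. Dropping the `%ghost` leases entry itself is fine.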
@@ -1,13 +1,33 @@
 [Unit]
 Description=DHCPv4 Server Daemon
-After=syslog.target network.target ldap.service
+Documentation=man:dhcpd(8) man:dhcpd.conf(5)
+Wants=network-online.target
+# ldap.service: probably LDAP server starts first and dhcpd must start providing DHCP server only after LDAP has started to use LDAP for IP addresses (?)
+After=network-online.target time-sync.target ldap.service
 [Service]
 Environment=CONFIGFILE=/etc/dhcpd.conf LEASEFILE=/var/lib/dhcpd/dhcpd.leases
 EnvironmentFile=-/etc/sysconfig/dhcpd
 Type=forking
-PIDFile=/run/dhcpd/dhcpd.pid
 ExecStart=/usr/sbin/dhcpd -pf /run/dhcpd/dhcpd.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES
+PIDFile=/run/dhcpd/dhcpd.pid
+User=isc-dhcpd
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+# not ProtectSystem=full because we need a writable leases file in /var
+ProtectSystem=true
+ProtectHome=true
+KillSignal=SIGINT
+# We pull in network-online.target for a configured network connection.
+# However this is not guaranteed to be the network connection our
+# networks are configured for. So try to restart on failure with a delay
+# of two seconds. Rate limiting kicks in after 12 seconds.
+RestartSec=2s
+Restart=on-failure
+StartLimitInterval=12s
 [Install]
 WantedBy=multi-user.target
+
+# This unit file in based on ROSA's unit file and Arch's
+# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp
diff --git a/dhcpd.tmpfiles b/dhcpd.tmpfiles
index d545ce8..dd3b209 100644
--- a/dhcpd.tmpfiles
+++ b/dhcpd.tmpfiles
@@ -1 +1 @@
-d /run/dhcpd 755 root root
+d /run/dhcpd 755 isc-dhcpd isc-dhcpd
diff --git a/dhcpd6.service b/dhcpd6.service
index bd1fac4..f4c3bea 100644
--- a/dhcpd6.service
+++ b/dhcpd6.service
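Review bot: Now that the daemon runs as `User=isc-dhcpd`, `CapabilityBoundingSet=~CAP_SYS_ADMIN` is the wrong shape: the process needs exactly the two ambient capabilities, so an allow-list `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW` together with `NoNewPrivileges=true` is what keeps anything dhcpd happens to execute from regaining privileges — without NoNewPrivileges a setuid exec could still reacquire every capability the bounding set leaves in. The comment `# not ProtectSystem=full because we need a writable leases file in /var` misreads systemd.exec: `full` only adds /etc to the read-only set and /var is untouched below `strict`, so since dhcpd only reads /etc/dhcpd.conf the accurate setting is `ProtectSystem=strict` with `ReadWritePaths=/var/lib/dhcpd /run/dhcpd`, and the comment should be corrected either way. Note also that this unit now shares `EnvironmentFile=-/etc/sysconfig/dhcpd` with dhcpd6.service, so `$OPTIONS`/`$INTERFACES` set for IPv4 are applied to the IPv6 daemon as well.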
@@ -1,13 +1,33 @@
 [Unit]
-Description=DHCPv6 Server Daemon
-After=syslog.target network.target
+Description=DHCPv4 Server Daemon
+Documentation=man:dhcpd(8) man:dhcpd.conf(5)
+Wants=network-online.target
+# ldap.service: probably LDAP server starts first and dhcpd must start providing DHCP server only after LDAP has started to use LDAP for IP addresses (?)
+After=network-online.target time-sync.target ldap.service
 [Service]
-Environment=CONFIGFILE=/etc/dhcpd6.conf LEASEFILE=/var/lib/dhcp/dhcpd6.leases
-EnvironmentFile=-/etc/sysconfig/dhcpd6
+Environment=CONFIGFILE=/etc/dhcpd6.conf LEASEFILE=/var/lib/dhcpd/dhcpd6.leases
+EnvironmentFile=-/etc/sysconfig/dhcpd
 Type=forking
-PIDFile=/var/run/dhcpd6.pid
-ExecStart=/usr/sbin/dhcpd -6 -pf /var/run/dhcpd6.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES
+ExecStart=/usr/sbin/dhcpd -6 -pf /run/dhcpd/dhcpd6.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES
+PIDFile=/run/dhcpd/dhcpd6.pid
+User=isc-dhcpd
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+# not ProtectSystem=full because we need a writable leases file in /var
+ProtectSystem=true
+ProtectHome=true
+KillSignal=SIGINT
+# We pull in network-online.target for a configured network connection.
+# However this is not guaranteed to be the network connection our
+# networks are configured for. So try to restart on failure with a delay
+# of two seconds. Rate limiting kicks in after 12 seconds.
+RestartSec=2s
+Restart=on-failure
+StartLimitInterval=12s
 [Install]
 WantedBy=multi-user.target
+
+# This unit file in based on ROSA's unit file and Arch's
+# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp
diff --git a/isc-dhcp-client.conf b/isc-dhcp-client.conf
new file mode 100644
index 0000000..8ab9da2
--- /dev/null
+++ b/isc-dhcp-client.conf
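Review bot: `+Description=DHCPv4 Server Daemon` is a copy-paste error in the IPv6 unit — it should remain `Description=DHCPv6 Server Daemon`. Sharing `EnvironmentFile=-/etc/sysconfig/dhcpd` with dhcpd.service is riskier than it looks: `EnvironmentFile=` overrides `Environment=`, so an administrator who sets `CONFIGFILE=` or `LEASEFILE=` in that file for the IPv4 daemon silently redirects dhcpd6 to the same config and lease file, and two dhcpd processes writing one leases file will corrupt it. Either use distinct variable names here (`CONFIGFILE6`/`LEASEFILE6`/`OPTIONS6`) or ship the separate /etc/sysconfig/dhcpd6 that ROSA-NEWS says was missing. The hardening block carries the same inaccuracy as the IPv4 unit: `ProtectSystem=full` does not make /var read-only, and with `User=` set an allow-list bounding set plus `NoNewPrivileges=true` is tighter than `~CAP_SYS_ADMIN`.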
@@ -0,0 +1,4 @@
+# The shell is /sbin/nologin
+u isc-dhcp-client - "ISC DHCP client user" /
+g isc-dhcp-client - "ISC DHCP client group"
+m isc-dhcp-client isc-dhcp-client
diff --git a/isc-dhcpd.conf b/isc-dhcpd.conf
new file mode 100644
index 0000000..92a85e3
--- /dev/null
+++ b/isc-dhcpd.conf
@@ -0,0 +1,4 @@
+# The shell is /sbin/nologin
+u isc-dhcpd - "ISC DHCP daemon user" /
+g isc-dhcpd - "ISC DHCP daemon group"
+m isc-dhcpd isc-dhcpd
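Review bot: `# The shell is /sbin/nologin` documents a field these `u` lines never set, so the shell is whatever this systemd's sysusers default happens to be; either append the shell column to the `u` line (accepted by newer systemd-sysusers) or reword the comment to `# shell: systemd-sysusers default (nologin)`. The `g isc-dhcpd …` and `m isc-dhcpd isc-dhcpd` lines are redundant — a `u` line already creates a same-named group and makes it the primary group — and the home directory `/` would be more useful as `/var/lib/dhcpd`, the one path the daemon actually writes. isc-dhcp-client.conf is added alongside, but the spec comments out its `Source21` and install lines and dhclient@.service still runs as root, so that file is dead until some unit uses the user.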