Merge pull request #1 from djam/dhcp:rosa2016.1

Backports latest r10 to r8

.abf.yml

@@ -1,11 +1,4 @@
-removed_sources:
-  dhcp-4.2.5-P1.tar.gz: 120b6e476b2ac0d35e1dc8dee53752c42449b925
-  dhcp-4.2.5-P1.tar.gz.sha512.asc: d43248ba82d8a2f393f2f6c283ea06fb2df38d18
-  dhcp-4.2.5.tar.gz: d029505509aee83ea28972d5d1c95dc4b5db99f1
-  dhcp-4.2.5.tar.gz.sha512.asc: ac49b30ef17acb36cc5603faa5d780e423aa0e06
-  dhcp-4.3.0.tar.gz: deed72a4636461042b74de68c2825dc52623e1d1
-  dhcp-4.3.0.tar.gz.sha512.asc: e05375f86430f0d92a371fe8f619aa73e65de19a
 sources:
-  dhcp-4.3.2.tar.gz: c7fcc4fa2bd135700b410f47eca238dd67419654
-  dhcp-4.3.2.tar.gz.sha512.asc: dd76a14f1424e216dfaf186b75566a867de311d4
+  dhcp-4.4.1.tar.gz: 7be2c4911107f613c2d4b0a943261603c6b8507a
+  dhcp-4.4.1.tar.gz.sha512.asc: 1e5af5476f181d2045e4b30171e3f423aa260fbe
   dhcp-dynamic-dns-examples.tar.bz2: d33980aad3e0380fc89f8346ab37786d39157696

Arch-0002-iproute2.patch

@@ -0,0 +1,15 @@
+https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp
+
+diff --git a/client/scripts/linux b/client/scripts/linux
+index 5fb16121..c4cef632 100755
+--- a/client/scripts/linux
++++ b/client/scripts/linux
+@@ -362,7 +362,7 @@ case "$reason" in
+         interface_up_wait_time=5
+         for i in $(seq 0 ${interface_up_wait_time})
+         do
+-            ifconfig ${interface} | grep RUNNING >/dev/null 2>&1
++            /sbin/ip link show dev ${interface} | grep -q LOWER_UP 2>&1
+             if [ $? -eq 0 ]; then
+                 break;
+             fi

ROSA-NEWS

@@ -0,0 +1,30 @@
+dhcp v4.4.1
+08.10.2018
+by mikhailnov
+
+* Dropped old patches
+* Now upstream uses built-in bind libraries, we also use them for now (they are linked statically)
+* Now it's built with KerberOS support
+
+* Removed 'After=syslog.target' from systemd service dhcpd.service
+https://www.freedesktop.org/wiki/Software/systemd/syslog/ says:
+"we do no longer recommend people to order their units after syslog.target"
+* Merged old ROSA's dhcpd(6).service and Arch's dhcpd{4|6}.service
+* dhclient@.service from Arch Linux, modified a bit to improve secutrity (e.g. usage: systemctl enable dhclient@enp1s0)
+* Improved security of dhcpd.service and dhcpd6.service by setting and dropping some capabilities(7)
+
+* dhcpd user was added on package installation (dhcp-server), but dhcpd was actually ran from root, not dhcpd
+* use sysusers.d(5) (config isc-dhcpd.conf) instaed of manually created dhcpd user
+* migration: delete dhcpd user on package uninstallation
+
+* /etc/sysconfig/dhcp6 called in dhcpd6.service did not exist (dhcpd6.service was broken);
+let's use /etc/sysconfig/dhcpd for both IPv4 and IPv6
+
+* /var/lib/dhcpd and /var/lib/dhclient are now defined as variables in the RPM spec
+Note: they are hardcoded in systemd units
+
+* .leases files are not packaged any more, because modern dhcpd and dhclient can create them automatically,
+but the directoiry, e.g. /var/lib/dhclient, has to exist and be writable.
+* Don't remove *.leases on package uninstallation
+
+* TODO(?): Fedora's patch dhcp-paths.patch

dhclient@.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=dhclient on %I
+Wants=network.target
+Before=network.target
+
+[Service]
+ExecStart=/sbin/dhclient -lf /var/lib/dhclient/dhclient.leases -pf /run/dhclient@%i/dhclient.pid -d %I
+RuntimeDirectory=dhclient@%i
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
+# /var is not read-only
+ProtectSystem=true
+ProtectHome=true
+RestartSec=2s
+Restart=on-failure
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
+[Install]
+WantedBy=multi-user.target
+
+# This unit file in based on
+# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp

dhcp-4.1.1-prevent_wireless_deassociation.patch

@@ -1,39 +0,0 @@
-diff -p -up dhcp-4.1.1/client/scripts/linux.prevent_wireless dhcp-4.1.1/client/scripts/linux
---- dhcp-4.1.1/client/scripts/linux.prevent_wireless	2010-02-25 11:37:31.000000000 -0300
-+++ dhcp-4.1.1/client/scripts/linux	2010-02-25 11:37:37.000000000 -0300
-@@ -13,6 +13,8 @@
- 
- # 1. ifconfig down apparently deletes all relevant routes and flushes
- # the arp cache, so this doesn't need to be done explicitly.
-+# 1.1. ifconfig $interface inet 0 is enough, and prevents unneeded
-+# deassociation on wireless interfaces
- 
- # 2. The alias address handling here has not been tested AT ALL.
- # I'm just going by the doc of modern Linux ip aliasing, which uses
-@@ -170,7 +172,7 @@ if [ x$reason = xBOUND ] || [ x$reason =
-   if [ x$old_ip_address != x ] && [ x$old_ip_address != x$new_ip_address ]; then
-     # IP address changed. Bringing down the interface will delete all routes,
-     # and clear the ARP cache.
--    ifconfig $interface inet 0 down
-+    ifconfig $interface inet 0
- 
-   fi
-   if [ x$old_ip_address = x ] || [ x$old_ip_address != x$new_ip_address ] || \
-@@ -224,7 +226,7 @@ if [ x$reason = xEXPIRE ] || [ x$reason 
-   fi
-   if [ x$old_ip_address != x ]; then
-     # Shut down interface, which will delete routes and clear arp cache.
--    ifconfig $interface inet 0 down
-+    ifconfig $interface inet 0
-   fi
-   if [ x$alias_ip_address != x ]; then
-     ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg
-@@ -259,7 +261,7 @@ if [ x$reason = xTIMEOUT ]; then
-    fi
-     exit_with_hooks 0
-   fi
--  ifconfig $interface inet 0 down
-+  ifconfig $interface inet 0
-   exit_with_hooks 1
- fi
- 

dhcp-4.2.0-default-requested-options.patch

@@ -1,44 +0,0 @@
-diff -up dhcp-4.2.0/client/clparse.c.requested dhcp-4.2.0/client/clparse.c
---- dhcp-4.2.0/client/clparse.c.requested	2010-07-21 13:29:05.000000000 +0200
-+++ dhcp-4.2.0/client/clparse.c	2010-07-21 13:50:29.000000000 +0200
-@@ -37,7 +37,7 @@
- 
- struct client_config top_level_config;
- 
--#define NUM_DEFAULT_REQUESTED_OPTS	9
-+#define NUM_DEFAULT_REQUESTED_OPTS	14
- struct option *default_requested_options[NUM_DEFAULT_REQUESTED_OPTS + 1];
- 
- static void parse_client_default_duid(struct parse *cfile);
-@@ -111,6 +111,31 @@ isc_result_t read_client_conf ()
- 	option_code_hash_lookup(&default_requested_options[8],
- 				dhcpv6_universe.code_hash, &code, 0, MDL);
- 
-+	/* 10 */
-+	code = DHO_NIS_DOMAIN;
-+	option_code_hash_lookup(&default_requested_options[9],
-+				dhcp_universe.code_hash, &code, 0, MDL);
-+
-+	/* 11 */
-+	code = DHO_NIS_SERVERS;
-+	option_code_hash_lookup(&default_requested_options[10],
-+				dhcp_universe.code_hash, &code, 0, MDL);
-+
-+	/* 12 */
-+	code = DHO_NTP_SERVERS;
-+	option_code_hash_lookup(&default_requested_options[11],
-+				dhcp_universe.code_hash, &code, 0, MDL);
-+
-+	/* 13 */
-+	code = DHO_INTERFACE_MTU;
-+	option_code_hash_lookup(&default_requested_options[12],
-+				dhcp_universe.code_hash, &code, 0, MDL);
-+
-+	/* 14 */
-+	code = DHO_DOMAIN_SEARCH;
-+	option_code_hash_lookup(&default_requested_options[13],
-+				dhcp_universe.code_hash, &code, 0, MDL);
-+
- 	for (code = 0 ; code < NUM_DEFAULT_REQUESTED_OPTS ; code++) {
- 		if (default_requested_options[code] == NULL)
- 			log_fatal("Unable to find option definition for "

dhcp-4.2.2-ifup.patch

@@ -1,185 +0,0 @@
-diff -Naur -x '*~' -x '*.orig' -x '*.rej' dhcp-4.2.2/client/scripts/linux dhcp-4.2.2-ifup/client/scripts/linux
---- dhcp-4.2.2/client/scripts/linux	2011-05-18 22:01:54.000000000 +0200
-+++ dhcp-4.2.2-ifup/client/scripts/linux	2011-08-29 19:07:58.722894019 +0200
-@@ -1,8 +1,11 @@
- #!/bin/bash
--# dhclient-script for Linux. Dan Halbert, March, 1997.
--# Updated for Linux 2.[12] by Brian J. Murrell, January 1999.
--# No guarantees about this. I'm a novice at the details of Linux
--# networking.
-+# Network Interface Configuration System
-+#
-+# Based on:
-+#   dhclient-script for Linux. Dan Halbert, March, 1997.
-+#   Updated for Linux 2.[12] by Brian J. Murrell, January 1999.
-+#   Modified for Mandriva Linux 1999-2009
-+
- 
- # Notes:
- 
-@@ -26,28 +29,35 @@
- ip=/sbin/ip
- 
- make_resolv_conf() {
-+  local d
-+  local ns
-+  
-+  if [ -n "$DOMAIN" ]; then
-+    d="search $DOMAIN"
-+  fi
-+
-   if [ x"$new_domain_name_servers" != x ]; then
--    cat /dev/null > /etc/resolv.conf.dhclient
--    chmod 644 /etc/resolv.conf.dhclient
--    if [ x"$new_domain_search" != x ]; then
--      echo search $new_domain_search >> /etc/resolv.conf.dhclient
-+    if [ -n "$DOMAIN" ]; then
-+     # already done above
-+     d="search $DOMAIN"
-+    elif [ x"$new_domain_search" != x ]; then
-+      d="search $new_domain_search" 
-     elif [ x"$new_domain_name" != x ]; then
-       # Note that the DHCP 'Domain Name Option' is really just a domain
-       # name, and that this practice of using the domain name option as
-       # a search path is both nonstandard and deprecated.
--      echo search $new_domain_name >> /etc/resolv.conf.dhclient
-+      d="search $new_domain_name" 
-     fi
-     for nameserver in $new_domain_name_servers; do
--      echo nameserver $nameserver >>/etc/resolv.conf.dhclient
-+      ns="$ns"$'\n'"nameserver ${nameserver}"
-     done
- 
--    mv /etc/resolv.conf.dhclient /etc/resolv.conf
-   elif [ "x${new_dhcp6_name_servers}" != x ] ; then
--    cat /dev/null > /etc/resolv.conf.dhclient6
--    chmod 644 /etc/resolv.conf.dhclient6
--
--    if [ "x${new_dhcp6_domain_search}" != x ] ; then
--      echo search ${new_dhcp6_domain_search} >> /etc/resolv.conf.dhclient6
-+    if [ -n "$DOMAIN" ]; then
-+     # already done above
-+     d="search $DOMAIN"
-+    elif [ "x${new_dhcp6_domain_search}" != x ] ; then
-+      d="search ${new_dhcp6_domain_search}"
-     fi
-     shopt -s nocasematch 
-     for nameserver in ${new_dhcp6_name_servers} ; do
-@@ -59,11 +69,13 @@
-       else
- 	zone_id=
-       fi
--      echo nameserver ${nameserver}$zone_id >> /etc/resolv.conf.dhclient6
-+      ns="$ns"$'\n'"nameserver ${nameserver}$zone_id"
-     done
-     shopt -u nocasematch 
-+  fi
- 
--    mv /etc/resolv.conf.dhclient6 /etc/resolv.conf
-+  if [ -n "$d" -o -n "$ns" ]; then
-+     change_resolv_conf "$d" "$ns"
-   fi
- }
- 
-@@ -88,6 +100,25 @@
-   fi
- fi
- 
-+# Import Mandriva Linux configuration
-+cd /etc/sysconfig/network-scripts;
-+. /etc/sysconfig/network-scripts/network-functions
-+. /etc/rc.d/init.d/functions
-+
-+[ -f ../network ] && . ../network
-+[ -f ../networking/network ] && . ../networking/network
-+
-+CONFIG=$interface
-+
-+need_config ${CONFIG}
-+
-+if [ -f "${CONFIG}" ]; then
-+    source_config
-+else
-+    echo $"$0: configuration for $interface not found." >&2
-+    DEVICE=$interface
-+fi
-+
- ###
- ### DHCPv4 Handlers
- ###
-@@ -138,15 +169,6 @@
-   
- if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \
-    [ x$reason = xREBIND ] || [ x$reason = xREBOOT ]; then
--  current_hostname=`hostname`
--  if [ x$current_hostname = x ] || \
--     [ x$current_hostname = "x(none)" ] || \
--     [ x$current_hostname = xlocalhost ] || \
--     [ x$current_hostname = x$old_host_name ]; then
--    if [ x$new_host_name != x$old_host_name ]; then
--      hostname "$new_host_name"
--    fi
--  fi
-     
-   if [ x$old_ip_address != x ] && [ x$alias_ip_address != x ] && \
- 		[ x$alias_ip_address != x$old_ip_address ]; then
-@@ -165,12 +187,14 @@
-     ifconfig $interface inet $new_ip_address $new_subnet_arg \
- 					$new_broadcast_arg $mtu_arg
-     # Add a network route to the computed network address.
-+   if [ "${PEERGATEWAY}" != "no" ]; then
-     for router in $new_routers; do
-       if [ "x$new_subnet_mask" = "x255.255.255.255" ] ; then
- 	route add -host $router dev $interface
-       fi
-       route add default gw $router $metric_arg dev $interface
-     done
-+   fi
-   else
-     # we haven't changed the address, have we changed other options           
-     # that we wish to update?
-@@ -193,7 +217,25 @@
-     ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg
-     route add -host $alias_ip_address $interface:0
-   fi
--  make_resolv_conf
-+  if [ -n "$METRIC" ]; then
-+	ifmetric $interface $METRIC
-+  fi
-+  if [ "${PEERDNS}" != "no" ]; then 
-+     make_resolv_conf
-+  fi
-+  if [ "${NEEDHOSTNAME}" = "yes" ]; then
-+      if [ -z "$new_host_name" ]; then
-+	  eval `/bin/ipcalc --silent --hostname $new_ip_address`
-+	  new_host_name=$HOSTNAME
-+      fi
-+      if [ -n "$new_host_name" ]; then
-+	  current_hostname=`hostname`
-+	  
-+	  if [ "$new_host_name" != "$current_hostname" ]; then
-+	      set_hostname $new_host_name
-+	  fi
-+      fi
-+  fi
-   exit_with_hooks 0
- fi
- 
-@@ -227,13 +269,17 @@
-       ifconfig $interface:0 inet $alias_ip_address $alias_subnet_arg
-       route add -host $alias_ip_address dev $interface:0
-     fi
-+   if [ "${PEERGATEWAY}" != "no" ]; then
-     for router in $new_routers; do
-       if [ "x$new_subnet_mask" = "x255.255.255.255" ] ; then
- 	route add -host $router dev $interface
-       fi
-       route add default gw $router $metric_arg dev $interface
-     done
-+   fi
-+   if [ "${PEERDNS}" != "no" ]; then
-     make_resolv_conf
-+   fi
-     exit_with_hooks 0
-   fi
-   ifconfig $interface inet 0 down

dhcp-4.2.2-missing-ipv6-not-fatal.patch

@@ -1,40 +0,0 @@
-diff -Naur -x '*~' -x '*.rej' -x '*.orig' dhcp-4.2.2/common/discover.c dhcp-4.2.2-missing-ipv6-not-fatal/common/discover.c
---- dhcp-4.2.2/common/discover.c	2011-07-20 00:22:48.000000000 +0200
-+++ dhcp-4.2.2-missing-ipv6-not-fatal/common/discover.c	2011-09-12 13:33:04.300509236 +0200
-@@ -455,7 +455,7 @@
- 	}
- 
- #ifdef DHCPv6
--	if (local_family == AF_INET6) {
-+	if ((local_family == AF_INET6) && !access("/proc/net/if_inet6", R_OK)) {
- 		ifaces->fp6 = fopen("/proc/net/if_inet6", "r");
- 		if (ifaces->fp6 == NULL) {
- 			log_error("Error opening '/proc/net/if_inet6' to "
-@@ -466,6 +466,8 @@
- 			ifaces->fp = NULL;
- 			return 0;
- 		}
-+	} else {
-+		ifaces->fp6 = NULL;
- 	}
- #endif
- 
-@@ -733,7 +735,7 @@
- 		return 1;
- 	}
- #ifdef DHCPv6
--	if (!(*err)) {
-+	if (!(*err) && ifaces->fp6) {
- 		if (local_family == AF_INET6)
- 			return next_iface6(info, err, ifaces);
- 	}
-@@ -752,7 +754,8 @@
- 	ifaces->sock = -1;
- #ifdef DHCPv6
- 	if (local_family == AF_INET6) {
--		fclose(ifaces->fp6);
-+		if (ifaces->fp6)
-+			fclose(ifaces->fp6);
- 		ifaces->fp6 = NULL;
- 	}
- #endif

dhcp-4.2.5-P1-man.patch

@@ -1,22 +0,0 @@
-diff -Naur dhcp-4.2.5-P1/client/dhclient.conf.5 dhcp-4.2.5-P1.oden/client/dhclient.conf.5
---- dhcp-4.2.5-P1/client/dhclient.conf.5	2013-03-05 19:26:51.000000000 +0100
-+++ dhcp-4.2.5-P1.oden/client/dhclient.conf.5	2013-03-28 11:55:37.131387053 +0100
-@@ -202,7 +202,8 @@
- options.  Only the option names should be specified in the request
- statement - not option parameters.  By default, the DHCPv4 client
- requests the subnet-mask, broadcast-address, time-offset, routers,
--domain-name, domain-name-servers and host-name options while the DHCPv6
-+domain-search, domain-name, domain-name-servers, host-name, nis-domain,
-+nis-servers, ntp-servers and interface-mtu options while the DHCPv6
- client requests the dhcp6 name-servers and domain-search options.  Note
- that if you enter a \'request\' statement, you over-ride these defaults
- and these options will not be requested.
-@@ -713,7 +714,7 @@
-     supersede domain-search "fugue.com", "rc.vix.com", "home.vix.com";
-     prepend domain-name-servers 127.0.0.1;
-     request subnet-mask, broadcast-address, time-offset, routers,
--	    domain-name, domain-name-servers, host-name;
-+	    domain-search, domain-name, domain-name-servers, host-name;
-     require subnet-mask, domain-name-servers;
-     script "CLIENTBINDIR/dhclient-script";
-     media "media 10baseT/UTP", "media 10base2/BNC";

dhcp.spec

@@ -1,16 +1,18 @@
-%define major_version	4.3.2
+%define major_version	4.4.1
 %define patch_version	%{nil}
+%define var_dhcpd %{_var}/lib/dhcpd
+%define var_dhclient %{_var}/lib/dhclient
 
 Name:		dhcp
 Epoch:		3
 Version:	%{major_version}%{patch_version}
-Release:	7
+Release:	4
 Summary:	The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client
 License:	Distributable
 Group:		System/Servers
 URL:		http://www.isc.org/software/dhcp
 Source0:	ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz
-Source1:	ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz.sha512.asc
+#Source1:	ftp://ftp.isc.org/isc/%{name}/%{major_version}%{patch_version}/%{name}-%{major_version}%{patch_version}.tar.gz.sha512.asc
 Source2:	dhcpd.conf
 Source4:	dhcp-dynamic-dns-examples.tar.bz2
 Source7:	dhcpreport.pl
@@ -24,25 +26,29 @@ Source16:	dhcrelay.service
 Source17:	dhcpd.tmpfiles
 Source18:	dhclient.tmpfiles
 Source19:	dhcrelay.tmpfiles
-# mageia patches
-Patch100:	dhcp-4.2.2-ifup.patch
-#Patch101:	dhcp-4.2.2-fix-format-errors.patch # I see it applied in the source already
-# prevents needless deassociation, working around mdv bug #43441
-Patch102:	dhcp-4.1.1-prevent_wireless_deassociation.patch
-Patch103:	dhcp-4.2.5-P1-man.patch
-# fedora patches
-Patch7:		dhcp-4.2.0-default-requested-options.patch
-#Patch8:	dhcp-4.2.2-xen-checksum.patch # fixed in upstream since 4.3.2
-Patch15:	dhcp-4.2.2-missing-ipv6-not-fatal.patch
+# sysusers.d(5) (systemd-sysusers)
+Source20:	isc-dhcpd.conf
+#Source21:	isc-dhcp-client.conf
+# Per-interface dhclient service from Arch Linux (modified)
+Source22:	dhclient@.service
+Source100:	ROSA-NEWS
+
 Patch17:	dhcp-4.2.0-add_timeout_when_NULL.patch
 Patch18:	dhcp-4.3.0-64_bit_lease_parse.patch
-BuildRequires:	bind-devel
+Patch19:	Arch-0002-iproute2.patch
+
+# Starting from dhcp 4.x built in Bind libs are used
+#BuildRequires:	bind-devel
 BuildRequires:	groff-base
 BuildRequires:	groff-for-man
 BuildRequires:	libtool
 BuildRequires:	openldap-devel
 BuildRequires:	systemd-units
+# --with-ldap-gssapi
+BuildRequires:	krb5-devel
+BuildRequires:	pkgconfig(libcap-ng)
 Requires(post,preun): rpm-helper
+Requires:	bash
 
 %description 
 DHCP (Dynamic Host Configuration Protocol) is a protocol which allows 
@@ -151,50 +157,44 @@ Requires(pre):	openldap-config
 
 %prep
 %setup -q -n %{name}-%{major_version}%{patch_version}
-%patch100 -p1 -b .ifup
-#patch101 -p1 -b .format_not_a_string_literal_and_no_format_arguments
-%patch102 -p1 -b .prevent_wireless_deassociation
-%patch103 -p1 -b .man
+#%setup
+pushd bind ; tar -xvf bind.tar.gz >/dev/null ; popd
 
-# Add NIS domain, NIS servers, NTP servers, interface-mtu and domain-search
-# to the list of default requested DHCP options
-%patch7 -p1 -b .requested
-# Handle Xen partial UDP checksums
-#patch8 -p1 -b .xen
-# If the ipv6 kernel module is missing, do not segfault
-# (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #19367])
-%patch15 -p1 -b .noipv6
 # Handle cases in add_timeout() where the function is called with a NULL
 # value for the 'when' parameter
 %patch17 -p1 -b .dracut
 # Ensure 64-bit platforms parse lease file dates & times correctly
 %patch18 -p1 -b .64-bit_lease_parse
-
-install -m0644 %{SOURCE10} doc
+# change ipconfig to modern ip (from Arch)
+%patch19 -p1
+# change hardcoded paths from /sbin/dhc* to /usr/sbin/dhc*, if there are any
+sed -i 'includes/dhcpd.h' -e 's,\"/sbin/dhc,\"/usr/sbin/dhc,g' || true
 
 %build
 %serverbuild_hardened
 %configure2_5x \
-    --enable-paranoia \
-    --enable-early-chroot \
-    --with-ldapcrypto \
-    --with-srv-lease-file=%{_var}/lib/dhcpd/dhcpd.leases \
-    --with-srv6-lease-file=%{_var}/lib/dhcpd/dhcpd6.leases \
-    --with-cli-lease-file=%{_var}/lib/dhclient/dhclient.leases \
-    --with-cli6-lease-file=%{_var}/lib/dhclient/dhclient6.leases \
+    --with-srv-lease-file=%{var_dhcpd}/dhcpd.leases \
+    --with-srv6-lease-file=%{var_dhcpd}/dhcpd6.leases \
+    --with-cli-lease-file=%{var_dhclient}/dhclient.leases \
+    --with-cli6-lease-file=%{var_dhclient}/dhclient6.leases \
     --with-srv-pid-file=/run/dhcpd/dhcpd.pid \
     --with-srv6-pid-file=/run/dhcpd/dhcpd6.pid \
     --with-cli-pid-file=/run/dhclient/dhclient.pid \
     --with-cli6-pid-file=/run/dhclient/dhclient6.pid \
     --with-relay-pid-file=/run/dhcrelay/dhcrelay.pid \
-    --disable-static
-%make
+    --enable-paranoia \
+    --enable-early-chroot \
+    --with-ldap \
+    --with-ldapcrypto \
+    --with-ldap-gssapi
+make
 
 %install
 
 %makeinstall_std
 
-# Install correct dhclient-script
+install -m0644 %{SOURCE10} doc
+install -m0644 %{SOURCE100} ROSA-NEWS
 install -d %{buildroot}/sbin
 mv %{buildroot}%{_sbindir}/dhclient %{buildroot}/sbin/dhclient
 install -m 755 client/scripts/linux %{buildroot}/sbin/dhclient-script
@@ -203,11 +203,16 @@ install -d %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE12} %{buildroot}%{_unitdir}/dhcpd.service
 install -m 644 %{SOURCE14} %{buildroot}%{_unitdir}/dhcpd6.service
 install -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dhcrelay.service
+install -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/
 
 install -D -p -m 644 %{SOURCE17} %{buildroot}%{_tmpfilesdir}/dhcpd.conf
 install -D -p -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/dhclient.conf
 install -D -p -m 644 %{SOURCE19} %{buildroot}%{_tmpfilesdir}/dhcrelay.conf
 
+install -d %{buildroot}%{_sysusersdir}
+install -m 644 %{SOURCE20} %{buildroot}%{_sysusersdir}/
+#install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/
+
 install -m 755 %{SOURCE7} %{SOURCE8} %{buildroot}%{_sbindir}
 install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}
 install -m 755 contrib/ldap/dhcpd-conf-to-ldap %{buildroot}%{_sbindir}
@@ -223,7 +228,7 @@ cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd <<EOF
 # CONFIGFILE="/etc/dhcpd.conf"
 
 # Where to store the lease state information.
-# LEASEFILE="/var/lib/dhcpd/dhcpd.leases"
+# LEASEFILE="%{var_dhcpd}/dhcpd.leases"
 
 # Define INTERFACES to limit which network interfaces dhcpd listens on.
 # The default null value causes dhcpd to listen on all interfaces.
@@ -234,11 +239,6 @@ cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcpd <<EOF
 OPTIONS="-q"
 EOF
 
-install -d %{buildroot}%{_var}/lib/dhcpd
-touch %{buildroot}%{_var}/lib/dhcpd/dhcpd.leases
-install -d %{buildroot}%{_var}/lib/dhclient
-touch %{buildroot}%{_var}/lib/dhclient/dhclient.leases
-
 cat > %{buildroot}%{_sysconfdir}/sysconfig/dhcrelay <<EOF
 # Define SERVERS with a list of one or more DHCP servers where
 # DHCP packets are to be relayed to and from.  This is mandatory.
@@ -283,16 +283,14 @@ include %{_sysconfdir}/openldap/schema/dhcp.schema
 
 EOF
 
-%pre server
-%_pre_useradd dhcpd /dev/null /bin/false
-
 %post server
 %_post_service dhcpd
 %tmpfiles_create dhcpd.conf
-# New dhcpd lease file
-if [ ! -f %{_var}/lib/dhcpd/dhcpd.leases ]; then
-    touch %{_var}/lib/dhcpd/dhcpd.leases
-fi
+%sysusers_create isc-dhcpd.conf
+# migrate from root:root as it was before ROSA package v4.4.1
+# create this directory if it does not esist and then chmod it to allow dhcpd to work properly
+[ ! -d %{var_dhcpd}/ ] && mkdir -p %{var_dhcpd}/
+[ -d %{var_dhcpd} ] && chown -R isc-dhcpd:isc-dhcpd %{var_dhcpd}/
 
 %preun server
 %_preun_service dhcpd
@@ -305,14 +303,18 @@ fi
 %_preun_service dhcrelay
 
 %post client
-touch %{_var}/lib/dhclient/dhclient.leases
+# migrate from root:root as it was before ROSA package v4.4.1
+# create this directory if it does not esist and then chmod it to allow dhcpd to work properly
+[ ! -d %{var_dhclient}/ ] && mkdir -p %{var_dhclient}/
 %tmpfiles_create dhclient.conf
 
-%postun client
-rm -rf %{_var}/lib/dhclient/dhclient.leases
+%postun server
+# Migrate from dhcpd user created by scripts
+# to a dynamic user by systemd-sysusers
+%_postun_userdel dhcpd 2>&1 >/dev/null || true
 
 %files common
-%doc README contrib/ldap/README.ldap RELNOTES
+%doc README ROSA-NEWS contrib/ldap/README.ldap RELNOTES
 %doc contrib/3.0b1-lease-convert
 %{_mandir}/man5/dhcp-options.5*
 
@@ -338,8 +340,7 @@ rm -rf %{_var}/lib/dhclient/dhclient.leases
 %{_mandir}/man5/dhcpd.leases.5*
 %{_mandir}/man5/dhcp-eval.5*
 %{_mandir}/man8/dhcpd.8*
-%dir %{_var}/lib/dhcpd
-%config(noreplace) %ghost %{_var}/lib/dhcpd/dhcpd.leases
+%config %{_sysusersdir}/isc-dhcpd.conf
 
 %files relay
 %{_unitdir}/dhcrelay.service
@@ -352,13 +353,12 @@ rm -rf %{_var}/lib/dhclient/dhclient.leases
 %doc client/dhclient.conf.example
 %attr (0755,root,root) /sbin/dhclient-script
 %{_tmpfilesdir}/dhclient.conf
+%{_unitdir}/dhclient@.service
 /sbin/dhclient
 %{_mandir}/man5/dhclient.conf.5*
 %{_mandir}/man5/dhclient.leases.5*
 %{_mandir}/man8/dhclient.8*
 %{_mandir}/man8/dhclient-script.8*
-%dir %{_var}/lib/dhclient
-%config(noreplace) %ghost %{_var}/lib/dhclient/dhclient.leases
 
 %files devel
 %{_includedir}/*

dhcpd.service

@@ -1,13 +1,33 @@
 [Unit]
 Description=DHCPv4 Server Daemon
-After=syslog.target network.target ldap.service
+Documentation=man:dhcpd(8) man:dhcpd.conf(5)
+Wants=network-online.target
+# ldap.service: probably LDAP server starts first and dhcpd must start providing DHCP server only after LDAP has started to use LDAP for IP addresses (?)
+After=network-online.target time-sync.target ldap.service
 
 [Service]
 Environment=CONFIGFILE=/etc/dhcpd.conf LEASEFILE=/var/lib/dhcpd/dhcpd.leases
 EnvironmentFile=-/etc/sysconfig/dhcpd
 Type=forking
-PIDFile=/run/dhcpd/dhcpd.pid
 ExecStart=/usr/sbin/dhcpd -pf /run/dhcpd/dhcpd.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES
+PIDFile=/run/dhcpd/dhcpd.pid
+User=isc-dhcpd
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+# not ProtectSystem=full because we need a writable leases file in /var
+ProtectSystem=true
+ProtectHome=true
+KillSignal=SIGINT
+# We pull in network-online.target for a configured network connection.
+# However this is not guaranteed to be the network connection our
+# networks are configured for. So try to restart on failure with a delay
+# of two seconds. Rate limiting kicks in after 12 seconds.
+RestartSec=2s
+Restart=on-failure
+StartLimitInterval=12s
 
 [Install]
 WantedBy=multi-user.target
+
+# This unit file in based on ROSA's unit file and Arch's
+# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp

dhcpd.tmpfiles

@@ -1 +1 @@
-d /run/dhcpd 755 root root
+d /run/dhcpd 755 isc-dhcpd isc-dhcpd

dhcpd6.service

@@ -1,13 +1,33 @@
 [Unit]
-Description=DHCPv6 Server Daemon
-After=syslog.target network.target
+Description=DHCPv4 Server Daemon
+Documentation=man:dhcpd(8) man:dhcpd.conf(5)
+Wants=network-online.target
+# ldap.service: probably LDAP server starts first and dhcpd must start providing DHCP server only after LDAP has started to use LDAP for IP addresses (?)
+After=network-online.target time-sync.target ldap.service
 
 [Service]
-Environment=CONFIGFILE=/etc/dhcpd6.conf LEASEFILE=/var/lib/dhcp/dhcpd6.leases
-EnvironmentFile=-/etc/sysconfig/dhcpd6
+Environment=CONFIGFILE=/etc/dhcpd6.conf LEASEFILE=/var/lib/dhcpd/dhcpd6.leases
+EnvironmentFile=-/etc/sysconfig/dhcpd
 Type=forking
-PIDFile=/var/run/dhcpd6.pid
-ExecStart=/usr/sbin/dhcpd -6 -pf /var/run/dhcpd6.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES
+ExecStart=/usr/sbin/dhcpd -6 -pf /run/dhcpd/dhcpd6.pid -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES
+PIDFile=/run/dhcpd/dhcpd6.pid
+User=isc-dhcpd
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+# not ProtectSystem=full because we need a writable leases file in /var
+ProtectSystem=true
+ProtectHome=true
+KillSignal=SIGINT
+# We pull in network-online.target for a configured network connection.
+# However this is not guaranteed to be the network connection our
+# networks are configured for. So try to restart on failure with a delay
+# of two seconds. Rate limiting kicks in after 12 seconds.
+RestartSec=2s
+Restart=on-failure
+StartLimitInterval=12s
 
 [Install]
 WantedBy=multi-user.target
+
+# This unit file in based on ROSA's unit file and Arch's
+# https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/dhcp

isc-dhcp-client.conf

@@ -0,0 +1,4 @@
+# The shell is /sbin/nologin
+u isc-dhcp-client - "ISC DHCP client user" /
+g isc-dhcp-client - "ISC DHCP client group"
+m isc-dhcp-client isc-dhcp-client

isc-dhcpd.conf

@@ -0,0 +1,4 @@
+# The shell is /sbin/nologin
+u isc-dhcpd - "ISC DHCP daemon user" /
+g isc-dhcpd - "ISC DHCP daemon group"
+m isc-dhcpd isc-dhcpd