[Maas-devel] dhcpd apparmor setup

Scott Moser smoser at ubuntu.com
Tue Sep 11 15:06:33 UTC 2012


On Mon, 10 Sep 2012, Jeroen Vermeulen wrote:

> Hi Scott (and list, for the sake of transparent habits):
>
> Last week we discussed how we should run our own instance of dhcpd, so that we
> can easily configure things like which interfaces to listen on.  It requires
> an extension to the apparmor profile for isc-dhcp-server.  This email aims to
> set out how I wanted to do that.
>
> Conclusions from Friday were:
>  * We'll splice into /etc/apparmor.d/local/usr.sbin.dhcpd.

I just spoke with jdstrand in #ubuntu-server on this, and he suggested we
should SRU a change to isc-dhcp-server to have
'#include <isc-dhcpd.d>' in its /etc/apparmor.d/usr.sbin.dhcpd and create
that directory on installation.

Then, maas will just drop its file in there on packaging installation.
We can then keep the same path in both precise and quantal.

I just opened bug
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1049177 to track
that work.

>  * It will #include a config snippet we provide.
>  * Uninstall must undo that, or the profile may break.

The above makes this easier, turning removal into just:
 rm -f /etc/apparmor.d/isc-dhcp.d/maas

>  * This work belongs in packaging.
>  * No standard tools help us do the splicing.
>
> I just extended the maas-provision command with a "customize-config" command:
> it lets you append a custom section to a config file, or replace an existing
> custom section if present.  We can use that to patch the local apparmor
> profile.
>
> My understanding is that maas-dhcp would be the right package to do that in --
> is that correct?
>
> Some locations I had in mind that, if used, the apparmor profile extension
> would have to give access to:
>  - /etc/maas/dhcpd.conf [r]
>  - /var/lib/maas/dhcpd.leases [rw]
>  - [/var]/run/maas-dhcp-server/ [rw]

These look reasonable and follow what eucalyptus has, so looks fine to me.

> Does that sound about right?  We'll need to have an installed snippet that
> grants these permissions, presumably in /etc/maas somewhere. Scott, would it
> be possible for you to provide the snippet, have it installed, and patch the
> local apparmor profile to #include the snippet?  I already have an upstart
> script and I can make the python-side changes to run a customized dhcpd
> instance.

snippet?
Sorry for the slow reply.
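The append-or-replace splice described in the quoted message, together with the undo step that uninstall needs, as an added Python example. It is not the maas-provision customize-config code: the marker lines and function names are assumptions, and the profile text used to exercise it is constructed.

```python
# Added illustration: idempotent splice/unsplice of one managed section in a
# local AppArmor profile file. Marker text is hypothetical; both markers start
# with "# " so the AppArmor parser reads them as comments.
BEGIN = "# BEGIN maas-managed section (hypothetical marker)"
END = "# END maas-managed section (hypothetical marker)"


def _split(text):
    """Return (lines before the section, lines after it).

    Refuses to touch a file whose markers are unbalanced, duplicated or out
    of order: a half-edited profile fails to load and takes dhcpd's
    confinement with it.
    """
    lines = text.splitlines()
    begins, ends = lines.count(BEGIN), lines.count(END)
    if (begins, ends) == (0, 0):
        return lines, []
    if (begins, ends) != (1, 1) or lines.index(BEGIN) > lines.index(END):
        raise ValueError("damaged managed section; refusing to edit")
    return lines[:lines.index(BEGIN)], lines[lines.index(END) + 1:]


def splice(text, custom):
    """Append the managed section, or replace it in place if already present."""
    before, after = _split(text)
    section = [BEGIN] + custom.strip("\n").splitlines() + [END]
    return "\n".join(before + section + after) + "\n"


def unsplice(text):
    """Remove the managed section, leaving every other line untouched."""
    before, after = _split(text)
    remaining = before + after
    return "\n".join(remaining) + "\n" if remaining else ""


if __name__ == "__main__":
    # Constructed sample of a local profile with an unrelated admin rule.
    local = "# site additions (constructed sample)\n/srv/tftp/** r,\n"
    rules = "/etc/maas/dhcpd.conf r,\n/var/lib/maas/dhcpd.leases rw,"
    installed = splice(local, rules)
    print(installed, end="")
    print(unsplice(installed) == local)
```

Re-running `splice` on upgrade leaves exactly one section, and `unsplice` restores the administrator's file unchanged, which is the property the "uninstall must undo that" point depends on.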



