"Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied --" error on a DHCP server

Over the past two days I have been trying to move the DHCP server's IP lease file onto the Dell MD3000 storage mounted by two other machines that run Veritas Cluster. The two approaches I thought of first were: (1) edit the daemon start section of /etc/rc.d/init.d/dhcpd and add the option -lf /path-of-leases-file (for example /NFSDB/dhcp/dhcpd.leases); (2) mount the remote /DB/dhcp directly onto /var/lib/dhcp on the DHCP server. To my surprise, with either method dhcpd on the DHCP server would not start.

The example below mounts /DB from the remote KHXDB server (the Veritas cluster VIP) onto /NFSDB on the DHCP server, then mounts /NFSDB/dhcp onto /var/lib/dhcp:
[root@KHXDHCPS1 ~]# mount -o bind /NFSDB/dhcp /var/lib/dhcp
[root@KHXDHCPS1 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 4.0G 1.8G 2.1G 46% /
/dev/sda1 1012M 40M 921M 5% /boot
none 4.0G 0 4.0G 0% /dev/shm
/dev/sda3 4.0G 41M 3.7G 2% /inactive_root
/dev/sda6 21G 77M 19G 1% /others

KHXDB:/DB 537G 105M 510G 1% /NFSDB
/NFSDB/dhcp 537G 105M 510G 1% /var/lib/dhcp
At this point the original /var/lib/dhcp/dhcpd.leases already points to KHXDB:/DB/dhcp/dhcpd.leases.
Then, on restarting the dhcpd service, the error "Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied --" appeared:
[root@KHXDHCPS1 ~]# service dhcpd start
Starting dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied --
check for failed database rewrite attempt!
Please read the dhcpd.leases manual page if you
don't know what to do about this.

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.
[FAILED]
Yet when I turned on debug mode and ran dhcpd in the foreground, everything worked fine:
[root@KHXDHCPS1 ~]# /usr/sbin/dhcpd -d -f eth0 -lf /var/lib/dhcp/dhcpd.leases
Internet Systems Consortium DHCP Server V3.0.1
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 0 leases to leases file.
Listening on LPF/eth0/00:1e:c9:ad:55:bf/0/0
Sending on LPF/eth0/00:1e:c9:ad:55:bf/0/0
Sending on Socket/fallback/fallback-net
After several tests I finally found that changing the path of the IP lease file (for example to /NFSDB/dhcp/dhcpd.leases), or having that path go through a mount, would always make service dhcpd start fail. After much trouble I discovered that this DHCP server had been installed from the company's customised OS build (RHEL ES4 U6 on a single CD) and, crucially, that it had SELinux enabled... I was speechless. On the RHEL systems I installed myself I habitually disabled SELinux, so this time I never thought to look in that direction. The next step, then, was to go in and change the settings:

Here I went straight into the X GUI, opened Security Level Configuration, and under the SELinux tab set the dhcp part to be left unconfined. First:
Next, expand SELinux Service Protection under Modify SELinux Policy, tick the first item, Disable SELinux protection for dhcpd daemon, and click OK.
Of course, turning off SELinux entirely is also an option, but here I went with the first approach.
After the change, the dhcpd service starts successfully with service dhcpd start:
[root@KHXDHCPS1 ~]# service dhcpd restart
Shutting down dhcpd: [ OK ]
Starting dhcpd: [ OK ]
[root@KHXDHCPS1 ~]#
[root@KHXDHCPS1 ~]# ps -aef |grep dhcp
root 21218 1 0 21:08 ? 00:00:00 /usr/sbin/dhcpd eth0
root 21223 20605 0 21:08 pts/0 00:00:00 grep dhcp

Checking the new IP lease file shows that new lease records are indeed being written to it:
[root@KHXDHCPS1 ~]# cat /var/lib/dhcp/dhcpd.leases
# All times in this file are in UTC (GMT), not your local timezone. This is
# not a bug, so please don't ask about it. There is no portable way to
# store leases in the local timezone, so please don't request this as a
# feature. If this is inconvenient or confusing to you, we sincerely
# apologize. Seriously, though - don't ask.
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-V3.0.1


lease 10.69.100.244 {
starts 2 2008/07/08 13:02:25;
ends 2 2008/07/08 19:02:25;
binding state active;
next binding state free;
hardware ethernet 00:17:c4:12:77:65;
uid "\001\000\027\304\022we";
client-hostname "WiMAX-demoXX";
}
A side note: you can use ls -Z to inspect the attributes of the /var/lib/dhcp directory; it shows the SELinux part of the permissions.
The first part below is before the SELinux change:
[root@KHXDHCPS1 ~]# ls -alZ /var/lib/
drwxr-xr-x root root system_u:object_r:var_lib_t .
drwxr-xr-x root root system_u:object_r:var_t ..
drwxr-xr-x root root system_u:object_r:rpm_var_lib_t alternatives
drwxr-xr-x root root system_u:object_r:var_lib_t cs
drwx------ apache apache system_u:object_r:var_lib_t dav
drwxr-xr-x root root system_u:object_r:dhcp_state_t dhcp
drwxr-x--- root root system_u:object_r:var_lib_t dhcpv6
drwxr-xr-x root root system_u:object_r:var_lib_t games
-rw-r--r-- root root system_u:object_r:var_lib_t logrotate.status
drwxr-xr-x root root system_u:object_r:var_lib_t misc
drwxr-xr-x root root system_u:object_r:var_lib_nfs_t nfs
drwxr-xr-x ntp ntp system_u:object_r:ntp_drift_t ntp
drwxr-xr-x root root system_u:object_r:var_lib_t pcmcia
-rw------- root root user_u:object_r:var_lib_t random-seed
drwxr-xr-x rpm rpm system_u:object_r:rpm_var_lib_t rpm
drwxr-xr-x root root user_u:object_r:var_lib_t scrollkeeper
drwxr-x--- root slocate system_u:object_r:var_lib_t slocate
-rw-r--r-- root root system_u:object_r:var_lib_t supportinfo
drwxr-xr-x root root system_u:object_r:var_lib_t up2date
drwxr-xr-x root root system_u:object_r:var_lib_t xkb
The part below is after the SELinux change, with the remote machine's directory mounted. You can see that the SELinux part of the permissions on /var/lib/dhcp has changed, which is why dhcpd kept failing to start before SELinux was modified:
[root@KHXDHCPS1 ~]# ls -alZ /var/lib/
drwxr-xr-x root root system_u:object_r:var_lib_t .
drwxr-xr-x root root system_u:object_r:var_t ..
drwxr-xr-x root root system_u:object_r:rpm_var_lib_t alternatives
drwxr-xr-x root root system_u:object_r:var_lib_t cs
drwx------ apache apache system_u:object_r:var_lib_t dav
drwxr-xr-x root root dhcp
drwxr-x--- root root system_u:object_r:var_lib_t dhcpv6
drwxr-xr-x root root system_u:object_r:var_lib_t games
-rw-r--r-- root root system_u:object_r:var_lib_t logrotate.status
drwxr-xr-x root root system_u:object_r:var_lib_t misc
drwxr-xr-x root root system_u:object_r:var_lib_nfs_t nfs
drwxr-xr-x ntp ntp system_u:object_r:ntp_drift_t ntp
drwxr-xr-x root root system_u:object_r:var_lib_t pcmcia
-rw------- root root user_u:object_r:var_lib_t random-seed
drwxr-xr-x rpm rpm system_u:object_r:rpm_var_lib_t rpm
drwxr-xr-x root root user_u:object_r:var_lib_t scrollkeeper
drwxr-x--- root slocate system_u:object_r:var_lib_t slocate
-rw-r--r-- root root system_u:object_r:var_lib_t supportinfo
drwxr-xr-x root root system_u:object_r:var_lib_t up2date
drwxr-xr-x root root system_u:object_r:var_lib_t xkb
The next part is the state after unmounting the remote mount point:
[root@KHXDHCPS1 ~]# umount /var/lib/dhcp
[root@KHXDHCPS1 ~]# ls -alZ /var/lib/
drwxr-xr-x root root system_u:object_r:var_lib_t .
drwxr-xr-x root root system_u:object_r:var_t ..
drwxr-xr-x root root system_u:object_r:rpm_var_lib_t alternatives
drwxr-xr-x root root system_u:object_r:var_lib_t cs
drwx------ apache apache system_u:object_r:var_lib_t dav
drwxr-xr-x root root root:object_r:var_lib_t dhcp
drwxr-x--- root root system_u:object_r:var_lib_t dhcpv6
drwxr-xr-x root root system_u:object_r:var_lib_t games
-rw-r--r-- root root system_u:object_r:var_lib_t logrotate.status
drwxr-xr-x root root system_u:object_r:var_lib_t misc
drwxr-xr-x root root system_u:object_r:var_lib_nfs_t nfs
drwxr-xr-x ntp ntp system_u:object_r:ntp_drift_t ntp
drwxr-xr-x root root system_u:object_r:var_lib_t pcmcia
-rw------- root root user_u:object_r:var_lib_t random-seed
drwxr-xr-x rpm rpm system_u:object_r:rpm_var_lib_t rpm
drwxr-xr-x root root user_u:object_r:var_lib_t scrollkeeper
drwxr-x--- root slocate system_u:object_r:var_lib_t slocate
-rw-r--r-- root root system_u:object_r:var_lib_t supportinfo
drwxr-xr-x root root system_u:object_r:var_lib_t up2date
drwxr-xr-x root root system_u:object_r:var_lib_t xkb
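The three ls -alZ listings above are exactly what the confined daemon is judged against: started from the init script, dhcpd runs in the dhcpd_t domain and may write only dhcp_state_t, whereas a daemon started by hand from a root shell runs unconfined, which is why only service dhcpd start failed. As an added example, not part of the original post, the shell below parses such listings and gives the verdict for the dhcp entry; it runs on constructed copies of the post's own lines and assumes the RHEL4 targeted policy's dhcp_state_t type.

```shell
#!/bin/sh
# Added example (not from the original post): classify the SELinux type that
# `ls -alZ /var/lib/` shows for the dhcp directory, using constructed copies of
# the post's three listings as input, so it runs without an SELinux host.
#
# RHEL4 `ls -Z` prints 5 fields (mode user group context name); an entry on an
# unlabelled mount prints only 4 (mode user group name).

# ls_z_type LISTING ENTRY: print the SELinux type of ENTRY, or "unlabeled".
ls_z_type() {
    printf '%s\n' "$1" | awk -v e="$2" '
        $NF == e {
            if (NF == 5) { split($4, c, ":"); print c[3] } else print "unlabeled"
            exit
        }'
}

# check_dhcp_dir LISTING: verdict for /var/lib/dhcp. The confined dhcpd_t domain
# may write only dhcp_state_t (assumed from the RHEL4 targeted policy); anything
# else is the "Permission denied" the init script produced in the post.
check_dhcp_dir() {
    t=$(ls_z_type "$1" dhcp)
    case "$t" in
        dhcp_state_t) echo "ok: dhcp_state_t" ;;
        unlabeled)    echo "deny: mount carries no SELinux label" ;;
        "")           echo "error: no dhcp entry in listing" ;;
        *)            echo "deny: wrong type $t" ;;
    esac
}

# Constructed from the post: before the mount, with the NFS bind mount, after umount.
BEFORE='drwxr-xr-x root root system_u:object_r:var_lib_t .
drwxr-xr-x root root system_u:object_r:dhcp_state_t dhcp
drwxr-x--- root root system_u:object_r:var_lib_t dhcpv6'
MOUNTED='drwxr-xr-x root root system_u:object_r:var_lib_t .
drwxr-xr-x root root dhcp
drwxr-x--- root root system_u:object_r:var_lib_t dhcpv6'
UNMOUNTED='drwxr-xr-x root root system_u:object_r:var_lib_t .
drwxr-xr-x root root root:object_r:var_lib_t dhcp
drwxr-x--- root root system_u:object_r:var_lib_t dhcpv6'

for l in "$BEFORE" "$MOUNTED" "$UNMOUNTED"; do check_dhcp_dir "$l"; done
```

A narrower fix than unticking protection for the whole daemon is to keep dhcpd confined and give the NFS mount the expected label with the mount option context=system_u:object_r:dhcp_state_t, since an NFS filesystem carries no label of its own.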
One more note: the timestamps in /var/lib/dhcp/dhcpd.leases are in GMT, so they differ from the system's local time; this is normal.