maas-devel team mailing list archive

dhcpd apparmor setup

Hi Scott (and list, for the sake of transparent habits):

Last week we discussed how we should run our own instance of dhcpd, so that we can easily configure things like which interfaces to listen on. It requires an extension to the apparmor profile for isc-dhcp-server. This email aims to set out how I wanted to do that.

Conclusions from Friday were:
 * We'll splice into /etc/apparmor.d/local/usr.sbin.dhcpd.
 * It will #include a config snippet we provide.
 * Uninstall must undo that, or the profile may break.
 * This work belongs in packaging.
 * No standard tools help us do the splicing.

I just extended the maas-provision command with a "customize-config" command: it lets you append a custom section to a config file, or replace an existing custom section if present. We can use that to patch the local apparmor profile.

My understanding is that maas-dhcp would be the right package to do that in -- is that correct?

Some locations I had in mind that, if used, the apparmor profile extension would have to give access to:
 - /etc/maas/dhcpd.conf [r]
 - /var/lib/maas/dhcpd.leases [rw]
 - [/var]/run/maas-dhcp-server/ [rw]

Does that sound about right? We'll need to have an installed snippet that grants these permissions, presumably in /etc/maas somewhere. Scott, would it be possible for you to provide the snippet, have it installed, and patch the local apparmor profile to #include the snippet? I already have an upstart script and I can make the python-side changes to run a customized dhcpd instance.


Jeroen
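
The splice-and-undo behaviour discussed in this message (append a marked custom section, replace it if already present, remove it again on uninstall), as an added example that is not part of the original email and not the maas-provision implementation. The marker strings and the snippet path are hypothetical placeholders; the email names neither.

```python
import re

# Hypothetical markers and snippet path: assumptions, not MAAS's real values.
BEGIN = "## Begin MAAS dhcpd section (added example marker)"
END = "## End MAAS dhcpd section"
INCLUDE_LINE = '#include "/etc/maas/PLACEHOLDER-dhcpd-apparmor-snippet"'

_SECTION = re.compile(
    r"^%s\n.*?^%s\n?" % (re.escape(BEGIN), re.escape(END)),
    re.DOTALL | re.MULTILINE,
)


def splice(text, body):
    """Return text with exactly one marked section containing body."""
    section = "%s\n%s\n%s\n" % (BEGIN, body.rstrip("\n"), END)
    if _SECTION.search(text):
        # Replace in place so repeated installs and upgrades stay idempotent.
        return _SECTION.sub(lambda m: section, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"  # never glue the marker onto the admin's last line
    return text + section


def unsplice(text):
    """Remove the marked section; the admin's own local rules are untouched."""
    return _SECTION.sub("", text)


def rewrite(path, transform):
    """Apply transform to the file at path; a missing file counts as empty."""
    try:
        with open(path) as f:
            original = f.read()
    except FileNotFoundError:
        original = ""
    updated = transform(original)
    if updated != original:
        with open(path, "w") as f:
            f.write(updated)
    return updated
```

Install would call `rewrite("/etc/apparmor.d/local/usr.sbin.dhcpd", lambda t: splice(t, INCLUDE_LINE))` and uninstall would call it with `unsplice` before the snippet file is deleted, since a leftover `#include` of a missing file is what breaks the profile. Either change only takes effect once the profile is reloaded, for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.dhcpd`.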
