Kea DHCP Workshop @ Heise, November 2025
1 Website
- Course materials and slides: https://heise.dane.onl
2 Agenda
- Welcome
- A short DHCP primer
- Introduction to Kea DHCP
- Hands-on: Kea DHCP basic configuration
- Hands-on: API and dynamic configuration
- Kea lease allocation
- Hands-on: multiple subnets
- Hands-on: DHCP reservations
- Kea high availability
- Hands-on: Kea DHCP hot-standby cluster
- Kea and databases
- Hands-on: Kea DHCP with a PostgreSQL database
- Kea logging and monitoring
- DHCPv6 and Kea
- Migration from ISC DHCP to Kea DHCP
3 PDF versions of the slides and exercises
4 Kea DHCP introduction
4.1 LAB01 - ISC Kea DHCP basic configuration
4.1.1 Network plan
4.1.2 Setting up the workshop server for exercise 1
- Start a root shell (password kea-dhcp)
[host]$ sudo -i
- Change into the directory /root/lab/lab01
[host]% cd /root/lab/lab01
- Run the ./run shell script to start the containers client and kea-server (the script first tries to stop old containers; if these are not running [yet], error messages are printed, which can be ignored in this case)
- Check with the running command that the containers were started successfully
[host]% running kea-server client
4.1.3 A simple Kea DHCPv4 server configuration
- Switch into the Kea DHCP server container
[host]% enter kea-server
- Create a Kea DHCPv4 configuration file
/etc/kea/kea-dhcp4.conf
{
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "server-eth0" ],
"dhcp-socket-type": "raw"
},
"control-socket": {
"socket-type": "unix",
"socket-name": "kea-dhcp4.socket"
},
"lease-database": {
"type": "memfile",
"lfc-interval": 3600
},
"renew-timer": 900,
"rebind-timer": 1800,
"valid-lifetime": 3600,
"subnet4": [
{
"subnet": "192.0.2.0/24",
"id": "1",
"pools": [ { "pool": "192.0.2.100 - 192.0.2.200" } ],
"option-data": [
{
"name": "routers",
"data": "192.0.2.1"
}
]
}
]},
"loggers": [
{
"name": "kea-dhcp4",
"output_options": [
{
"output": "/var/log/kea/kea-dhcp4.log"
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}
- Check the new configuration file for errors. The template above contains two errors.
% kea-dhcp4 -t /etc/kea/kea-dhcp4.conf
Syntax check failed with: /etc/kea/kea-dhcp4.conf:29.7: syntax error, unexpected ",", expecting }
- Find and correct the error, then check the configuration again
- Solution: at ]}, before loggers there is an extra }, which must be removed so that ], remains there. The subnet ID is a numeric value, not a string, and therefore must not be enclosed in quotes.
- Example of a successful test of the configuration file
% kea-dhcp4 -t /etc/kea/kea-dhcp4.conf
2025-04-01 10:31:54.260 INFO [kea-dhcp4.hosts/183.139887242189504] HOSTS_BACKENDS_REGISTERED the following host backend types are available: mysql postgresql
2025-04-01 10:31:54.273 WARN [kea-dhcp4.dhcpsrv/183.139887242189504] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
2025-04-01 10:31:54.275 WARN [kea-dhcp4.dhcp4/183.139887242189504] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2025-04-01 10:31:54.287 INFO [kea-dhcp4.dhcpsrv/183.139887242189504] DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to configuration: 192.0.2.0/24 with params: t1=900, t2=1800, valid-lifetime=3600
2025-04-01 10:31:54.299 INFO [kea-dhcp4.dhcpsrv/183.139887242189504] DHCPSRV_CFGMGR_SOCKET_TYPE_SELECT using socket type raw
2025-04-01 10:31:54.300 INFO [kea-dhcp4.dhcpsrv/183.139887242189504] DHCPSRV_CFGMGR_SOCKET_TYPE_SELECT using socket type raw
2025-04-01 10:31:54.304 INFO [kea-dhcp4.dhcpsrv/183.139887242189504] DHCPSRV_CFGMGR_ADD_IFACE listening on interface server-eth0
- Start the Kea DHCPv4 server via systemd
% systemctl start kea-dhcp4
- Check the status of the service
% systemctl status kea-dhcp4
● kea-dhcp4.service - Kea DHCPv4 Server
Loaded: loaded (/usr/lib/systemd/system/kea-dhcp4.service; disabled; preset: disabled)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf, 50-keep-warm.conf
Active: active (running) since Tue 2025-04-01 10:34:29 UTC; 10s ago
Invocation: 3a86492b55794c98876ba33718e9d3c3
Docs: man:kea-dhcp4(8)
Main PID: 194 (kea-dhcp4)
Tasks: 6 (limit: 307)
Memory: 2.8M (peak: 2.9M)
CPU: 49ms
CGroup: /system.slice/kea-dhcp4.service
└─194 /usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
Apr 01 10:34:29 320a0c22ba80 systemd[1]: Started kea-dhcp4.service - Kea DHCPv4 Server.
Apr 01 10:34:29 320a0c22ba80 kea-dhcp4[194]: 2025-04-01 10:34:29.768 INFO [kea-dhcp4.dhcp4/194.140439869610688] DHCP4_STARTING Kea DHCPv4 server version 2.6.1 (stable) starting
Apr 01 10:34:29 320a0c22ba80 kea-dhcp4[194]: 2025-04-01 10:34:29.770 INFO [kea-dhcp4.commands/194.140439869610688] COMMAND_RECEIVED Received command 'config-set'
4.1.4 DHCP client
- Use another terminal on the server (via tmux or another browser tab)
- Switch into the client container
% enter client
- The network interface client-eth0 has no IP configuration
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
10: client-eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether fa:34:f8:0e:a4:ff brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::f834:f8ff:fe0e:a4ff/64 scope link
valid_lft forever preferred_lft forever
- Start the DHCP client manually
[client]% dhclient -v client-eth0
Internet Systems Consortium DHCP Client 4.4.2b1
Copyright 2004-2019 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/client-eth0/72:28:b2:66:0d:f5
Sending on LPF/client-eth0/72:28:b2:66:0d:f5
Sending on Socket/fallback
DHCPDISCOVER on client-eth0 to 255.255.255.255 port 67 interval 3 (xid=0xb1f0b267)
DHCPOFFER of 192.0.2.100 from 192.0.2.1
DHCPREQUEST for 192.0.2.100 on client-eth0 to 255.255.255.255 port 67 (xid=0xb1f0b267)
DHCPACK of 192.0.2.100 from 192.0.2.1 (xid=0xb1f0b267)
bound to 192.0.2.100 -- renewal in 847 seconds.
- A lease file was created on the Kea DHCP server
[kea-server]% cat /var/lib/kea/kea-leases4.csv
address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state
192.0.2.100,9e:81:8f:31:62:85,ff:8f:31:62:85:00:04:22:6c:05:90:05:96:45:33:8d:ab:47:f1:1b:bf:66:0a,3600,1544097000,1,0,0,,0
4.2 Kea DHCP server REST API and dynamic reconfiguration
4.2.1 Configuring the Kea Control Agent
- The socket for communication with the Kea Control Agent is defined in the Kea server configuration file. Make sure the socket definition for the DHCPv4 server looks like this:
{
"Dhcp4": {
"control-socket": {
"socket-type": "unix",
"socket-name": "kea-dhcp4.socket"
},
"valid-lifetime": 3600,
[...]
- Test the configuration and restart the service
[kea-server]% kea-dhcp4 -t /etc/kea/kea-dhcp4.conf
[kea-server]% systemctl restart kea-dhcp4
- Create a configuration file for the Kea Control Agent in the Kea DHCP server container at /etc/kea/kea-ctrl-agent.conf. This configuration makes the Kea Control Agent listen for HTTP REST API requests on the IPv6 loopback address, port 9099:
{
"Control-agent": {
"http-host": "::1",
"http-port": 9099,
"control-sockets": {
"dhcp4": {
"socket-type": "unix",
"socket-name": "kea-dhcp4.socket"
}
},
"loggers": [
{
"name": "kea-ctrl-agent",
"severity": "INFO",
"output_options": [
{
"output": "/var/log/kea/kea-ctrl-agent.log"
}
]
}
]
}
}
- Test the configuration for errors
[kea-server]% kea-ctrl-agent -t /etc/kea/kea-ctrl-agent.conf
- Start the Kea Control Agent
[kea-server]% systemctl start kea-ctrl-agent
[kea-server]% systemctl status kea-ctrl-agent
● kea-ctrl-agent.service - Kea Control Agent
Loaded: loaded (/etc/systemd/system/kea-ctrl-agent.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2018-12-09 21:33:12 UTC; 1s ago
Docs: man:kea-ctrl-agent(8)
Main PID: 361 (kea-ctrl-agent)
Tasks: 1 (limit: 1144)
Memory: 1.8M
CGroup: /machine.slice/libpod-5c5b9d031716ba7b04e2726f7c6f7ef48cdd95d4bbac8c51e7fb591fb7c900c1.scope/system.slice/kea-ctrl-agent.service
└─361 /usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
Dec 09 21:33:12 5c5b9d031716 systemd[1]: Started Kea Control Agent.
Dec 09 21:33:12 5c5b9d031716 kea-ctrl-agent[361]: 2018-12-09 21:33:12.528 INFO [kea-ctrl-agent.dctl/361] DCTL_STARTING Control-agent starting, pid: 361, version: 1.3.0
Dec 09 21:33:12 5c5b9d031716 kea-ctrl-agent[361]: 2018-12-09 21:33:12.531 INFO [kea-ctrl-agent.ctrl-agent/361] CTRL_AGENT_HTTP_SERVICE_STARTED HTTP service bound to address ::1:90>
Dec 09 21:33:12 5c5b9d031716 kea-ctrl-agent[361]: 2018-12-09 21:33:12.531 INFO [kea-ctrl-agent.dctl/361] DCTL_CONFIG_COMPLETE server has completed configuration: listening on ::1,>
- API commands can be tested with curl. In the following example the config-get command is sent to the DHCPv4 server:
[kea-server]% curl --json '{ "command": "config-get", "service": [ "dhcp4" ] }' http://[::1]:9099/
- The output is unformatted JSON. It can be pretty-printed with the jq program
[kea-server]% curl --no-progress-meter --json '{ "command": "config-get", "service": [ "dhcp4" ] }' \
http://[::1]:9099/ | jq .
- jq can also be used to filter parts of the JSON output. Together with config-get, the jq filter ".[0].arguments" extracts a part of the Kea configuration file:
[kea-server]% curl --no-progress-meter -s --json '{ "command": "config-get", "service": [ "dhcp4" ] }' \
http://[::1]:9099/ | jq ".[0].arguments.Dhcp4.loggers"
[
{
"debuglevel": 0,
"name": "kea-dhcp4",
"output_options": [
{
"output": "/var/log/kea/kea-dhcp4.log"
}
],
"severity": "INFO"
}
]
- The API command list-commands returns all API commands of a Kea module
[kea-server]% curl --no-progress-meter --json \
'{ "command": "list-commands", "service": [ "dhcp4" ] }' \
http://[::1]:9099/ | jq
4.2.2 Dynamic changes to the Kea DHCP configuration
- Copy the Kea DHCP configuration over the network into the file kea-dhcp4.tmp
[kea-server]% curl --no-progress-meter -s \
--json '{ "command": "config-get", "service": [ "dhcp4" ] }' \
http://[::1]:9099/ | jq ".[0]" > kea-dhcp4.tmp
- Edit the file: add the command and service information and remove the result and hash structures at the end of the file. Then change the DHCP server configuration by adding a "user-context" at the global level:
{
"command": "config-set",
"service": [ "dhcp4" ],
"arguments": {
"Dhcp4": {
"user-context": {
"Kommentar": "Dies ist ein Kommentar im User-Context",
"comment": "/user-context/ Blöcke können beliebige JSON Strukturen beinhalten",
"Kommentti": "Die User-Context Blöcke werden vom Kea-Parser geladen, aber von Kea-Server nicht beachtet"
},
"authoritative": false,
"boot-file-name": "",
"calculate-tee-times": false,
[...]
- Send the new configuration to the server
[kea-server]% curl --no-progress-meter -s -X POST \
  -H "Content-Type: application/json" \
  -d @kea-dhcp4.tmp http://[::1]:9099/ | jq
- The successful response from the server
[
{
"arguments": {
"hash": "E919FB6D9AD2F3732843474B49DCD6552833EA96C85FD5BF3A34E1B8CFC6922D"
},
"result": 0,
"text": "Configuration successful."
}
]
- All dynamic changes are made in the server's main memory. To store these changes permanently, the server's current configuration must be written back to a configuration file (Caution! All comments, as well as the formatting and ordering of the configuration, are lost)
[kea-server]% curl --no-progress-meter -s -X POST -H "Content-Type: application/json" \
  -d '{ "command": "config-write", "arguments": { "filename": "/etc/kea/kea-dhcp4-new.json" }, "service": [ "dhcp4" ] }' \
  http://[::1]:9099/ | jq
- If the Kea DHCPv4 server cannot write the file:
  - Is the directory /etc/kea writable for the user kea?
  - Does the file /etc/kea/kea-dhcp4.conf belong to the user kea?
  - Solution:
# chmod -R u+rw /etc/kea
# chown -R kea /etc/kea
- Successful confirmation from the server
[
{
"arguments": {
"filename": "/etc/kea/kea-dhcp4-new.json",
"size": 3248
},
"result": 0,
"text": "Configuration written to /etc/kea/kea-dhcp4-new.json successful"
}
]
- Kea-Cookbook: How to add a new subnet via the REST API https://kea-cookbook.de/post/2025/03/20/how-to-add-a-new-subnet-via-the-rest-api/
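The four manual steps of this section (config-get, edit the reply, config-set, config-write) as one scripted round trip. This Python is an added example, not workshop or Kea code; it assumes the control agent on http://[::1]:9099/ and the service name dhcp4 from the configuration above, and includes a constructed fake agent so the flow can be run and checked without a live server.

```python
"""Kea Control Agent round trip: config-get -> edit -> config-set -> config-write.

Added example, not from the workshop or from Kea. It automates the manual steps
of this section against the control agent configured above
(http://[::1]:9099/, service "dhcp4"). A fake agent is included so the flow can
be exercised without a server.
"""
import json
import urllib.request

KEA_CA_URL = "http://[::1]:9099/"


def http_transport(url, payload):
    """POST one JSON command to the control agent and return the parsed reply."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def kea_command(command, service, arguments=None, url=KEA_CA_URL, transport=http_transport):
    """Send a command and return its "arguments"; raise when "result" is not 0."""
    payload = {"command": command, "service": [service]}
    if arguments is not None:
        payload["arguments"] = arguments
    reply = transport(url, payload)[0]       # one reply object per service asked for
    if reply.get("result") != 0:
        raise RuntimeError(f"{command} failed: {reply.get('text')}")
    return reply.get("arguments", {})


def config_get_to_config_set(config_get_arguments, user_context):
    """Build the config-set command the lab writes by hand into kea-dhcp4.tmp.

    Only the Dhcp4 map is carried over (result, text and hash are dropped),
    command and service are added, and the user-context goes in at the global
    Dhcp4 level.
    """
    dhcp4 = dict(config_get_arguments["Dhcp4"])
    dhcp4["user-context"] = user_context
    return {"command": "config-set", "service": ["dhcp4"], "arguments": {"Dhcp4": dhcp4}}


def add_global_user_context(user_context, write_to="/etc/kea/kea-dhcp4-new.json",
                            url=KEA_CA_URL, transport=http_transport):
    """Apply the change at runtime and persist it; return (config hash, written file)."""
    current = kea_command("config-get", "dhcp4", url=url, transport=transport)
    new_cmd = config_get_to_config_set(current, user_context)
    applied = kea_command("config-set", "dhcp4", new_cmd["arguments"], url=url, transport=transport)
    # config-set only changes the running server; config-write makes it survive a restart
    # (comments, formatting and key order of the original file are lost, as noted above).
    written = kea_command("config-write", "dhcp4", {"filename": write_to}, url=url, transport=transport)
    return applied.get("hash"), written.get("filename")


class FakeControlAgent:
    """Constructed stand-in for the control agent, answering like the replies shown above."""

    def __init__(self, dhcp4_config):
        self.config = dhcp4_config           # the Dhcp4 map the fake server is running
        self.written = {}                    # filename -> serialized config

    def __call__(self, url, payload):
        cmd, args = payload["command"], payload.get("arguments", {})
        if cmd == "config-get":
            return [{"result": 0, "arguments": {"Dhcp4": self.config, "hash": "FAKEHASH-OLD"}}]
        if cmd == "config-set":
            self.config = args["Dhcp4"]
            return [{"result": 0, "text": "Configuration successful.",
                     "arguments": {"hash": "FAKEHASH-NEW"}}]
        if cmd == "config-write":
            self.written[args["filename"]] = json.dumps({"Dhcp4": self.config})
            return [{"result": 0, "arguments": {"filename": args["filename"],
                                                "size": len(self.written[args["filename"]])}}]
        return [{"result": 2, "text": f"'{cmd}' command not supported."}]


if __name__ == "__main__":
    agent = FakeControlAgent({"valid-lifetime": 3600, "subnet4": []})
    print(add_global_user_context({"comment": "added via the REST API"}, transport=agent))
```

Against the real lab, drop the transport argument so http_transport talks to the control agent; the result tuple then carries the hash the server reports for the new configuration.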
4.2.3 Using the ISC DHCP client for troubleshooting (optional)
- The ISC DHCP client (part of most Linux/Unix systems) delegates the configuration of the operating system's TCP/IP stack to a shell script.
- The DHCP data stored in the DHCP packet is passed to the shell script via environment variables. These variables can be printed with the env command
- Stop the dhclient process if it is already running
[client]% dhclient -r
- Start the dhclient program with /usr/bin/env as its script and look at the output
[client]% dhclient -v -sf /usr/bin/env client-eth0
4.2.4 Observing DHCP communication with tcpdump (optional)
- On the Kea DHCP server, analyse the DHCP communication between the DHCP relay agent and the DHCP server with tcpdump
[kea-server]% tcpdump -vv -i server-eth0 port 67 or port 68
- Start a new DHCP lease request from the client container (dhclient -r releases the currently held lease).
[client]% dhclient -r
[client]% dhclient -v -sf /usr/bin/env client-eth0
4.2.5 Removing lab 01
- Leave the kea-server and client containers
- Run the ./stop and ./clean scripts on the host (in the directory /root/lab/lab01)
4.3 LAB02 - ISC DHCP relay agent
4.3.1 Network plan lab 02
4.3.2 DHCPv4 with a relay agent
- Work in the directory lab02 and start the lab containers from there
[host]% cd /root/lab/lab02
[host]% ./run
- Start the DHCPv4 relay agent in the container relay
[host]% enter relay
- The relay agent program listens for DHCPv4 broadcast packets on the network interface relay1-eth0 and forwards these packets to the Kea DHCP server at the address 100.64.0.1
[relay]% dhcrelay -id relay1-eth0 -iu relay2-eth0 -d 100.64.0.1
Requesting: relay1-eth0 as upstream: N downstream: Y
Requesting: relay2-eth0 as upstream: Y downstream: N
Dropped all unnecessary capabilities.
Internet Systems Consortium DHCP Relay Agent 4.4.2b1
Copyright 2004-2019 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/relay2-eth0/d2:90:88:da:b9:48
Sending on LPF/relay2-eth0/d2:90:88:da:b9:48
Listening on LPF/relay1-eth0/f6:94:7a:a5:69:9d
Sending on LPF/relay1-eth0/f6:94:7a:a5:69:9d
Sending on Socket/fallback
Dropped all capabilities.
- In another terminal, switch into the Kea DHCP server container
[host]% enter kea-server
- Since the DHCP requests from client systems now arrive from the relay agent via UDP, we can switch the Kea DHCPv4 configuration to a UDP socket: "dhcp-socket-type": "udp"
- Edit the file /etc/kea/kea-dhcp4.conf:
{
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "server-eth0" ],
"dhcp-socket-type": "udp"
},
[...]
- Test the Kea DHCPv4 configuration file
[kea-server]% kea-dhcp4 -t /etc/kea/kea-dhcp4.conf
- Restart the Kea DHCPv4 server
[kea-server]% systemctl start kea-dhcp4
[kea-server]% systemctl status kea-dhcp4
● kea-dhcp4.service - Kea DHCPv4 Server
Loaded: loaded (/usr/lib/systemd/system/kea-dhcp4.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2018-12-06 20:26:05 UTC; 3s ago
Docs: man:kea-dhcp4(8)
Main PID: 47 (kea-dhcp4)
Tasks: 1 (limit: 1144)
Memory: 9.2M
CGroup: /machine.slice/libpod-131e8c63aa04d242f4f9c4037b0106eb88a56b03b2bf6e639e306df2e06dd09c.scope/system.slice/kea-dhcp4.service
└─47 /usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
Dec 06 20:26:05 131e8c63aa04 systemd[1]: Started Kea DHCPv4 Server.
Dec 06 20:26:05 131e8c63aa04 kea-dhcp4[47]: 2018-12-06 20:26:05.450 INFO [kea-dhcp4.dhcp4/47] DHCP4_STARTING Kea DHCPv4 server version 1.3.0 starting
Dec 06 20:26:05 131e8c63aa04 kea-dhcp4[47]: 2018-12-06 20:26:05.457 INFO [kea-dhcp4.dhcpsrv/47] DHCPSRV_CFGMGR_SOCKET_TYPE_SELECT using socket type udp
Dec 06 20:26:05 131e8c63aa04 kea-dhcp4[47]: 2018-12-06 20:26:05.458 INFO [kea-dhcp4.dhcpsrv/47] DHCPSRV_CFGMGR_ADD_IFACE listening on interface server-eth0
Dec 06 20:26:05 131e8c63aa04 kea-dhcp4[47]: 2018-12-06 20:26:05.465 INFO [kea-dhcp4.dhcpsrv/47] DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to configuration: 192.0.2.0/24 wit>
Dec 06 20:26:05 131e8c63aa04 kea-dhcp4[47]: 2018-12-06 20:26:05.466 INFO [kea-dhcp4.dhcp4/47] DHCP4_CONFIG_COMPLETE DHCPv4 server has completed configuration: added IPv4 subnets: 1; DDN>
Dec 06 20:26:05 131e8c63aa04 kea-dhcp4[47]: 2018-12-06 20:26:05.467 INFO [kea-dhcp4.dhcpsrv/47] DHCPSRV_MEMFILE_DB opening memory file lease database: lfc-interval=3600 type=memfile uni>
Dec 06 20:26:05 131e8c63aa04 kea-dhcp4[47]: 2018-12-06 20:26:05.469 INFO [kea-dhcp4.dhcpsrv/47] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /var/lib/kea/kea-leases4.csv
Dec 06 20:26:05 131e8c63aa04 kea-dhcp4[47]: 2018-12-06 20:26:05.470 INFO [kea-dhcp4.dhcpsrv/47] DHCPSRV_MEMFILE_LFC_SETUP setting up the Lease File Cleanup interval to 3600 sec
- In a third terminal, switch into the client container
[host]% enter client
- Request a new DHCP lease with the dhclient program
[client]% dhclient -v client-eth0
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/client-eth0/b2:b9:2e:f6:5e:65
Sending on LPF/client-eth0/b2:b9:2e:f6:5e:65
Sending on Socket/fallback
DHCPDISCOVER on client-eth0 to 255.255.255.255 port 67 interval 6 (xid=0xe8e47a25)
DHCPREQUEST on client-eth0 to 255.255.255.255 port 67 (xid=0xe8e47a25)
DHCPOFFER from 192.0.2.1
DHCPACK from 192.0.2.1 (xid=0xe8e47a25)
bound to 192.0.2.109 -- renewal in 847 seconds.
- Log output on the DHCP relay
Forwarded BOOTREQUEST for b2:b9:2e:f6:5e:65 to 100.64.0.1
Forwarded BOOTREPLY for b2:b9:2e:f6:5e:65 to 192.0.2.109
Forwarded BOOTREQUEST for b2:b9:2e:f6:5e:65 to 100.64.0.1
Forwarded BOOTREPLY for b2:b9:2e:f6:5e:65 to 192.0.2.109
4.3.3 Tearing down lab 02
- Leave the client, relay and kea-server containers
- Run the ./stop and ./clean scripts in the directory /root/lab/lab02/ on the host
4.3.4 Optional slides
4.3.5 Alternative open-source DHCP relay agent tools
5 Kea lease allocation
5.1 LAB03 - Multiple subnet definitions
5.1.1 Network plan
- Change into the directory /root/lab/lab03 on the host
- Run the ./run script
5.1.2 Defining two subnets with pools
- Switch into the kea-server container
% enter kea-server
- Add a new subnet 198.100.51.0/24 to the Kea DHCPv4 configuration
[...]
"subnet4": [
{
"subnet": "192.0.2.0/24",
"id": 1000,
"pools": [ { "pool": "192.0.2.100 - 192.0.2.200" } ],
"option-data": [
{
"name": "routers",
"data": "192.0.2.1"
}
]
},
{
"subnet": "198.100.51.0/24",
"id": 2000,
"pools": [ { "pool": "198.100.51.50 - 198.100.51.90" } ],
"option-data": [
{
"name": "routers",
"data": "198.100.51.1"
}
]
}
[...]
- Test the new configuration
[kea-server]% kea-dhcp4 -t /etc/kea/kea-dhcp4.conf
INFO [kea-dhcp4.dhcpsrv/48] DHCPSRV_CFGMGR_SOCKET_TYPE_SELECT using socket type udp
INFO [kea-dhcp4.dhcpsrv/48] DHCPSRV_CFGMGR_ADD_IFACE listening on interface server-eth0
INFO [kea-dhcp4.dhcpsrv/48] DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to configuration: 192.0.2.0/24 with params: t1=900, t2=1800, valid-lifetime=3600
INFO [kea-dhcp4.dhcpsrv/48] DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to configuration: 198.100.51.0/24 with params: t1=900, t2=1800, valid-lifetime=3600
- Start the Kea DHCPv4 server and make sure the service started without errors
[kea-server]% systemctl start kea-dhcp4
[kea-server]% systemctl status kea-dhcp4
● kea-dhcp4.service - Kea DHCPv4 Server
Loaded: loaded (/usr/lib/systemd/system/kea-dhcp4.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2018-12-07 06:26:46 UTC; 5s ago
Docs: man:kea-dhcp4(8)
Main PID: 54 (kea-dhcp4)
Tasks: 1 (limit: 1144)
Memory: 1.9M
CGroup: /machine.slice/libpod-86d66477595de7e99c051c8f5b9c224d5e566cdbd3edbd5562a8b6fe09bc241a.scope/system.slice/kea-dhcp4.service
└─54 /usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
Dec 07 06:26:46 86d66477595d systemd[1]: Started Kea DHCPv4 Server.
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.515 INFO [kea-dhcp4.dhcp4/54] DHCP4_STARTING Kea DHCPv4 server version 1.3.0 starting
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.518 INFO [kea-dhcp4.dhcpsrv/54] DHCPSRV_CFGMGR_SOCKET_TYPE_SELECT using socket type udp
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.518 INFO [kea-dhcp4.dhcpsrv/54] DHCPSRV_CFGMGR_ADD_IFACE listening on interface server-eth0
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.519 INFO [kea-dhcp4.dhcpsrv/54] DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to configuration: 192.0.2.0/24 wit>
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.519 INFO [kea-dhcp4.dhcpsrv/54] DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to configuration: 198.100.51.0/24 >
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.519 INFO [kea-dhcp4.dhcp4/54] DHCP4_CONFIG_COMPLETE DHCPv4 server has completed configuration: added IPv4 subnets: 2; DDN>
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.520 INFO [kea-dhcp4.dhcpsrv/54] DHCPSRV_MEMFILE_DB opening memory file lease database: lfc-interval=3600 type=memfile uni>
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.521 INFO [kea-dhcp4.dhcpsrv/54] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /var/lib/kea/kea-leases4.csv
Dec 07 06:26:46 86d66477595d kea-dhcp4[54]: 2018-12-07 06:26:46.521 INFO [kea-dhcp4.dhcpsrv/54] DHCPSRV_MEMFILE_LFC_SETUP setting up the Lease File Cleanup interval to 3600 sec
- In a new terminal, switch into the relay container and start the ISC relay agent
% enter relay
- Start the relay agent (two client networks!)
[relay]% dhcrelay -id relay1-eth0 -id relay2-eth0 -iu relay3-eth0 -d 100.64.0.1
Requesting: relay1-eth0 as upstream: N downstream: Y
Requesting: relay2-eth0 as upstream: N downstream: Y
Requesting: relay3-eth0 as upstream: Y downstream: N
Dropped all unnecessary capabilities.
Internet Systems Consortium DHCP Relay Agent 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/relay3-eth0/8e:07:03:58:67:e4
Sending on LPF/relay3-eth0/8e:07:03:58:67:e4
Listening on LPF/relay2-eth0/46:eb:a0:16:f0:8b
Sending on LPF/relay2-eth0/46:eb:a0:16:f0:8b
Listening on LPF/relay1-eth0/26:fd:31:a7:6f:42
Sending on LPF/relay1-eth0/26:fd:31:a7:6f:42
Sending on Socket/fallback
Dropped all capabilities.
- Test the DHCP clients from the client containers clientA and clientB
[host]% enter clientA
[clientA]% dhclient -v client1-eth0
[host]% enter clientB
[clientB]% dhclient -v client2-eth0
5.1.3 Solving the problem with clientB
- ClientA will get an IP address from the DHCP server, but clientB gets no IP address. Why?
- Check the Kea server's log file at /var/log/kea/kea-dhcp4.log
- Compare the IP addresses on the relay agent with the IP addresses in the Kea DHCPv4 configuration
5.1.4 Solution: two octets are swapped in the Kea configuration
- Correct the configuration (198.51.100.0/24 instead of 198.100.51.0/24):
[...]
"subnet4": [
{
"subnet": "192.0.2.0/24",
"id": 1000,
"pools": [ { "pool": "192.0.2.100 - 192.0.2.200" } ],
"option-data": [
{
"name": "routers",
"data": "192.0.2.1"
}
]
},
{
"subnet": "198.51.100.0/24",
"id": 2000,
"pools": [ { "pool": "198.51.100.50 - 198.51.100.90" } ],
"option-data": [
{
"name": "routers",
"data": "198.51.100.1"
}
]
}
[...]
- Test the new configuration, restart the Kea DHCP server and repeat the test from clientB
5.2 Adding global DHCP options
- Now we want to send additional DHCP options to the client machines. We begin with the list of DNS resolvers and (next exercise) the local domain name. Since the DNS resolvers are the same for every subnet, we define the DHCP options at the global level of the DHCP server:
"Dhcp4": {
"option-data": [
{
"name": "domain-name-servers",
"code": 6,
"space": "dhcp4",
"csv-format": true,
"data": "100.64.53.53"
}
],
[...]
- Test from clientA and clientB
[clientB]% dhclient -r
Killed old client process
[clientB]% dhclient -v client2-eth0
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/client2-eth0/46:11:30:78:2a:9b
Sending on LPF/client2-eth0/46:11:30:78:2a:9b
Sending on Socket/fallback
DHCPREQUEST on client2-eth0 to 255.255.255.255 port 67 (xid=0xf2ea4a05)
DHCPACK from 198.51.100.1 (xid=0xf2ea4a05)
bound to 198.51.100.50 -- renewal in 746 seconds.
- Check that the DNS resolver was written to the file /etc/resolv.conf
[clientB]% cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
nameserver 100.64.53.53
5.3 Adding a DHCP option for a specific subnet
- The clients are in different DNS domains: clientA is in the domain a.example.com, while clientB is in the domain b.example.com.
- We define a DHCP option for the subnets in the file /etc/kea/kea-dhcp4.conf. Add the domain-name option with different values for the domain names to the subnet definitions:
[...]
"subnet4": [
{
"subnet": "192.0.2.0/24",
"id": 1000,
"pools": [ { "pool": "192.0.2.100 - 192.0.2.200" } ],
"option-data": [
{
"name": "routers",
"data": "192.0.2.1"
},
{
"name": "domain-name",
"data": "a.example.com"
}
]
},
[...]
- Check the configuration file, restart the Kea DHCP server and make sure the Kea service started without errors
- Test the new DHCP options from the DHCP clients, making sure the different domains appear in the search line of the file /etc/resolv.conf:
[clientB]% dhclient -r
Killed old client process
[clientB]% dhclient -v client2-eth0
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/client2-eth0/46:11:30:78:2a:9b
Sending on LPF/client2-eth0/46:11:30:78:2a:9b
Sending on Socket/fallback
DHCPREQUEST on client2-eth0 to 255.255.255.255 port 67 (xid=0xcd1e6c31)
DHCPACK from 198.51.100.1 (xid=0xcd1e6c31)
bound to 198.51.100.50 -- renewal in 681 seconds.
[clientB]% cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search b.example.com
nameserver 100.64.53.53
5.4 DHCP reservations
5.4.1 Creating a DHCP reservation
- Kea DHCP supports lease reservations based on the hardware address of the network interface (MAC address), the DHCP Unique ID (DUID), the circuit ID of the relay agent or the client ID.
- Determine the hardware address of the clientA container's network interface with the command ip link show and create a reservation in the Kea DHCPv4 configuration
[...]
"subnet4": [
{
"subnet": "192.0.2.0/24",
"id": 1000,
"pools": [
{
"pool": "192.0.2.100 - 192.0.2.200"
}
],
"option-data": [
{
"name": "routers",
"data": "192.0.2.1"
},
{
"name": "domain-name",
"data": "a.example.com"
}
],
"reservations": [
{
"hw-address": "xx:xx:xx:xx:xx:xx",
"ip-address": "192.0.2.210",
"hostname": "client.a"
}
]
},
[...]
- Test the configuration and restart the Kea server service
- Test from clientA that the reserved IP address is assigned to the client and that the hostname is transmitted:
[clientA]% dhclient -r
Killed old client process
[ClientA]% dhclient -v -sf /usr/bin/env client1-eth0 | grep host_name
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/client1-eth0/6a:52:4e:6c:ee:3d
Sending on LPF/client1-eth0/6a:52:4e:6c:ee:3d
Sending on Socket/fallback
DHCPREQUEST on client1-eth0 to 255.255.255.255 port 67 (xid=0xa4d0bd0c)
DHCPACK from 192.0.2.1 (xid=0xa4d0bd0c)
requested_host_name=1
new_host_name=client.a
bound to 192.0.2.210 -- renewal in 833 seconds.
5.4.2 Performance optimisations for DHCP reservations
- Checking the various client identifiers for DHCP reservations can slow down the Kea DHCP server. By telling the Kea DHCP server in the configuration which identifiers are used in this installation, the speed of the DHCP responses can be increased:
[...]
"reservations-global": false,
"reservations-in-subnet": true,
"reservations-out-of-pool": true,
"host-reservation-identifiers": [ "duid", "hw-address" ],
[...]
5.5 Client classing and vendor options
5.5.1 Automatic vendor classes
- In this exercise the subnet of a shared network is selected via the vendor option (option 60). Kea DHCP creates vendor classes automatically.
- The vendor options used in this exercise are examples and not the real values of the manufacturers:
"shared-networks": [
{
"name": "kea-lab01",
"relay": {
"ip-addresses": [ "192.0.2.1" ]
},
"subnet4": [
{
"subnet": "192.0.2.0/26",
"id": 1000,
"client-classes": [ "VENDOR_CLASS_windowsXP" ], # <-- Windows XP Clients will get IP
# from this subnet
"option-data": [
{
"name": "routers",
"data": "192.0.2.1"
}
],
"pools": [
{
"pool": "192.0.2.60 - 192.0.2.63"
}
]
},
{
"subnet": "10.0.0.0/24",
"id": 1001,
"client-classes": [ "VENDOR_CLASS_fedoraLinux" ], # <-- Fedora-Linux Clients will get IP
# from this subnet
"option-data": [
{
"name": "routers",
"data": "10.0.0.1"
}
],
"pools": [
{
"pool": "10.0.0.10 - 10.0.0.11"
}
]
}
]
}
],
[...]
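The dropped clientB request in LAB03 and the vendor-class based choice between the subnets of the kea-lab01 shared network above are two outcomes of the same step: subnet selection for a relayed request. The following Python is an added example (not Kea's code and not part of the workshop) that models that step in simplified form: giaddr against subnet prefixes and "relay" addresses, then the subnet's client-classes against the automatic VENDOR_CLASS_ class; the configurations it runs on are constructed from the two labs.

```python
"""Which subnet does a relayed DHCPv4 request land in?

Added example, not Kea's code: a simplified model of Kea's subnet selection for
relayed packets, just enough to reproduce two effects from this workshop:
  - LAB03: a relay address (giaddr) that matches no configured subnet gets no
    lease (the 198.100.51.0/24 transposition), and
  - 5.5.1: option 60 becomes the automatic class VENDOR_CLASS_<value>, which the
    subnets of a shared network use to admit or refuse a client.
The real server also looks at interfaces, pools, reservations and more.
"""
import ipaddress


def client_classes(vendor_class_id=None):
    """Classes Kea assigns on its own: ALL, plus VENDOR_CLASS_<option 60 value>."""
    classes = {"ALL"}
    if vendor_class_id:
        classes.add("VENDOR_CLASS_" + vendor_class_id)
    return classes


def _matches_giaddr(subnet, giaddr, inherited_relays=()):
    """A relayed request fits a subnet when giaddr is inside the prefix or is one of
    the "relay" ip-addresses of the subnet or of its shared network."""
    relays = set(inherited_relays) | set(subnet.get("relay", {}).get("ip-addresses", []))
    if str(giaddr) in relays:
        return True
    return giaddr in ipaddress.ip_network(subnet["subnet"], strict=False)


def _class_admits(subnet, classes):
    """No "client-classes" means everyone; otherwise one listed class must match."""
    required = subnet.get("client-classes")
    return not required or bool(set(required) & classes)


def select_subnet(dhcp4, giaddr, vendor_class_id=None):
    """Return the prefix of the chosen subnet, or None when Kea would log a subnet
    selection failure and drop the request."""
    giaddr = ipaddress.ip_address(giaddr)
    classes = client_classes(vendor_class_id)
    candidates = [(s, ()) for s in dhcp4.get("subnet4", [])]
    for net in dhcp4.get("shared-networks", []):
        inherited = tuple(net.get("relay", {}).get("ip-addresses", []))
        candidates += [(s, inherited) for s in net.get("subnet4", [])]
    for subnet, inherited in candidates:
        if _matches_giaddr(subnet, giaddr, inherited) and _class_admits(subnet, classes):
            return subnet["subnet"]
    return None


# Constructed from LAB03: the transposed subnet, then the corrected one.
LAB03_TYPO = {"subnet4": [
    {"subnet": "192.0.2.0/24", "id": 1000, "pools": [{"pool": "192.0.2.100 - 192.0.2.200"}]},
    {"subnet": "198.100.51.0/24", "id": 2000, "pools": [{"pool": "198.100.51.50 - 198.100.51.90"}]},
]}
LAB03_FIXED = {"subnet4": [
    {"subnet": "192.0.2.0/24", "id": 1000, "pools": [{"pool": "192.0.2.100 - 192.0.2.200"}]},
    {"subnet": "198.51.100.0/24", "id": 2000, "pools": [{"pool": "198.51.100.50 - 198.51.100.90"}]},
]}
# Constructed from 5.5.1: a shared network whose subnets are chosen by vendor class.
VENDOR_LAB = {"shared-networks": [{
    "name": "kea-lab01",
    "relay": {"ip-addresses": ["192.0.2.1"]},
    "subnet4": [
        {"subnet": "192.0.2.0/26", "id": 1000, "client-classes": ["VENDOR_CLASS_windowsXP"]},
        {"subnet": "10.0.0.0/24", "id": 1001, "client-classes": ["VENDOR_CLASS_fedoraLinux"]},
    ],
}]}

if __name__ == "__main__":
    print("clientB, typo:     ", select_subnet(LAB03_TYPO, "198.51.100.1"))
    print("clientB, fixed:    ", select_subnet(LAB03_FIXED, "198.51.100.1"))
    print("fedoraLinux client:", select_subnet(VENDOR_LAB, "192.0.2.1", "fedoraLinux"))
    print("windowsXP client:  ", select_subnet(VENDOR_LAB, "192.0.2.1", "windowsXP"))
    print("no vendor class:   ", select_subnet(VENDOR_LAB, "192.0.2.1"))
```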
- Test the configuration and restart the Kea DHCP server
- Requesting a DHCP lease with the vendor option fedoraLinux
[clientA]% dhclient -r
Killed old client process
[clientA]% dhclient -v -V fedoraLinux
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/client1-eth0/1e:d8:f9:75:80:a6
Sending on LPF/client1-eth0/1e:d8:f9:75:80:a6
Sending on Socket/fallback
DHCPREQUEST on client1-eth0 to 255.255.255.255 port 67 (xid=0xdf55944)
DHCPREQUEST on client1-eth0 to 255.255.255.255 port 67 (xid=0xdf55944)
DHCPDISCOVER on client1-eth0 to 255.255.255.255 port 67 interval 8 (xid=0x61d13664)
DHCPREQUEST on client1-eth0 to 255.255.255.255 port 67 (xid=0x61d13664)
DHCPOFFER from 192.0.2.1
DHCPACK from 192.0.2.1 (xid=0x61d13664)
bound to 10.0.0.11 -- renewal in 728 seconds.
- Requesting a DHCP lease with the vendor option windowsXP
[clientA]% dhclient -r
Killed old client process
[clientA]% dhclient -v -V windowsXP
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/client1-eth0/1e:d8:f9:75:80:a6
Sending on LPF/client1-eth0/1e:d8:f9:75:80:a6
Sending on Socket/fallback
DHCPREQUEST on client1-eth0 to 255.255.255.255 port 67 (xid=0xdcc6561e)
DHCPNAK from 192.0.2.1 (xid=0xdcc6561e)
DHCPDISCOVER on client1-eth0 to 255.255.255.255 port 67 interval 7 (xid=0xa3479029)
DHCPREQUEST on client1-eth0 to 255.255.255.255 port 67 (xid=0xa3479029)
DHCPOFFER from 192.0.2.1
DHCPACK from 192.0.2.1 (xid=0xa3479029)
bound to 192.0.2.60 -- renewal in 854 seconds.
5.5.2 Troubleshooting client classes
- Add debug output for client-class decisions to the Kea DHCP server (file /etc/kea/kea-dhcp4.conf)
"loggers": [
[...]
{
"name": "kea-dhcp4.eval",
"output_options": [ {
"output": "/var/log/kea/kea-dhcp4-eval.log"
} ],
"severity": "DEBUG",
"debuglevel": 55
}
]
- Example output in the log file /var/log/kea/kea-dhcp4-eval.log
2021-10-01 09:42:02.503 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_OPTION Pushing option 60 with value 0x
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '0'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '3'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_SUBSTRING_EMPTY Popping length 3, start 0, string 0x pushing result 0x
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string 'win'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_EQUAL Popping 0x77696E and 0x pushing result 'false'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_OPTION Pushing option 60 with value 0x
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '0'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '3'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_SUBSTRING_EMPTY Popping length 3, start 0, string 0x pushing result 0x
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string 'win'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_EQUAL Popping 0x77696E and 0x pushing result 'false'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_NOT Popping 'false' pushing 'true'
2021-10-01 09:42:02.505 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_OPTION Pushing option 60 with value 0x
2021-10-01 09:42:02.505 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '0'
2021-10-01 09:42:02.505 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '3'
2021-10-01 09:42:02.505 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_SUBSTRING_EMPTY Popping length 3, start 0, string 0x pushing result 0x
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string 'win'
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_EQUAL Popping 0x77696E and 0x pushing result 'false'
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_OPTION Pushing option 60 with value 0x
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '0'
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '3'
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_SUBSTRING_EMPTY Popping length 3, start 0, string 0x pushing result 0x
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string 'win'
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_EQUAL Popping 0x77696E and 0x pushing result 'false'
2021-10-01 09:42:02.506 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_NOT Popping 'false' pushing 'true'
2021-10-01 09:42:05.616 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_OPTION Pushing option 60 with value 0x77696E646F777337
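Reading the eval trace by hand gets tedious quickly, because every class test is printed as a stack machine pushing and popping hex values. The following Python script is an added example, not part of the workshop material: it parses lines in the format shown above, groups them into one record per option push, decodes the 0x values back to text (0x77696E is "win", 0x77696E646F777337 is "windows7") and keeps the last boolean each test pushed, which is the class decision. The sample log is a constructed, shortened copy of the trace above plus a constructed continuation for a client that really sends "windows7" in option 60; the EVAL_DEBUG_SUBSTRING message text in that continuation is assumed to match Kea's format.

```python
import re

# Constructed sample in the format of /var/log/kea/kea-dhcp4-eval.log.
# First evaluation: copied from the trace above (client sent no option 60).
# Second evaluation: constructed, a client whose option 60 is "windows7".
SAMPLE_EVAL_LOG = """\
2021-10-01 09:42:02.503 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_OPTION Pushing option 60 with value 0x
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '0'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '3'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_SUBSTRING_EMPTY Popping length 3, start 0, string 0x pushing result 0x
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string 'win'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_EQUAL Popping 0x77696E and 0x pushing result 'false'
2021-10-01 09:42:02.504 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_NOT Popping 'false' pushing 'true'
2021-10-01 09:42:05.616 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_OPTION Pushing option 60 with value 0x77696E646F777337
2021-10-01 09:42:05.616 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '0'
2021-10-01 09:42:05.616 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string '3'
2021-10-01 09:42:05.616 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_SUBSTRING Popping length 3, start 0, string 0x77696E646F777337 pushing result 0x77696E
2021-10-01 09:42:05.616 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_STRING Pushing text string 'win'
2021-10-01 09:42:05.616 DEBUG [kea-dhcp4.eval/445.140222409295296] EVAL_DEBUG_EQUAL Popping 0x77696E and 0x77696E pushing result 'true'
"""

# date time DEBUG [logger/pid.thread] MESSAGE_ID free text
LINE_RE = re.compile(
    r"^\S+ \S+ DEBUG \[(?P<logger>[^\]]+)\] (?P<msg>EVAL_DEBUG_\w+) (?P<text>.*)$")
HEX_RE = re.compile(r"0x([0-9A-Fa-f]*)")
# Boolean results appear as "pushing result 'true'" (EQUAL, ...) or "pushing 'true'" (NOT)
RESULT_RE = re.compile(r"pushing (?:result )?'(true|false)'")


def decode_hex(token):
    """Render a Kea 0x... value as text when it is printable ASCII, else keep it hex."""
    raw = bytes.fromhex(token)
    if not raw:
        return "<empty>"  # option absent from the packet: Kea pushes an empty string
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "0x" + raw.hex()
    return text if text.isprintable() else "0x" + raw.hex()


def summarize(log_text):
    """One record per EVAL_DEBUG_OPTION push: decoded option value, the steps that
    followed, and the last boolean pushed (the outcome of that class test)."""
    evaluations = []
    current = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, text = m.group("msg"), m.group("text")
        if msg == "EVAL_DEBUG_OPTION":
            h = HEX_RE.search(text)
            current = {"option": decode_hex(h.group(1) if h else ""),
                       "steps": [], "result": None}
            evaluations.append(current)
            continue
        if current is None:
            continue  # lines before the first option push
        current["steps"].append(msg[len("EVAL_DEBUG_"):])
        r = RESULT_RE.search(text)
        if r:
            current["result"] = r.group(1) == "true"
    return evaluations


if __name__ == "__main__":
    for ev in summarize(SAMPLE_EVAL_LOG):
        print(f"option 60 = {ev['option']!r:12} steps={'>'.join(ev['steps'])} -> {ev['result']}")
```

The first record shows why the trace above ends in NOT pushing 'true': the client sent no option 60, substring of an empty string is empty, the comparison with 'win' is false, and the negated class therefore matches. Feeding a real log through summarize() (for example by piping the file into the script) tells you per packet which tests fired without decoding hex by hand.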
5.5.3 Video: Kea DHCP Template Classes
5.5.4 Extra slides:
5.5.5 Participant question: client classes and reservations
- Option 1: assign client classes via reservations
{
"Dhcp4": {
"client-classes": [
{
"name": "pool_name_1",
"valid-lifetime": 3600
},
{
"name": "pool_name_etc",
"valid-lifetime": 1800
}
],
"reservations-global": true,
"reservations": [
{
"hw-address": "a1:bb:cc:dd:ee:ff",
"client-classes": [
"pool_name_1",
"pool_name_etc"
]
},
{
"hw-address": "a2:bb:cc:dd:ee:ff",
"client-classes": [
"pool_name_etc"
]
}
],
"subnet4": [
{
"id": 1,
"subnet": "10.0.0.0/24",
"pools": [
{
"pool": "10.0.0.10-10.0.0.100",
"client-classes": [
"pool_name_1",
"pool_name_etc"
]
}
],
"reservations": [
{
"hw-address": "a1:bb:cc:dd:ee:ff",
"ip-address": "10.0.0.2"
},
{
"hw-address": "a2:bb:cc:dd:ee:ff",
"ip-address": "10.0.0.3"
}
]
},
{
"id": 2,
"subnet": "192.0.3.0/24",
"pools": [
{
"pool": "192.0.3.10-192.0.3.20",
"client-classes": [
"pool_name_1"
]
}
]
}
]
}
}
- Option 2: assign client classes via a test expression
- This solution only scales to a small number of hosts
{
"Dhcp4": {
"reservations-global": false,
"client-classes": [
{
"name": "pool_name_1",
"test": "match('a1:bb:cc:dd:ee:ff',hexstring(pkt4.mac, ':'))",
"valid-lifetime": 3600
},
{
"name": "pool_name_etc",
"test": "match('a1:bb:cc:dd:ee:ff|a2:bb:cc:dd:ee:ff',hexstring(pkt4.mac, ':'))",
"valid-lifetime": 1800
}
],
"subnet4": [
{
"id": 1,
"subnet": "10.0.0.0/24",
"pools": [
{
"pool": "10.0.0.10-10.0.0.100",
"client-classes": [
"pool_name_1",
"pool_name_etc"
]
}
],
"reservations": [
{
"hw-address": "a1:bb:cc:dd:ee:ff",
"ip-address": "10.0.0.2"
},
{
"hw-address": "a2:bb:cc:dd:ee:ff",
"ip-address": "10.0.0.3"
}
]
},
{
"id": 2,
"subnet": "192.0.3.0/24",
"pools": [
{
"pool": "192.0.3.10-192.0.3.20",
"client-classes": [
"pool_name_1"
]
}
]
}
]
}
}
6 Kea database and high availability
6.1 LAB: Kea database with PostgreSQL
6.1.1 Lease database in PostgreSQL
- Start in the kea-server container
- Initialize and start the PostgreSQL database
[kea-server]% /usr/bin/postgresql-setup --initdb
[kea-server]% systemctl enable --now postgresql
- Connect to the database server. This PostgreSQL server has no password; use the empty password to log in. For a production installation, configure password authentication for the database server. Configuring PostgreSQL authentication is outside the scope of the ISC Kea DHCP training.
[kea-server]% su - postgres
[kea-server]$ psql postgres
psql (16.1)
Type "help" for help.
postgres=#
- Create a new database; kea_lease_db is the name of the database in this example
postgres=# CREATE DATABASE kea_lease_db;
CREATE DATABASE
- Create a user that the Kea server uses to access the database
postgres=# CREATE USER kea WITH PASSWORD 'secure-password';
CREATE ROLE
- Set the permissions for the new user on the database
postgres=# GRANT ALL PRIVILEGES ON DATABASE kea_lease_db TO kea;
GRANT
- In PostgreSQL 15 (and later) you must make the user kea the owner of the database and give this user the right to modify the database schema (see https://www.cybertec-postgresql.com/en/error-permission-denied-schema-public/)
postgres=# GRANT ALL ON SCHEMA public TO kea;
postgres=# ALTER DATABASE kea_lease_db OWNER TO kea;
- Leave the PostgreSQL client
postgres=# \q
- Exit the shell of the postgres user to return to the root shell
[kea-server]$ exit
[kea-server]% id
uid=0(root) gid=0(root) groups=0(root)
- Configure the PostgreSQL database to use password authentication for the Kea database. The Kea database entries must appear before the all entries in the file /var/lib/pgsql/data/pg_hba.conf.
# TYPE  DATABASE      USER  ADDRESS       METHOD
local   kea_lease_db  kea                 password
host    kea_lease_db  kea   127.0.0.1/32  password
host    kea_lease_db  kea   ::1/128       password
# "local" is for Unix domain socket connections only
local   all           all                 peer
[...]
- Restart the PostgreSQL server service
[kea-server]% systemctl restart postgresql
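PostgreSQL evaluates pg_hba.conf top to bottom and uses the first matching rule, which is why the ordering requirement above matters: a Kea rule placed below local all all peer is never reached, and the Kea daemon (running as a different OS user) then fails peer authentication. The following Python checker is an added example, not part of the workshop material. It parses a pg_hba.conf, reports Kea rules shadowed by an earlier catch-all rule of the same connection type, and flags weak methods: the lab uses password, which PostgreSQL documents as sending the password in clear text over the connection, and scram-sha-256 is the hardened replacement. Both sample files are constructed; the second one deliberately puts the catch-all rules first.

```python
# Constructed pg_hba.conf in the layout used in this lab.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE      USER  ADDRESS       METHOD
local   kea_lease_db  kea                 password
host    kea_lease_db  kea   127.0.0.1/32  password
host    kea_lease_db  kea   ::1/128       password
# "local" is for Unix domain socket connections only
local   all           all                 peer
host    all           all   127.0.0.1/32  ident
"""

# Constructed counter-example: catch-all rules come first and shadow the Kea rules.
SHADOWED_PG_HBA = """\
local   all           all                 peer
host    all           all   127.0.0.1/32  ident
local   kea_lease_db  kea                 scram-sha-256
host    kea_lease_db  kea   127.0.0.1/32  scram-sha-256
"""


def parse_pg_hba(text):
    """Parse pg_hba.conf rules. Simplifications: only the CIDR address form is
    handled (not 'IP NETMASK'), and trailing auth options are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: malformed local rule")
            conn_type, database, user, address, method = fields[0], fields[1], fields[2], None, fields[3]
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: malformed host rule")
            conn_type, database, user, address, method = fields[:5]
        rules.append({"line": lineno, "type": conn_type, "database": database,
                      "user": user, "address": address, "method": method})
    return rules


def shadows(earlier, later):
    """True if 'earlier' is a catch-all rule that PostgreSQL would match before 'later'."""
    return (earlier["database"] == "all" and earlier["user"] == "all"
            and earlier["type"] == later["type"]
            and (earlier["type"] == "local" or earlier["address"] == later["address"]))


def check_kea_rules(rules, database="kea_lease_db", user="kea"):
    """Return a list of findings for the rules that grant access to the Kea database."""
    findings = []
    kea_rules = [r for r in rules if r["database"] == database]
    if not kea_rules:
        findings.append(f"no rule for database {database}")
    for r in kea_rules:
        for earlier in rules:
            if earlier["line"] < r["line"] and shadows(earlier, r):
                findings.append(f"line {r['line']}: shadowed by the 'all all' rule on line {earlier['line']}")
                break
        if r["user"] != user:
            findings.append(f"line {r['line']}: grants access to user {r['user']}, expected {user}")
        if r["method"] == "password":
            findings.append(f"line {r['line']}: method 'password' sends the password in clear text; use scram-sha-256")
        elif r["method"] == "trust":
            findings.append(f"line {r['line']}: method 'trust' requires no authentication at all")
    return findings


if __name__ == "__main__":
    for name, text in (("lab layout", SAMPLE_PG_HBA), ("catch-all first", SHADOWED_PG_HBA)):
        print(name)
        for finding in check_kea_rules(parse_pg_hba(text)):
            print("  ", finding)
```

Run it against the real file with python3 check_hba.py < /var/lib/pgsql/data/pg_hba.conf after replacing the sample with sys.stdin.read(); an empty findings list means the Kea rules are reachable and use a challenge-response method.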
- Populate the database with the Kea DHCP schema using the kea-admin program (start the command with a space so that the password is not recorded in the shell history)
[kea-server]%  kea-admin db-init pgsql -u kea -h 127.0.0.1 -p secure-password -n kea_lease_db
Checking if there is a database initialized already...
Initializing database using script /usr/share/kea/scripts/pgsql/dhcpdb_create.pgsql
psql:/usr/share/kea/scripts/pgsql/dhcpdb_create.pgsql:140: NOTICE: function lease4dumpheader() does not exist, skipping
psql:/usr/share/kea/scripts/pgsql/dhcpdb_create.pgsql:148: NOTICE: function lease4dumpdata() does not exist, skipping
psql:/usr/share/kea/scripts/pgsql/dhcpdb_create.pgsql:178: NOTICE: function lease6dumpheader() does not exist, skipping
psql:/usr/share/kea/scripts/pgsql/dhcpdb_create.pgsql:186: NOTICE: function lease6dumpdata() does not exist, skipping
Schema version reported after initialization: 22.1
- Add the Kea DHCP database extension (hook) for PostgreSQL:
{
"Dhcp4": {
"hooks-libraries": [
{
"library": "/usr/lib64/kea/hooks/libdhcp_pgsql.so"
}
],
- Adjust the lease-database block in the Kea server configuration to use a database of type PostgreSQL:
[...]
"lease-database": {
"type": "postgresql",
"host": "localhost",
"name": "kea_lease_db",
"user": "kea",
"password": "secure-password"
},
[...]
- Test the configuration and start the Kea DHCP server
- Start the DHCP relay service in the relay container
[relay]% dhcrelay -id relay1-eth0 -id relay2-eth0 -iu relay3-eth0 -d 100.64.0.1
- Test the installation by requesting a DHCP lease from clientA and clientB
- The lease database can be exported with the lease-dump function of the kea-admin command (start the command with a space so that the password is not recorded in the shell history)
[kea-server]%  kea-admin lease-dump pgsql -u kea -h 127.0.0.1 -p secure-password -n kea_lease_db -o leases.csv -4
lease4 successfully dumped to leases.csv
[kea-server]% less leases.csv
address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state
192.0.2.100,fe15e927353b,ffe927353b000400d52b989bf14fbfaeb1f21908f229d9,3600,2018-12-08 21:39:06+00,1,0,0,,default
198.51.100.50,f2b272a61f8d,ff72a61f8d000405a5b16faf254760879df44a6a58636a,3600,2018-12-08 21:38:01+00,2,0,0,,default
6.1.2 Hosts/reservations in an SQL database (optional)
- A host database can be created in the same way as the lease database (see the instructions above)
[...]
"host-database": {
"type": "postgresql",
"host": "localhost",
"name": "kea_host_db",
"user": "kea",
"password": "secure-password"
},
[...]
- If the database content is maintained through database updates, the host reservation database can be configured in read-only mode:
[...]
"host-database": {
"readonly": true,
"type": "postgresql",
"host": "localhost",
"name": "kea_host_db",
"user": "kea",
"password": "secure-password"
},
[...]
6.1.3 Host Commands
- See https://kea.readthedocs.io/en/latest/arm/hooks.html#host-cmds-host-commands
- The "host commands" hooks library provides a set of additional commands for querying and editing host reservations. Kea can store host reservations in a database, which is especially useful for larger installations. This hooks library offers management commands to add, query and delete host reservations safely, without restarting the Kea DHCP server or reloading its configuration.
- Up to Kea DHCP 2.6 the host commands hook is only available as a paid license package (premium hooks, 549-7499 US$); from Kea DHCP 3.0 on it is part of the open-source version of Kea DHCP.
- The open-source "Kea-Python" hooks allow Kea hooks to be written in the Python programming language: https://github.com/davejohncole/kea_python
- This project includes an implementation of the host commands in Python.
6.1.4 Cleaning up Lab03
- Leave the kea-server, relay, clientA and clientB containers
- Run the scripts ./stop and ./clean in /root/lab/lab03
6.2 LAB05 - Kea DHCP failover cluster
6.2.1 Preparations
- Run the script ./run in the directory /root/lab/lab05 to start the lab environment
- Enter the container kea-server1
# enter kea-server1
- Remove the PostgreSQL lease database and switch back to the in-memory database
6.2.2 Configuring Kea DHCP for hot-standby mode
- Add an HA standby configuration in the container kea-server1 in the file /etc/kea/kea-dhcp4.conf. The hook library dhcp_lease_cmds is required for the HA module (the high-availability function uses the REST API functions defined in this hook):
"hooks-libraries": [
{
"library": "/usr/lib64/kea/hooks/libdhcp_lease_cmds.so",
"parameters": { }
},
{
"library": "/usr/lib64/kea/hooks/libdhcp_ha.so",
"parameters": {
"high-availability": [ {
"this-server-name": "server1",
"mode": "hot-standby",
"heartbeat-delay": 10000, # milliseconds
"max-response-delay": 20000, # milliseconds
"max-ack-delay": 5000, # milliseconds
"max-unacked-clients": 0, # immediate partner-down
"peers": [
{
"name": "server1",
"url": "http://100.64.0.1:9098/",
"role": "primary",
"auto-failover": true
},
{
"name": "server2",
"url": "http://100.64.1.1:9098/",
"role": "standby",
"auto-failover": true
}
]
} ]
}
}
],
[...]
- Change the name of the network interface in the Kea DHCP4 module from server-eth0 to server1-eth0.
- Start the Kea DHCP server
[kea-server1]% systemctl start kea-dhcp4
[kea-server1]% systemctl status kea-dhcp4
- Start monitoring the Kea DHCP4 log file
[kea-server1]% tail -f /var/log/kea/kea-dhcp4.log
- Copy the configuration from kea-server1 to kea-server2 (on the VM host)
[host]% cp /root/lab/conf/kea-dhcp4.conf /root/lab/conf2/
- In another terminal, enter the container kea-server2
[host]% enter kea-server2
- Change the configuration option this-server-name in the Kea DHCP4 server configuration file to server2
- Change the interface name in the Kea DHCP4 module configuration from server-eth0 to server2-eth0.
- Start the Kea server
[kea-server2]% systemctl start kea-dhcp4
- Start displaying the Kea DHCP log file
[kea-server2]% tail -f /var/log/kea/kea-dhcp4.log
- You should see the HA protocol synchronize and start sending heartbeat messages between the two servers
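The two HA configurations must agree on everything except this-server-name (and, in this lab, the interface name), and a mismatch in the peer list or roles is the usual reason the HA state machine never leaves waiting/syncing. The Python script below is an added example, not part of the workshop material: it derives the kea-server2 configuration from kea-server1's exactly as the steps above do by hand, and runs a few sanity checks that I wrote for the lab (they are not Kea's own validator): both hook libraries loaded, this-server-name names one of the peers, exactly one primary and one standby in hot-standby mode, heartbeat-delay below max-response-delay, and peer URLs that use plain http://, which the lab accepts but which puts every lease update on the wire unencrypted (the Kea ARM describes TLS settings for HA peers). The config dict is a constructed, trimmed copy of the lab's kea-dhcp4.conf.

```python
import copy
import json

# Constructed, trimmed copy of the lab's kea-dhcp4.conf on kea-server1
# (only the parts that the HA setup touches).
SERVER1_CONF = {
    "Dhcp4": {
        "interfaces-config": {"interfaces": ["server1-eth0"]},
        "hooks-libraries": [
            {"library": "/usr/lib64/kea/hooks/libdhcp_lease_cmds.so", "parameters": {}},
            {"library": "/usr/lib64/kea/hooks/libdhcp_ha.so", "parameters": {
                "high-availability": [{
                    "this-server-name": "server1",
                    "mode": "hot-standby",
                    "heartbeat-delay": 10000,
                    "max-response-delay": 20000,
                    "max-ack-delay": 5000,
                    "max-unacked-clients": 0,
                    "peers": [
                        {"name": "server1", "url": "http://100.64.0.1:9098/",
                         "role": "primary", "auto-failover": True},
                        {"name": "server2", "url": "http://100.64.1.1:9098/",
                         "role": "standby", "auto-failover": True},
                    ],
                }]}},
        ],
    }
}


def ha_params(conf):
    """Return the first high-availability relationship of the HA hook."""
    for hook in conf["Dhcp4"].get("hooks-libraries", []):
        if hook["library"].endswith("libdhcp_ha.so"):
            return hook["parameters"]["high-availability"][0]
    raise ValueError("libdhcp_ha.so is not loaded")


def validate_ha(conf):
    """Lab sanity checks for one server's HA section; returns a list of problems."""
    problems = []
    libraries = [h["library"] for h in conf["Dhcp4"].get("hooks-libraries", [])]
    if not any(lib.endswith("libdhcp_lease_cmds.so") for lib in libraries):
        problems.append("libdhcp_lease_cmds.so is not loaded; the HA hook depends on it")
    ha = ha_params(conf)
    names = [p["name"] for p in ha["peers"]]
    if ha["this-server-name"] not in names:
        problems.append(f"this-server-name {ha['this-server-name']!r} is not one of the peers {names}")
    roles = [p["role"] for p in ha["peers"]]
    if ha["mode"] == "hot-standby" and (roles.count("primary") != 1 or roles.count("standby") != 1):
        problems.append(f"hot-standby needs exactly one primary and one standby, got {roles}")
    if ha["heartbeat-delay"] >= ha["max-response-delay"]:
        problems.append("heartbeat-delay >= max-response-delay: one missed heartbeat already trips partner-down")
    for peer in ha["peers"]:
        if peer["url"].startswith("http://"):
            problems.append(f"peer {peer['name']}: lease updates travel over plain HTTP to {peer['url']}")
    return problems


def derive_partner_config(conf, partner_name, old_iface, new_iface):
    """Build the partner's config: identical peers, only this-server-name and the
    listening interface differ (the manual steps of this section)."""
    partner = copy.deepcopy(conf)
    ha = ha_params(partner)
    if partner_name not in [p["name"] for p in ha["peers"]]:
        raise ValueError(f"{partner_name} is not a configured peer")
    ha["this-server-name"] = partner_name
    ifaces = partner["Dhcp4"]["interfaces-config"]["interfaces"]
    partner["Dhcp4"]["interfaces-config"]["interfaces"] = [
        new_iface if i == old_iface else i for i in ifaces]
    return partner


if __name__ == "__main__":
    print("server1 findings:", validate_ha(SERVER1_CONF))
    server2 = derive_partner_config(SERVER1_CONF, "server2", "server1-eth0", "server2-eth0")
    print(json.dumps(server2, indent=2))
```

Pointing the script at the real files (json.load on /root/lab/conf/kea-dhcp4.conf, then json.dump of the derived dict into /root/lab/conf2/) replaces the manual edit on kea-server2 and guarantees the peer lists cannot drift apart; note that Kea's own config files may contain comments, which json.load does not accept.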
6.2.3 Setting up the DHCP relay agent for the DHCP cluster
- In another terminal, switch to the container relay
- Start the DHCP relay to forward client requests to both Kea DHCP4 servers.
[relay]% dhcrelay -id relay1-eth0 -id relay2-eth0 -iu relay3-eth0 -iu relay4-eth0 \
-d 100.64.0.1 100.64.1.1
6.2.4 DHCP client
- Request a lease from a client. This lease should come from kea-server1 and should be synchronized to kea-server2 (see the lease file /var/lib/kea/kea-leases4.csv)
[client1]% dhclient -v -V fedoraLinux client1-eth0
6.2.5 Testing failover
- Stop the process kea-dhcp4 on the machine kea-server1.
[kea-server1]% systemctl stop kea-dhcp4
- The log messages on kea-server2 should show the state partner-down
- Requests from clientA should now be served by kea-server2 after 5000 ms
- Start the process kea-dhcp4 on kea-server1. Watch the synchronization of the lease database, then request a lease from a client. This client should now be served by kea-server1 again.
7 Kea DHCP monitoring and troubleshooting
8 Migrating ISC DHCP to Kea DHCP
9 Kea DHCPv6
9.1 ISC Kea DHCPv6 server
9.1.1 DHCPv6 exercise:
- We use the lab03 environment again
$ sudo -s
% cd /root/lab/lab03
% ./run
- Relay agent container:
- IPv6 configuration for the relay agent
[host]% enter relay
- Start the frr routing service (the previous name of the software frr was Quagga, and before that zebra; both names still appear in the software)
[relay]% echo "hostname relay" > /etc/frr/frr.conf
[relay]% systemctl enable --now frr
- Configure IPv6 addresses and SLAAC via the routing service
[relay]% vtysh
Hello, this is Quagga (version 1.2.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
relay# enable
relay# conf t
relay(config)# interface relay1-eth0
relay(config-if)# ipv6 address fd00:100::1/64
relay(config-if)# no shutdown
relay(config-if)# exit
relay(config)# interface relay2-eth0
relay(config-if)# ipv6 address fd00:200::1/64
relay(config-if)# no shutdown
relay(config-if)# exit
relay(config)# interface relay3-eth0
relay(config-if)# ipv6 address 2001:db8:100::1/64
relay(config-if)# ipv6 nd prefix 2001:db8:100::/64 900 300
relay(config-if)# no ipv6 nd suppress-ra
relay(config-if)# no shutdown
relay(config-if)# exit
relay(config)# ipv6 forwarding
relay(config)# exit
relay# write
Building Configuration...
Configuration saved to /etc/quagga/zebra.conf
[OK]
relay# exit
- The network configuration on the relay should now look like this
[root@relay /]% ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: relay1-eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3e:1d:04:2e:95:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.0.2.1/24 scope global relay1-eth0
       valid_lft forever preferred_lft forever
    inet6 fd00:100::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3c1d:4ff:fe2e:950a/64 scope link
       valid_lft forever preferred_lft forever
7: relay2-eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f2:da:3a:f5:33:6b brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 198.51.100.1/24 scope global relay2-eth0
       valid_lft forever preferred_lft forever
    inet6 fd00:200::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f0da:3aff:fef5:336b/64 scope link
       valid_lft forever preferred_lft forever
10: relay3-eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b2:c9:a0:ec:c5:4d brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet 100.64.0.2/24 scope global relay3-eth0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:100::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::b0c9:a0ff:feec:c54d/64 scope link
       valid_lft forever preferred_lft forever
- Start the DHCPv6 relay agent
- -6 selects IPv6; -d selects debug mode (the process stays in the foreground of the terminal); -l stands for "lower": DHCPv6 requests are received on this interface, it is the client side of the router/relay; -u stands for "upper": DHCPv6 requests are sent out on this interface via the all-servers multicast IPv6 address, this is the DHCPv6 server side of the router/relay. Replace 2001:db8::xxxx with the full IPv6 address of the Kea DHCP container.
[root@relay /]% dhcrelay -6 -d -l relay1-eth0 -l relay2-eth0 \
    -u 2001:db8:100:xxxx%relay3-eth0
Dropped all unnecessary capabilities.
Internet Systems Consortium DHCP Relay Agent 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Bound to *:547
Listening on Socket/relay3-eth0
Sending on   Socket/relay3-eth0
Listening on Socket/relay2-eth0
Sending on   Socket/relay2-eth0
Listening on Socket/relay1-eth0
Sending on   Socket/relay1-eth0
Setting hop count limit to 32 for interface relay3-eth0
Dropped all capabilities.
[...]
- Kea DHCP server
- Work on the Kea DHCP server container
[host]% enter kea-server
- Write a simple Kea DHCP6 configuration to the file /etc/kea/kea-dhcp6.conf. Use the IPv6 unicast address of the Kea DHCPv6 container from the documentation:
{
"Dhcp6": {
"valid-lifetime": 4000,
"renew-timer": 1000,
"rebind-timer": 2000,
"preferred-lifetime": 3000,
"interfaces-config": {
"interfaces": [ "server-eth0/2001:db8:100::zzzz" ] # <-- please adjust
},
"lease-database": {
"type": "memfile",
"persist": true,
"name": "/var/lib/kea/dhcp6.leases"
},
"subnet6": [
{
"subnet": "fd00:100::/64",
"id": 1000,
"pools": [ { "pool": "fd00:100::1-fd00:100::ffff" } ]
},
{
"subnet": "fd00:200::/64",
"id": 2000,
"pools": [ { "pool": "fd00:200::1-fd00:200::ffff" } ]
}
],
"loggers": [
{
"name": "kea-dhcp6",
"output_options": [ { "output": "/var/log/kea/kea-dhcp6.log" } ],
"severity": "INFO",
"debuglevel": 0
}
]
}
}
- Test the configuration
[kea-server]% kea-dhcp6 -t /etc/kea/kea-dhcp6.conf
2018-12-09 19:51:31.987 INFO  [kea-dhcp6.dhcpsrv/92] DHCPSRV_CFGMGR_ADD_IFACE listening on interface server-eth0
2018-12-09 19:51:31.990 INFO  [kea-dhcp6.dhcpsrv/92] DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to configuration: 2001:db8:1::/64 with params t1=1000, t2=2000, preferred-lifetime=3000, valid-lifetime=4000, rapid-commit is disabled
- Start the Kea DHCPv6 server with systemctl
[kea-server]% systemctl start kea-dhcp6
[kea-server]% systemctl status kea-dhcp6
* kea-dhcp6.service - Kea DHCPv6 Server
   Loaded: loaded (/usr/lib/systemd/system/kea-dhcp6.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-12-09 19:53:47 UTC; 4s ago
     Docs: man:kea-dhcp6(8)
 Main PID: 95 (kea-dhcp6)
    Tasks: 1 (limit: 1144)
   Memory: 2.3M
   CGroup: /machine.slice/libpod-5c5b9d031716ba7b04e2726f7c6f7ef48cdd95d4bbac8c51e7fb591fb7c900c1.scope/system.slice/kea-dhcp6.service
           \ /usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
systemd[1]: Started Kea DHCPv6 Server.
kea-dhcp6[95]: 2018-12-09 19:53:47.623 INFO  [kea-dhcp6.dhcp6/95] DHCP6_STARTING Kea DHCPv6 server version 1.3.0 starting
kea-dhcp6[95]: 2018-12-09 19:53:47.628 INFO  [kea-dhcp6.dhcpsrv/95] DHCPSRV_CFGMGR_ADD_IFACE listening on interface server-eth0
kea-dhcp6[95]: 2018-12-09 19:53:47.628 INFO  [kea-dhcp6.dhcpsrv/95] DHCPSRV_CFGMGR_NEW_SUBNET4 a new subnet has been added to co>
kea-dhcp6[95]: 2018-12-09 19:53:47.628 INFO  [kea-dhcp6.dhcp6/95] DHCP6_CONFIG_COMPLETE DHCPv6 server has completed configuratio>
kea-dhcp6[95]: 2018-12-09 19:53:47.629 INFO  [kea-dhcp6.dhcpsrv/95] DHCPSRV_MEMFILE_DB opening memory file lease database: name=>
kea-dhcp6[95]: 2018-12-09 19:53:47.630 INFO  [kea-dhcp6.dhcpsrv/95] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /va>
kea-dhcp6[95]: 2018-12-09 19:53:47.632 INFO  [kea-dhcp6.dhcpsrv/95] DHCPSRV_MEMFILE_LFC_SETUP setting up the Lease File Cleanup >
kea-dhcp6[95]: 2018-12-09 19:53:47.633 INFO  [kea-dhcp6.dhcp6/95] DHCP6_USING_SERVERID server is using server-id 00:01:00:01:23:>
kea-dhcp6[95]: 2018-12-09 19:53:47.634 INFO  [kea-dhcp6.dhcp6/95] DHCP6_STARTED Kea DHCPv6 server version 1.3.0 started
- Check that the Kea DHCPv6 server also listens on the global unicast address (starting with 2xxx::/16), in addition to the link-local address (fe80::/10) and the multicast address (ff02::1:2):
[kea-server]% lsof -i -n
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
kea-dhcp6 162 root    9u  IPv6  93992      0t0  UDP [2001:db8:100:0:74de:2cff:fe55:144]:dhcpv6-server
kea-dhcp6 162 root   10u  IPv6  93995      0t0  UDP [fe80::74de:2cff:fe55:144]:dhcpv6-server
kea-dhcp6 162 root   11u  IPv6  93998      0t0  UDP [ff02::1:2]:dhcpv6-server
- Check the Kea DHCPv6 DUID
[kea-server]% cat /var/lib/kea/kea-dhcp6-serverid
- Monitor the Kea DHCPv6 log file
[kea-server]% tail -f /var/log/kea/kea-dhcp6.log
2018-12-09 20:20:07.033 INFO  [kea-dhcp6.dhcp6/162] DHCP6_STARTED Kea DHCPv6 server version 1.3.0 started
- IPv6 DHCP clientA / clientB
- Work on clientA (or clientB)
[host]% enter clientA
- Request a permanent (IA_NA) IPv6 address
[clientA]% dhclient -6 -d
- Check the output on the client
- Check the output on the relay agent container:
Relaying Solicit from fe80::a00:ff:fe00:c0x port 546 going up
Relaying Advertise to fe80::a00:ff:fe00:c0x port 546 down.
Relaying Request from fe80::a00:ff:fe00:c0x port 546 going up
Relaying Reply to fe80::a00:ff:fe00:c0x port 546 down.
- Check the log output on the Kea server:
2018-12-09 20:25:20.579 INFO  [kea-dhcp6.leases/162] DHCP6_LEASE_ADVERT duid=[00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6], tid=0x331393: lease for address fd00:100::1 and iaid=2698975002 will be advertised
2018-12-09 20:25:21.594 INFO  [kea-dhcp6.leases/162] DHCP6_LEASE_ALLOC duid=[00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6], tid=0xc4e72b: lease for address fd00:100::1 and iaid=2698975002 has been allocated
2018-12-09 20:25:22.687 INFO  [kea-dhcp6.leases/162] DHCP6_DECLINE_LEASE Client duid=[00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6], tid=0xe04f1d sent DECLINE for address fd00:100::1 and the server marked it as declined. The lease will be recovered in 86400 seconds.
2018-12-09 20:25:23.334 INFO  [kea-dhcp6.leases/162] DHCP6_LEASE_ADVERT duid=[00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6], tid=0x5f88b6: lease for address fd00:100::2 and iaid=2698975002 will be advertised
2018-12-09 20:25:24.385 INFO  [kea-dhcp6.leases/162] DHCP6_LEASE_ALLOC duid=[00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6], tid=0xa61428: lease for address fd00:100::2 and iaid=2698975002 has been allocated
- Release the lease again
[clientA]% dhclient -6 -r
- Compare the lease database on the client with the lease database on the server (ia-na is a "non-temporary" address, ia-ta would be a "temporary" address; temporary addresses are not yet supported by Kea DHCPv6)
[clientA]% more /var/lib/dhclient/dhclient6.leases
lease6 {
  interface "client1-eth0";
  ia-na a0:df:17:1a {
    starts 1544387573;
    renew 1000;
    rebind 2000;
    iaaddr fd00:100::2 {
      starts 1544387573;
      preferred-life 3000;
      max-life 4000;
    }
  }
  option dhcp6.client-id 0:4:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6;
  option dhcp6.server-id 0:1:0:1:23:a0:2f:4b:76:de:2c:55:1:44;
}
- Server lease file /var/lib/kea/dhcp6.leases
[kea-server]% less /var/lib/kea/dhcp6.leases
address,duid,valid_lifetime,expire,subnet_id,pref_lifetime,lease_type,iaid,prefix_len,fqdn_fwd,fqdn_rev,hostname,hwaddr,state
fd00:100::1,00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6,4000,1544391121,1,3000,0,2698975002,128,0,0,,,0
fd00:100::1,00,86400,1544473522,1,0,0,2698975002,128,0,0,,,1
fd00:100::2,00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6,4000,1544391124,1,3000,0,2698975002,128,0,0,,,0
fd00:100::2,00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6,0,1544387124,1,0,0,2698975002,128,0,0,,,0
fd00:100::2,00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6,4000,1544391573,1,3000,0,2698975002,128,0,0,,,0
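The memfile above is not a table but an append-only journal: every change to a lease adds a row, the last row for an address is the current state, a row with valid_lifetime 0 records a deleted (released) lease, and the state column is 0 for a normal lease, 1 for declined and 2 for expired-reclaimed. That is why fd00:100::1 appears twice (allocation, then the decline with duid 00 and an 86400 s hold, matching the DHCP6_DECLINE_LEASE log line) and fd00:100::2 three times (allocation, release, re-allocation). The following Python script is an added example, not part of the workshop material: it replays the journal and reports active, declined and expired leases relative to a given time. The sample text is a constructed copy of the file shown above.

```python
import csv
import io

# Constructed copy of the /var/lib/kea/dhcp6.leases content shown above.
SAMPLE_LEASES6 = """\
address,duid,valid_lifetime,expire,subnet_id,pref_lifetime,lease_type,iaid,prefix_len,fqdn_fwd,fqdn_rev,hostname,hwaddr,state
fd00:100::1,00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6,4000,1544391121,1,3000,0,2698975002,128,0,0,,,0
fd00:100::1,00,86400,1544473522,1,0,0,2698975002,128,0,0,,,1
fd00:100::2,00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6,4000,1544391124,1,3000,0,2698975002,128,0,0,,,0
fd00:100::2,00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6,0,1544387124,1,0,0,2698975002,128,0,0,,,0
fd00:100::2,00:04:39:fe:8c:8b:1e:db:47:fc:a2:1c:23:54:ec:d5:5d:d6,4000,1544391573,1,3000,0,2698975002,128,0,0,,,0
"""

STATE_NAMES = {0: "default", 1: "declined", 2: "expired-reclaimed"}


def replay_memfile(text):
    """Replay the append-only memfile. Returns (current, history): current maps
    address -> last record still in force; a record with valid_lifetime 0 means
    the lease was deleted (released), so the address drops out of current."""
    current = {}
    history = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = {
            "address": row["address"],
            "duid": row["duid"],
            "valid_lifetime": int(row["valid_lifetime"]),
            "expire": int(row["expire"]),        # Unix timestamp
            "subnet_id": int(row["subnet_id"]),
            "lease_type": int(row["lease_type"]),  # 0 = IA_NA, 2 = IA_PD
            "state": int(row["state"]),
        }
        history.append(rec)
        if rec["valid_lifetime"] == 0:
            current.pop(rec["address"], None)
        else:
            current[rec["address"]] = rec
    return current, history


def lease_report(text, now):
    """Classify the leases in force at time 'now' (Unix timestamp)."""
    current, history = replay_memfile(text)
    report = {"active": [], "declined": [], "expired": [],
              "releases": sum(1 for r in history if r["valid_lifetime"] == 0)}
    for address, rec in sorted(current.items()):
        if rec["state"] == 1:
            report["declined"].append(address)   # held back until 'expire'
        elif rec["expire"] <= now:
            report["expired"].append(address)    # awaiting reclamation
        else:
            report["active"].append(address)
    return report


if __name__ == "__main__":
    # 1544391500 lies between the second allocation of ::2 and its expiry.
    for key, value in lease_report(SAMPLE_LEASES6, now=1544391500).items():
        print(f"{key:9}: {value}")
```

A declined address is the one finding worth alerting on: a client declines an address when duplicate address detection finds it already in use on the link, so a rising count of state 1 rows points at a rogue host or a second DHCP server handing out the same range. Running the same replay against the live file (open("/var/lib/kea/dhcp6.leases").read() in place of the sample) gives the current picture without waiting for the next lease-file cleanup.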
9.2 ISC Kea DHCPv6 rapid commit
9.2.1 Changes on the Kea DHCPv6 server
- Allow "rapid commit" for one of the subnets in the Kea DHCPv6 configuration
[...]
"subnet6": [
{
"subnet": "fd00:100::/32",
"id": 1000,
"rapid-commit": true,
"pools": [
{
"pool": "fd00:100::1-fd00:100::ffff"
}
],
[...]
- Test the configuration and reload the Kea DHCPv6 server
- Monitor the log output on the Kea DHCPv6 server
9.2.2 IPv6 DHCP request with rapid commit from the client
- On clientA, create the file /etc/dhcp/dhclient6.conf with a rapid-commit configuration
send dhcp6.rapid-commit;
- Remove the old DHCPv6 lease database on the client
[clientA]% rm /var/lib/dhclient/dhclient6.leases
- Request an IPv6 address from the DHCPv6 server with rapid commit:
[clientA]% dhclient -6 -d -cf /etc/dhcp/dhclient6.conf
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on Socket/client1-eth0
Sending on   Socket/client1-eth0
Created duid "\000\0049\376\214\213\036\333G\374\242\034#T\354\325]\326".
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT:  X-- IA_NA a0:df:17:1a
XMT:  | X-- Request renew in  +3600
XMT:  | X-- Request rebind in +5400
XMT: Solicit on client1-eth0, interval 1080ms.
RCV: Reply message on client1-eth0 from fe80::3c1d:4ff:fe2e:950a.
RCV:  X-- IA_NA a0:df:17:1a
RCV:  | X-- starts 1544389491
RCV:  | X-- t1 - renew  +1000
RCV:  | X-- t2 - rebind +2000
RCV:  | X-- [Options]
RCV:  | | X-- IAADDR fd00:100::2
RCV:  | | | X-- Preferred lifetime 3000.
RCV:  | | | X-- Max lifetime 4000.
RCV:  X-- Server ID: 00:01:00:01:23:a0:2f:4b:76:de:2c:55:01:44
PRC: Bound to lease 00:01:00:01:23:a0:2f:4b:76:de:2c:55:01:44.
PRC: Renewal event scheduled in 999 seconds, to run for 1000 seconds.
PRC: Depreference scheduled in 2999 seconds.
PRC: Expiration scheduled in 3999 seconds.
9.3 Kea DHCPv6 prefix delegation
9.3.1 Prefix delegation (PD) configuration on the Kea DHCPv6 server
- Add the configuration for a prefix delegation to the Kea DHCPv6 configuration /etc/kea/kea-dhcp6.conf:
[...]
"subnet6": [
{
"subnet": "fd00:100::/32",
"id": 1000,
"pools": [
{
"pool": "fd00:100::1-fd00:100::ffff"
}
],
"pd-pools": [
{
"prefix": "fd00:100:10::",
"prefix-len": 48,
"delegated-len": 56,
"excluded-prefix": "fd00:100:10::",
"excluded-prefix-len": 64
}
]
},
[...]
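The pd-pool above carves fd00:100:10::/48 into /56 prefixes, and the excluded-prefix settings implement the RFC 6603 prefix-exclude option: as I read the RFC and the Kea ARM, the bits of excluded-prefix between delegated-len and excluded-prefix-len are applied to every delegated prefix, so here each delegated /56 carries its first /64 as excluded (the link prefix the client must not use downstream). The following Python function is an added example, not part of the workshop material or of Kea: it enumerates the delegable prefixes of a pd-pool and computes the excluded sub-prefix for each, with the parameter names taken from the configuration above.

```python
import ipaddress


def delegated_prefixes(prefix, prefix_len, delegated_len,
                       excluded_prefix=None, excluded_prefix_len=None):
    """Enumerate the prefixes a Kea pd-pool can delegate.

    Returns a list of (delegated_network, excluded_network_or_None). The
    exclusion follows RFC 6603 as I understand Kea applies it: the bits of
    excluded-prefix between delegated_len and excluded_prefix_len are
    appended to every delegated prefix (assumption, see the lead-in)."""
    pool = ipaddress.IPv6Network(f"{prefix}/{prefix_len}")
    if not prefix_len <= delegated_len <= 128:
        raise ValueError("delegated-len must lie between prefix-len and 128")
    tail_bits = None
    if excluded_prefix is not None:
        if excluded_prefix_len is None or excluded_prefix_len <= delegated_len:
            raise ValueError("excluded-prefix-len must be longer than delegated-len")
        excluded = ipaddress.IPv6Network(f"{excluded_prefix}/{excluded_prefix_len}")
        if not excluded.subnet_of(pool):
            raise ValueError("excluded-prefix must lie inside the pd-pool prefix")
        width = excluded_prefix_len - delegated_len
        # bits [delegated_len, excluded_prefix_len) of the excluded prefix
        tail_bits = (int(excluded.network_address) >> (128 - excluded_prefix_len)) & ((1 << width) - 1)
    result = []
    for delegated in pool.subnets(new_prefix=delegated_len):
        excluded_net = None
        if tail_bits is not None:
            base = int(delegated.network_address) | (tail_bits << (128 - excluded_prefix_len))
            excluded_net = ipaddress.IPv6Network((base, excluded_prefix_len))
        result.append((delegated, excluded_net))
    return result


def pool_capacity(prefix_len, delegated_len):
    """Number of prefixes a pd-pool can hand out: 2^(delegated-len - prefix-len)."""
    return 1 << (delegated_len - prefix_len)


if __name__ == "__main__":
    # The pd-pool from the configuration above.
    pd = delegated_prefixes("fd00:100:10::", 48, 56, "fd00:100:10::", 64)
    print(f"{len(pd)} delegable prefixes (capacity {pool_capacity(48, 56)})")
    for delegated, excluded in pd[:3]:
        print(f"  {delegated}  excluded {excluded}")
    # expected first line: fd00:100:10::/56  excluded fd00:100:10::/64
```

The capacity figure is the number worth sizing against: a /48 pool of /56 delegations serves at most 256 customer routers, so a flood of Solicit messages with IA_PD from changing DUIDs exhausts it quickly, which is a reason to pair pd-pools with client classes or reservations rather than leaving them open to every relay.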
9.3.2 Sending a DHCPv6-PD request from a client
- Send a request for an IPv6 network with the (-P) option (prefix delegation)
[clientA]% dhclient -d -6 -P client1-eth0
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on Socket/client1-eth0
Sending on   Socket/client1-eth0
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT:  X-- IA_PD a0:df:17:1a
XMT:  | X-- Request renew in  +3600
XMT:  | X-- Request rebind in +5400
XMT: Solicit on client1-eth0, interval 1030ms.
RCV: Advertise message on client1-eth0 from fe80::3c1d:4ff:fe2e:950a.
RCV:  X-- IA_PD a0:df:17:1a
RCV:  | X-- starts 1544388880
RCV:  | X-- t1 - renew  +1000
RCV:  | X-- t2 - rebind +2000
RCV:  | X-- [Options]
RCV:  | | X-- IAPREFIX fd00:100:10::/56
RCV:  | | | X-- Preferred lifetime 3000.
RCV:  | | | X-- Max lifetime 4000.
RCV:  X-- Server ID: 00:01:00:01:23:a0:2f:4b:76:de:2c:55:01:44
RCV:  Advertisement recorded.
PRC: Selecting best advertised lease.
PRC: Considering best lease.
PRC:  X-- Initial candidate 00:01:00:01:23:a0:2f:4b:76:de:2c:55:01:44 (s: 10103, p: 0).
XMT: Forming Request, 0 ms elapsed.
XMT:  X-- IA_PD a0:df:17:1a
XMT:  | X-- Requested renew  +3600
XMT:  | X-- Requested rebind +5400
XMT:  | | X-- IAPREFIX fd00:100:10::/56
XMT:  | | | X-- Preferred lifetime +7200
XMT:  | | | X-- Max lifetime +7500
XMT:  V IA_PD appended.
XMT: Request on client1-eth0, interval 1090ms.
RCV: Reply message on client1-eth0 from fe80::3c1d:4ff:fe2e:950a.
RCV:  X-- IA_PD a0:df:17:1a
RCV:  | X-- starts 1544388881
RCV:  | X-- t1 - renew  +1000
RCV:  | X-- t2 - rebind +2000
RCV:  | X-- [Options]
RCV:  | | X-- IAPREFIX fd00:100:10::/56
RCV:  | | | X-- Preferred lifetime 3000.
RCV:  | | | X-- Max lifetime 4000.
RCV:  X-- Server ID: 00:01:00:01:23:a0:2f:4b:76:de:2c:55:01:44
PRC: Bound to lease 00:01:00:01:23:a0:2f:4b:76:de:2c:55:01:44.
Prefix BOUND6 old= new=fd00:100:10::/56
PRC: Renewal event scheduled in 998 seconds, to run for 1000 seconds.
PRC: Depreference scheduled in 1690 seconds.
PRC: Expiration scheduled in 2690 seconds.
10 Extra content
10.1 Video: NetBox and Kea DHCP
10.2 Using Kea with YAML
10.3 "Sticky" IP leases
- Kea DHCP hands out new, random IP addresses from the DHCP pool
- If Kea DHCP should remember old leases and, where possible, give returning client machines the IP address they were previously assigned, this configuration must be used:
{
"Dhcp4": {
// Set up reclamation of expired leases and lease affinity.
// Expired leases are reclaimed every hour. Every 2 hours, reclaimed
// leases that expired more than 1 year ago are removed. The limits
// for lease reclamation are 10 leases or 250 ms per cycle. A warning
// is logged if expired leases are still in the database after 5
// consecutive reclamation cycles.
"expired-leases-processing": {
"reclaim-timer-wait-time": 3600,
"flush-reclaimed-timer-wait-time": 7200,
"hold-reclaimed-time": 31536000,
"max-reclaim-leases": 10,
"max-reclaim-time": 250,
"unwarned-reclaim-cycles": 5
},
[...]
10.4 Migrating ISC DHCP "allow/deny members of"
- Question: how do you reproduce the following ISC DHCP configuration in Kea DHCP:
in file /etc/dhcp/activezone/dhcpd.conf.netz.xy.sub:
subclass "mobil_all" 00:15:77:ba:aa:7b;
in file /etc/dhcp/activezone/dhcpd.conf.netz.xy.conf:
subnet 10.20.x.y netmask 255.255.248.0 {
option routers 10.20.x.y;
option domain-name-servers <IP>;
include "/etc/dhcp/activezone/dhcpd.conf.netz.x.y.sub";
host reservations...
pool {
allow members of "mobil_all";
range 10.20.x.y...;
- Solution 1: host reservation (the reservation assigns the class, the pool admits only members of that class)
{
"Dhcp4": {
// reservations defined outside any subnet are only consulted when this is enabled
"reservations-global": true,
"reservations": [
{ "hw-address": "00:15:77:ba:aa:7b", "client-classes": [ "mobil_all" ] },
...
],
"subnet4": [
{
"subnet": "10.20.2.0/24",
"id": 1000,
"pools": [
{
"pool": "10.20.2.10 - 10.20.2.20",
"client-classes": [ "mobil_all" ]
}
]
},
...
]
}
}
- Solution 2: client class (the class test matches on the client's MAC address; the expression uses single quotes so that it is valid inside the JSON string)
{
"Dhcp4": {
"client-classes": [
{
"name": "mobil_all",
"test": "hexstring(pkt4.mac, ':') == '00:15:77:ba:aa:7b'"
},
...
],
"subnet4": [
{
"subnet": "10.20.2.0/24",
"id": 1000,
"pools": [
{
"pool": "10.20.2.10 - 10.20.2.20",
"client-classes": [ "mobil_all" ]
}
]
},
...
]
}
}
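The conversion from ISC DHCP subclass statements to both Kea forms above, as an added example (not code from the workshop or from Kea): the input is a constructed fragment modelled on the .sub file, and the generated lists still need the surrounding subnet4/pool definitions shown in the two solutions.

```python
"""Convert ISC DHCP 'subclass' statements into the two Kea forms shown above.
Added example, not part of the workshop material or of Kea; the input is a
constructed fragment modelled on the lab's dhcpd.conf.netz.xy.sub file."""
import json
import re

# constructed sample input (the ISC DHCP ".sub" file); '1:' is ISC's optional
# hardware-type prefix and single-digit octets are legal in dhcpd.conf
ISC_SUB = '''
subclass "mobil_all" 00:15:77:ba:aa:7b;
subclass "mobil_all" 1:0:15:77:BA:AA:7C;
subclass "drucker" aa:bb:cc:dd:ee:ff;
'''

SUBCLASS_RE = re.compile(r'subclass\s+"([^"]+)"\s+(?:1:)?([0-9a-fA-F:]+)\s*;')

def parse_subclasses(text):
    """Return {class_name: [mac, ...]} with MACs normalised to the form that
    Kea's hexstring(pkt4.mac, ':') produces: lowercase, two digits per octet."""
    classes = {}
    for name, mac in SUBCLASS_RE.findall(text):
        octets = [o.lower().zfill(2) for o in mac.split(":")]
        if len(octets) != 6:
            raise ValueError(f"not a 48-bit MAC in subclass {name!r}: {mac}")
        classes.setdefault(name, []).append(":".join(octets))
    return classes

def kea_client_classes(classes):
    """Solution 2: one Kea client class per ISC subclass. The expression uses
    single quotes so that it can live inside a JSON string unescaped."""
    return [{"name": name,
             "test": " or ".join(f"hexstring(pkt4.mac, ':') == '{m}'" for m in macs)}
            for name, macs in classes.items()]

def kea_reservations(classes):
    """Solution 1: a host reservation per MAC that attaches the class."""
    return [{"hw-address": m, "client-classes": [name]}
            for name, macs in classes.items() for m in macs]

if __name__ == "__main__":
    parsed = parse_subclasses(ISC_SUB)
    print(json.dumps({"Dhcp4": {"client-classes": kea_client_classes(parsed),
                                "reservations": kea_reservations(parsed)}}, indent=2))
```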
10.5 Different lease times for clients with reservations
- Clients with a host reservation are members of Kea's built-in class KNOWN; a client class that tests for it can carry its own valid-lifetime, which overrides the global value for those clients:
{
"Dhcp4": {
"valid-lifetime": 600,
"client-classes": [
{
"name": "reservierungen",
"test": "member('KNOWN')",
"valid-lifetime": 3600
}
],
[...]
10.6 Lab environment
- Source code of the Kea DHCP workshop lab environment: https://github.com/cstrotm/kea-dhcp-training-lab
10.7 Dynamic DNS updates from Kea DHCP
10.7.1 Lab network
- Create the container configuration for the dynamic DNS updates lab
[host]% cd /root/lab/lab04
[host]% ./run
10.7.2 Preparing a BIND 9 DNS server
- Create a simple BIND 9 configuration
[host]% enter bind9
[bind9]% systemctl edit --full named
[...]
Environment=NAMEDCONF=/etc/namedb/named.conf
[...]
[bind9]% cd /etc/namedb
[bind9]% nano named.conf
- BIND 9 configuration file
options {
recursion no;
directory "/etc/namedb";
};
zone "example.com" {
type master;
allow-update { 100.64.0.1; };
file "example.com";
};
- Create a simple zone file for the domain
example.com
[bind9]% nano example.com
- Content of the example.com zone file
$TTL 1h
@ IN SOA dns.example.com. hostmaster 1001 2h 30m 41d 1h
IN NS dns.example.com.
dns IN A 100.64.53.1
- Adjust the file and directory permissions
[bind9]% chown -R named /etc/namedb
- Check configuration and start the BIND 9 DNS-Server
[bind9]% named-checkconf -z /etc/namedb/named.conf
zone example.com/IN: loaded serial 1001
[bind9]% systemctl enable --now named
[bind9]% systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/etc/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2018-12-08 21:21:31 UTC; 2s ago
Process: 114 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 123 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 121 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking o>
Main PID: 124 (named)
Tasks: 7 (limit: 4915)
Memory: 56.6M
CGroup: /machine.slice/libpod-85f9421313e21d95745a04b15adc67749a39ebce96087a78e0e83db7ef6f3b16.scope/system.slice/named.service
└─124 /usr/sbin/named -u named -c /etc/namedb/named.conf
Dec 08 21:21:31 85f9421313e2 named[124]: none:104: 'max-cache-size 90%' - setting to 10699MB (out of 11888MB)
Dec 08 21:21:31 85f9421313e2 named[124]: configuring command channel from '/etc/rndc.key'
Dec 08 21:21:31 85f9421313e2 named[124]: command channel listening on 127.0.0.1#953
Dec 08 21:21:31 85f9421313e2 named[124]: configuring command channel from '/etc/rndc.key'
Dec 08 21:21:31 85f9421313e2 named[124]: command channel listening on ::1#953
Dec 08 21:21:31 85f9421313e2 named[124]: managed-keys-zone: loaded serial 0
Dec 08 21:21:31 85f9421313e2 named[124]: zone example.com/IN: loaded serial 1001
Dec 08 21:21:31 85f9421313e2 named[124]: all zones loaded
Dec 08 21:21:31 85f9421313e2 named[124]: running
Dec 08 21:21:31 85f9421313e2 systemd[1]: Started Berkeley Internet Name Domain (DNS).
- Query the SOA record from the new DNS server and check the flags to see that the answer is authoritative (aa flag)
[bind9]% dig @localhost soa example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-10.P2.fc29 <<>> @localhost soa example.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13943
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e2bfaaa71e139bacd7f36d815c0c3643b451622ab4174331 (good)
;; QUESTION SECTION:
;example.com. IN SOA
;; ANSWER SECTION:
example.com. 3600 IN SOA dns.example.com. hostmaster.example.com. 1001 7200 1800 3542400 3600
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Dec 08 21:23:15 UTC 2018
;; MSG SIZE rcvd: 119
10.7.3 Dynamic DNS updates from Kea DHCP
- Work on the Kea DHCP Server machine
[host]% enter kea-server
- Create a configuration file for the kea-dhcp-ddns daemon in /etc/kea/kea-dhcp-ddns.conf (writing domain names in fully qualified format, including the "." at the end, is very important!):
{
"DhcpDdns": {
"ip-address": "127.0.0.1",
"port": 53001,
"dns-server-timeout": 100,
"ncr-protocol": "UDP",
"ncr-format": "JSON",
"tsig-keys": [],
"forward-ddns": {
"ddns-domains": [
{
"name": "example.com.",
"key-name": "",
"dns-servers": [
{
"hostname": "",
"ip-address": "100.64.53.1",
"port": 53
}
]
}
]
},
"reverse-ddns": {
"ddns-domains": []
},
"loggers": [
{
"name": "kea-dhcp-ddns",
"severity": "INFO",
"output_options": [
{
"output": "/var/log/kea/kea-dhcp-ddns.log"
}
]
}
]
}
}
- Test the configuration file
[kea-server]% kea-dhcp-ddns -t /etc/kea/kea-dhcp-ddns.conf
2018-12-08 21:33:17.546 INFO [kea-dhcp-ddns.dctl/52] DCTL_CONFIG_CHECK_COMPLETE server has completed configuration check: listening on 127.0.0.1, port 53001, using UDP, result: success(0), text=Configuration seems sane.
- Start the Kea DHCP-DDNS (D2) server
[kea-server]% systemctl start kea-dhcp-ddns
[kea-server]% systemctl status kea-dhcp-ddns
● kea-dhcp-ddns.service - Kea DHCP-DDNS Server
Loaded: loaded (/usr/lib/systemd/system/kea-dhcp-ddns.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2018-12-08 21:34:07 UTC; 4s ago
Docs: man:kea-dhcp-ddns(8)
Main PID: 55 (kea-dhcp-ddns)
Tasks: 1 (limit: 4915)
Memory: 1.8M
CGroup: /machine.slice/libpod-e96af203d05ac37853f65c7a93ffdbf87d509873172b7bab5abae1505f6a2c9b.scope/system.slice/kea-dhcp-ddns.service
└─55 /usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
Dec 08 21:34:07 e96af203d05a systemd[1]: Started Kea DHCP-DDNS Server.
Dec 08 21:34:07 e96af203d05a kea-dhcp-ddns[55]: 2018-12-08 21:34:07.445 INFO [kea-dhcp-ddns.dctl/55] DCTL_STARTING DhcpDdns starting, pid: 55, version: 1>
Dec 08 21:34:07 e96af203d05a kea-dhcp-ddns[55]: 2018-12-08 21:34:07.446 INFO [kea-dhcp-ddns.dctl/55] DCTL_CONFIG_COMPLETE server has completed configurat>
Dec 08 21:34:07 e96af203d05a kea-dhcp-ddns[55]: 2018-12-08 21:34:07.446 INFO [kea-dhcp-ddns.dhcpddns/55] DHCP_DDNS_STARTED Kea DHCP-DDNS server version 1>
- In the kea-dhcp4 configuration file, revert from the PostgreSQL backend to the memfile backend for lease storage (because in this lab we do not have the database running)
"lease-database": {
"type": "memfile",
"lfc-interval": 3600
},
- Enable DDNS in the kea-dhcp4.conf configuration file
{
"Dhcp4": {
"ddns-replace-client-name": "always",
"ddns-generated-prefix": "host",
"ddns-qualifying-suffix": "example.com.",
"dhcp-ddns": {
"enable-updates": true
},
[...]
- Test the configuration and restart the Kea DHCP server
- Monitor the Kea-DHCP-DDNS logfile
[kea-server]% tail -f /var/log/kea/kea-dhcp-ddns.log
- Start the relay agent on the relay container
[relay]% dhcrelay -id relay1-eth0 -id relay2-eth0 -iu relay3-eth0 -d 100.64.0.1
- Request a lease from clientA and clientB. Observe the Kea-DHCP-DDNS logfile:
2018-12-08 21:50:23.003 INFO [kea-dhcp-ddns.dhcpddns/89] DHCP_DDNS_STARTED Kea DHCP-DDNS server version 1.3.0 started
2018-12-08 21:53:49.204 INFO [kea-dhcp-ddns.d2-to-dns/89] DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID 000101900AC838EC971B893D11C655FBB9E1E8343488CB0801F35B74A64CA9424C996E: successfully added the DNS mapping addition for this request: Type: 0 (CHG_ADD) Forward Change: yes Reverse Change: no FQDN: [host-192-0-2-100.example.com.] IP Address: [192.0.2.100] DHCID: [000101900AC838EC971B893D11C655FBB9E1E8343488CB0801F35B74A64CA9424C996E] Lease Expires On: 20181208225349 Lease Length: 3600
- Log on the BIND 9 DNS-Server
# journalctl -fu named
-- Logs begin at Sat 2018-12-08 21:07:04 UTC. --
Dec 08 21:21:31 85f9421313e2 named[124]: command channel listening on 127.0.0.1#953
Dec 08 21:21:31 85f9421313e2 named[124]: configuring command channel from '/etc/rndc.key'
Dec 08 21:21:31 85f9421313e2 named[124]: command channel listening on ::1#953
Dec 08 21:21:31 85f9421313e2 named[124]: managed-keys-zone: loaded serial 0
Dec 08 21:21:31 85f9421313e2 named[124]: zone example.com/IN: loaded serial 1001
Dec 08 21:21:31 85f9421313e2 named[124]: all zones loaded
Dec 08 21:21:31 85f9421313e2 named[124]: running
Dec 08 21:21:31 85f9421313e2 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Dec 08 21:51:47 85f9421313e2 named[124]: received control channel command 'sync'
Dec 08 21:51:47 85f9421313e2 named[124]: dumping all zones: success
Dec 08 21:53:49 85f9421313e2 named[124]: client @0x7f9a9c11e0b0 100.64.0.1#54788: updating zone 'example.com/IN': adding an RR at 'host-192-0-2-100.example.com' A 192.0.2.100
Dec 08 21:53:49 85f9421313e2 named[124]: client @0x7f9a9c11e0b0 100.64.0.1#54788: updating zone 'example.com/IN': adding an RR at 'host-192-0-2-100.example.com' DHCID AAEBkArIOOyXG4k9EcZV+7nh6DQ0iMsIAfNbdKZMqUJMmW4=
- Inspect updated zonefile
[bind9]% rndc sync
[bind9]% cat /etc/namedb/example.com
$ORIGIN .
$TTL 3600 ; 1 hour
example.com IN SOA dns.example.com. hostmaster.example.com. (
1003 ; serial
7200 ; refresh (2 hours)
1800 ; retry (30 minutes)
3542400 ; expire (5 weeks 6 days)
3600 ; minimum (1 hour)
)
NS dns.example.com.
$ORIGIN example.com.
dns A 100.64.53.1
host-192-0-2-100 A 192.0.2.100
DHCID ( AAEBkArIOOyXG4k9EcZV+7nh6DQ0iMsIAfNbdKZMqUJM
mW4= ) ; 1 1 32
host-198-51-100-50 A 198.51.100.50
DHCID ( AAEBCI5Fy5lEJYJbJcRaLLKHNUVpTN5HyOU8C/1Ijobh
CjM= ) ; 1 1 32
10.7.4 Reverse DNS zone updates (optional exercise)
- Add reverse zones to the BIND 9 DNS server for the IP networks 192.0.2.0/24 (2.0.192.in-addr.arpa.) and 198.51.100.0/24 (100.51.198.in-addr.arpa.).
- Add the reverse zones to the Kea-DHCP-DDNS daemon configuration
- Reload and test
10.7.5 Securing DDNS with TSIG (optional exercise)
- Operating DDNS with authentication based on IP addresses is insecure (the update is accepted from anyone who can send packets with that source address). In production environments, DDNS updates should be authenticated with TSIG
- In this exercise we change the previous DDNS configuration to use TSIG keys
- Generate a TSIG key
- On the BIND 9 DNS server machine we generate a TSIG key with the name kea-ddns
[bind9]% tsig-keygen kea-ddns
key "kea-ddns" {
algorithm hmac-sha256;
secret "iSi6Z2aXlX3AkoWCORnUCUHb80H0x14vI7PaCGL66Co=";
};
- Copy this key statement to the beginning of the BIND 9 configuration file named.conf
key "kea-ddns" {
algorithm hmac-sha256;
secret "iSi6Z2aXlX3AkoWCORnUCUHb80H0x14vI7PaCGL66Co=";
};
options {
[...]
- Change the zone definition for example.com to authenticate dynamic DNS updates with the TSIG key:
[...]
zone "example.com" {
type master;
allow-update { key "kea-ddns"; };
file "example.com";
};
- Check the configuration and reload the BIND 9 DNS server
[bind9]% named-checkconf -z /etc/namedb/named.conf
zone example.com/IN: loaded serial 1003
[bind9]% rndc reload
server reload successful
[bind9]% journalctl -fu named
- Change the Kea DHCP-DDNS configuration
- On the Kea DHCP server, stop the kea-dhcp4 daemon, remove the lease file (to trigger new DDNS updates) and start the service again
[kea-server]% systemctl stop kea-dhcp4
[kea-server]% rm /var/lib/kea/kea-leases*
[kea-server]% systemctl start kea-dhcp4
- Add the TSIG key into the tsig-keys array in the kea-dhcp-ddns.conf file
{
"DhcpDdns": {
"ip-address": "127.0.0.1",
"port": 53001,
"dns-server-timeout": 100,
"ncr-protocol": "UDP",
"ncr-format": "JSON",
"tsig-keys": [
{
"name": "kea-ddns",
"algorithm": "HMAC-SHA256",
"secret": "iSi6Z2aXlX3AkoWCORnUCUHb80H0x14vI7PaCGL66Co="
}
],
"forward-ddns": {
[...]
- Add the name of the TSIG key to use in the ddns-domains block
[...]
"forward-ddns": {
"ddns-domains": [
{
"name": "example.com.",
"key-name": "kea-ddns",
"dns-servers": [
{
"hostname": "",
"ip-address": "100.64.53.1",
"port": 53
}
]
}
]
},
[...]
- Test the new configuration and restart kea-dhcp-ddns
[kea-server]% kea-dhcp-ddns -t /etc/kea/kea-dhcp-ddns.conf
[kea-server]% systemctl restart kea-dhcp-ddns
- Request a new lease from one of the clients and inspect the log output on the BIND 9 DNS server; the update is now attributed to the signer "kea-ddns" instead of only to a source address
Dec 08 22:23:56 85f9421313e2 named[124]: client @0x7f9a9c101170 100.64.0.1#50032/key kea-ddns: signer "kea-ddns" approved
Dec 08 22:23:56 85f9421313e2 named[124]: client @0x7f9a9c101170 100.64.0.1#50032/key kea-ddns: updating zone 'example.com/IN': deleting rrset at 'host-198-51-100-50.example.com' A
Dec 08 22:23:56 85f9421313e2 named[124]: client @0x7f9a9c101170 100.64.0.1#50032/key kea-ddns: updating zone 'example.com/IN': adding an RR at 'host-198-51-100-50.example.com' A 198.51.100.50
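A small pre-deployment check for the kea-dhcp-ddns.conf built in 10.7.3 to 10.7.5, as an added example (not code from the workshop or from Kea): it flags domain names without the trailing ".", domains that still rely on source-IP authentication instead of a defined TSIG key, and computes the in-addr.arpa zone names needed for the reverse-DNS exercise. The two configurations it checks are constructed, and the secret is a placeholder.

```python
"""Pre-deployment checks for kea-dhcp-ddns.conf: every ddns-domain must be
fully qualified (trailing '.') and must name a TSIG key defined in "tsig-keys",
so no zone is updated with source-IP-only authentication. Added example, not
part of the workshop or of Kea; the two configurations below are constructed."""
import ipaddress
import json

UNSIGNED_CONF = """{ "DhcpDdns": { "ip-address": "127.0.0.1", "port": 53001,
  "tsig-keys": [],
  "forward-ddns": { "ddns-domains": [ { "name": "example.com", "key-name": "",
    "dns-servers": [ { "ip-address": "100.64.53.1", "port": 53 } ] } ] },
  "reverse-ddns": { "ddns-domains": [] } } }"""
SIGNED_CONF = """{ "DhcpDdns": { "ip-address": "127.0.0.1", "port": 53001,
  "tsig-keys": [ { "name": "kea-ddns", "algorithm": "HMAC-SHA256",
                   "secret": "PLACEHOLDER-BASE64-SECRET=" } ],
  "forward-ddns": { "ddns-domains": [ { "name": "example.com.", "key-name": "kea-ddns",
    "dns-servers": [ { "ip-address": "100.64.53.1", "port": 53 } ] } ] },
  "reverse-ddns": { "ddns-domains": [ { "name": "2.0.192.in-addr.arpa.",
    "key-name": "kea-ddns", "dns-servers": [ { "ip-address": "100.64.53.1" } ] } ] } } }"""

def check_ddns_config(conf_text):
    """Return a list of problem descriptions; an empty list means the file passes."""
    cfg = json.loads(conf_text)["DhcpDdns"]
    keys = {k["name"]: k for k in cfg.get("tsig-keys", [])}
    problems = [f"tsig-key {n!r} lacks algorithm or secret"
                for n, k in keys.items() if not (k.get("algorithm") and k.get("secret"))]
    for section in ("forward-ddns", "reverse-ddns"):
        for dom in cfg.get(section, {}).get("ddns-domains", []):
            name, key = dom.get("name", ""), dom.get("key-name", "")
            if not name.endswith("."):
                problems.append(f"{section}: {name!r} is not fully qualified")
            if not key:  # empty key-name: updates are accepted on source IP alone
                problems.append(f"{section}: {name!r} would send unsigned updates")
            elif key not in keys:
                problems.append(f"{section}: {name!r} references unknown key {key!r}")
    return problems

def reverse_zone(cidr):
    """in-addr.arpa zone name for an octet-aligned IPv4 prefix, as needed in the
    optional reverse-DNS exercise: 192.0.2.0/24 -> '2.0.192.in-addr.arpa.'."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 or /24 IPv4 prefixes map to a single zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."
```

Running check_ddns_config on the lab's first, unsigned configuration reports two problems (missing trailing dot, no key-name); the TSIG-signed variant passes.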
10.7.6 Clean Up Lab04
- Exit from the kea-server, relay, bind9, clientA and clientB containers
- Execute the scripts ./stop and ./clean in /root/lab/lab04
10.8 Kea DHCP webinar series from ISC
- YouTube playlist: https://www.youtube.com/playlist?list=PLUwyH0o3uuIAQgl5ZmOeP9LKFDkLC2Usp
- Rewriting ISC DHCP options as Kea DHCP options: https://webinar.defaultroutes.de/webinar/15-Kea-DHCP-Options.html