# Failed to start dhcpd

## Rocker

Hi, 

I'm configuring my new server now. Everything works fine, except the dhcp daemon won't start.

This time I've configured it to start in a chrooted env: /chroot/dhcp

When starting dhcp with /etc/init.d/dhcp start I get the following:

```
server dhcp # /etc/init.d/dhcp start
 * Setting ownership on dhcpd.leases...   [ ok ]
 * Starting chrooted dhcpd...             [ !! ]
```

My /var/log/messages says the following:

```
Mar 13 18:58:46 server dhcpd: unable to create icmp socket: Operation not permitted
Mar 13 18:58:46 server dhcpd: Wrote 0 deleted host decls to leases file.
Mar 13 18:58:46 server dhcpd: Wrote 0 new dynamic host decls to leases file.
Mar 13 18:58:46 server dhcpd: Wrote 0 leases to leases file.
Mar 13 18:58:46 server dhcpd: Open a socket for LPF: Operation not permitted
Mar 13 18:58:46 server dhcpd:
Mar 13 18:58:46 server dhcpd: If you did not get this software from ftp.isc.org, please
Mar 13 18:58:46 server dhcpd: get the latest from ftp.isc.org and install that before
Mar 13 18:58:46 server dhcpd: requesting help.
Mar 13 18:58:46 server dhcpd:
Mar 13 18:58:46 server dhcpd: If you did get this software from ftp.isc.org and have not
Mar 13 18:58:46 server dhcpd: yet read the README, please read it before requesting help.
Mar 13 18:58:46 server dhcpd: If you intend to request help from the dhcp-server@isc.org
Mar 13 18:58:46 server dhcpd: mailing list, please read the section on the README about
Mar 13 18:58:46 server dhcpd: submitting bug reports and requests for help.
Mar 13 18:58:46 server dhcpd:
Mar 13 18:58:46 server dhcpd: Please do not under any circumstances send requests for
Mar 13 18:58:46 server dhcpd: help directly to the authors of this software - please
Mar 13 18:58:46 server dhcpd: send them to the appropriate mailing list as described in
Mar 13 18:58:46 server dhcpd: the README file.
Mar 13 18:58:46 server dhcpd:
Mar 13 18:58:46 server dhcpd: exiting.
```

I can't find any information about this on this forum, and a search on Google (with the exact error) gives only 3 results...

Personally, I think that this error is because of the chrooted environment. I didn't have any problems with installing dhcp on my old server (wasn't chrooted).

----------

## adaptr

It might help to know how you have configured this.

Have you done what the errors tell you to?

What are the permissions and ownership of your home-grown chroot?

----------

## Rocker

Hi, here are my config files:

```
# Begin /etc/dhcp/dhcpd.conf

authoritative;
ddns-update-style none;
deny bootp;
one-lease-per-client true;

subnet 192.168.0.0 netmask 255.255.255.0 {
   option broadcast-address 192.168.0.255;
   option routers 192.168.0.1;
   option domain-name-servers 192.168.0.1;
   option domain-name "rutger.homelinux.net";
   option ip-forwarding false;

   pool {
      range 192.168.0.10 192.168.0.20;
      default-lease-time 86400;
      max-lease-time 604800;
   }
}

host rAcer {
        hardware ethernet 00:c0:9f:24:77:bd;
        fixed-address 192.168.0.3;
}

# End /etc/dhcp/dhcpd.conf
```

This is the authorisation for /chroot/dhcp:

```
drwxr-xr-x    5 root     root         4096 Mar 13 08:56 dhcp
```

which is the same as for the non-chrooted /etc/dhcp/ directory.

BTW, my dhcp server is running right now. I removed the chrooted option, so it's running in a non chrooted environment. But when I set it to chroot again, it fails to start.

So for now, I'm sure that it is related to the chrooted configuration.

----------

## adaptr

Shouldn't the host definition be inside the subnet?

It certainly is part of it.

And as what user does dhcpd start?

Only root will have sufficient rights to make the chroot.

----------

## Rocker

```
drwxr-xr-x    5 root     root         4096 Mar 13 08:56 /chroot/dhcp
drwxr-xr-x    2 root     root         4096 Mar 13 08:56 /chroot/dhcp/dev
drwxr-xr-x    3 root     root         4096 Mar 13 08:56 /chroot/dhcp/etc
drwxr-xr-x    2 root     root         4096 Mar 13 18:03 /chroot/dhcp/etc/dhcp
drwxr-xr-x    4 root     root         4096 Mar 13 08:56 /chroot/dhcp/var
drwxr-xr-x    3 dhcp     dhcp         4096 Mar 13 08:56 /chroot/dhcp/var/lib
drwxr-xr-x    2 dhcp     dhcp         4096 Mar 13 20:24 /chroot/dhcp/var/lib/dhcp
drwxr-xr-x    3 root     root         4096 Mar 13 08:56 /chroot/dhcp/var/run
drwxr-xr-x    2 dhcp     dhcp         4096 Mar 13 08:56 /chroot/dhcp/var/run/dhcp
```

These are exactly the same auth as /etc/dhcp, /var/run/dhcp, /var/lib/dhcp, etc. The daemon is running as user dhcp.

It is possible that the host definition should be inside, but when I try it, it gives the same error message.

----------

## adaptr

*Quote:*

> The daemon is running as user dhcp

That would be it, then.

What do the log files have to say?

Bump up the log level while sorting this out, it should at least tell you something relevant...

----------

## Rocker

*adaptr wrote:*

> *Quote:* The daemon is running as user dhcp
>
> That would be it, then.

I guess not, the daemon is writing into /chroot/dhcp/var/lib (for the leases) and /chroot/dhcp/var/run (for the pid file), both directories have write access for user dhcp.

The only thing the log has to say is what is stated in my first post.

----------

## adaptr

The error messages state that dhcpd cannot create network sockets.

Only root can create or bind sockets on low ports, that's why I asked.

----------

## Rocker

OK, and how can I tell syslog-ng to log more messages? Because I'm not very familiar with modifying the logging options.

----------

## adaptr

I can tell  :Wink: 

You have to tell dhcpd to produce more logging messages.

```
man dhcpd.conf
```

to find out where to set the logging level.

----------

## Rocker

pff... I tried all log-facility possibilities, but instead of getting more information, I get less information... :Crying or Very sad:

Looks like this is the most detailed log, or maybe I'm doing something wrong... (and I'm afraid that I'm the guilty one... :Embarassed: )

----------

## Thulle

You don't happen to run a kernel with grsecurity enabled?

I've just upgraded to 2.4.26-grsec-2.0 and gotten the same error, gonna do some research now:)

----------

## Hackeron

To tell you the truth, I'm not 100% aware of what happened on the low level. It is really as easy as USE="chroot" emerge dhcpd, from there it was self explanatory for me. 

Here are all files in /chroot/dhcpd: 

```
./dev
./etc
./etc/dhcp
./etc/dhcp/dhclient-script.sample
./etc/dhcp/dhcpd.conf.sample
./etc/dhcp/dhcpd.conf
./etc/dhcp/dhclient.conf.sample
./var
./var/lib
./var/lib/dhcp
./var/lib/dhcp/.keep
./var/lib/dhcp/dhcpd.leases~
./var/lib/dhcp/dhcpd.leases
./var/run
./var/run/dhcp
./var/run/dhcp/dhcpd.pid
./var/state
./var/state/dhcp
./var/state/dhcp/dhcpd.leases
```

So as you can see, nothing in ./dev, and this was all auto created by clever Gentoo.

And

8316 dhcp 19 0 2728 1532 1960 S 0.0 0.2 0:00.03 dhcpd --- notice that dhcpd is in fact running as the dhcp user NOT as root.

So kudos to Gentoo for keeping my system as secure as possible.

Any other info you would like to know from me? -- I can't tell you exactly what I did, I didn't really pay attention, it was just all extremely easy and portage did all the work...

----------

## crash

I did emerge dhcp and next ebuild dhcpxxxx config to make chroot dir.

But when starting dhcpd I got the same problem.

Any tip or solution?

----------

## volumen1

Did you ever resolve this?  I'm betting you were running hardened-sources or using grsec in the kernel?  I was using dhcp in a chroot for a long time and now I'm getting that error and dhcp won't start.  I put hardened-sources on the box yesterday.  When I figure out how to fix it, I'll follow-up.

----------

## UberLord

Want to test with dhcp-3.0.4-r1?

----------

## volumen1

Sure, it can work within these grsec restrictions?  Should I enable chroot capabilities and TPE and all of that again?  I'll start down that path now and follow-up.

----------

## UberLord

I run it with most grsec and pax restrictions - however I do recall one that didn't work with dhcpd now that you mention it. I think it's grsec -> filesystem protections -> chroot jail restrictions -> capability restrictions that causes dhcpd to fail in a chroot. The only other things I don't have set are socket restrictions and logging/auditing.

----------

## volumen1

You nailed it.  Capabilities restrictions still bork it up.  Otherwise that version works great with all of the other grsec pieces I have enabled.  Thanks!

----------
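Added example, not part of any post in this thread: both "Operation not permitted" lines in the log are socket creations that Linux gates on capabilities (the raw ICMP socket and the LPF packet socket need CAP_NET_RAW; binding UDP port 67 needs CAP_NET_BIND_SERVICE), which is why a chroot capability restriction stops dhcpd. The script decodes a CapEff mask as found in /proc/<pid>/status and reports which of the two are missing; the function names and sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check a capability mask for the bits
# dhcpd's sockets need. Bit numbers are from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10   # bind the DHCP server port, UDP 67
CAP_NET_RAW=13            # raw ICMP socket and the LPF (packet) socket

# has_cap HEXMASK BIT: succeeds when BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_of STATUS_FILE: print the CapEff mask from a /proc/<pid>/status file.
cap_eff_of() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# diagnose HEXMASK: print "ok" or the missing capabilities; status 1 if any missing.
diagnose() {
    missing=""
    has_cap "$1" "$CAP_NET_RAW" || missing="$missing CAP_NET_RAW"
    has_cap "$1" "$CAP_NET_BIND_SERVICE" || missing="$missing CAP_NET_BIND_SERVICE"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample masks, not taken from the poster's machine.
for sample in 0000003fffffffff 0000000000002400 0000000000000400 0000000000000000; do
    printf '%s  %s\n' "$sample" "$(diagnose "$sample" || true)"
done

# On a live system: diagnose "$(cap_eff_of /proc/<pid>/status)"
```

Run against a process started inside the chroot and one started outside it, a difference in the reported capabilities points at the kernel's chroot restrictions rather than at file ownership.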

