Merge pull request #4744 from sarthurdev/kea-vrf

dmbaturin · web-flow · commit a3b62f290a90 · 2025-09-30T15:28:01.000+01:00
kea: T7854: Use helper for Kea VRF systemd units
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
@@ -47,9 +47,6 @@ Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
                          /usr/libexec/vyos/op_mode/*
 Cmnd_Alias KEA_IP6_ROUTES = /sbin/ip -6 route replace *,\
                            /sbin/ip -6 route del *
-Cmnd_Alias KEA_DHCP = /bin/ip vrf exec * /usr/sbin/kea-dhcp*,\
-                      /usr/bin/chown * /var/run/kea/*,\
-                      /usr/bin/chown * /run/kea/*
 %operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
 			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                         DMIDECODE, DISK, CONNTRACK, IP6TABLES,  \
@@ -65,4 +62,3 @@ Cmnd_Alias KEA_DHCP = /bin/ip vrf exec * /usr/sbin/kea-dhcp*,\
 %sudo ALL=NOPASSWD: /usr/bin/mokutil
 
 _kea ALL=NOPASSWD: KEA_IP6_ROUTES
-_kea ALL=NOPASSWD:SETENV: KEA_DHCP
diff --git a/src/etc/systemd/system/isc-kea-dhcp-ddns-server@.service b/src/etc/systemd/system/isc-kea-dhcp-ddns-server@.service
@@ -5,17 +5,10 @@ Wants=network-online.target
 After=vyos-router.service
 
 [Service]
-User=_kea
+User=root
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 Environment="KEA_LOCKFILE_DIR=/run/lock/kea"
-ConfigurationDirectory=kea
-RuntimeDirectory=kea lock/kea
-RuntimeDirectoryPreserve=yes
-LogsDirectory=kea
-LogsDirectoryMode=0750
-StateDirectory=kea
-ExecStart=sudo /bin/ip vrf exec %i /usr/sbin/kea-dhcp-ddns -c /var/run/kea/kea-%i-dhcp-ddns.conf
-ExecStartPost=/bin/sh -c 'sleep 10 && sudo /usr/bin/chown _kea:_kea /var/run/kea/kea-%i-dhcp-ddns* && sudo /usr/bin/chown _kea:_kea /run/kea/logger_lockfile'
+ExecStart=/usr/libexec/vyos/system/kea-vrf-helper %i  /usr/sbin/kea-dhcp-ddns -c /var/run/kea/kea-%i-dhcp-ddns.conf
 Restart=on-failure
 
 [Install]
diff --git a/src/etc/systemd/system/isc-kea-dhcp4-server@.service b/src/etc/systemd/system/isc-kea-dhcp4-server@.service
@@ -5,21 +5,12 @@ Wants=network-online.target
 After=vyos-router.service
 
 [Service]
-User=_kea
+User=root
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
 Environment="KEA_DHCP_DATA_DIR=/config/dhcp"
 Environment="KEA_HOOK_SCRIPTS_PATH=/usr/libexec/vyos/system"
 Environment="KEA_LOCKFILE_DIR=/run/lock/kea"
-ConfigurationDirectory=kea
-ConfigurationDirectoryMode=0750
-RuntimeDirectory=kea lock/kea
-RuntimeDirectoryPreserve=yes
-RuntimeDirectoryMode=0750
-LogsDirectory=kea
-LogsDirectoryMode=0750
-StateDirectory=kea
-ExecStart=sudo -E /bin/ip vrf exec %i /usr/sbin/kea-dhcp4 -c /var/run/kea/kea-%i-dhcp4.conf
-ExecStartPost=/bin/sh -c 'sleep 10 && sudo /usr/bin/chown _kea:_kea /var/run/kea/dhcp4-%i-ctrl* && sudo /usr/bin/chown _kea:_kea /var/run/kea/kea-%i-dhcp4* && sudo /usr/bin/chown _kea:_kea /run/kea/logger_lockfile'
+ExecStart=/usr/libexec/vyos/system/kea-vrf-helper %i /usr/sbin/kea-dhcp4 -c /var/run/kea/kea-%i-dhcp4.conf
 Restart=on-failure
 
 [Install]
diff --git a/src/etc/systemd/system/isc-kea-dhcp6-server@.service b/src/etc/systemd/system/isc-kea-dhcp6-server@.service
@@ -5,21 +5,12 @@ Wants=network-online.target
 After=vyos-router.service
 
 [Service]
-User=_kea
+User=root
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 Environment="KEA_DHCP_DATA_DIR=/config/dhcp"
 Environment="KEA_HOOK_SCRIPTS_PATH=/usr/libexec/vyos/system"
 Environment="KEA_LOCKFILE_DIR=/run/lock/kea"
-ConfigurationDirectory=kea
-ConfigurationDirectoryMode=0750
-RuntimeDirectory=kea lock/kea
-RuntimeDirectoryPreserve=yes
-RuntimeDirectoryMode=0750
-LogsDirectory=kea
-LogsDirectoryMode=0750
-StateDirectory=kea
-ExecStart=sudo -E /bin/ip vrf exec %i /usr/sbin/kea-dhcp6 -c /var/run/kea/kea-%i-dhcp6.conf
-ExecStartPost=/bin/sh -c 'sleep 10 && sudo /usr/bin/chown _kea:_kea /var/run/kea/dhcp6-%i-ctrl* && sudo /usr/bin/chown _kea:_kea /var/run/kea/kea-%i-dhcp6* && sudo /usr/bin/chown _kea:_kea /run/kea/logger_lockfile'
+ExecStart=/usr/libexec/vyos/system/kea-vrf-helper %i /usr/sbin/kea-dhcp6 -c /var/run/kea/kea-%i-dhcp6.conf
 Restart=on-failure
 
 [Install]
diff --git a/src/init/vyos-router b/src/init/vyos-router
@@ -504,6 +504,18 @@ start ()
     nfct helper add tns inet6 tcp
     nft --file /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules"
 
+    # Create needed kea directories
+    mkdir -p /var/run/kea /run/lock/kea
+    chmod 750 /var/run/kea /run/lock/kea
+    chown _kea:_kea /var/run/kea /run/lock/kea
+    if [ -d /opt/vyatta/etc/config ]; then
+        if [ ! -d /opt/vyatta/etc/config/dhcp ]; then
+            mkdir /opt/vyatta/etc/config/dhcp
+            chmod 750 /opt/vyatta/etc/config/dhcp
+            chown _kea:vyattacfg /opt/vyatta/etc/config/dhcp
+        fi
+    fi
+
     # Ensure rsyslog is the default syslog daemon
     SYSTEMD_SYSLOG="/etc/systemd/system/syslog.service"
     SYSTEMD_RSYSLOG="/lib/systemd/system/rsyslog.service"
diff --git a/src/system/kea-vrf-helper b/src/system/kea-vrf-helper
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+VRF=$1
+shift
+
+export KEA_DHCP_DATA_DIR=/config/dhcp
+export KEA_HOOK_SCRIPTS_PATH=/usr/libexec/vyos/system
+export KEA_LOCKFILE_DIR=/run/lock/kea
+
+ip vrf exec $VRF \
+    setpriv --reuid=_kea --regid=_kea --init-groups \
+        --inh-caps +net_bind_service,+net_raw \
+        --ambient-caps +net_bind_service,+net_raw \
+        $@
