dhcpd cannot write /var/run/dhcpd.pid

New bug can be found at:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/985417

Oops, wrong place for my last comment:) Sorry.

I don't see any apparmor denials in your kern.log and this line is in your apparmor profile:
/{,var/}run/{,dhcp-server/}dhcpd{,6}.pid w,

which allows writes to:
/var/run/dhcpd.pid

This does not seem to be an apparmor problem.

I don't think so eighter, but the problem still exists.
And the automated statement "UpgradeStatus: No upgrade log present (probably fresh install)" is true as well: I did not have the time to mess up anything:) The only file I changed on the complete new system is the attached dhcpd.conf.

My fix below for IPv4 (new /etc/init/isc-dhcp-server.conf)

My take on the problem is:
- Not a apparmor issue.
- The permissions on /var/run is 755, so writable by root only.
- dhcpd tries to write it's pid file after it has dropped root permissions.
- Existing method to get around this
  (from looking at the current /etc/init/isc-dhcp-server.conf upstart file)
  is to create an dhcp-server directory and enable the ownership/permissions on that.
- The upstart conf script is broken and doesn't do this properly.
   - It only creates this directory and sets these permissions on 'restart'(?)
   - It doesn't tell 'dhcpd where is should write it's pid, which defaults to /var/run/dhcpd.pid.

Also: /var/run is being migrated to /run, so I have included that change.

See the attache file for my rework of the upstart script which appears to work for me.
I can start, stop, restart with appropriate messages if I try to start a running service, or stop a stopped service.

I am now getting the following apparmor message.

apparmor="DENIED" operation="open" parent=31445 profile="/usr/sbin/dhcpd" name="/run/dhcp-server/dhcpd.pid" pid=31446 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=121 ouid=121

Having the same messages on my systems which have dhcpd installed.
Don't know if it is very dangerous or not.

I had this issue as well. Fixed it with paulschulz's suggestion of adding the "-pf /run/dhcp-server/dhcpd.pid" command line option into /etc/init/isc-dhcp-server.conf.

FYI, I also added read access to the PID file in the apparmor profile.

also affects isc-dhcp-server-ldap 4.1.ESV-R4-0ubuntu5

same work-around of -pf switch corrects.

I just encountered the same problem. I did two things to work around this:

% cd /etc
% bzr diff
=== modified file 'apparmor.d/usr.sbin.dhcpd'
--- apparmor.d/usr.sbin.dhcpd 2012-05-18 01:12:29 +0000
+++ apparmor.d/usr.sbin.dhcpd 2012-05-19 21:10:55 +0000
@@ -32,7 +32,7 @@
   /var/lib/dhcp/dhcpd{,6}.leases* lrw,
   /var/log/ r,
   /var/log/** rw,
- /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid w,
+ /{,var/}run/{,dhcp-server/}dhcpd{,6}.pid rw,

   # LTSP. See:
   # http://www.ltsp.org/~sbalneav/LTSPManual.html

=== modified file 'dhcp/dhcpd.conf'
--- dhcp/dhcpd.conf 2012-05-19 21:01:43 +0000
+++ dhcp/dhcpd.conf 2012-05-19 21:09:07 +0000
@@ -31,7 +31,7 @@
 # have to hack syslog.conf to complete the redirection).
 log-facility local7;

-pid-file-name "/var/run/dhcp-server/dhcpd.pid";
+pid-file-name "/run/dhcp-server/dhcpd.pid";

 subnet xxx.xxx.xxx.0 netmask 255.255.255.0 {
     option routers xxx.xxx.xxx.xxx;

I honestly don't know whether this is the *right* thing to do, but it works for me (please let me know if I'm opening massive vulnerabilities :).

I think there are possibly two bugs here. The first would be that the default pid file for dhcpd puts it in a location that isn't writable. The second is that even after relocating the pid file, the apparmor setting doesn't allow for reading the pid file.

I change /etc/default/isc-dhcp-server to work around
INTERFACES="-pf /var/run/dhcp-server/dhcpd.pid eth0"

That works for both v4 and v6 scripts.

Hello Varga, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

I was affected by this bug today. Installing the -proposed fix was the solution to my problem as well. Thank you!

Based on Gabe's comment, marking verification-done

Status changed to 'Confirmed' because the bug affects multiple users.

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.1

---------------
isc-dhcp (4.1.ESV-R4-0ubuntu5.1) precise-proposed; urgency=low

  * Set -pf option for both isc-dhcp-server and isc-dhcp-server6 so they
    create their pid files in a path that's actually writable. (LP: #985417)
  * Also allow read access to the pid file in the apparmor profile,
    otherwise only the initial start succeeds. (LP: #1005062)
  * On upgrade from dhcp3-server, move /etc/default/dhcp3-server to
    /etc/default/isc-dhcp-server. (LP: #1003971)
  * On upgrade from dhcp3-relay, remove /etc/default/dhcp3-relay.
    (LP: #1005547)
  * Try to preseed isc-dhcp-relay with the values from
    /etc/default/dhcp3-relay. (LP: #1005547)
 -- Stephane Graber <email address hidden> Sun, 27 May 2012 20:41:13 -0400

Hello Varga, or anyone else affected,

Accepted isc-dhcp into oneiric-proposed. The package will build now and be available in a few hours. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

The Oneiric package in -proposed got superseded by a security update, and needs to be re-uploaded.

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.