-
Notifications
You must be signed in to change notification settings - Fork 146
/
Copy pathdhcp4-srv.xml
4909 lines (4584 loc) · 216 KB
/
dhcp4-srv.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!--
- Copyright (C) 2014-2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- Converted by db4-upgrade version 1.1 -->
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dhcp4">
<title>The DHCPv4 Server</title>
<section xml:id="dhcp4-start-stop">
<title>Starting and Stopping the DHCPv4 Server</title>
<para>
It is recommended that the Kea DHCPv4 server be started and stopped
using <command>keactrl</command> (described in <xref linkend="keactrl"/>).
However, it is also possible to run the server directly: it accepts
the following command-line switches:
</para>
<itemizedlist>
<listitem>
<simpara>
<command>-c <replaceable>file</replaceable></command> -
specifies the configuration file. This is the only mandatory
switch.</simpara>
</listitem>
<listitem>
<simpara>
<command>-d</command> - specifies whether the server
logging should be switched to debug/verbose mode. In verbose mode,
the logging severity and debuglevel specified in the configuration
file are ignored and "debug" severity and the maximum debuglevel
(99) are assumed. The flag is convenient, for temporarily
switching the server into maximum verbosity, e.g. when
debugging.</simpara>
</listitem>
<listitem>
<simpara>
<command>-p <replaceable>port</replaceable></command> -
specifies UDP port on which the server will listen. This is only
useful during testing, as a DHCPv4 server listening on
ports other than the standard ones will not be able to
handle regular DHCPv4 queries.</simpara>
</listitem>
<listitem>
<simpara>
<command>-t <replaceable>file</replaceable></command> -
specifies the configuration file to be tested. Kea-dhcp4
will attempt to load it, and will conduct sanity
checks. Note that certain checks are possible only while
running the actual server. The actual status is reported
with exit code (0 = configuration looks ok, 1 = error
encountered). Kea will print out log messages to standard
output and error to standard error when testing
configuration.</simpara>
</listitem>
<listitem>
<simpara>
<command>-v</command> - prints out the Kea version and exits.
</simpara>
</listitem>
<listitem>
<simpara>
<command>-V</command> - prints out the Kea extended version with
additional parameters and exits. The listing includes the versions
of the libraries dynamically linked to Kea.
</simpara>
</listitem>
<listitem>
<simpara>
<command>-W</command> - prints out the Kea configuration report
and exits. The report is a copy of the
<filename>config.report</filename> file produced by
<userinput>./configure</userinput>: it is embedded in the
executable binary.
</simpara>
</listitem>
</itemizedlist>
<para>
The <filename>config.report</filename> may also be accessed more
directly. The following command may be used to extract this
information. The binary <userinput>path</userinput> may be found
in the install directory or in the <filename>.libs</filename>
subdirectory in the source tree. For example
<filename>kea/src/bin/dhcp4/.libs/kea-dhcp4</filename>.
<screen>
strings <userinput>path</userinput>/kea-dhcp4 | sed -n 's/;;;; //p'
</screen>
</para>
<para>
On start-up, the server will detect available network interfaces
and will attempt to open UDP sockets on all interfaces
mentioned in the configuration file.
Since the DHCPv4 server opens privileged ports, it requires root
access. Make sure you run this daemon as root.
</para>
<para>
During startup the server will attempt to create a PID file of the
form: localstatedir]/[conf name].kea-dhcp6.pid where:
<itemizedlist>
<listitem>
<simpara><command>localstatedir</command>: The value as passed into the
build configure script. It defaults to "/usr/local/var". (Note
that this value may be overridden at run time by setting the environment
variable KEA_PIDFILE_DIR. This is intended primarily for testing purposes.)
</simpara>
</listitem>
<listitem>
<simpara><command>conf name</command>: The configuration file name
used to start the server, minus all preceding path and file extension.
For example, given a pathname of "/usr/local/etc/kea/myconf.txt", the
portion used would be "myconf".
</simpara>
</listitem>
</itemizedlist>
If the file already exists and contains the PID of a live process,
the server will issue a DHCP4_ALREADY_RUNNING log message and exit. It
is possible, though unlikely, that the file is a remnant of a system crash
and the process to which the PID belongs is unrelated to Kea. In such a
case it would be necessary to manually delete the PID file.
</para>
<para>
The server can be stopped using the <command>kill</command> command.
When running in a console, the server can also be shut down by
pressing ctrl-c. It detects the key combination and shuts
down gracefully.
</para>
</section>
<section xml:id="dhcp4-configuration">
<title>DHCPv4 Server Configuration</title>
<section>
<title>Introduction</title>
<para>
This section explains how to configure the DHCPv4 server using the
Kea configuration backend. (Kea configuration using any other
backends is outside of scope of this document.) Before DHCPv4
is started, its configuration file has to be created. The
basic configuration is as follows:
<screen>
{
# DHCPv4 configuration starts in this line
"Dhcp4": {
# First we set up global values
"valid-lifetime": 4000,
"renew-timer": 1000,
"rebind-timer": 2000,
# Next we setup the interfaces to be used by the server.
"interfaces-config": {
"interfaces": [ "eth0" ]
},
# And we specify the type of lease database
"lease-database": {
"type": "memfile",
"persist": true,
"name": "/var/kea/dhcp4.leases"
},
# Finally, we list the subnets from which we will be leasing addresses.
"subnet4": [
{
"subnet": "192.0.2.0/24",
"pools": [
{
"pool": "192.0.2.1 - 192.0.2.200"
}
]
}
]
# DHCPv4 configuration ends with the next line
}
} </screen>
</para>
<para>The following paragraphs provide a brief overview of the parameters in
the above example together with
their format. Subsequent sections of this chapter go into much greater detail
for these and other parameters.</para>
<para>The lines starting with a hash (#) are comments and are ignored by
the server; they do not impact its
operation in any way.</para>
<para>The configuration starts in the first line with the initial
opening curly bracket (or brace). Each configuration consists of
one or more objects. In this specific example, we have only one
object, called Dhcp4. This is a simplified configuration, as usually
there will be additional objects, like <command>Logging</command> or
<command>DhcpDdns</command>, but we omit them now for clarity. The Dhcp4
configuration starts with the <command>"Dhcp4": {</command> line
and ends with the corresponding closing brace (in the above example,
the brace after the last comment). Everything defined between those
lines is considered to be the Dhcp4 configuration.</para>
<para>In the general case, the order in which those parameters appear does not
matter. There are two caveats here though. The first one is to remember that
the configuration file must be well formed JSON. That means that the parameters
for any given scope must be separated by a comma and there must not be a comma
after the last parameter. When reordering a configuration file, keep in mind that
moving a parameter to or from the last position in a given scope may also require
moving the comma. The second caveat is that it is uncommon — although
legal JSON — to
repeat the same parameter multiple times. If that happens, the last occurrence of a
given parameter in a given scope is used while all previous instances are
ignored. This is unlikely to cause any confusion as there are no real life
reasons to keep multiple copies of the same parameter in your configuration
file.</para>
<para>Moving onto the DHCPv4 configuration elements, the first few elements
define some global parameters. <command>valid-lifetime</command>
defines for how long the addresses (leases) given out by the
server are valid. If nothing changes, a client that got an address is allowed to
use it for 4000 seconds. (Note that integer numbers are specified as is,
without any quotes around them.) <command>renew-timer</command> and
<command>rebind-timer</command> are values (also in seconds) that
define T1 and T2 timers that govern when the client will begin the renewal and
rebind procedures. Note that <command>renew-timer</command> and
<command>rebind-timer</command> are optional. If they are not specified the
client will select values for T1 and T2 timers according to the
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://tools.ietf.org/html/rfc2131">RFC 2131</link>.</para>
<para>The <command>interfaces-config</command> map specifies the server
configuration concerning the network interfaces, on which the server should
listen to the DHCP messages. The <command>interfaces</command> parameter
specifies a list of network interfaces on which the server should listen.
Lists are opened and closed with square brackets, with elements separated
by commas. Had we wanted to listen on two interfaces, the
<command>interfaces-config</command> would look like this:
<screen>
"interfaces-config": {
"interfaces": [ "eth0", "eth1" ]
},
</screen>
</para>
<para>The next couple of lines define the lease database, the place where the server
stores its lease information. This particular example tells the server to use
<command>memfile</command>, which is the simplest (and fastest) database
backend. It uses an in-memory database and stores leases on disk in a CSV
file. This is a very simple configuration. Usually the lease database configuration
is more extensive and contains additional parameters. Note that
<command>lease-database</command>
is an object and opens up a new scope, using an opening brace.
Its parameters (just one in this example - <command>type</command>)
follow. Had there been more than one, they would be separated by commas. This
scope is closed with a closing brace. As more parameters for the Dhcp4 definition
follow, a trailing comma is present.</para>
<para>Finally, we need to define a list of IPv4 subnets. This is the
most important DHCPv4 configuration structure as the server uses that
information to process clients' requests. It defines all subnets from
which the server is expected to receive DHCP requests. The subnets are
specified with the <command>subnet4</command> parameter. It is a list,
so it starts and ends with square brackets. Each subnet definition in
the list has several attributes associated with it, so it is a structure
and is opened and closed with braces. At a minimum, a subnet definition
has to have at least two parameters: <command>subnet</command> (that
defines the whole subnet) and <command>pools</command> (which is a list of
dynamically allocated pools that are governed by the DHCP server).</para>
<para>The example contains a single subnet. Had more than one been defined,
additional elements
in the <command>subnet4</command> parameter would be specified and
separated by commas. For example, to define three subnets, the following
syntax would be used:
<screen>
"subnet4": [
{
"pools": [ { "pool": "192.0.2.1 - 192.0.2.200" } ],
"subnet": "192.0.2.0/24"
},
{
"pools": [ { "pool": "192.0.3.100 - 192.0.3.200" } ],
"subnet": "192.0.3.0/24"
},
{
"pools": [ { "pool": "192.0.4.1 - 192.0.4.254" } ],
"subnet": "192.0.4.0/24"
}
]
</screen>
Note that indentation is optional and is used for aesthetic purposes only.
In some cases in may be preferable to use more compact notation.
</para>
<para>After all the parameters have been specified, we have two contexts open:
global and Dhcp4, hence we need two closing curly brackets to close them.
In a real life configuration file there most likely would be additional
components defined such as Logging or DhcpDdns, so the closing brace would
be followed by a comma and another object definition.</para>
</section>
<section>
<title>Lease Storage</title>
<para>All leases issued by the server are stored in the lease database.
Currently there are four database backends available: memfile (which is the
default backend), MySQL, PostgreSQL and Cassandra.</para>
<section>
<title>DHCPv4 lease field description</title>
<para>
Leases issued by the dhcp4 server are stored in the backends with the fields as,
<screen>address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state</screen>
</para>
<para>
Let's decipher these fields
<itemizedlist>
<listitem>
<simpara><command>address</command>: This field is the actual IPv4 address
offered or assigned to a host.
</simpara>
</listitem>
<listitem>
<simpara><command>hwaddr</command>: The hardware address/MAC address of the host or network
interface on which the lease will be used. Usually the same as <command>clien_id</command>.
</simpara>
</listitem>
<listitem>
<simpara><command>client_id</command>: A unique identifier for the host used by the host
to acquire the lease. Clients are not required to send client identifiers, this will only
appear if a client, in fact, did send one. Usually the same as <command>hwaddr</command>.
</simpara>
</listitem>
<listitem>
<simpara><command>valid_lifetime</command>: The valid-time or lifetime for the lease in seconds for which the lease
is assigned (active) to the host, this is by default <command>3600</command> seconds after which it will be available (free)
to be assign to possibly same or new host.
</simpara>
</listitem>
<listitem>
<simpara><command>expire</command>: The lease end-time, a time in seconds since epoch for which the lease
will expire and will be available (free) for re-assignment.
</simpara>
</listitem>
<listitem>
<simpara><command>subnet_id</command>: The identifier (unique) for the particular subnet from which the lease was assigned.
</simpara>
</listitem>
<listitem>
<simpara><command>fqdn_fwd</command>: A bool value, was forward update performed? Required during lease release or expiration.
</simpara>
</listitem>
<listitem>
<simpara><command>fqdn_rev</command>: A bool value, was reverse update performed? Required during lease release or expiration.
</simpara>
</listitem>
<listitem>
<simpara><command>hostname</command>: A string, hosts hostname. A host may send their
hostname in the host-name option. If the client sends its hostname in this way, the hostname
is recorded in the hostname field. A hostname may be shared by possible many leases if a client
requests two or more addresses.
</simpara>
</listitem>
<listitem>
<simpara><command>state</command>: The state of the lease active, expired or released.
</simpara>
</listitem>
</itemizedlist>
</para>
</section>
<section>
<title>Memfile - Basic Storage for Leases</title>
<para>The server is able to store lease data in different repositories. Larger
deployments may elect to store leases in a database. <xref linkend="database-configuration4"/> describes this option. In typical
smaller deployments though, the server will store lease information in a CSV file rather
than a database. As well as requiring less administration, an
advantage of using a file for storage is that it
eliminates a dependency on third-party database software.</para>
<para>The configuration of the file backend (Memfile) is controlled through
the Dhcp4/lease-database parameters. The <command>type</command> parameter
is mandatory and it specifies which storage for leases the server should use.
The value of <userinput>"memfile"</userinput> indicates that the file should
be used as the storage. The following list gives additional, optional,
parameters that can be used to configure the Memfile backend.
<itemizedlist>
<listitem>
<simpara><command>persist</command>: controls whether the new leases and
updates to existing leases are written to the file. It is strongly
recommended that the value of this parameter is set to
<userinput>true</userinput> at all times, during the server's normal
operation. Not writing leases to disk will mean that if a server is restarted
(e.g. after a power failure), it will not know what addresses have been
assigned. As a result, it may hand out addresses to new clients that are
already in use. The value of <userinput>false</userinput> is mostly useful
for performance testing purposes. The default value of the
<command>persist</command> parameter is <userinput>true</userinput>,
which enables writing lease updates
to the lease file.
</simpara>
</listitem>
<listitem>
<simpara><command>name</command>: specifies an absolute location of the lease
file in which new leases and lease updates will be recorded. The default value
for this parameter is <userinput>"[kea-install-dir]/var/kea/kea-leases4.csv"
</userinput>.</simpara>
</listitem>
<listitem>
<simpara><command>lfc-interval</command>: specifies the interval in seconds, at
which the server will perform a lease file cleanup (LFC). This
removes redundant (historical) information from the lease file
and effectively reduces the lease file size. The cleanup process is described
in more detailed fashion further in this section. The default value of the
<command>lfc-interval</command> is <userinput>3600</userinput>. A value of 0
disables the LFC.</simpara>
</listitem>
</itemizedlist>
</para>
<para>An example configuration of the Memfile backend is presented below:
<screen>
"Dhcp4": {
"lease-database": {
<userinput>"type": "memfile"</userinput>,
<userinput>"persist": true</userinput>,
<userinput>"name": "/tmp/kea-leases4.csv",</userinput>
<userinput>"lfc-interval": 1800</userinput>
}
}
</screen>
This configuration selects the <filename>/tmp/kea-leases4.csv</filename> as
the storage for lease information and enables persistence (writing lease updates
to this file). It also configures the backend perform the periodic cleanup
of the lease files, executed every 30 minutes.
</para>
<para>It is important to know how the lease file contents are organized
to understand why the periodic lease file cleanup is needed. Every time
the server updates a lease or creates a new lease for the client, the new
lease information must be recorded in the lease file. For performance reasons,
the server does not update the existing client's lease in the file, as it would
potentially require rewriting the entire file. Instead, it simply appends the new lease
information to the end of the file: the previous lease entries for the
client are not removed. When the server loads leases from the lease file, e.g.
at the server startup, it assumes that the latest lease entry for the client
is the valid one. The previous entries are discarded. This means that the
server can re-construct the accurate information about the leases even though
there may be many lease entries for each client. However, storing many entries
for each client results in bloated lease file and impairs the performance of
the server's startup and reconfiguration as it needs to process a larger number
of lease entries.
</para>
<para>Lease file cleanup (LFC) removes all previous entries for each client and
leaves only the latest ones. The interval at which the cleanup is performed
is configurable, and it should be selected according to the frequency of lease
renewals initiated by the clients. The more frequent the renewals, the smaller
the value of <command>lfc-interval</command> should be. Note however, that the
LFC takes time and thus it is possible (although unlikely) that new cleanup
is started while the previous cleanup instance is still running, if the
<command>lfc-interval</command> is too short. The server would recover from
this by skipping the new cleanup when it detects that the previous cleanup
is still in progress. But it implies that the actual cleanups will be
triggered more rarely than configured. Moreover, triggering a new cleanup
adds an overhead to the server which will not be able to respond to new
requests for a short period of time when the new cleanup process is spawned.
Therefore, it is recommended that the <command>lfc-interval</command> value
is selected in a way that would allow for the LFC to complete the cleanup before a
new cleanup is triggered.
</para>
<para>Lease file cleanup is performed by a separate process (in background) to avoid
a performance impact on the server process. In order to avoid the conflicts
between two processes both using the same lease files, the LFC process
operates on the copy of the original lease file, rather than on the lease
file used by the server to record lease updates. There are also other files
being created as a side effect of the lease file cleanup. The detailed
description of the LFC is located on the Kea wiki:
<uri xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://kea.isc.org/wiki/LFCDesign">http://kea.isc.org/wiki/LFCDesign</uri>.
</para>
</section>
<section xml:id="database-configuration4">
<title>Lease Database Configuration</title>
<note>
<para>Lease database access information must be configured for the DHCPv4 server,
even if it has already been configured for the DHCPv6 server. The servers
store their information independently, so each server can use a separate
database or both servers can use the same database.</para>
</note>
<para>Lease database configuration is controlled through the Dhcp4/lease-database
parameters. The type of the database must be set to "memfile", "mysql", "postgresql" or
"cql", e.g.
<screen>
"Dhcp4": { "lease-database": { <userinput>"type": "mysql"</userinput>, ... }, ... }
</screen>
Next, the name of the database to hold the leases must be set: this is the
name used when the database was created
(see <xref linkend="mysql-database-create"/>,
<xref linkend="pgsql-database-create"/> or
<xref linkend="cql-database-create"/>).
<screen>
"Dhcp4": { "lease-database": { <userinput>"name": "<replaceable>database-name</replaceable>" </userinput>, ... }, ... }
</screen>
For Cassandra:
<screen>
"Dhcp4": { "lease-database": { <userinput>"keyspace": "<replaceable>database-name</replaceable>" </userinput>, ... }, ... }
</screen>
If the database is located on a different system to the DHCPv4 server, the
database host name must also be specified. (It should be noted that this
configuration may have a severe impact on server performance.):
<screen>
"Dhcp4": { "lease-database": { <userinput>"host": "<replaceable>remote-host-name</replaceable>"</userinput>, ... }, ... }
</screen>
The usual state of affairs will be to have the database on the same machine as
the DHCPv4 server. In this case, set the value to the empty string:
<screen>
"Dhcp4": { "lease-database": { <userinput>"host" : ""</userinput>, ... }, ... }
</screen>
Should the database use a port different than default, it may be
specified as well:
<screen>
"Dhcp4": { "lease-database": { <userinput>"port" : 12345</userinput>, ... }, ... }
</screen>
Should the database be located on a different system, you may need to specify a longer interval
for the connection timeout:
<screen>
"Dhcp4": { "lease-database": { <userinput>"connect-timeout" : <replaceable>timeout-in-seconds</replaceable></userinput>, ... }, ... }
</screen>
The default value of five seconds should be more than adequate for local connections.
If a timeout is given though, it should be an integer greater than zero.
</para>
<para>Finally, the credentials of the account under which the server will
access the database should be set:
<screen>
"Dhcp4": { "lease-database": { <userinput>"user": "<replaceable>user-name</replaceable>"</userinput>,
<userinput>"password": "<replaceable>password</replaceable>"</userinput>,
... },
... }
</screen>
If there is no password to the account, set the password to the empty string
"". (This is also the default.)</para>
</section>
<section xml:id="cassandra-database-configuration4">
<title>Cassandra specific parameters</title>
<para>
Cassandra backend is configured slightly differently. Cassandra has a
concept of contact points that could be used to contact the cluster,
instead of a single IP or hostname. It takes a list of comma separated IP
addresses. This may be specified as:
<screen>
"Dhcp4": {
"lease-database": {
"type": "cql",
<userinput>"contact-points": "<replaceable>ip-address1, ip-address2 [,...]</replaceable>"</userinput>,
...
},
...
}</screen>
</para>
<para>
Cassandra also supports a number of optional parameters:
<itemizedlist>
<listitem><simpara>
<command>reconnect-wait-time</command> - governs how long Kea waits
before attempting to reconnect. Expressed in milliseconds. The default
is 2000 [ms].
</simpara></listitem>
<listitem><simpara>
<command>connect-timeout</command> - sets the timeout for connecting to
a node. Expressed in milliseconds. The default is 5000 [ms].
</simpara></listitem>
<listitem><simpara>
<command>request-timeout</command> - this parameter sets the timeout for
waiting for a response from a node. Expressed in milliseconds. The
default is 12000 [ms].
</simpara></listitem>
<listitem><simpara>
<command>tcp-keepalive</command> - This parameter governs the TCP
keep-alive mechanism. Expressed in seconds of delay. If the parameter
is not present, the mechanism is disabled.
</simpara></listitem>
<listitem><simpara>
<command>tcp-nodelay</command> - This parameter enables/disabled Nagle's
algorithm on connections. The default is true.
</simpara></listitem>
</itemizedlist>
</para>
<para>
For example, a complex Cassandra configuration with most parameters specified
could look as follows:
<screen>
"Dhcp4": {
"lease-database": {
"type": "cql",
"keyspace": "keatest",
"contact-points": "192.0.2.1, 192.0.2.2, 192.0.2.3",
"port": 9042,
"reconnect-wait-time": 2000,
"connect-timeout": 5000,
"request-timeout": 12000,
"tcp-keepalive": 1,
"tcp-nodelay": true
},
...
}</screen>
Similar parameters can be specified for hosts database.
</para>
</section>
</section>
<section xml:id="hosts4-storage">
<title>Hosts Storage</title>
<para>Kea is also able to store information about host reservations in the
database. The hosts database configuration uses the same syntax as the lease
database. In fact, a Kea server opens independent connections for each
purpose, be it lease or hosts information. This arrangement gives the most
flexibility. Kea can be used to keep leases and host reservations
separately, but can also point to the same database. Currently the
supported hosts database types are MySQL, PostgreSQL and Cassandra.</para>
<para>Please note that usage of hosts storage is optional. A user can define
all host reservations in the configuration file. That is the recommended way
if the number of reservations is small. However, when the number of
reservations grows it's more convenient to use host storage. Please note
that both storage methods (configuration file and one of the supported databases)
can be used together. If hosts are defined in both places, the definitions
from the configuration file are checked first and external storage is checked
later, if necessary.</para>
<para>Version 1.4 extends the host storage to multiple storages. Operations
are performed on host storages in the configuration order with a special
case for addition: read-only storages must be configured after a
required read-write storage, or host reservation addition will
always fail.</para>
<section xml:id="hosts-databases-configuration4">
<title>DHCPv4 Hosts Database Configuration</title>
<para>Hosts database configuration is controlled through the Dhcp4/hosts-database
parameters. If enabled, the type of the database must be set to "mysql" or
"postgresql". Other hosts backends may be added in later versions of Kea.
<screen>
"Dhcp4": { "hosts-database": { <userinput>"type": "mysql"</userinput>, ... }, ... }
</screen>
Next, the name of the database to hold the reservations must be set: this is the
name used when the lease database was created (see <xref linkend="supported-databases"/>
for instructions how to setup the desired database type).
<screen>
"Dhcp4": { "hosts-database": { <userinput>"name": "<replaceable>database-name</replaceable>" </userinput>, ... }, ... }
</screen>
If the database is located on a different system than the DHCPv4 server, the
database host name must also be specified. (Again it should be noted that this
configuration may have a severe impact on server performance.):
<screen>
"Dhcp4": { "hosts-database": { <userinput>"host": <replaceable>remote-host-name</replaceable></userinput>, ... }, ... }
</screen>
The usual state of affairs will be to have the database on the same machine as
the DHCPv4 server. In this case, set the value to the empty string:
<screen>
"Dhcp4": { "hosts-database": { <userinput>"host" : ""</userinput>, ... }, ... }
</screen>
Should the database use a port different than default, it may be
specified as well:
<screen>
"Dhcp4": { "hosts-database": { <userinput>"port" : 12345</userinput>, ... }, ... }
</screen>
</para>
<para>Finally, the credentials of the account under which the server will
access the database should be set:
<screen>
"Dhcp4": { "hosts-database": { <userinput>"user": "<replaceable>user-name</replaceable>"</userinput>,
<userinput>"password": "<replaceable>password</replaceable>"</userinput>,
... },
... }
</screen>
If there is no password to the account, set the password to the empty string
"". (This is also the default.)</para>
<para>The multiple storage extension uses a similar syntax: a configuration
is placed into a "hosts-databases" list instead of into a "hosts-database"
entry as in:
<screen>
"Dhcp4": { "hosts-databases": [ { <userinput>"type": "mysql"</userinput>, ... }, ... ], ... }
</screen>
</para>
<para>For additional Cassandra specific parameters, see <xref
linkend="cassandra-database-configuration4"/>.</para>
</section>
<section xml:id="read-only-database-configuration4">
<title>Using Read-Only Databases for Host Reservations</title>
<para>
In some deployments the database user whose name is specified in the database backend
configuration may not have write privileges to the database. This is often
required by the policy within a given network to secure the data from being
unintentionally modified. In many cases administrators have inventory databases
deployed, which contain substantially more information about the hosts than
static reservations assigned to them. The inventory database can be used to create
a view of a Kea hosts database and such view is often read only.
</para>
<para>
Kea host database backends operate with an implicit configuration to both
read from and write to the database. If the database user does not have
write access to the host database, the backend will fail to start and the
server will refuse to start (or reconfigure). However, if access to a read
only host database is required for retrieving reservations for clients
and/or assign specific addresses and options, it is possible to explicitly
configure Kea to start in "read-only" mode. This is controlled by the
<command>readonly</command> boolean parameter as follows:
<screen>
"Dhcp4": { "hosts-database": { <userinput>"readonly": true</userinput>, ... }, ... }
</screen>
Setting this parameter to <userinput>false</userinput> would configure the
database backend to operate in "read-write" mode, which is also a default
configuration if the parameter is not specified.
</para>
<note><para>The <command>readonly</command> parameter is currently only supported
for MySQL and PostgreSQL databases.</para></note>
</section>
</section>
<section xml:id="dhcp4-interface-configuration">
<title>Interface Configuration</title>
<para>The DHCPv4 server has to be configured to listen on specific network
interfaces. The simplest network interface configuration tells the server to
listen on all available interfaces:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ <userinput>"*"</userinput> ]
}
...
},
</screen>
The asterisk plays the role of a wildcard and means "listen on all interfaces".
However, it is usually a good idea to explicitly specify interface names:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ <userinput>"eth1", "eth3"</userinput> ]
},
...
}
</screen>
</para>
<para>It is possible to use wildcard interface name (asterisk) concurrently
with explicit interface names:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ <userinput>"eth1", "eth3", "*"</userinput> ]
},
...
}
</screen>
It is anticipated that this form of usage will only be used when it is desired to
temporarily override a list of interface names and listen on all interfaces.
</para>
<para>Some deployments of DHCP servers require that the servers listen
on the interfaces with multiple IPv4 addresses configured. In these situations,
the address to use can be selected by appending an IPv4 address to the interface
name in the following manner:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ <userinput>"eth1/10.0.0.1", "eth3/192.0.2.3"</userinput> ]
},
...
}
</screen>
</para>
<para>Should the server be required to listen on multiple IPv4 addresses assigned
to the same interface, multiple addresses can be specified for an interface
as in the example below:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ <userinput>"eth1/10.0.0.1", "eth1/10.0.0.2"</userinput> ]
},
...
}
</screen>
</para>
<para>Alternatively, if the server should listen on all addresses for the particular
interface, an interface name without any address should be specified.</para>
<para>Kea supports responding to directly connected clients which don't have
an address configured. This requires that the server
injects the hardware address of the destination into the data link layer
of the packet being sent to the client. The DHCPv4 server utilizes the
raw sockets to achieve this, and builds the entire IP/UDP stack for the
outgoing packets. The down side of raw socket use, however, is that incoming
and outgoing packets bypass the firewalls (e.g. iptables). It is also
troublesome to handle traffic on multiple IPv4 addresses assigned to the
same interface, as raw sockets are bound to the interface and advanced
packet filtering techniques (e.g. using the BPF) have to be used to
receive unicast traffic on the desired addresses assigned to the interface,
rather than capturing whole traffic reaching the interface to which the raw
socket is bound. Therefore, in the deployments where the server doesn't
have to provision the directly connected clients and only receives the
unicast packets from the relay agents, the
DHCP server should be configured to utilize IP/UDP datagram sockets instead of raw sockets.
The following configuration demonstrates how this can be achieved:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ <userinput>"eth1", "eth3"</userinput> ],
"dhcp-socket-type": "udp"
},
...
}
</screen>
The <command>dhcp-socket-type</command> specifies that the IP/UDP sockets will
be opened on all interfaces on which the server listens, i.e. "eth1" and
"eth3" in our case. If the <command>dhcp-socket-type</command> is set to
<userinput>raw</userinput>, it configures the server to use raw sockets
instead. If the <command>dhcp-socket-type</command> value is not specified, the
default value <userinput>raw</userinput> is used.
</para>
<para>Using UDP sockets automatically disables the reception of broadcast
packets from directly connected clients. This effectively means that the
UDP sockets can be used for relayed traffic only. When using the raw sockets,
both the traffic from the directly connected clients and the relayed traffic
will be handled. Caution should be taken when configuring the server to open
multiple raw sockets on the interface with several IPv4 addresses assigned.
If the directly connected client sends the message to the broadcast address
all sockets on this link will receive this message and multiple responses
will be sent to the client. Hence, the configuration with multiple IPv4
addresses assigned to the interface should not be used when the directly
connected clients are operating on that link. To use a single address on
such interface, the "interface-name/address" notation should be used.
</para>
<note>
<para>Specifying the value <userinput>raw</userinput> as the socket type,
doesn't guarantee that the raw sockets will be used! The use of raw sockets
to handle the traffic from the directly connected clients is currently
supported on Linux and BSD systems only. If the raw sockets are not
supported on the particular OS, the server will issue a warning and
fall back to use IP/UDP sockets.</para>
</note>
<para>In typical environment the DHCP server is expected to send back a
response on the same network interface on which the query is received. This is
the default behavior. However, in some deployments it is desired that the
outbound (response) packets will be sent as regular traffic and the outbound
interface will be determined by the routing tables. This kind of asymetric
traffic is uncommon, but valid. Kea now supports a parameter called
<command>outbound-interface</command> that controls this behavior. It supports
two values. The first one, <userinput>same-as-inbound</userinput>, tells Kea
to send back the response on the same inteface the query packet is received. This
is the default behavior. The second one, <userinput>use-routing</userinput>
tells Kea to send regular UDP packets and let the kernel's routing table to
determine most appropriate interface. This only works when
<command>dhcp-socket-type</command> is set to <userinput>udp</userinput>.
An example configuration looks as follows:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "eth1", "eth3" ],
"dhcp-socket-type": "udp",
<userinput>"outbound-interface": "use-routing"</userinput>
},
...
}</screen>
</para>
<para>Interfaces are re-detected at each reconfiguration. This behavior
can be disabled by setting <command>re-detect</command> value to
<userinput>false</userinput>, for instance:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ <userinput>"eth1", "eth3"</userinput> ],
"re-detect": <userinput>false</userinput>
},
...
}
</screen>
Note interfaces are not re-detected during <command>config-test</command>.
</para>
<para>Usually loopback interfaces (e.g. the "lo" or "lo0" interface)
may not be configured but if a loopback interface is explicitely configured
and IP/UDP sockets are specified the loopback interface is accepted.
</para>
<para>It can be used for instance to run Kea in a FreeBSD jail having
only a loopback interface, servicing relayed DHCP request:
<screen>
"Dhcp4": {
"interfaces-config": {
"interfaces": [ <userinput>"lo0"</userinput> ],
"dhcp-socket-type": "udp"
},
...
}</screen>
</para>
</section>
<section xml:id="dhcpinform-unicast-issues">
<title>Issues with Unicast Responses to DHCPINFORM</title>
<para>The use of UDP sockets has certain benefits in deployments
where the server receives only relayed traffic; these benefits are
mentioned in <xref linkend="dhcp4-interface-configuration"/>. From
the administrator's perspective it is often desirable to
configure the system's firewall to filter out the unwanted traffic, and
the use of UDP sockets facilitates this. However, the administrator must
also be aware of the implications related to filtering certain types
of traffic as it may impair the DHCP server's operation.
</para>
<para>In this section we are focusing on the case when the server
receives the DHCPINFORM message from the client via a relay. According
to <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://tools.ietf.org/html/rfc2131">RFC 2131</link>,
the server should unicast the DHCPACK response to the address carried in
the "ciaddr" field. When the UDP socket is in use, the DHCP server
relies on the low level functions of an operating system to build the
data link, IP and UDP layers of the outgoing message. Typically, the
OS will first use ARP to obtain the client's link layer address to be
inserted into the frame's header, if the address is not cached from
a previous transaction that the client had with the server.
When the ARP exchange is successful, the DHCP message can be unicast
to the client, using the obtained address.
</para>
<para>Some system administrators block ARP messages in their network,
which causes issues for the server when it responds to the
DHCPINFORM messages, because the server is unable to send the
DHCPACK if the preceding ARP communication fails. Since the OS is
entirely responsible for the ARP communication and then sending
the DHCP packet over the wire, the DHCP server has no means to
determine that the ARP exchange failed and the DHCP response message
was dropped. Thus, the server does not log any error messages when
the outgoing DHCP response is dropped. At the same time, all hooks
pertaining to the packet sending operation will be called, even
though the message never reaches its destination.
</para>
<para>Note that the issue described in this section is not observed
when the raw sockets are in use, because, in this case, the DHCP server
builds all the layers of the outgoing message on its own and does not
use ARP. Instead, it inserts the value carried in the 'chaddr' field
of the DHCPINFORM message into the link layer.
</para>
<para>Server administrators willing to support DHCPINFORM
messages via relays should not block ARP traffic in their
networks or should use raw sockets instead of UDP sockets.
</para>
</section>
<section xml:id="ipv4-subnet-id">
<title>IPv4 Subnet Identifier</title>
<para>
The subnet identifier is a unique number associated with a particular subnet.
In principle, it is used to associate clients' leases with their respective subnets.
When a subnet identifier is not specified for a subnet being configured, it will
be automatically assigned by the configuration mechanism. The identifiers
are assigned from 1 and are monotonically increased for each subsequent
subnet: 1, 2, 3 ....
</para>
<para>
If there are multiple subnets configured with auto-generated identifiers and