From: Razvan Becheriu Date: Tue, 20 May 2025 17:33:18 +0000 (+0300) Subject: [#3844] backport #3833 to v2_6 X-Git-Tag: Kea-2.6.3~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57e7bc1a302a7dcb180561e11c1565fd7ee2f630;p=thirdparty%2Fkea.git [#3844] backport #3833 to v2_6 --- diff --git a/doc/examples/agent/simple.json b/doc/examples/agent/simple.json index 1b249b2479..80539e626a 100644 --- a/doc/examples/agent/simple.json +++ b/doc/examples/agent/simple.json @@ -28,7 +28,7 @@ // This optional parameter can be used to specify a common // prefix for files handling client credentials. - "directory": "/tmp/kea-creds", + "directory": "/usr/local/share/kea/kea-creds", // This list specifies the user ids and passwords to use for // basic HTTP authentication. If empty or not present any client @@ -47,18 +47,18 @@ "password": "1234" }, - // This specifies a hiddent client. + // This specifies a hidden client. { - // The user id is the content of the file /tmp/kea-creds/hiddenu. + // The user id is the content of the file /usr/local/share/kea/kea-creds/hiddenu. "user-file": "hiddenu", - // The password is the content of the file /tmp/kea-creds/hiddenp. + // The password is the content of the file /usr/local/share/kea/kea-creds/hiddenp. "password-file": "hiddenp" }, // This specifies a hidden client using a secret in a file. { - // The secret is the content of the file /tmp/kea-creds/hiddens + // The secret is the content of the file /usr/local/share/kea/kea-creds/hiddens // which must be in the : format. "password-file": "hiddens" } @@ -128,7 +128,7 @@ "name": "kea-ctrl-agent", "output-options": [ { - "output": "/var/log/kea-ctrl-agent.log", + "output": "/var/log/kea/kea-ctrl-agent.log", // Several additional parameters are possible in addition // to the typical output. Flush determines whether logger // flushes output to a file. Maxsize determines maximum 
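Review bot: The new `"directory": "/usr/local/share/kea/kea-creds"` places the basic-auth credential files (`hiddenu`, `hiddenp`, `hiddens`) under a share hierarchy that is conventionally world-readable, so the example now models storing secrets where any local user can read them; the old `/tmp` location had the same weakness, so this is not a regression, but this is the file people copy. A credentials directory belongs next to the configuration (for instance `/usr/local/etc/kea/kea-creds`) with the directory restricted to the Kea user and the files mode `0600`. I'd add a comment above `"directory"` such as `// This directory and the files in it must be readable only by the user running kea-ctrl-agent; anyone who can read them can authenticate to the agent.`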
diff --git a/doc/examples/ddns/all-keys.json b/doc/examples/ddns/all-keys.json index 5d562c85f4..02411a1870 100644 --- a/doc/examples/ddns/all-keys.json +++ b/doc/examples/ddns/all-keys.json @@ -145,7 +145,7 @@ // An alternative to secret: specify a file where the secret // can be found. i.e. the secret is the content of the file. - "secret-file": "/tmp/d2-sha1-secret" + "secret-file": "/usr/local/share/kea/d2-sha1-secret" } ], diff --git a/doc/examples/ddns/sample1.json b/doc/examples/ddns/sample1.json index 2c43ba920a..3766700440 100644 --- a/doc/examples/ddns/sample1.json +++ b/doc/examples/ddns/sample1.json @@ -137,7 +137,7 @@ { "name": "d2.sha256.key", "algorithm": "HMAC-SHA256", - "secret-file": "/tmp/d2-sha256-secret" + "secret-file": "/usr/local/share/kea/d2-sha256-secret" }, { "name": "d2.sha512.key", diff --git a/doc/examples/kea4/all-keys-netconf.json b/doc/examples/kea4/all-keys-netconf.json index 42d5062404..0963399053 100644 --- a/doc/examples/kea4/all-keys-netconf.json +++ b/doc/examples/kea4/all-keys-netconf.json @@ -26,7 +26,7 @@ "client-classes": [ { // Class-specific bootfile name to be set in the 'file' field. - "boot-file-name": "/tmp/bootfile.efi", + "boot-file-name": "/usr/local/share/kea/bootfile.efi", // Class name. "name": "phones_server1", diff --git a/doc/examples/kea4/all-keys.json b/doc/examples/kea4/all-keys.json index ea00a07304..13150869b9 100644 --- a/doc/examples/kea4/all-keys.json +++ b/doc/examples/kea4/all-keys.json @@ -26,7 +26,7 @@ "client-classes": [ { // Class-specific bootfile name to be set in the 'file' field. - "boot-file-name": "/tmp/bootfile.efi", + "boot-file-name": "/usr/local/share/kea/bootfile.efi", // Class name. "name": "phones_server1", diff --git a/doc/examples/netconf/kea-dhcp6-operations/BAD-config.xml b/doc/examples/netconf/kea-dhcp6-operations/BAD-config.xml index 5da5cfa5d1..089baa180a 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/BAD-config.xml 
+++ b/doc/examples/netconf/kea-dhcp6-operations/BAD-config.xml @@ -12,7 +12,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/BAD-schema.xml b/doc/examples/netconf/kea-dhcp6-operations/BAD-schema.xml index c17390243e..f143e20999 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/BAD-schema.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/BAD-schema.xml @@ -12,7 +12,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/BAD-translator.xml b/doc/examples/netconf/kea-dhcp6-operations/BAD-translator.xml index 128693173c..12898feefa 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/BAD-translator.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/BAD-translator.xml @@ -12,7 +12,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix bad diff --git a/doc/examples/netconf/kea-dhcp6-operations/boot.json b/doc/examples/netconf/kea-dhcp6-operations/boot.json index 18d1da8901..c0c98125ad 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/boot.json +++ b/doc/examples/netconf/kea-dhcp6-operations/boot.json @@ -2,7 +2,7 @@ "Dhcp6": { "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" } } } diff --git a/doc/examples/netconf/kea-dhcp6-operations/logging.xml b/doc/examples/netconf/kea-dhcp6-operations/logging.xml index 7ce04e4682..018551dafb 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/logging.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/logging.xml @@ -12,7 +12,7 @@ 2001:db8::/64 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/netconf.json b/doc/examples/netconf/kea-dhcp6-operations/netconf.json index 653a40c7eb..1e7e0fa5a6 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/netconf.json +++ b/doc/examples/netconf/kea-dhcp6-operations/netconf.json 
@@ -8,7 +8,7 @@ "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" } } }, diff --git a/doc/examples/netconf/kea-dhcp6-operations/startup.xml b/doc/examples/netconf/kea-dhcp6-operations/startup.xml index b085833b14..14d69e4db0 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/startup.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/startup.xml @@ -12,7 +12,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/twopools.xml b/doc/examples/netconf/kea-dhcp6-operations/twopools.xml index 8fb32c9d94..1b44462870 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/twopools.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/twopools.xml @@ -17,7 +17,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/twosubnets.xml b/doc/examples/netconf/kea-dhcp6-operations/twosubnets.xml index ba68a060ad..4e6378a374 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/twosubnets.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/twosubnets.xml @@ -21,7 +21,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/template-ha-mt-tls/kea-ca-1.conf b/doc/examples/template-ha-mt-tls/kea-ca-1.conf index 765dd9cc21..1ed335e358 100644 --- a/doc/examples/template-ha-mt-tls/kea-ca-1.conf +++ b/doc/examples/template-ha-mt-tls/kea-ca-1.conf @@ -42,21 +42,21 @@ { "comment": "socket to DHCPv4 server", "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Location of the DHCPv6 command channel socket. "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" }, // Location of the D2 command channel socket. "d2": { "socket-type": "unix", - "socket-name": "/tmp/kea-ddns-ctrl-socket", + "socket-name": "kea-ddns-ctrl-socket", "user-context": { "in-use": false } } }, 
diff --git a/doc/examples/template-ha-mt-tls/kea-ca-2.conf b/doc/examples/template-ha-mt-tls/kea-ca-2.conf index 72eb73b1b1..31d8b898f8 100644 --- a/doc/examples/template-ha-mt-tls/kea-ca-2.conf +++ b/doc/examples/template-ha-mt-tls/kea-ca-2.conf @@ -42,21 +42,21 @@ { "comment": "socket to DHCPv4 server", "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Location of the DHCPv6 command channel socket. "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" }, // Location of the D2 command channel socket. "d2": { "socket-type": "unix", - "socket-name": "/tmp/kea-ddns-ctrl-socket", + "socket-name": "kea-ddns-ctrl-socket", "user-context": { "in-use": false } } }, diff --git a/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf b/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf index 0dc11983e5..b080a92f1c 100644 --- a/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf +++ b/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf @@ -31,7 +31,7 @@ // API between the HA peers. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Multi-threading parameters. diff --git a/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf b/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf index 070569b2a7..d00ac2254c 100644 --- a/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf +++ b/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf @@ -31,7 +31,7 @@ // API between the HA peers. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Multi-threading parameters. diff --git a/doc/examples/template-power-user-home/kea-ca-1.conf b/doc/examples/template-power-user-home/kea-ca-1.conf index 9139008794..42d421926c 100644 --- a/doc/examples/template-power-user-home/kea-ca-1.conf +++ b/doc/examples/template-power-user-home/kea-ca-1.conf 
@@ -18,21 +18,21 @@ { "comment": "socket to DHCPv4 server", "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Location of the DHCPv6 command channel socket. "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" }, // Location of the D2 command channel socket. "d2": { "socket-type": "unix", - "socket-name": "/tmp/kea-ddns-ctrl-socket", + "socket-name": "kea-ddns-ctrl-socket", "user-context": { "in-use": false } } }, diff --git a/doc/examples/template-power-user-home/kea-ca-2.conf b/doc/examples/template-power-user-home/kea-ca-2.conf index f36c850aba..518a871ebe 100644 --- a/doc/examples/template-power-user-home/kea-ca-2.conf +++ b/doc/examples/template-power-user-home/kea-ca-2.conf @@ -18,21 +18,21 @@ { "comment": "socket to DHCPv4 server", "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Location of the DHCPv6 command channel socket. "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" }, // Location of the D2 command channel socket. "d2": { "socket-type": "unix", - "socket-name": "/tmp/kea-ddns-ctrl-socket", + "socket-name": "kea-ddns-ctrl-socket", "user-context": { "in-use": false } } }, diff --git a/doc/examples/template-power-user-home/kea-dhcp4-1.conf b/doc/examples/template-power-user-home/kea-dhcp4-1.conf index d4a9d70560..3ee7137978 100644 --- a/doc/examples/template-power-user-home/kea-dhcp4-1.conf +++ b/doc/examples/template-power-user-home/kea-dhcp4-1.conf @@ -31,7 +31,7 @@ // API between the HA peers. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Use Memfile lease database backend to store leases in a CSV file. 
diff --git a/doc/examples/template-power-user-home/kea-dhcp4-2.conf b/doc/examples/template-power-user-home/kea-dhcp4-2.conf index f75a99775e..3a535a2aaa 100644 --- a/doc/examples/template-power-user-home/kea-dhcp4-2.conf +++ b/doc/examples/template-power-user-home/kea-dhcp4-2.conf @@ -31,7 +31,7 @@ // API between the HA peers. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Use Memfile lease database backend to store leases in a CSV file. diff --git a/doc/sphinx/arm/agent.rst b/doc/sphinx/arm/agent.rst index 1581a05976..682a151dac 100644 --- a/doc/sphinx/arm/agent.rst +++ b/doc/sphinx/arm/agent.rst @@ -138,12 +138,13 @@ specified for the DHCPv4, DHCPv6, and D2 services. .. note:: As of Kea 2.6.3, control sockets may only reside in the directory - determined during compilation as ``"[kea-install-dir]/var/run/kea"``. This - path may be overridden at startup by setting the environment variable - ``KEA_CONTROL_SOCKET_DIR`` to the desired path. If a path other than - this value is used in ``socket-name``, Kea will emit an error and refuse to - start or, if already running, log an unrecoverable error. For ease of use in - simply omit the path component from ``socket-name``. + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. User contexts can store arbitrary data as long as they are in valid JSON syntax and their top-level element is a map (i.e. the data must be 
@@ -173,7 +174,7 @@ authorized. When the ``clients`` authentication list is configured and not empty, basic HTTP authentication is required. Each element of the list specifies a user ID and a password. The user ID is mandatory, must -be not empty, and must not contain the colon (:) character. The +not be empty, and must not contain the colon (:) character. The password is optional; when it is not specified an empty password is used. 
@@ -216,45 +217,8 @@ the example above. Secure Connections ================== -The Kea Control Agent natively supports secure -HTTP connections using TLS. This allows protection against users from -the node where the agent runs, something that a reverse proxy cannot -provide. More about TLS/HTTPS support in Kea can be found in :ref:`tls`. - -TLS is configured using three string parameters with file names, and -a boolean parameter: - -- The ``trust-anchor`` specifies the Certification Authority file name or - directory path. - -- The ``cert-file`` specifies the server certificate file name. - -- The ``key-file`` specifies the private key file name. The file must not - be encrypted. - -- The ``cert-required`` specifies whether client certificates are required - or optional. The default is to require them and to perform mutual - authentication. - -The file format is PEM. Either all the string parameters are specified and -HTTP over TLS (HTTPS) is used, or none is specified and plain HTTP is used. -Configuring only one or two string parameters results in an error. - -.. note:: - - When client certificates are not required, only the server side is - authenticated, i.e. the communication is encrypted with an unknown - client. This protects only against passive attacks; active - attacks, such as "man-in-the-middle," are still possible. - -.. note:: - - No standard HTTP authentication scheme cryptographically binds its end - entity with TLS. This means that the TLS client and server can be - mutually authenticated, but there is no proof they are the same as - for the HTTP authentication. - -The :iscman:`kea-shell` tool also supports TLS. +Configuration options related to Kea Control Agent security can be found in the +:ref:`secure-control-agent` section. .. _agent-launch: diff --git a/doc/sphinx/arm/ddns.rst b/doc/sphinx/arm/ddns.rst index 7cb114dac5..c44736a0ac 100644 --- a/doc/sphinx/arm/ddns.rst +++ b/doc/sphinx/arm/ddns.rst 
@@ -306,12 +306,13 @@ values are 107 on Linux and 103 on FreeBSD. .. note:: As of Kea 2.6.3, control sockets may only reside in the directory - determined during compilation as ``"[kea-install-dir]/var/run/kea"``. This - path may be overridden at startup by setting the environment variable - ``KEA_CONTROL_SOCKET_DIR`` to the desired path. If a path other than - this value is used in ``socket-name``, Kea will emit an error and refuse to - start or, if already running, log an unrecoverable error. For ease of use in - simply omit the path component from ``socket-name``. + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. Communication over the control channel is conducted using JSON structures. See the `Control Channel section in the Kea Developer's diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index 8b9e21f36f..c5c7ff8b50 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst @@ -400,13 +400,13 @@ An example configuration of the memfile backend is presented below: "lease-database": { "type": "memfile", "persist": true, - "name": "/tmp/kea-leases4.csv", + "name": "kea-leases4.csv", "lfc-interval": 1800, "max-row-errors": 100 } } -This configuration selects ``/tmp/kea-leases4.csv`` as the storage +This configuration selects ``kea-leases4.csv`` as the storage for lease information and enables persistence (writing lease updates to this file). It also configures the backend to perform a periodic cleanup of the lease file every 1800 seconds (30 minutes) and sets the maximum number of 
@@ -4306,7 +4306,7 @@ ISC tested the following configuration: "name": "kea-dhcp4", "output-options": [ { - "output": "/tmp/kea-dhcp4.log" + "output": "kea-dhcp4.log" } ], "severity": "DEBUG", @@ -5170,7 +5170,7 @@ message fields: "hw-address": "aa:bb:cc:dd:ee:ff", "next-server": "10.1.1.2", "server-hostname": "server-hostname.example.org", - "boot-file-name": "/tmp/bootfile.efi" + "boot-file-name": "/usr/local/share/kea/bootfile.efi" } ], ... @@ -7591,12 +7591,13 @@ values are 107 on Linux and 103 on FreeBSD. .. note:: As of Kea 2.6.3, control sockets may only reside in the directory - determined during compilation as ``"[kea-install-dir]/var/run/kea"``. This - path may be overridden at startup by setting the environment variable - ``KEA_CONTROL_SOCKET_DIR`` to the desired path. If a path other than - this value is used in ``socket-name``, Kea will emit an error and refuse to - start or, if already running, log an unrecoverable error. For ease of use in - simply omit the path component from ``socket-name``. + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. Communication over the control channel is conducted using JSON structures. See the diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index 9f30d28206..af47d52d06 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst 
@@ -356,13 +356,13 @@ An example configuration of the memfile backend is presented below: "lease-database": { "type": "memfile", "persist": true, - "name": "/tmp/kea-leases6.csv", + "name": "kea-leases6.csv", "lfc-interval": 1800, "max-row-errors": 100 } } -This configuration selects ``/tmp/kea-leases6.csv`` as the storage file +This configuration selects ``kea-leases6.csv`` as the storage file for lease information and enables persistence (writing lease updates to this file). It also configures the backend to perform a periodic cleanup of the lease file every 1800 seconds (30 minutes) and sets the maximum number of @@ -3802,7 +3802,7 @@ ISC tested the following configuration: "loggers": [ { "name": "kea-dhcp6", "output-options": [ { - "output": "/tmp/kea-dhcp6.log" + "output": "kea-dhcp6.log" } ], "severity": "DEBUG", "debuglevel": 0 @@ -6230,7 +6230,7 @@ memory lease file into its data directory. By default this directory is :: "Dhcp6": { - "data-directory": "/var/tmp/kea-server6", + "data-directory": "/var/lib/kea/kea-server6", ... } 
@@ -7422,12 +7422,13 @@ values are 107 on Linux and 103 on FreeBSD. .. note:: As of Kea 2.6.3, control sockets may only reside in the directory - determined during compilation as ``"[kea-install-dir]/var/run/kea"``. This - path may be overridden at startup by setting the environment variable - ``KEA_CONTROL_SOCKET_DIR`` to the desired path. If a path other than - this value is used in ``socket-name``, Kea will emit an error and refuse to - start or, if already running, log an unrecoverable error. For ease of use in - simply omit the path component from ``socket-name``. + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. Communication over the control channel is conducted using JSON structures. See the diff --git a/doc/sphinx/arm/ext-gss-tsig.rst b/doc/sphinx/arm/ext-gss-tsig.rst index 404a15ee04..edfe6d81d4 100644 --- a/doc/sphinx/arm/ext-gss-tsig.rst +++ b/doc/sphinx/arm/ext-gss-tsig.rst 
@@ -275,15 +275,15 @@ file with the name ``dns.keytab``. .. code-block:: console - kadmin.local -q "ktadd -k /tmp/dns.keytab DNS/server.example.org" + kadmin.local -q "ktadd -k /usr/local/share/kea/dns.keytab DNS/server.example.org" If successfully exported, the following message is displayed: .. code-block:: console Authenticating as principal root/admin@EXAMPLE.ORG with password. - Entry for principal DNS/server.example.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/dns.keytab. - Entry for principal DNS/server.example.org with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/dns.keytab. + Entry for principal DNS/server.example.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/usr/local/share/kea/dns.keytab. + Entry for principal DNS/server.example.org with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/usr/local/share/kea/dns.keytab. The DHCP client principal (used by the Kea DHCP-DDNS server) is created the following way: @@ -306,7 +306,7 @@ keytab file with the name ``dhcp.keytab``. .. code-block:: console - kadmin.local -q "ktadd -k /tmp/dhcp.keytab DHCP/admin.example.org" + kadmin.local -q "ktadd -k /usr/local/share/kea/dhcp.keytab DHCP/admin.example.org" Finally, the ``krb5-admin-server`` must be restarted: @@ -910,13 +910,13 @@ This can be done manually via the command: .. code-block:: console - kinit -k -t /tmp/dhcp.keytab DHCP/admin.example.org + kinit -k -t /usr/local/share/kea/dhcp.keytab DHCP/admin.example.org or, when using AD: .. code-block:: console - kinit -k -t /tmp/dhcp.keytab DHCP/kea. + kinit -k -t /usr/local/share/kea/dhcp.keytab DHCP/kea. The credential cache can be displayed using ``klist``. diff --git a/doc/sphinx/arm/ext-netconf.rst b/doc/sphinx/arm/ext-netconf.rst index b32f4efe7d..32bef24e7b 100644 --- a/doc/sphinx/arm/ext-netconf.rst +++ b/doc/sphinx/arm/ext-netconf.rst 
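Review bot: The `ktadd -k /usr/local/share/kea/dhcp.keytab` and `dns.keytab` examples now write long-term Kerberos keys into a share directory that is conventionally world-readable, and a keytab is equivalent to the principal's password, so the text should tell the reader to protect the file rather than only where to put it. I'd add one sentence after the `ktadd` command for `dhcp.keytab`: `The keytab must be readable only by the account that runs kea-dhcp-ddns (chmod 600 and chown it accordingly); anyone who can read it can authenticate as that principal.` The `dns.keytab` is consumed by the DNS server, not Kea, so a Kea data directory is also a surprising home for it, though that is cosmetic.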
@@ -431,7 +431,7 @@ making them manageable. For instance, for the DHCPv4 server: { "Dhcp4": { "control-socket": { - "socket-name": "/tmp/kea-dhcp4-ctrl.sock", + "socket-name": "kea-dhcp4-ctrl.sock", "socket-type": "unix" } } @@ -570,7 +570,7 @@ Kea sources. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" } }, @@ -581,7 +581,7 @@ Kea sources. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" } }, @@ -748,7 +748,7 @@ DHCPv6 server: { "Dhcp6": { "control-socket": { - "socket-name": "/tmp/kea-dhcp6-ctrl.sock", + "socket-name": "kea-dhcp6-ctrl.sock", "socket-type": "unix" } } @@ -766,7 +766,7 @@ socket by running: .. code-block:: console - # echo '{ "command": "config-get" }' | socat UNIX:/tmp/kea-dhcp6-ctrl.sock '-,ignoreeof' + # echo '{ "command": "config-get" }' | socat UNIX:/opt/kea/var/run/kea/kea-dhcp6-ctrl.sock '-,ignoreeof' The following is the example ``netconf.json`` configuration for :iscman:`kea-netconf`, to manage the Kea DHCPv6 server: @@ -790,7 +790,7 @@ The following is the example ``netconf.json`` configuration for "managed-servers": { "dhcp6": { "control-socket": { - "socket-name": "/tmp/kea-dhcp6-ctrl.sock", + "socket-name": "kea-dhcp6-ctrl.sock", "socket-type": "unix" } } @@ -826,7 +826,7 @@ The following is the configuration extracted from ``startup.xml``: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -891,7 +891,7 @@ configuration file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -921,7 +921,7 @@ For example, consider this ``BAD-translator.xml`` file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix bad @@ -946,7 +946,7 @@ server and fails to validate, as in this ``BAD-config.xml`` file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -984,7 +984,7 @@ configuration in the ``twopools.xml`` file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix 
@@ -1027,7 +1027,7 @@ This example specifies two subnets in the ``twosubnets.xml`` file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -1062,7 +1062,7 @@ configuration in the ``logging.xml`` file: 2001:db8::/64 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -1082,7 +1082,7 @@ The corresponding Kea configuration in JSON is: { "Dhcp6": { "control-socket": { - "socket-name": "/tmp/kea-dhcp6-ctrl.sock", + "socket-name": "kea-dhcp6-ctrl.sock", "socket-type": "unix" }, "interfaces-config": { diff --git a/doc/sphinx/arm/hooks-ha.rst b/doc/sphinx/arm/hooks-ha.rst index 24f0efe970..5fcccfce73 100644 --- a/doc/sphinx/arm/hooks-ha.rst +++ b/doc/sphinx/arm/hooks-ha.rst @@ -1598,11 +1598,11 @@ machine as the primary server. This configuration is valid for both the "control-sockets": { "dhcp4": { "socket-type": "unix", - "socket-name": "/tmp/kea-dhcp4-ctrl.sock" + "socket-name": "kea-dhcp4-ctrl.sock" }, "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea-dhcp6-ctrl.sock" + "socket-name": "kea-dhcp6-ctrl.sock" } } } diff --git a/doc/sphinx/arm/hooks-host-cache.rst b/doc/sphinx/arm/hooks-host-cache.rst index ebf0cd9d34..90c3685940 100644 --- a/doc/sphinx/arm/hooks-host-cache.rst +++ b/doc/sphinx/arm/hooks-host-cache.rst @@ -161,10 +161,10 @@ example usage looks as follows: { "command": "cache-load", - "arguments": "/tmp/kea-host-cache.json" + "arguments": "/usr/local/share/kea/kea-host-cache.json" } -This command stores the contents to the ``/tmp/kea-host-cache.json`` +This command stores the contents to the ``/usr/local/share/kea/kea-host-cache.json`` file. That file can then be loaded with the :isccmd:`cache-load` command or processed by any other tool that is able to understand JSON format. diff --git a/doc/sphinx/arm/hooks-lease-cmds.rst b/doc/sphinx/arm/hooks-lease-cmds.rst index 46e54a03e7..7aa31aaad7 100644 --- a/doc/sphinx/arm/hooks-lease-cmds.rst +++ b/doc/sphinx/arm/hooks-lease-cmds.rst 
@@ -1095,7 +1095,7 @@ to the previous filename: for example, ``.bak14326``. determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than - this value is used in ``name``, Kea will emit an error and refuse to start + this value is used in ``filename``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. For ease of use in specifying a custom file name simply omit the path portion from ``filename``. diff --git a/doc/sphinx/arm/hooks-user-chk.rst b/doc/sphinx/arm/hooks-user-chk.rst index 37f94b4c88..15bd43d91d 100644 --- a/doc/sphinx/arm/hooks-user-chk.rst +++ b/doc/sphinx/arm/hooks-user-chk.rst @@ -44,7 +44,7 @@ address after their device is restarted. to consult an external source of information about clients and alter Kea's behavior remains useful and of educational value. -The library reads the ``/tmp/user_chk_registry.txt`` file while being loaded +The library reads the ``/usr/local/share/kea/user_chk_registry.txt`` file while being loaded and each time an incoming packet is processed. Each line of the file is expected to contain a self-contained JSON snippet which must have the following two entries: 
@@ -67,9 +67,9 @@ A sample user registry file is shown below: :: - { "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/tmp/v4bootfile" } + { "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/usr/local/share/kea/v4bootfile" } { "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:06", "tftp_server" : "tftp.v4.example.com" } - { "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/tmp/v6bootfile" } + { "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/usr/local/share/kea/v6bootfile" } { "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:06", "tftp_server" : "tftp.v6.example.com" } As with any other hook libraries provided by ISC, internals of the diff --git a/doc/sphinx/arm/security.rst b/doc/sphinx/arm/security.rst index 3063fb0667..19a9fbe57f 100644 --- a/doc/sphinx/arm/security.rst +++ b/doc/sphinx/arm/security.rst @@ -36,6 +36,13 @@ protection possible: the two security mechanisms, and therefore no proof that the TLS client and server are the same as the HTTP authentication client and server. +.. note:: + + It is recommend to use privileged ports for HTTP/HTTPS against local attacks + (by users which are connected to the box where Kea servers/agents run). This + measure also prevents against impersonation with HTTP, and Denial of + Service in general. + .. _tls_config: Building Kea with TLS/HTTPS Support 
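Review bot: The added note in security.rst overstates what a privileged port provides: binding HTTP/HTTPS below 1024 only prevents an unprivileged local user from binding the same port first (and thereby squatting or impersonating the listener before the agent starts); it does not prevent denial of service in general, and it gives no protection once the port is already held. I'd reword it to `It is recommended to bind HTTP/HTTPS listeners to privileged ports (below 1024) so that unprivileged local users on the host running Kea cannot bind the port first and impersonate or block the server or agent.` and drop the `Denial of Service in general` clause. There is also a typo in the new text: `It is recommend` should read `It is recommended`, and `prevents against` should be `protects against`.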
@@ -205,6 +212,51 @@ desired. It is highly recommended to read the ``openssl.cnf`` manual page, normally called ``config.5ssl`` and displayed using ``man config``. +.. _secure-control-agent: + +Secure Kea Control Agent +======================== + +The Kea Control Agent natively supports secure +HTTP connections using TLS. This allows protection against users from +the node where the agent runs, something that a reverse proxy cannot +provide. More about TLS/HTTPS support in Kea can be found in :ref:`tls`. + +TLS is configured using three string parameters with file names, and +a boolean parameter: + +- The ``trust-anchor`` specifies the Certification Authority file name or + directory path. + +- The ``cert-file`` specifies the server certificate file name. + +- The ``key-file`` specifies the private key file name. The file must not + be encrypted. + +- The ``cert-required`` specifies whether client certificates are required + or optional. The default is to require them and to perform mutual + authentication. + +The file format is PEM. Either all the string parameters are specified and +HTTP over TLS (HTTPS) is used, or none is specified and plain HTTP is used. +Configuring only one or two string parameters results in an error. + +.. note:: + + When client certificates are not required, only the server side is + authenticated, i.e. the communication is encrypted with an unknown + client. This protects only against passive attacks; active + attacks, such as "man-in-the-middle," are still possible. + +.. note:: + + No standard HTTP authentication scheme cryptographically binds its end + entity with TLS. This means that the TLS client and server can be + mutually authenticated, but there is no proof they are the same as + for the HTTP authentication. + +The :iscman:`kea-shell` tool also supports TLS. + Securing a Kea Deployment ========================= 
@@ -218,13 +270,29 @@ The Kea architecture is modular, with separate daemons for separate tasks. A Kea deployment may include DHCPv4, DHCPv6, and Dynamic DNS daemons; a Control Agent daemon run on each application server; the ``kea-lfc utility`` for doing periodic lease file cleanup; MySQL and or PostgreSQL databases, run either locally on the application -servers or accessed over the internal network; and a Stork monitoring system. +servers or accessed over the internal network; a Netconf daemon to perform config and stats +monitoring of Kea servers; and a Stork monitoring system. This modular architecture allows the administrator to minimize the attack surface by minimizing the code that is loaded and running. For example, :iscman:`kea-dhcp-ddns` should not be run unless DNS updates are required. Similarly, :iscman:`kea-lfc` is never triggered (and can be safely removed or never installed) if memfile is not used. Potential Kea security issues can be minimized by running only those processes required in the local environment. +.. note:: + + As of Kea 2.6.3, the lease files (DHCPv4 and DHCPv6) and duid file (DHCPv6 only) + may only be loaded from the directory determined at compilation: + ``"[kea-install-dir]/var/lib/kea"``. + This path may be overridden at startup by setting the environment variable + ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + this value is used in ``name`` or ``data-directory``, Kea will emit an error and + refuse to start or, if already running, log an unrecoverable error. + This restriction applies to writing lease file using ``lease4-write`` and + ``lease6-write`` commands. If a path other than this value is used in ``filename``, + Kea will emit an error and refuse to start or, if already running, log an + unrecoverable error. For ease of use in specifying a custom file name simply + omit the path portion from ``filename``. + Limiting Application Permissions -------------------------------- 
@@ -246,6 +314,17 @@ read from or write to this socket, root access is generally required, although i to run as non-root, the owner of the process can write to it. Access can be controlled using normal file-access control on POSIX systems (owner, group, others, read/write). +.. note:: + + As of Kea 2.6.3, control sockets may only reside in the directory + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. + Kea configuration is controlled by a JSON file on the Kea server. This file can be viewed or edited by anyone with file permissions (which are controlled by the operating system). Note that passwords are stored in clear text in the configuration file, so anyone with access to read the @@ -253,6 +332,12 @@ configuration file can find this information. As a practical matter, anyone with the configuration file has control over Kea. Limiting user permission to read or write the Kea configuration file is an important security step. +.. note:: + + As of Kea 2.6.3, the config file may only be written (using the + ``config-write`` command) to the same directory as the config file used + when starting Kea (passed as a ``-c`` argument). + Securing Database Connections ----------------------------- 
@@ -267,6 +352,10 @@ in the configuration file.** Depending on the database configuration, it is also possible to verify whether the system user matches the database username. Consult the MySQL or PostgreSQL manual for details. +Kea supports client TLS settings for MySQL database and it must be +configured explicitly for all used connections (configuration, +reservations, leases, forensic logging). + Information Leakage Through Logging ----------------------------------- 
@@ -277,6 +366,36 @@ Since Kea 1.9.7, this issue has been resolved by replacing the value of all entr Logs are sent to stdout, stderr, files, or syslog; system file permissions system apply to stdout/stderr and files. Syslog may export the logs over the network, exposing them further to possible snooping. +.. note:: + + As of Kea 2.7.9, log files may only be written to the output directory + determined during compilation as: ``"[kea-install-dir]/var/log/kea"``. This + path may be overridden at startup by setting the environment variable + ``KEA_LOG_FILE_DIR`` to the desired path. If a path other than + this value is used in ``output``, Kea will emit an error and refuse to start + or, if already running, log an unrecoverable error. For ease of use simply + omit the path component from ``output`` and specify only the file name. + +Summary of Path Restrictions +---------------------------- + +Path restrictions mentioned through this section can be summarized according to +the following table: + ++-------------------------------------+---------------------------------------+----------------------------------+ +| Restricted Element | Default Value | Environment Variable Override | ++=====================================+=======================================+==================================+ +| Config Files (``config-write``) | Same Directory as Initial Config File | N/A | ++-------------------------------------+---------------------------------------+----------------------------------+ +| Lease Files | ``var/lib/kea`` | ``KEA_DHCP_DATA_DIRECTORY`` | ++-------------------------------------+---------------------------------------+----------------------------------+ +| Log Files | ``var/log/kea`` | ``KEA_LOG_FILE_DIR`` | ++-------------------------------------+---------------------------------------+----------------------------------+ +| Unix Sockets | ``var/run/kea`` | ``KEA_CONTROL_SOCKET_DIR`` | 
++-------------------------------------+---------------------------------------+----------------------------------+ + + + Cryptography Components ----------------------- @@ -372,6 +491,16 @@ Kea 1.9.2 introduced a new ``auth`` hook point. With this new hook point, it is hook library to extend the access controls, integrate with another authentication authority, or add role-based access control to the Control Agent. +.. note: + + As of Kea 2.6.3, hook libraries may only be loaded from the default installation + directory determined during compilation and shown in the config report as + "Hooks directory". This value may be overridden at startup by setting the + environment variable ``KEA_HOOKS_PATH`` to the desired path. If a path other + than this value is used in a ``library`` element Kea will emit an error and refuse + to load the library. For ease of use ``library`` elements may simply omit path + components. + Kea Security Processes ====================== @@ -400,9 +529,9 @@ processes that are used to ensure adequate code quality: - Each line of code goes through a formal review before it is accepted. The review process is documented and available publicly. -- Roughly 50% of the source code is dedicated to unit tests. As of December 2020, there were over 6000 +- Roughly 50% of the source code is dedicated to unit tests. As of May 2024, there were over 12000 unit tests and the number is increasing with time. Unit tests are required to commit any new feature. -- There are around 1500 system tests for Kea. These simulate both correct and invalid +- There are around 2000 system tests for Kea. These simulate both correct and invalid situations, covering network packets (mostly DHCP, but also DNS, HTTP, HTTPS and others), command-line usage, API calls, database interactions, scripts, and more. - There are performance tests with over 80 scenarios that test Kea overall performance and 
@@ -416,8 +545,10 @@ processes that are used to ensure adequate code quality: packets in an invalid order) and more. - The Kea development team uses many tools that perform automatic code quality checks, such as danger, as well as internally developed sanity checkers. -- The Kea team uses the following static code analyzers: Coverity Scan, shellcheck, and danger. -- The Kea team uses the following dynamic code analyzers: Valgrind and Thread Sanitizer (TSAN). +- The Kea team uses the following static code analyzers: Coverity Scan, cppcheck, clang-static-analyzer, shellcheck, + flawfinder, semgrep and danger. +- The Kea team uses the following dynamic code analyzers: Valgrind, Thread Sanitizer (TSAN), Address Sanitizer (ASAN), + Undefined Behavior Sanitizer (UBSAN). Fuzz Testing ------------ diff --git a/doc/sphinx/index.rst b/doc/sphinx/index.rst index 438621e38d..24255e295c 100644 --- a/doc/sphinx/index.rst +++ b/doc/sphinx/index.rst @@ -28,6 +28,7 @@ Other useful Kea information can be found in our arm/quickstart arm/install arm/admin + arm/security arm/config arm/keactrl arm/agent @@ -46,7 +47,6 @@ Other useful Kea information can be found in our arm/shell arm/integrations arm/stork - arm/security .. toctree:: :caption: Appendices diff --git a/src/bin/netconf/netconf_config.h b/src/bin/netconf/netconf_config.h index b4f6339c88..34df81a477 100644 --- a/src/bin/netconf/netconf_config.h +++ b/src/bin/netconf/netconf_config.h @@ -56,7 +56,7 @@ namespace netconf { /// "control-socket": /// { /// "socket-type": "unix", -/// "socket-name": "/tmp/server-v4.sock" +/// "socket-name": "server-v4.sock" /// } /// } /// } diff --git a/src/hooks/dhcp/user_chk/libdhcp_user_chk.dox b/src/hooks/dhcp/user_chk/libdhcp_user_chk.dox index ad2be18db4..dcf1fafae4 100644 --- a/src/hooks/dhcp/user_chk/libdhcp_user_chk.dox +++ b/src/hooks/dhcp/user_chk/libdhcp_user_chk.dox 
@@ -98,7 +98,7 @@ Currently, the library uses a hard coded pathname for the user registry defined in load_unload.cc: @code - const char* registry_fname = "/tmp/user_chk_registry.txt"; + const char* registry_fname = "/usr/local/share/kea/user_chk_registry.txt"; @endcode Each line in the file is a self-contained JSON snippet which must have the @@ -117,9 +117,9 @@ and may have the zero or more of the following entries: Sample user registry file is shown below: @code -{ "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/tmp/v4bootfile" } +{ "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/usr/local/share/kea/v4bootfile" } { "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:06", "tftp_server" : "tftp.v4.example.com" } -{ "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/tmp/v6bootfile" } +{ "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/usr/local/share/kea/v6bootfile" } { "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:06", "tftp_server" : "tftp.v6.example.com" } @endcode @@ -160,7 +160,7 @@ file. Currently, the library uses a hard coded pathname for the user registry defined in load_unload.cc: @code - const char* user_chk_output_fname = "/tmp/user_chk_outcome.txt"; + const char* user_chk_output_fname = "/usr/local/share/kea/user_chk_outcome.txt"; @endcode If the file cannot be created (or opened), the library will unload. diff --git a/src/hooks/dhcp/user_chk/load_unload.cc b/src/hooks/dhcp/user_chk/load_unload.cc index a31042ca5c..b1bf924718 100644 --- a/src/hooks/dhcp/user_chk/load_unload.cc +++ b/src/hooks/dhcp/user_chk/load_unload.cc 
@@ -28,11 +28,11 @@ std::fstream user_chk_output;
 /// @brief User registry input file name.
 /// @todo Hard-coded for now, this should be configurable.
-const char* registry_fname = "/tmp/user_chk_registry.txt";
+const char* registry_fname = "/usr/local/share/kea/user_chk_registry.txt";
 /// @brief User check outcome file name.
 /// @todo Hard-coded for now, this should be configurable.
-const char* user_chk_output_fname = "/tmp/user_chk_outcome.txt";
+const char* user_chk_output_fname = "/usr/local/share/kea/user_chk_outcome.txt";
 /// @brief Text label of user id in the inbound query in callout context
 const char* query_user_id_label = "query_user_id";
diff --git a/src/lib/config/client_connection.h b/src/lib/config/client_connection.h
index b9d49fc5b4..4ac4688052 100644
--- a/src/lib/config/client_connection.h
+++ b/src/lib/config/client_connection.h
@@ -50,7 +50,7 @@ class ClientConnectionImpl;
 /// IOService io_service;
 /// ClientConnection conn(io_service);
 /// bool cb_invoked = false;
-/// conn.start(ClientConnection::SocketPath("/tmp/kea.sock"),
+/// conn.start(ClientConnection::SocketPath("/opt/kea/var/run/kea/kea.sock"),
 /// ClientConnection::ControlCommand(command),
 /// [this, &cb_invoked](const boost::system::error_code& ec,
 /// const ConstJSONFeedPtr& feed) {
diff --git a/src/lib/d2srv/d2_config.h b/src/lib/d2srv/d2_config.h
index 2b57ddf387..a02541cf9b 100644
--- a/src/lib/d2srv/d2_config.h
+++ b/src/lib/d2srv/d2_config.h
@@ -78,7 +78,7 @@ namespace d2 {
 /// "control-socket":
 /// {
 /// "socket-type": "unix" ,
-/// "socket-name": "/tmp/kea-ddns-ctrl-socket"
+/// "socket-name": "kea-ddns-ctrl-socket"
 //// },
 /// "tsig-keys":
 //// [
diff --git a/src/lib/yang/adaptor.h b/src/lib/yang/adaptor.h
index d4909fbd32..06e6361885 100644
--- a/src/lib/yang/adaptor.h
+++ b/src/lib/yang/adaptor.h
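Review bot: `registry_fname` and `user_chk_output_fname` keep a fixed absolute prefix, so they do not follow the compile-time install directories that the rest of this commit makes authoritative (for example the `var/lib/kea` data directory with its `KEA_DHCP_DATA_DIRECTORY` override), and an installation built with another prefix will look for the registry where nothing installs it. `/usr/local/share` is also a read-only data tree, while `user_chk_output_fname` names a file the hook appears to open for writing via `user_chk_output` (judging from the `std::fstream` in the hunk context), so the outcome file belongs under a writable state directory. Leaving `/tmp` is the right direction, since it removes the dependency on a shared world-writable directory. Until both paths are derived from the build's data directory, I would make the `@todo` on each concrete: `/// @todo Hard-coded for now; should follow the build's data directory, and the outcome file needs a writable location.`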
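Review bot: The example on the `conn.start` line now uses the absolute `/opt/kea/var/run/kea/kea.sock`, whereas every other example in this commit switches to a bare socket name such as `kea.sock` or `kea4-sock` that is resolved in the `var/run/kea` directory (or `KEA_CONTROL_SOCKET_DIR`). If `ClientConnection::SocketPath` is a client-side value that must be a full filesystem path, a short comment saying so would stop readers from copying the bare-name form here; if it is resolved like `socket-name`, the example should use the bare name for consistency. Something like `/// SocketPath takes the full filesystem path of the server's control socket.` above the call would settle it, provided that is indeed the contract. The enclosing code example continues outside the hunk.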
@@ -98,7 +98,7 @@ public:
 /// "control-socket":
 /// {
 /// "socket-type": "unix",
- /// "socket-name": "/tmp/kea4-ctrl-socket"
+ /// "socket-name": "kea4-ctrl-socket"
 /// }
 /// }
 /// }
diff --git a/src/lib/yang/translator_config.h b/src/lib/yang/translator_config.h
index c33e930d2e..a9214099ea 100644
--- a/src/lib/yang/translator_config.h
+++ b/src/lib/yang/translator_config.h
@@ -144,7 +144,7 @@ namespace yang {
 /// },
 /// "control-socket": {
 /// "socket-type": "unix",
-/// "socket-name": "/tmp/kea4-sock"
+/// "socket-name": "kea4-sock"
 /// },
 /// "subnet4":
 /// [
@@ -180,7 +180,7 @@ namespace yang {
 /// eth1
 ///
 ///
-/// /tmp/kea4-sock
+/// kea4-sock
 /// unix
 ///
 ///
@@ -310,7 +310,7 @@ namespace yang {
 /// },
 /// "control-socket": {
 /// "socket-type": "unix",
-/// "socket-name": "/tmp/kea6-sock"
+/// "socket-name": "kea6-sock"
 /// },
 /// "subnet6":
 /// [
@@ -345,7 +345,7 @@ namespace yang {
 /// eth1
 ///
 ///
-/// /tmp/kea6-sock
+/// kea6-sock
 /// unix
 ///
 ///
diff --git a/src/lib/yang/translator_control_socket.h b/src/lib/yang/translator_control_socket.h
index f2602c734b..58508590cd 100644
--- a/src/lib/yang/translator_control_socket.h
+++ b/src/lib/yang/translator_control_socket.h
@@ -35,7 +35,7 @@ namespace yang {
 /// An example in JSON and YANG formats:
 /// @code
 /// {
-/// "socket-name": "/tmp/kea.sock",
+/// "socket-name": "kea.sock",
 /// "socket-type": "unix",
 /// "user-context": { "foo": 1 }
 /// }
@@ -50,7 +50,7 @@ namespace yang {
 /// /kea-ctrl-agent:config/control-sockets/socket[server-type='dhcp4']/
 /// control-socket (container)
 /// /kea-ctrl-agent:config/control-sockets/socket[server-type='dhcp4']/
-/// control-socket/socket-name = /tmp/kea.sock
+/// control-socket/socket-name = kea.sock
 /// /kea-ctrl-agent:config/control-sockets/socket[server-type='dhcp4']/
 /// control-socket/socket-type = unix
 /// /kea-ctrl-agent:config/control-sockets/socket[server-type='dhcp4']/
diff --git a/src/share/api/cache-load.json b/src/share/api/cache-load.json
index ed06c48efe..3332ba9994 100644
--- a/src/share/api/cache-load.json
+++ b/src/share/api/cache-load.json
@@ -7,7 +7,7 @@
 "cmd-syntax": [
 "{",
 " \"command\": \"cache-load\",",
- " \"arguments\": \"/tmp/kea-host-cache.json\"",
+ " \"arguments\": \"/usr/local/share/kea/kea-host-cache.json\"",
 "}"
 ],
 "description": "See ",