From: Razvan Becheriu Date: Tue, 20 May 2025 18:07:00 +0000 (+0300) Subject: [#3843] backport #3833 to v2_4 X-Git-Tag: Kea-2.4.2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c4f6de9759378c33d15dc2db1521ab231daed66;p=thirdparty%2Fkea.git [#3843] backport #3833 to v2_4 --- diff --git a/doc/examples/agent/simple.json b/doc/examples/agent/simple.json index 155dd627cf..023384fb87 100644 --- a/doc/examples/agent/simple.json +++ b/doc/examples/agent/simple.json @@ -28,7 +28,7 @@ // This optional parameter can be used to specify a common // prefix for files handling client credentials. - "directory": "/tmp/kea-creds", + "directory": "/usr/local/share/kea/kea-creds", // This list specifies the user ids and passwords to use for // basic HTTP authentication. If empty or not present any client @@ -47,18 +47,18 @@ "password": "1234" }, - // This specifies a hiddent client. + // This specifies a hidden client. { - // The user id is the content of the file /tmp/kea-creds/hiddenu. + // The user id is the content of the file /usr/local/share/kea/kea-creds/hiddenu. "user-file": "hiddenu", - // The password is the content of the file /tmp/kea-creds/hiddenp. + // The password is the content of the file /usr/local/share/kea/kea-creds/hiddenp. "password-file": "hiddenp" }, // This specifies a hidden client using a secret in a file. { - // The secret is the content of the file /tmp/kea-creds/hiddens + // The secret is the content of the file /usr/local/share/kea/kea-creds/hiddens // which must be in the : format. "password-file": "hiddens" } @@ -128,7 +128,7 @@ "name": "kea-ctrl-agent", "output_options": [ { - "output": "/var/log/kea-ctrl-agent.log", + "output": "/var/log/kea/kea-ctrl-agent.log", // Several additional parameters are possible in addition // to the typical output. Flush determines whether logger // flushes output to a file. Maxsize determines maximum diff --git a/doc/examples/kea4/all-keys-netconf.json b/doc/examples/kea4/all-keys-netconf.json index 15fdd266da..46c634653c 100644 --- a/doc/examples/kea4/all-keys-netconf.json +++ b/doc/examples/kea4/all-keys-netconf.json @@ -26,7 +26,7 @@ "client-classes": [ { // Class-specific bootfile name to be set in the 'file' field. - "boot-file-name": "/tmp/bootfile.efi", + "boot-file-name": "/usr/local/share/kea/bootfile.efi", // Class name. "name": "phones_server1", diff --git a/doc/examples/kea4/all-keys.json b/doc/examples/kea4/all-keys.json index 38c23367ff..6c7a698390 100644 --- a/doc/examples/kea4/all-keys.json +++ b/doc/examples/kea4/all-keys.json @@ -26,7 +26,7 @@ "client-classes": [ { // Class-specific bootfile name to be set in the 'file' field. - "boot-file-name": "/tmp/bootfile.efi", + "boot-file-name": "/usr/local/share/kea/bootfile.efi", // Class name. "name": "phones_server1", diff --git a/doc/examples/netconf/kea-dhcp6-operations/BAD-config.xml b/doc/examples/netconf/kea-dhcp6-operations/BAD-config.xml index 5da5cfa5d1..089baa180a 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/BAD-config.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/BAD-config.xml @@ -12,7 +12,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/BAD-schema.xml b/doc/examples/netconf/kea-dhcp6-operations/BAD-schema.xml index c17390243e..f143e20999 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/BAD-schema.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/BAD-schema.xml @@ -12,7 +12,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/BAD-translator.xml b/doc/examples/netconf/kea-dhcp6-operations/BAD-translator.xml index 128693173c..12898feefa 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/BAD-translator.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/BAD-translator.xml @@ -12,7 +12,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix bad diff --git a/doc/examples/netconf/kea-dhcp6-operations/boot.json b/doc/examples/netconf/kea-dhcp6-operations/boot.json index 18d1da8901..c0c98125ad 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/boot.json +++ b/doc/examples/netconf/kea-dhcp6-operations/boot.json @@ -2,7 +2,7 @@ "Dhcp6": { "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" } } } diff --git a/doc/examples/netconf/kea-dhcp6-operations/logging.xml b/doc/examples/netconf/kea-dhcp6-operations/logging.xml index 7ce04e4682..018551dafb 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/logging.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/logging.xml @@ -12,7 +12,7 @@ 2001:db8::/64 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/netconf.json b/doc/examples/netconf/kea-dhcp6-operations/netconf.json index 1a8cd2113a..30c630eb82 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/netconf.json +++ b/doc/examples/netconf/kea-dhcp6-operations/netconf.json @@ -8,7 +8,7 @@ "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" } } }, diff --git a/doc/examples/netconf/kea-dhcp6-operations/startup.xml b/doc/examples/netconf/kea-dhcp6-operations/startup.xml index b085833b14..14d69e4db0 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/startup.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/startup.xml @@ -12,7 +12,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/twopools.xml b/doc/examples/netconf/kea-dhcp6-operations/twopools.xml index 8fb32c9d94..1b44462870 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/twopools.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/twopools.xml @@ -17,7 +17,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/netconf/kea-dhcp6-operations/twosubnets.xml b/doc/examples/netconf/kea-dhcp6-operations/twosubnets.xml index ba68a060ad..4e6378a374 100644 --- a/doc/examples/netconf/kea-dhcp6-operations/twosubnets.xml +++ b/doc/examples/netconf/kea-dhcp6-operations/twosubnets.xml @@ -21,7 +21,7 @@ eth1 - /tmp/kea6-ctrl-socket + kea6-ctrl-socket unix diff --git a/doc/examples/template-ha-mt-tls/kea-ca-1.conf b/doc/examples/template-ha-mt-tls/kea-ca-1.conf index cec984bff5..a8a297199a 100644 --- a/doc/examples/template-ha-mt-tls/kea-ca-1.conf +++ b/doc/examples/template-ha-mt-tls/kea-ca-1.conf @@ -42,21 +42,21 @@ { "comment": "socket to DHCPv4 server", "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Location of the DHCPv6 command channel socket. "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" }, // Location of the D2 command channel socket. "d2": { "socket-type": "unix", - "socket-name": "/tmp/kea-ddns-ctrl-socket", + "socket-name": "kea-ddns-ctrl-socket", "user-context": { "in-use": false } } }, diff --git a/doc/examples/template-ha-mt-tls/kea-ca-2.conf b/doc/examples/template-ha-mt-tls/kea-ca-2.conf index 3835a49f48..f54e4fed9e 100644 --- a/doc/examples/template-ha-mt-tls/kea-ca-2.conf +++ b/doc/examples/template-ha-mt-tls/kea-ca-2.conf @@ -42,21 +42,21 @@ { "comment": "socket to DHCPv4 server", "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Location of the DHCPv6 command channel socket. "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" }, // Location of the D2 command channel socket. "d2": { "socket-type": "unix", - "socket-name": "/tmp/kea-ddns-ctrl-socket", + "socket-name": "kea-ddns-ctrl-socket", "user-context": { "in-use": false } } }, diff --git a/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf b/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf index 5b4ae2fa1f..9df79bd4d2 100644 --- a/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf +++ b/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf @@ -31,7 +31,7 @@ // API between the HA peers. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Multi-threading parameters. diff --git a/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf b/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf index f1b48ae4be..00cf426119 100644 --- a/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf +++ b/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf @@ -31,7 +31,7 @@ // API between the HA peers. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Multi-threading parameters. diff --git a/doc/examples/template-power-user-home/kea-ca-1.conf b/doc/examples/template-power-user-home/kea-ca-1.conf index 04945c8a3e..19267dbe8c 100644 --- a/doc/examples/template-power-user-home/kea-ca-1.conf +++ b/doc/examples/template-power-user-home/kea-ca-1.conf @@ -18,21 +18,21 @@ { "comment": "socket to DHCPv4 server", "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Location of the DHCPv6 command channel socket. "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" }, // Location of the D2 command channel socket. "d2": { "socket-type": "unix", - "socket-name": "/tmp/kea-ddns-ctrl-socket", + "socket-name": "kea-ddns-ctrl-socket", "user-context": { "in-use": false } } }, diff --git a/doc/examples/template-power-user-home/kea-ca-2.conf b/doc/examples/template-power-user-home/kea-ca-2.conf index c876012aff..13a130b506 100644 --- a/doc/examples/template-power-user-home/kea-ca-2.conf +++ b/doc/examples/template-power-user-home/kea-ca-2.conf @@ -18,21 +18,21 @@ { "comment": "socket to DHCPv4 server", "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Location of the DHCPv6 command channel socket. "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" }, // Location of the D2 command channel socket. "d2": { "socket-type": "unix", - "socket-name": "/tmp/kea-ddns-ctrl-socket", + "socket-name": "kea-ddns-ctrl-socket", "user-context": { "in-use": false } } }, diff --git a/doc/examples/template-power-user-home/kea-dhcp4-1.conf b/doc/examples/template-power-user-home/kea-dhcp4-1.conf index 48b8c2eb86..0a7aaab3f5 100644 --- a/doc/examples/template-power-user-home/kea-dhcp4-1.conf +++ b/doc/examples/template-power-user-home/kea-dhcp4-1.conf @@ -31,7 +31,7 @@ // API between the HA peers. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Use Memfile lease database backend to store leases in a CSV file. diff --git a/doc/examples/template-power-user-home/kea-dhcp4-2.conf b/doc/examples/template-power-user-home/kea-dhcp4-2.conf index 29d8f4ca06..0e81dc170a 100644 --- a/doc/examples/template-power-user-home/kea-dhcp4-2.conf +++ b/doc/examples/template-power-user-home/kea-dhcp4-2.conf @@ -31,7 +31,7 @@ // API between the HA peers. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" }, // Use Memfile lease database backend to store leases in a CSV file. diff --git a/doc/sphinx/arm/agent.rst b/doc/sphinx/arm/agent.rst index 4e30d6a22a..ca67ed1d33 100644 --- a/doc/sphinx/arm/agent.rst +++ b/doc/sphinx/arm/agent.rst @@ -138,12 +138,13 @@ specified for the DHCPv4, DHCPv6, and D2 services. .. note:: As of Kea 2.4.2, control sockets may only reside in the directory - determined during compilation as ``"[kea-install-dir]/var/run/kea"``. This - path may be overridden at startup by setting the environment variable - ``KEA_CONTROL_SOCKET_DIR`` to the desired path. If a path other than - this value is used in ``socket-name``, Kea will emit an error and refuse to - start or, if already running, log an unrecoverable error. For ease of use in - simply omit the path component from ``socket-name``. + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. User contexts can store arbitrary data as long as they are in valid JSON syntax and their top-level element is a map (i.e. the data must be @@ -173,7 +174,7 @@ authorized. When the ``clients`` authentication list is configured and not empty, basic HTTP authentication is required. Each element of the list specifies a user ID and a password. The user ID is mandatory, must -be not empty, and must not contain the colon (:) character. The +not be empty, and must not contain the colon (:) character. The password is optional; when it is not specified an empty password is used. @@ -216,45 +217,8 @@ the example above. Secure Connections ================== -The Kea Control Agent natively supports secure -HTTP connections using TLS. This allows protection against users from -the node where the agent runs, something that a reverse proxy cannot -provide. More about TLS/HTTPS support in Kea can be found in :ref:`tls`. - -TLS is configured using three string parameters with file names, and -a boolean parameter: - -- The ``trust-anchor`` specifies the Certification Authority file name or - directory path. - -- The ``cert-file`` specifies the server certificate file name. - -- The ``key-file`` specifies the private key file name. The file must not - be encrypted. - -- The ``cert-required`` specifies whether client certificates are required - or optional. The default is to require them and to perform mutual - authentication. - -The file format is PEM. Either all the string parameters are specified and -HTTP over TLS (HTTPS) is used, or none is specified and plain HTTP is used. -Configuring only one or two string parameters results in an error. - -.. note:: - - When client certificates are not required, only the server side is - authenticated, i.e. the communication is encrypted with an unknown - client. This protects only against passive attacks; active - attacks, such as "man-in-the-middle," are still possible. - -.. note:: - - No standard HTTP authentication scheme cryptographically binds its end - entity with TLS. This means that the TLS client and server can be - mutually authenticated, but there is no proof they are the same as - for the HTTP authentication. - -The :iscman:`kea-shell` tool also supports TLS. +Configuration options related to Kea Control Agent security can be found in the +:ref:`secure-control-agent` section. .. _agent-launch: diff --git a/doc/sphinx/arm/ddns.rst b/doc/sphinx/arm/ddns.rst index fd972c2438..8bb231f39c 100644 --- a/doc/sphinx/arm/ddns.rst +++ b/doc/sphinx/arm/ddns.rst @@ -298,12 +298,13 @@ values are 107 on Linux and 103 on FreeBSD. .. note:: As of Kea 2.4.2, control sockets may only reside in the directory - determined during compilation as ``"[kea-install-dir]/var/run/kea"``. This - path may be overridden at startup by setting the environment variable - ``KEA_CONTROL_SOCKET_DIR`` to the desired path. If a path other than - this value is used in ``socket-name``, Kea will emit an error and refuse to - start or, if already running, log an unrecoverable error. For ease of use in - simply omit the path component from ``socket-name``. + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. Communication over the control channel is conducted using JSON structures. See the `Control Channel section in the Kea Developer's @@ -955,7 +956,7 @@ Currently Kea's statistics management has the following limitations: .. note:: - Hook libraries, such as the the ISC subscriber-only GSS-TSIG library, + Hook libraries, such as the ISC subscriber-only GSS-TSIG library, make new statistics available in Kea. More information about Kea statistics can be found at :ref:`stats`. diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index 9792ec544e..553962f361 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst @@ -400,13 +400,13 @@ An example configuration of the memfile backend is presented below: "lease-database": { "type": "memfile", "persist": true, - "name": "/tmp/kea-leases4.csv", + "name": "kea-leases4.csv", "lfc-interval": 1800, "max-row-errors": 100 } } -This configuration selects ``/tmp/kea-leases4.csv`` as the storage +This configuration selects ``kea-leases4.csv`` as the storage for lease information and enables persistence (writing lease updates to this file). It also configures the backend to perform a periodic cleanup of the lease file every 1800 seconds (30 minutes) and sets the maximum number of @@ -3034,7 +3034,7 @@ into two options, each with the code 240. .. note:: Currently the server does not support storing long options in databases, - either host reservations or the configuration backend. + either via host reservations or the configuration backend. The server is also able to receive packets with split options (options using the same option code) and to fuse the data chunks into one option. This is @@ -3394,7 +3394,7 @@ subnet, and pool, i.e. in the reverse order from the way in which ... } -The first ``option-data`` entry does not hide the second one, because +The first ``option-data`` entry does not hide the second one, because the vendor identifiers (1234 and 5678) are different: the responses will carry two instances of the ``vivco-suboptions`` option, each for a different vendor. @@ -3432,7 +3432,7 @@ DDNS-related parameters are split into two groups: - ``sender-port`` - ``max-queue-size`` - ``ncr-protocol`` - - ``ncr-format"`` + - ``ncr-format`` 2. Behavioral Parameters @@ -4254,7 +4254,7 @@ ISC tested the following configuration: "name": "kea-dhcp4", "output_options": [ { - "output": "/tmp/kea-dhcp4.log" + "output": "kea-dhcp4.log" } ], "severity": "DEBUG", @@ -5045,7 +5045,7 @@ message fields: "hw-address": "aa:bb:cc:dd:ee:ff", "next-server": "10.1.1.2", "server-hostname": "server-hostname.example.org", - "boot-file-name": "/tmp/bootfile.efi" + "boot-file-name": "/usr/local/share/kea/bootfile.efi" } ], ... @@ -7446,12 +7446,13 @@ values are 107 on Linux and 103 on FreeBSD. .. note:: As of Kea 2.4.2, control sockets may only reside in the directory - determined during compilation as ``"[kea-install-dir]/var/run/kea"``. This - path may be overridden at startup by setting the environment variable - ``KEA_CONTROL_SOCKET_DIR`` to the desired path. If a path other than - this value is used in ``socket-name``, Kea will emit an error and refuse to - start or, if already running, log an unrecoverable error. For ease of use in - simply omit the path component from ``socket-name``. + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. Communication over the control channel is conducted using JSON structures. See the diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index 9bfbd4622e..480e7764e0 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst @@ -356,13 +356,13 @@ An example configuration of the memfile backend is presented below: "lease-database": { "type": "memfile", "persist": true, - "name": "/tmp/kea-leases6.csv", + "name": "kea-leases6.csv", "lfc-interval": 1800, "max-row-errors": 100 } } -This configuration selects ``/tmp/kea-leases6.csv`` as the storage file +This configuration selects ``kea-leases6.csv`` as the storage file for lease information and enables persistence (writing lease updates to this file). It also configures the backend to perform a periodic cleanup of the lease file every 1800 seconds (30 minutes) and sets the maximum number of @@ -3025,7 +3025,7 @@ DDNS-related parameters are split into two groups: - ``sender-port`` - ``max-queue-size`` - ``ncr-protocol`` - - ``ncr-format"`` + - ``ncr-format`` 2. Behavioral Parameters @@ -3608,7 +3608,7 @@ ISC tested the following configuration: "loggers": [ { "name": "kea-dhcp6", "output_options": [ { - "output": "/tmp/kea-dhcp6.log" + "output": "kea-dhcp6.log" } ], "severity": "DEBUG", "debuglevel": 0 @@ -6037,7 +6037,7 @@ memory lease file into its data directory. By default this directory is :: "Dhcp6": { - "data-directory": "/var/tmp/kea-server6", + "data-directory": "/var/lib/kea/kea-server6", ... } @@ -7228,12 +7228,13 @@ values are 107 on Linux and 103 on FreeBSD. .. note:: As of Kea 2.4.2, control sockets may only reside in the directory - determined during compilation as ``"[kea-install-dir]/var/run/kea"``. This - path may be overridden at startup by setting the environment variable - ``KEA_CONTROL_SOCKET_DIR`` to the desired path. If a path other than - this value is used in ``socket-name``, Kea will emit an error and refuse to - start or, if already running, log an unrecoverable error. For ease of use in - simply omit the path component from ``socket-name``. + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. Communication over the control channel is conducted using JSON structures. See the @@ -7867,7 +7868,7 @@ for prefix delegation in a subnet: The Free Lease Queue allocator can only be used for DHCPv6 prefix delegation. An attempt to use this allocator for address assignment (with the ``allocator`` parameter) will cause a configuration error. DHCPv6 address pools are - typically very large and their utilization is low; in these situation, the benefits + typically very large and their utilization is low; in this situation, the benefits of using the FLQ allocator diminish. The amount of time required for the allocator to populate the free lease queue would cause the server to freeze upon startup. diff --git a/doc/sphinx/arm/ext-gss-tsig.rst b/doc/sphinx/arm/ext-gss-tsig.rst index 404a15ee04..edfe6d81d4 100644 --- a/doc/sphinx/arm/ext-gss-tsig.rst +++ b/doc/sphinx/arm/ext-gss-tsig.rst @@ -275,15 +275,15 @@ file with the name ``dns.keytab``. .. code-block:: console - kadmin.local -q "ktadd -k /tmp/dns.keytab DNS/server.example.org" + kadmin.local -q "ktadd -k /usr/local/share/kea/dns.keytab DNS/server.example.org" If successfully exported, the following message is displayed: .. code-block:: console Authenticating as principal root/admin@EXAMPLE.ORG with password. - Entry for principal DNS/server.example.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/dns.keytab. - Entry for principal DNS/server.example.org with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/dns.keytab. + Entry for principal DNS/server.example.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/usr/local/share/kea/dns.keytab. + Entry for principal DNS/server.example.org with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/usr/local/share/kea/dns.keytab. The DHCP client principal (used by the Kea DHCP-DDNS server) is created the following way: @@ -306,7 +306,7 @@ keytab file with the name ``dhcp.keytab``. .. code-block:: console - kadmin.local -q "ktadd -k /tmp/dhcp.keytab DHCP/admin.example.org" + kadmin.local -q "ktadd -k /usr/local/share/kea/dhcp.keytab DHCP/admin.example.org" Finally, the ``krb5-admin-server`` must be restarted: @@ -910,13 +910,13 @@ This can be done manually via the command: .. code-block:: console - kinit -k -t /tmp/dhcp.keytab DHCP/admin.example.org + kinit -k -t /usr/local/share/kea/dhcp.keytab DHCP/admin.example.org or, when using AD: .. code-block:: console - kinit -k -t /tmp/dhcp.keytab DHCP/kea. + kinit -k -t /usr/local/share/kea/dhcp.keytab DHCP/kea. The credential cache can be displayed using ``klist``. diff --git a/doc/sphinx/arm/ext-netconf.rst b/doc/sphinx/arm/ext-netconf.rst index 83673a29eb..c717a5a67f 100644 --- a/doc/sphinx/arm/ext-netconf.rst +++ b/doc/sphinx/arm/ext-netconf.rst @@ -431,7 +431,7 @@ making them manageable. For instance, for the DHCPv4 server: { "Dhcp4": { "control-socket": { - "socket-name": "/tmp/kea-dhcp4-ctrl.sock", + "socket-name": "kea-dhcp4-ctrl.sock", "socket-type": "unix" } } @@ -570,7 +570,7 @@ Kea sources. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea4-ctrl-socket" + "socket-name": "kea4-ctrl-socket" } }, @@ -581,7 +581,7 @@ Kea sources. "control-socket": { "socket-type": "unix", - "socket-name": "/tmp/kea6-ctrl-socket" + "socket-name": "kea6-ctrl-socket" } }, @@ -748,7 +748,7 @@ DHCPv6 server: { "Dhcp6": { "control-socket": { - "socket-name": "/tmp/kea-dhcp6-ctrl.sock", + "socket-name": "kea-dhcp6-ctrl.sock", "socket-type": "unix" } } @@ -766,7 +766,7 @@ socket by running: .. code-block:: console - # echo '{ "command": "config-get" }' | socat UNIX:/tmp/kea-dhcp6-ctrl.sock '-,ignoreeof' + # echo '{ "command": "config-get" }' | socat UNIX:/opt/kea/var/run/kea/kea-dhcp6-ctrl.sock '-,ignoreeof' The following is the example ``netconf.json`` configuration for :iscman:`kea-netconf`, to manage the Kea DHCPv6 server: @@ -790,7 +790,7 @@ The following is the example ``netconf.json`` configuration for "managed-servers": { "dhcp6": { "control-socket": { - "socket-name": "/tmp/kea-dhcp6-ctrl.sock", + "socket-name": "kea-dhcp6-ctrl.sock", "socket-type": "unix" } } @@ -826,7 +826,7 @@ The following is the configuration extracted from ``startup.xml``: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -891,7 +891,7 @@ configuration file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -921,7 +921,7 @@ For example, consider this ``BAD-translator.xml`` file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix bad @@ -946,7 +946,7 @@ server and fails to validate, as in this ``BAD-config.xml`` file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -984,7 +984,7 @@ configuration in the ``twopools.xml`` file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -1027,7 +1027,7 @@ This example specifies two subnets in the ``twosubnets.xml`` file: eth1 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -1062,7 +1062,7 @@ configuration in the ``logging.xml`` file: 2001:db8::/64 - /tmp/kea-dhcp6-ctrl.sock + kea-dhcp6-ctrl.sock unix @@ -1082,7 +1082,7 @@ The corresponding Kea configuration in JSON is: { "Dhcp6": { "control-socket": { - "socket-name": "/tmp/kea-dhcp6-ctrl.sock", + "socket-name": "kea-dhcp6-ctrl.sock", "socket-type": "unix" }, "interfaces-config": { diff --git a/doc/sphinx/arm/hooks-ha.rst b/doc/sphinx/arm/hooks-ha.rst index 681276a24e..1eefcfcf83 100644 --- a/doc/sphinx/arm/hooks-ha.rst +++ b/doc/sphinx/arm/hooks-ha.rst @@ -1594,11 +1594,11 @@ machine as the primary server. This configuration is valid for both the "control-sockets": { "dhcp4": { "socket-type": "unix", - "socket-name": "/tmp/kea-dhcp4-ctrl.sock" + "socket-name": "kea-dhcp4-ctrl.sock" }, "dhcp6": { "socket-type": "unix", - "socket-name": "/tmp/kea-dhcp6-ctrl.sock" + "socket-name": "kea-dhcp6-ctrl.sock" } } } diff --git a/doc/sphinx/arm/hooks-host-cache.rst b/doc/sphinx/arm/hooks-host-cache.rst index ec8851a74e..792915f398 100644 --- a/doc/sphinx/arm/hooks-host-cache.rst +++ b/doc/sphinx/arm/hooks-host-cache.rst @@ -161,10 +161,10 @@ example usage looks as follows: { "command": "cache-load", - "arguments": "/tmp/kea-host-cache.json" + "arguments": "/usr/local/share/kea/kea-host-cache.json" } -This command stores the contents to the ``/tmp/kea-host-cache.json`` +This command stores the contents to the ``/usr/local/share/kea/kea-host-cache.json`` file. That file can then be loaded with the :isccmd:`cache-load` command or processed by any other tool that is able to understand JSON format. diff --git a/doc/sphinx/arm/hooks-lease-cmds.rst b/doc/sphinx/arm/hooks-lease-cmds.rst index 053609a38f..28bac6ae6a 100644 --- a/doc/sphinx/arm/hooks-lease-cmds.rst +++ b/doc/sphinx/arm/hooks-lease-cmds.rst @@ -1072,7 +1072,7 @@ to the previous filename. For example ``.bak14326``. determined during compilation: ``"[kea-install-dir]/var/lib/kea"``. This path may be overridden at startup by setting the environment variable ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than - this value is used in ``name``, Kea will emit an error and refuse to start + this value is used in ``filename``, Kea will emit an error and refuse to start or, if already running, log an unrecoverable error. For ease of use in specifying a custom file name simply omit the path portion from ``filename``. diff --git a/doc/sphinx/arm/hooks-user-chk.rst b/doc/sphinx/arm/hooks-user-chk.rst index 37f94b4c88..15bd43d91d 100644 --- a/doc/sphinx/arm/hooks-user-chk.rst +++ b/doc/sphinx/arm/hooks-user-chk.rst @@ -44,7 +44,7 @@ address after their device is restarted. to consult an external source of information about clients and alter Kea's behavior remains useful and of educational value. -The library reads the ``/tmp/user_chk_registry.txt`` file while being loaded +The library reads the ``/usr/local/share/kea/user_chk_registry.txt`` file while being loaded and each time an incoming packet is processed. Each line of the file is expected to contain a self-contained JSON snippet which must have the following two entries: @@ -67,9 +67,9 @@ A sample user registry file is shown below: :: - { "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/tmp/v4bootfile" } + { "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/usr/local/share/kea/v4bootfile" } { "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:06", "tftp_server" : "tftp.v4.example.com" } - { "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/tmp/v6bootfile" } + { "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/usr/local/share/kea/v6bootfile" } { "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:06", "tftp_server" : "tftp.v6.example.com" } As with any other hook libraries provided by ISC, internals of the diff --git a/doc/sphinx/arm/security.rst b/doc/sphinx/arm/security.rst index 3063fb0667..19a9fbe57f 100644 --- a/doc/sphinx/arm/security.rst +++ b/doc/sphinx/arm/security.rst @@ -36,6 +36,13 @@ protection possible: the two security mechanisms, and therefore no proof that the TLS client and server are the same as the HTTP authentication client and server. +.. note:: + + It is recommend to use privileged ports for HTTP/HTTPS against local attacks + (by users which are connected to the box where Kea servers/agents run). This + measure also prevents against impersonation with HTTP, and Denial of + Service in general. + .. _tls_config: Building Kea with TLS/HTTPS Support @@ -205,6 +212,51 @@ desired. It is highly recommended to read the ``openssl.cnf`` manual page, normally called ``config.5ssl`` and displayed using ``man config``. +.. _secure-control-agent: + +Secure Kea Control Agent +======================== + +The Kea Control Agent natively supports secure +HTTP connections using TLS. This allows protection against users from +the node where the agent runs, something that a reverse proxy cannot +provide. More about TLS/HTTPS support in Kea can be found in :ref:`tls`. + +TLS is configured using three string parameters with file names, and +a boolean parameter: + +- The ``trust-anchor`` specifies the Certification Authority file name or + directory path. + +- The ``cert-file`` specifies the server certificate file name. + +- The ``key-file`` specifies the private key file name. The file must not + be encrypted. + +- The ``cert-required`` specifies whether client certificates are required + or optional. The default is to require them and to perform mutual + authentication. + +The file format is PEM. Either all the string parameters are specified and +HTTP over TLS (HTTPS) is used, or none is specified and plain HTTP is used. +Configuring only one or two string parameters results in an error. + +.. note:: + + When client certificates are not required, only the server side is + authenticated, i.e. the communication is encrypted with an unknown + client. This protects only against passive attacks; active + attacks, such as "man-in-the-middle," are still possible. + +.. note:: + + No standard HTTP authentication scheme cryptographically binds its end + entity with TLS. This means that the TLS client and server can be + mutually authenticated, but there is no proof they are the same as + for the HTTP authentication. + +The :iscman:`kea-shell` tool also supports TLS. + Securing a Kea Deployment ========================= @@ -218,13 +270,29 @@ The Kea architecture is modular, with separate daemons for separate tasks. A Kea deployment may include DHCPv4, DHCPv6, and Dynamic DNS daemons; a Control Agent daemon run on each application server; the ``kea-lfc utility`` for doing periodic lease file cleanup; MySQL and or PostgreSQL databases, run either locally on the application -servers or accessed over the internal network; and a Stork monitoring system. +servers or accessed over the internal network; a Netconf daemon to perform config and stats +monitoring of Kea servers; and a Stork monitoring system. This modular architecture allows the administrator to minimize the attack surface by minimizing the code that is loaded and running. For example, :iscman:`kea-dhcp-ddns` should not be run unless DNS updates are required. Similarly, :iscman:`kea-lfc` is never triggered (and can be safely removed or never installed) if memfile is not used. Potential Kea security issues can be minimized by running only those processes required in the local environment. +.. note:: + + As of Kea 2.6.3, the lease files (DHCPv4 and DHCPv6) and duid file (DHCPv6 only) + may only be loaded from the directory determined at compilation: + ``"[kea-install-dir]/var/lib/kea"``. + This path may be overridden at startup by setting the environment variable + ``KEA_DHCP_DATA_DIRECTORY`` to the desired path. If a path other than + this value is used in ``name`` or ``data-directory``, Kea will emit an error and + refuse to start or, if already running, log an unrecoverable error. + This restriction applies to writing lease file using ``lease4-write`` and + ``lease6-write`` commands. If a path other than this value is used in ``filename``, + Kea will emit an error and refuse to start or, if already running, log an + unrecoverable error. For ease of use in specifying a custom file name simply + omit the path portion from ``filename``. + Limiting Application Permissions -------------------------------- @@ -246,6 +314,17 @@ read from or write to this socket, root access is generally required, although i to run as non-root, the owner of the process can write to it. Access can be controlled using normal file-access control on POSIX systems (owner, group, others, read/write). +.. note:: + + As of Kea 2.6.3, control sockets may only reside in the directory + determined during compilation as ``"[kea-install-dir]/var/run/kea"``, + which must also have ``0750`` access rights. This path may be overridden + at startup by setting the environment variable ``KEA_CONTROL_SOCKET_DIR`` + to the desired path. If a path other than this value is used in + ``socket-name``, Kea will emit an error and refuse to start or, if already + running, log an unrecoverable error. For ease of use in simply omit the + path component from ``socket-name``. + Kea configuration is controlled by a JSON file on the Kea server. This file can be viewed or edited by anyone with file permissions (which are controlled by the operating system). Note that passwords are stored in clear text in the configuration file, so anyone with access to read the @@ -253,6 +332,12 @@ configuration file can find this information. As a practical matter, anyone with the configuration file has control over Kea. Limiting user permission to read or write the Kea configuration file is an important security step. +.. note:: + + As of Kea 2.6.3, the config file may only be written (using the + ``config-write`` command) to the same directory as the config file used + when starting Kea (passed as a ``-c`` argument). + Securing Database Connections ----------------------------- @@ -267,6 +352,10 @@ in the configuration file.** Depending on the database configuration, it is also possible to verify whether the system user matches the database username. Consult the MySQL or PostgreSQL manual for details. +Kea supports client TLS settings for MySQL database and it must be +configured explicitly for all used connections (configuration, +reservations, leases, forensic logging). + Information Leakage Through Logging ----------------------------------- @@ -277,6 +366,36 @@ Since Kea 1.9.7, this issue has been resolved by replacing the value of all entr Logs are sent to stdout, stderr, files, or syslog; system file permissions system apply to stdout/stderr and files. Syslog may export the logs over the network, exposing them further to possible snooping. +.. note:: + + As of Kea 2.7.9, log files may only be written to the output directory + determined during compilation as: ``"[kea-install-dir]/var/log/kea"``. This + path may be overridden at startup by setting the environment variable + ``KEA_LOG_FILE_DIR`` to the desired path. If a path other than + this value is used in ``output``, Kea will emit an error and refuse to start + or, if already running, log an unrecoverable error. For ease of use simply + omit the path component from ``output`` and specify only the file name. + +Summary of Path Restrictions +---------------------------- + +Path restrictions mentioned through this section can be summarized according to +the following table: + ++-------------------------------------+---------------------------------------+----------------------------------+ +| Restricted Element | Default Value | Environment Variable Override | ++=====================================+=======================================+==================================+ +| Config Files (``config-write``) | Same Directory as Initial Config File | N/A | ++-------------------------------------+---------------------------------------+----------------------------------+ +| Lease Files | ``var/lib/kea`` | ``KEA_DHCP_DATA_DIRECTORY`` | ++-------------------------------------+---------------------------------------+----------------------------------+ +| Log Files | ``var/log/kea`` | ``KEA_LOG_FILE_DIR`` | ++-------------------------------------+---------------------------------------+----------------------------------+ +| Unix Sockets | ``var/run/kea`` | ``KEA_CONTROL_SOCKET_DIR`` | ++-------------------------------------+---------------------------------------+----------------------------------+ + + + Cryptography Components ----------------------- @@ -372,6 +491,16 @@ Kea 1.9.2 introduced a new ``auth`` hook point. With this new hook point, it is hook library to extend the access controls, integrate with another authentication authority, or add role-based access control to the Control Agent. +.. note: + + As of Kea 2.6.3, hook libraries may only be loaded from the default installation + directory determined during compilation and shown in the config report as + "Hooks directory". This value may be overridden at startup by setting the + environment variable ``KEA_HOOKS_PATH`` to the desired path. If a path other + than this value is used in a ``library`` element Kea will emit an error and refuse + to load the library. For ease of use ``library`` elements may simply omit path + components. + Kea Security Processes ====================== @@ -400,9 +529,9 @@ processes that are used to ensure adequate code quality: - Each line of code goes through a formal review before it is accepted. The review process is documented and available publicly. -- Roughly 50% of the source code is dedicated to unit tests. As of December 2020, there were over 6000 +- Roughly 50% of the source code is dedicated to unit tests. As of May 2024, there were over 12000 unit tests and the number is increasing with time. Unit tests are required to commit any new feature. -- There are around 1500 system tests for Kea. These simulate both correct and invalid +- There are around 2000 system tests for Kea. These simulate both correct and invalid situations, covering network packets (mostly DHCP, but also DNS, HTTP, HTTPS and others), command-line usage, API calls, database interactions, scripts, and more. - There are performance tests with over 80 scenarios that test Kea overall performance and @@ -416,8 +545,10 @@ processes that are used to ensure adequate code quality: packets in an invalid order) and more. - The Kea development team uses many tools that perform automatic code quality checks, such as danger, as well as internally developed sanity checkers. -- The Kea team uses the following static code analyzers: Coverity Scan, shellcheck, and danger. -- The Kea team uses the following dynamic code analyzers: Valgrind and Thread Sanitizer (TSAN). +- The Kea team uses the following static code analyzers: Coverity Scan, cppcheck, clang-static-analyzer, shellcheck, + flawfinder, semgrep and danger. +- The Kea team uses the following dynamic code analyzers: Valgrind, Thread Sanitizer (TSAN), Address Sanitizer (ASAN), + Undefined Behavior Sanitizer (UBSAN). Fuzz Testing ------------ diff --git a/doc/sphinx/index.rst b/doc/sphinx/index.rst index 438621e38d..24255e295c 100644 --- a/doc/sphinx/index.rst +++ b/doc/sphinx/index.rst @@ -28,6 +28,7 @@ Other useful Kea information can be found in our arm/quickstart arm/install arm/admin + arm/security arm/config arm/keactrl arm/agent @@ -46,7 +47,6 @@ Other useful Kea information can be found in our arm/shell arm/integrations arm/stork - arm/security .. toctree:: :caption: Appendices diff --git a/src/bin/netconf/netconf_config.h b/src/bin/netconf/netconf_config.h index b4f6339c88..34df81a477 100644 --- a/src/bin/netconf/netconf_config.h +++ b/src/bin/netconf/netconf_config.h @@ -56,7 +56,7 @@ namespace netconf { /// "control-socket": /// { /// "socket-type": "unix", -/// "socket-name": "/tmp/server-v4.sock" +/// "socket-name": "server-v4.sock" /// } /// } /// } diff --git a/src/hooks/dhcp/user_chk/libdhcp_user_chk.dox b/src/hooks/dhcp/user_chk/libdhcp_user_chk.dox index ad2be18db4..dcf1fafae4 100644 --- a/src/hooks/dhcp/user_chk/libdhcp_user_chk.dox +++ b/src/hooks/dhcp/user_chk/libdhcp_user_chk.dox @@ -98,7 +98,7 @@ Currently, the library uses a hard coded pathname for the user registry defined in load_unload.cc: @code - const char* registry_fname = "/tmp/user_chk_registry.txt"; + const char* registry_fname = "/usr/local/share/kea/user_chk_registry.txt"; @endcode Each line in the file is a self-contained JSON snippet which must have the @@ -117,9 +117,9 @@ and may have the zero or more of the following entries: Sample user registry file is shown below: @code -{ "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/tmp/v4bootfile" } +{ "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/usr/local/share/kea/v4bootfile" } { "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:06", "tftp_server" : "tftp.v4.example.com" } -{ "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/tmp/v6bootfile" } +{ "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/usr/local/share/kea/v6bootfile" } { "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:06", "tftp_server" : "tftp.v6.example.com" } @endcode @@ -160,7 +160,7 @@ file. Currently, the library uses a hard coded pathname for the user registry defined in load_unload.cc: @code - const char* user_chk_output_fname = "/tmp/user_chk_outcome.txt"; + const char* user_chk_output_fname = "/usr/local/share/kea/user_chk_outcome.txt"; @endcode If the file cannot be created (or opened), the library will unload. diff --git a/src/hooks/dhcp/user_chk/load_unload.cc b/src/hooks/dhcp/user_chk/load_unload.cc index a31042ca5c..b1bf924718 100644 --- a/src/hooks/dhcp/user_chk/load_unload.cc +++ b/src/hooks/dhcp/user_chk/load_unload.cc @@ -28,11 +28,11 @@ std::fstream user_chk_output; /// @brief User registry input file name. /// @todo Hard-coded for now, this should be configurable. -const char* registry_fname = "/tmp/user_chk_registry.txt"; +const char* registry_fname = "/usr/local/share/kea/user_chk_registry.txt"; /// @brief User check outcome file name. /// @todo Hard-coded for now, this should be configurable. -const char* user_chk_output_fname = "/tmp/user_chk_outcome.txt"; +const char* user_chk_output_fname = "/usr/local/share/kea/user_chk_outcome.txt"; /// @brief Text label of user id in the inbound query in callout context const char* query_user_id_label = "query_user_id"; diff --git a/src/lib/config/client_connection.h b/src/lib/config/client_connection.h index 6321f34774..2466112f38 100644 --- a/src/lib/config/client_connection.h +++ b/src/lib/config/client_connection.h @@ -50,7 +50,7 @@ class ClientConnectionImpl; /// IOService io_service; /// ClientConnection conn(io_service); /// bool cb_invoked = false; -/// conn.start(ClientConnection::SocketPath("/tmp/kea.sock"), +/// conn.start(ClientConnection::SocketPath("/opt/kea/var/run/kea/kea.sock"), /// ClientConnection::ControlCommand(command), /// [this, &cb_invoked](const boost::system::error_code& ec, /// const ConstJSONFeedPtr& feed) { diff --git a/src/lib/d2srv/d2_config.h b/src/lib/d2srv/d2_config.h index cb141ad6b7..191b3c55b7 100644 --- a/src/lib/d2srv/d2_config.h +++ b/src/lib/d2srv/d2_config.h @@ -80,7 +80,7 @@ namespace d2 { /// "control-socket": /// { /// "socket-type": "unix" , -/// "socket-name": "/tmp/kea-ddns-ctrl-socket" +/// "socket-name": "kea-ddns-ctrl-socket" //// }, /// "tsig-keys": //// [ diff --git a/src/lib/yang/adaptor.h b/src/lib/yang/adaptor.h index d4909fbd32..06e6361885 100644 --- a/src/lib/yang/adaptor.h +++ b/src/lib/yang/adaptor.h @@ -98,7 +98,7 @@ public: /// "control-socket": /// { /// "socket-type": "unix", - /// "socket-name": "/tmp/kea4-ctrl-socket" + /// "socket-name": "kea4-ctrl-socket" /// } /// } /// } diff --git a/src/lib/yang/translator_config.h b/src/lib/yang/translator_config.h index cbdff25171..6a7475bbf6 100644 --- a/src/lib/yang/translator_config.h +++ b/src/lib/yang/translator_config.h @@ -145,7 +145,7 @@ namespace yang { /// }, /// "control-socket": { /// "socket-type": "unix", -/// "socket-name": "/tmp/kea4-sock" +/// "socket-name": "kea4-sock" /// }, /// "subnet4": /// [ @@ -181,7 +181,7 @@ namespace yang { /// eth1 /// /// -/// /tmp/kea4-sock +/// kea4-sock /// unix /// /// @@ -312,7 +312,7 @@ namespace yang { /// }, /// "control-socket": { /// "socket-type": "unix", -/// "socket-name": "/tmp/kea6-sock" +/// "socket-name": "kea6-sock" /// }, /// "subnet6": /// [ @@ -347,7 +347,7 @@ namespace yang { /// eth1 /// /// -/// /tmp/kea6-sock +/// kea6-sock /// unix /// /// diff --git a/src/lib/yang/translator_control_socket.h b/src/lib/yang/translator_control_socket.h index f2602c734b..58508590cd 100644 --- a/src/lib/yang/translator_control_socket.h +++ b/src/lib/yang/translator_control_socket.h @@ -35,7 +35,7 @@ namespace yang { /// An example in JSON and YANG formats: /// @code /// { -/// "socket-name": "/tmp/kea.sock", +/// "socket-name": "kea.sock", /// "socket-type": "unix", /// "user-context": { "foo": 1 } /// } @@ -50,7 +50,7 @@ namespace yang { /// /kea-ctrl-agent:config/control-sockets/socket[server-type='dhcp4']/ /// control-socket (container) /// /kea-ctrl-agent:config/control-sockets/socket[server-type='dhcp4']/ -/// control-socket/socket-name = /tmp/kea.sock +/// control-socket/socket-name = kea.sock /// /kea-ctrl-agent:config/control-sockets/socket[server-type='dhcp4']/ /// control-socket/socket-type = unix /// /kea-ctrl-agent:config/control-sockets/socket[server-type='dhcp4']/ diff --git a/src/share/api/cache-load.json b/src/share/api/cache-load.json index ed06c48efe..3332ba9994 100644 --- a/src/share/api/cache-load.json +++ b/src/share/api/cache-load.json @@ -7,7 +7,7 @@ "cmd-syntax": [ "{", " \"command\": \"cache-load\",", - " \"arguments\": \"/tmp/kea-host-cache.json\"", + " \"arguments\": \"/usr/local/share/kea/kea-host-cache.json\"", "}" ], "description": "See ",