File dhcp.README of Package dhcp
/* README.SuSE for the ISC DHCP server */
Before you can run dhcpd, you have to configure it via
- /etc/sysconfig/dhcpd (general settings)
and
- /etc/dhcpd.conf (configuration file)
See /usr/share/doc/packages/dhcp-server for example configurations.
Note on packet filtering
========================
This dhcp package contains an additional dhcpd binary (/usr/sbin/dhcpd.bsd)
which is compiled using BSD sockets instead of LPF (linux packet filter).
Using that binary, the network traffic handled by dhcpd can be filtered by the
packet filter of the Linux kernel, while the raw sockets used normally would
bypass any filtering. However, there is a tiny number of setups where this can
result in incompatibilities with certain DHCP clients, or with DHCP relay
agents in between. More information and a discussion of side effects was
discussed here:
See http://marc.theaimsgroup.com/?l=dhcp-server&m=108791973729847&w=2
It is possible to choose the binary by adjusting DHCPD_BINARY in
/etc/sysconfig/dhcpd.
Option 119 (Searchlist)
=======================
For this relatively new option (DHCP Option 119, RFC3397) the server does not
have a dedicated configuration option yet. It must be declared as free option,
after compressing the search string with DNS compression (see below), and put
into the configuration like this:
option searchlist code 119 = string;
option searchlist "\x07domain1\x07example\x03com\x00\x07domain2\xc0\x08";
The first line is always used globally; the second one could be placed in a
subnet block.
The compressed string can be generated with the program
/usr/share/doc/packages/dhcp-server/dnscompr.py as shown here (example):
# python /usr/share/doc/packages/dhcp-server/dnscompr.py domain1.example.com domain2.example.com
'\x07domain1\x07example\x03com\x00\x07domain2\xc0\x08'
dnscompr.py needs the python-dnspython package installed, which is shipping
since 10.0. For older SUSE Linux versions the python-module can be found at
http://ftp.suse.com/pub/people/poeml/python-dnspython/
The compression is described in RFC 3397, and (with more detail) in RFC1035.
Chroot Jail
===========
Our version of the ISC dhcp server contains a modified "(non-root/chroot)"
patch by Ari Edelkind. This allows dhcpd to
- run as unprivileged user
- run in a chroot environment (/var/lib/dhcp)
which, in this combination, is the safest possible way of running dhcpd.
In order to be found by dhcpd in the chroot jail, the configuration file
will automatically copied to /var/lib/dhcp/etc/ when the server is started.
Further conf files (include files) can be listed in DHCPD_CONF_INCLUDE_FILES
in /etc/sysconfig/dhcpd.
To enable dhcpd to continue logging from the chroot environment even after
syslogd has been restarted, "-a /var/lib/dhcp/dev/log" is automatically added to the syslog configuration in /etc/sysconfig/syslog.
NOTE:
In the chroot jail, dhcpd can't resolve hostnames unless it can find
the following files:
/etc/localtime
/etc/host.conf
/etc/hosts
/etc/resolv.conf
/lib/libresolv.so.2
/lib/libnss_dns.so.2
/lib/libnss_dns6.so.2
Thererore, these files (about 100 kB) will automatically copied to the chroot
jail when the server is started. (You might have to keep these current if
they are modified dynamically by other programs (e.g./etc/ppp/ip-up) while
dhcpd is running.) This is not a problem at all when you use IP addresses
instead of host names in the config file.
In case of trouble, you can also disable the chroot feature by setting
DHCPD_RUN_CHROOTED in /etc/sysconfig/dhcpd to "no".
See
<http://www.isc.org/ml-archives/dhcp-server/2000/04/msg00097.html>
and
<http://www.securityportal.com/closet/closet20001129.html>
for more information.
Have a lot of fun!
Your SuSE Team
