[Samba] Again kea DHCP-Server

Owen DeLong Owen.Delong at ff.com
Thu Nov 2 16:37:42 UTC 2023



On Nov 2, 2023, at 03:41, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 1 Nov 2023 18:34:44 +0000
> Owen DeLong via samba <samba at lists.samba.org> wrote:
>
>> Well… I’m not convinced KEA can’t be simple DHCP, though I understand
>> that one would never know that from reading the KEA documentation.
>>
>> The following is a complete KEA configuration suitable to do a single
>> subnet. In fact, you could probably get away with slightly less. I’ve
>> replaced the unique addresses from my environment with placeholders
>> (e.g. <network/mask>), but otherwise, this is a working configuration
>> from a real environment. I find it easier to use KEA in simple
>> environments than keep track of multiple DHCP servers and go back and
>> forth amongst their quirks, so I use KEA even in the few simple
>> environments I manage.
>>
>> Below is an example minimal-ish KEA DHCP4 configuration file. Point
>> is, I don’t think that the below is particularly complex (all of 56
>> lines (additional subnets would require ~17 additional lines each)).
>> Yes, the JSON syntax isn’t what I would call “human friendly” and
>> it’s very persnickety about some things, but it’s workable.
>>
>
> I never said that Kea couldn't be used with Samba, but I can get those
> 56 lines of Kea conf into 7 lines of dnsmasq config.


No doubt… And if I eliminate the JSON syntax pretty only lines, I get close to that
in kea. Of course, if I go full ugly JSON, I can get it into 1 line, but nobody wants
that.

Further, let’s see you get DNSMASQ to handle a subnet with controller-based
WAPs from three different vendors who each use options 60 and 43 in creative
and incompatible ways.

Yes, DNSMASQ is easy to configure for the world’s simplest subnets. No question.

However, it’s most definitely not an enterprise grade DHCP server for any
decent scale operation.

> As I said, if anyone wants to add the Kea config to the Samba wiki,
> then please do. I just ask that nothing is removed from the existing
> dhcp wiki page.
>
> My personal opinion is that Kea should have been written in 'block'
> format, you start with a basic block and add your required blocks. At
> the moment, Kea appears to be the 'Swiss army knife' of DHCP servers,
> everything in one program.


Actually, KEA is quite modular (look at KEA Hooks Libraries).

However, yes, core KEA is a reference implementation of DHCP which means that
it does implement the full standard (all the RFC “must” and “should” clauses
basically).

However, you don’t have to configure all those things. You can, in fact, configure
just the blocks that are applicable to your environment. With flexibility comes a
small amount of necessary complexity. JSON wouldn’t have been my first
choice, either, but given the very hierarchical nature of DHCP configuration
at scale, it really does make a lot of sense. Especially when you consider
the effort put into allowing for flexible scoping of things like options in
KEA.

For example, in ISC DHCPd, all reservations are global. In Kea, reservations
can be declared and scoped to a subnet, global, client-class, or several
other groupings.

Client classes can be easily applied globally or on a per-subnet basis.
(In old ISC DHCPd they were also global.)

Options can be encoded in unique namespaces that can be referenced
within client classes. There are some pre-defined namespaces (e.g. DHCP4)
and you can create new namespaces easily.

Whether these are useful in your particular environment or not, I can’t say,
but they are quite useful in several environments I deal with on a daily basis.

There are many, many other capabilities built into KEA that I don’t know
anything about as I don’t use them.

The fact that KEA not only CAN be configured for HA, but can be
configured for HA relatively easily and with a reliable stateful failover
mechanism and state sharing between the members of the HA pair
is a HUGE win over ISC DHCPd IMHO.

Can you do HA with DNSMASQ?

Owen


