Configuration Templates
The following sections include configuration templates for
certain deployment types. The example configuration files are also available in the Kea sources,
in the doc/examples directory.
Template: Home Network of a Power User
Below are some templates to assist in configuring the home network of a power user; they may also be appropriate for a small office. These templates make the following assumptions:
The administrator wants to use a single /24 class of IPv4 addresses.
High Availability (HA) is desired, so there are two DHCP servers.
There are a handful of devices, and some of them (e.g. a printer or NAS) require static addresses or extra options.
The administrator does not want to be bothered with database management.
The setup is optimized for minimal to zero maintenance.
Performance is not an issue; hundreds of queries per second are not expected.
IPv6 is not used.
DNS updates will not be performed by Kea.
The logical setup consists of two hosts, each running a Kea DHCPv4 server. Each server acts as one partner of the HA pair.
+-host-1-+ +-host-2-+
| | | |
| DHCPv4 ========= DHCPv4 | ===== - HTTP connection
| | | |
+--------+ +--------+
The servers on host-1 and host-2 both listen on port 8000.
Deployment Considerations
This setup is not expected to be very performant. Most modest hardware will do; Kea has been successfully deployed on Raspberry Pi platforms, for example. If it is running on a VM, 2GB of RAM with one CPU core should be sufficient. Ubuntu LTS is a choice that is easy to set up and is low maintenance; however, any Linux or FreeBSD operating system is fine. Less popular systems, such as OpenBSD or NetBSD, should also work in principle, but they are not regularly tested.
In this example, there are two hosts running Kea:
192.168.1.2 - primary HA server (active, handles all the traffic)
192.168.1.3 - secondary HA server (passive, ready to take over if the primary fails)
The network is 192.168.1.0/24. It is assumed that 192.168.1.1 is the default router.
The whole subnet is split into dynamic and static pools:
192.168.1.100 - 192.168.1.199 - this is the dynamic pool. When new devices appear in the network, they are assigned dynamic addresses from this pool.
The reservations are done outside of this dynamic range (depending on the addressing preference, either 192.168.1.1-192.168.1.99 or 192.168.1.200-192.168.1.254).
To deploy this setup, perform the following steps:
Install the DHCPv4 server on host-1, and copy the configuration file to their typical locations. It is usually in
/etc/keaon Linux and/usr/local/etc/keaon FreeBSD, and the file is typically calledkea-dhcp4.conf. Please consult the startup scripts for any specific system.Alter the following to match the local setup:
The interface name that Kea should listen on (
interfacesininterfaces-config).The interface name that is used to access the subnet (
interfaceinsubnet4).The addressing, if using something other than 192.168.1.0/24. Make sure the control address and port configuration (
socket-addressandsocket-port) matches the HA configuration (urlinhook-libraries/parameters/high-availability/peers).The router option, to match the actual network.
The DNS option, to match the actual network.
If using a firewall, make sure host-1 can reach host-2. An easy way to ensure that is to try to retrieve host-2's config from host-1:
curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://192.168.1.3:8000/The DHCPv4 running configuration should be returned, in JSON format.
Verify that communication between the hosts works in the opposite direction as well (host-2 can connect to host-1), by repeating step 3 from host-2 using host-1's IP address and port.
Install the DHCPv4 server on host-2, as in steps 1 and 2. The config file for the standby server is very similar to the one on the primary server, other than the definition of the
this-server-namefield (and possibly the interface names).
Possible Extensions
This sample configuration is basic but functional. Once it is set up and running, administrators may wish to consider the following changes:
If there is a local DNS server, DNS updates can be configured via Kea. This requires running a DHCP-DDNS update server (
kea-dhcp-ddns). See Overview for details.To run Stateful DHCP for IPv6, a
kea-dhcp6server is necessary. Its configuration is very similar tokea-dhcp4, but there are some notable differences: the default gateway is not configured via the DHCPv6 protocol, but via router advertisements sent by the local router. Also, the DHCPv6 concept of prefix delegation does not exist in DHCPv4. See The DHCPv6 Server for details.To expand the local network, adding a MySQL or PostgreSQL database is a popular solution. Users can choose to store leases, host reservations, and even most of the configuration in a database. See Kea Database Administration and the
lease-database,hosts-database, andconfig-controlparameters in The DHCPv4 Server.To provide more insight into how the DHCP server operates, Kea's RESTful API can query for many runtime statistics or even change the configuration during runtime. Users may also consider deploying Stork, which is a rapidly developing dashboard for Kea. See Monitoring Kea With Stork for more information.
All Kea users should read Kea Security: to learn about various trade-offs between convenience and security in Kea.
Some tweaking of these templates may be required to match specific system needs: at a minimum, the lines highlighted in yellow must be adjusted to match the actual deployment.
Server1's DHCPv4 configuration file:
1// This is an example configuration of the Kea DHCPv4 server 1:
2//
3// - uses High Availability hook library and Lease Commands hook library
4// to enable High Availability function for the DHCP server. This config
5// file is for the primary (the active) server.
6// - uses memfile, which stores lease data in a local CSV file
7// - it assumes a single /24 addressing over a link that is directly reachable
8// (no DHCP relays)
9// - there is a handful of IP reservations
10//
11// It is expected to run with a standby (the passive) server, which has a very similar
12// configuration. The only difference is that "this-server-name" must be set to "server2" on the
13// other server. Also, the interface configuration depends on the network settings of the
14// particular machine.
15
16{
17
18"Dhcp4": {
19
20 // Add names of your network interfaces to listen on.
21 "interfaces-config": {
22 // The DHCPv4 server listens on this interface. When changing this to
23 // the actual name of your interface, make sure to also update the
24 // interface parameter in the subnet definition below.
25 "interfaces": [ "enp0s8" ]
26 },
27
28 // Control socket is required for communication with the
29 // DHCP server. High Availability requires HTTP/HTTPS control sockets
30 // to be configured because lease updates are sent over the RESTful
31 // API between the HA peers.
32 "control-socket": {
33 "socket-type": "http",
34
35 // We need to specify where the agent should listen to incoming HTTP
36 // queries.
37 "socket-address": "192.168.1.2",
38
39 // This specifies the port the server will listen on.
40 "socket-port": 8000
41 },
42
43 // Use Memfile lease database backend to store leases in a CSV file.
44 // Depending on how Kea was compiled, it may also support SQL databases
45 // (MySQL and/or PostgreSQL). Those database backends require more
46 // parameters, like name, host and possibly user and password.
47 // There are dedicated examples for each backend. See Section 7.2.2 "Lease
48 // Storage" for details.
49 "lease-database": {
50 // Memfile is the simplest and easiest backend to use. It's an in-memory
51 // database with data being written to a CSV file. It is very similar to
52 // what ISC DHCP does.
53 "type": "memfile"
54 },
55
56 // Let's configure some global parameters. The home network is not very dynamic
57 // and there's no shortage of addresses, so no need to recycle aggressively.
58 "valid-lifetime": 43200, // leases will be valid for 12h
59 "renew-timer": 21600, // clients should renew every 6h
60 "rebind-timer": 32400, // clients should start looking for other servers after 9h
61
62 // Kea will clean up its database of expired leases once per hour. However, it
63 // will keep the leases in expired state for 2 days. This greatly increases the
64 // chances for returning devices to get the same address again. To guarantee that,
65 // use host reservation.
66 // If both "flush-reclaimed-timer-wait-time" and "hold-reclaimed-time" are
67 // not 0, when the client sends a release message the lease is expired
68 // instead of being deleted from lease storage.
69 "expired-leases-processing": {
70 "reclaim-timer-wait-time": 3600,
71 "hold-reclaimed-time": 172800,
72 "max-reclaim-leases": 0,
73 "max-reclaim-time": 0
74 },
75
76 // Multi-threading parameters.
77 "multi-threading": {
78 // By default, Kea processes packets on multiple threads if the hardware
79 // permits. This example uses single-threaded configuration.
80 "enable-multi-threading": false,
81
82 // When multi-threading is enabled, Kea will process packets on a
83 // number of multiple threads configurable through this option. The
84 // value must be a positive integer (0 means auto-detect).
85 "thread-pool-size": 0,
86
87 // When multi-threading is enabled, Kea will read packets from the
88 // interface and append a working item to the thread pool. This
89 // option configures the maximum number of items that can be queued.
90 // The value must be a positive integer (0 means unlimited).
91 "packet-queue-size": 0
92 },
93
94 // HA requires two hook libraries to be loaded: libdhcp_lease_cmds.so and
95 // libdhcp_ha.so. The former handles incoming lease updates from the HA peers.
96 // The latter implements high availability feature for Kea. Note the library name
97 // should be the same, but the path is OS specific.
98 "hooks-libraries": [
99 // The lease_cmds library must be loaded because HA makes use of it to
100 // deliver lease updates to the server as well as synchronize the
101 // lease database after failure.
102 {
103 "library": "libdhcp_lease_cmds.so"
104 },
105
106 {
107 // The HA hook library should be loaded.
108 "library": "libdhcp_ha.so",
109 "parameters": {
110 // Each server should have the same HA configuration, except for the
111 // "this-server-name" parameter.
112 "high-availability": [ {
113 // This parameter points to this server instance. The respective
114 // HA peers must have this parameter set to their own names.
115 "this-server-name": "server1",
116 // The HA mode is set to hot-standby. In this mode, the active server handles
117 // all the traffic. The standby takes over if the primary becomes unavailable.
118 "mode": "hot-standby",
119 // Heartbeat is to be sent every 10 seconds if no other control
120 // commands are transmitted.
121 "heartbeat-delay": 10000,
122 // Maximum time for partner's response to a heartbeat, after which
123 // failure detection is started. This is specified in milliseconds.
124 // If we don't hear from the partner in 60 seconds, it's time to
125 // start worrying.
126 "max-response-delay": 60000,
127 // The following parameters control how the server detects the
128 // partner's failure. The ACK delay sets the threshold for the
129 // 'secs' field of the received discovers. This is specified in
130 // milliseconds.
131 "max-ack-delay": 5000,
132 // This specifies the number of clients which send messages to
133 // the partner but appear to not receive any response.
134 "max-unacked-clients": 5,
135 // This specifies the maximum timeout (in milliseconds) for the server
136 // to complete sync. If you have a large deployment (high tens or
137 // hundreds of thousands of clients), you may need to increase it
138 // further. The default value is 60000ms (60 seconds).
139 "sync-timeout": 60000,
140 // Multi-threading parameters.
141 "multi-threading": {
142 // By default, Kea processes packets on multiple threads if the hardware
143 // permits. This example uses single-threaded configuration.
144 "enable-multi-threading": false,
145 "http-dedicated-listener": false,
146 "http-listener-threads": 0,
147 "http-client-threads": 0
148 },
149 "peers": [
150 // This is the configuration of this server instance.
151 {
152 "name": "server1",
153 // This specifies the URL of this server instance.
154 // The "control-socket" is needed for the High Availability
155 // with single-threading, and the "socket-address" and
156 // "socket-port" must be set to the corresponding values.
157 "url": "http://192.168.1.2:8000/",
158 // This server is primary. The other one must be
159 // secondary.
160 "role": "primary"
161 },
162 // This is the configuration of the secondary server.
163 {
164 "name": "server2",
165 // Specifies the URL on which the partner's control
166 // channel can be reached.
167 // The "control-socket" is needed for the High Availability
168 // with single-threading, and the "socket-address" and
169 // "socket-port" must be set to the corresponding values.
170 "url": "http://192.168.1.3:8000/",
171 // The other server is secondary. This one must be
172 // primary.
173 "role": "standby"
174 }
175 ]
176 } ]
177 }
178 }
179 ],
180
181 // This example contains a single subnet declaration.
182 "subnet4": [
183 {
184 // Subnet prefix.
185 "subnet": "192.168.1.0/24",
186
187 // There are no relays in this network, so we need to tell Kea that this subnet
188 // is reachable directly via the specified interface.
189 "interface": "enp0s8",
190
191 // Specify a dynamic address pool.
192 "pools": [
193 {
194 "pool": "192.168.1.100-192.168.1.199"
195 }
196 ],
197
198 // These are options that are subnet specific. In most cases, you need to define at
199 // least routers option, as without this option your clients will not be able to reach
200 // their default gateway and will not have Internet connectivity. If you have many
201 // subnets and they share the same options (e.g. DNS servers typically is the same
202 // everywhere), you may define options at the global scope, so you don't repeat them
203 // for every network.
204 "option-data": [
205 {
206 // For each IPv4 subnet you typically need to specify at least one router.
207 "name": "routers",
208 "data": "192.168.1.1"
209 },
210 {
211 // Using cloudflare or Quad9 is a reasonable option. Change this
212 // to your own DNS servers is you have them. Another popular
213 // choice is 8.8.8.8, owned by Google. Using third party DNS
214 // service raises some privacy concerns.
215 "name": "domain-name-servers",
216 "data": "1.1.1.1,9.9.9.9"
217 }
218 ],
219
220 // Some devices should get a static address. Since the .100 - .199 range is dynamic,
221 // let's use the lower address space for this. There are many ways how reservation
222 // can be defined, but using MAC address (hw-address) is by far the most popular one.
223 // You can use client-id, duid and even custom defined flex-id that may use whatever
224 // parts of the packet you want to use as identifiers. Also, there are many more things
225 // you can specify in addition to just an IP address: extra options, next-server, hostname,
226 // assign device to client classes etc. See the Kea ARM, Section 8.3 for details.
227 // The reservations are subnet specific.
228 "reservations": [
229 {
230 "hw-address": "1a:1b:1c:1d:1e:1f",
231 "ip-address": "192.168.1.10"
232 },
233 {
234 "client-id": "01:11:22:33:44:55:66",
235 "ip-address": "192.168.1.11"
236 }
237 ]
238 }
239 ],
240
241 // Logging configuration starts here.
242 "loggers": [
243 {
244 // This section affects kea-dhcp4, which is the base logger for DHCPv4 component. It tells
245 // DHCPv4 server to write all log messages (on severity INFO or higher) to a file. The file
246 // will be rotated once it grows to 2MB and up to 4 files will be kept. The debuglevel
247 // (range 0 to 99) is used only when logging on DEBUG level.
248 "name": "kea-dhcp4",
249 "output-options": [
250 {
251 "output": "/var/log/kea/kea-dhcp4.log",
252 "maxsize": 2048000,
253 "maxver": 4
254 }
255 ],
256 "severity": "INFO",
257 "debuglevel": 0
258 }
259 ]
260}
261}
Server2's DHCPv4 configuration file:
1// This is an example configuration of the Kea DHCPv4 server 2:
2//
3// - uses High Availability hook library and Lease Commands hook library
4// to enable High Availability function for the DHCP server. This config
5// file is for the primary (the active) server.
6// - uses memfile, which stores lease data in a local CSV file
7// - it assumes a single /24 addressing over a link that is directly reachable
8// (no DHCP relays)
9// - there is a handful of IP reservations
10//
11// It is expected to run with a primary (the active) server, which has a very similar
12// configuration. The only difference is that "this-server-name" must be set to "server2" on the
13// other server. Also, the interface configuration depends on the network settings of the
14// particular machine.
15
16{
17
18"Dhcp4": {
19
20 // Add names of your network interfaces to listen on.
21 "interfaces-config": {
22 // The DHCPv4 server listens on this interface. When changing this to
23 // the actual name of your interface, make sure to also update the
24 // interface parameter in the subnet definition below.
25 "interfaces": [ "enp0s8" ]
26 },
27
28 // Control socket is required for communication with the
29 // DHCP server. High Availability requires HTTP/HTTPS control sockets
30 // to be configured because lease updates are sent over the RESTful
31 // API between the HA peers.
32 "control-socket": {
33 "socket-type": "http",
34
35 // We need to specify where the agent should listen to incoming HTTP
36 // queries.
37 "socket-address": "192.168.1.3",
38
39 // This specifies the port the server will listen on.
40 "socket-port": 8000
41 },
42
43 // Use Memfile lease database backend to store leases in a CSV file.
44 // Depending on how Kea was compiled, it may also support SQL databases
45 // (MySQL and/or PostgreSQL). Those database backends require more
46 // parameters, like name, host and possibly user and password.
47 // There are dedicated examples for each backend. See Section 7.2.2 "Lease
48 // Storage" for details.
49 "lease-database": {
50 // Memfile is the simplest and easiest backend to use. It's an in-memory
51 // database with data being written to a CSV file. It is very similar to
52 // what ISC DHCP does.
53 "type": "memfile"
54 },
55
56 // Let's configure some global parameters. The home network is not very dynamic
57 // and there's no shortage of addresses, so no need to recycle aggressively.
58 "valid-lifetime": 43200, // leases will be valid for 12h
59 "renew-timer": 21600, // clients should renew every 6h
60 "rebind-timer": 32400, // clients should start looking for other servers after 9h
61
62 // Kea will clean up its database of expired leases once per hour. However, it
63 // will keep the leases in expired state for 2 days. This greatly increases the
64 // chances for returning devices to get the same address again. To guarantee that,
65 // use host reservation.
66 // If both "flush-reclaimed-timer-wait-time" and "hold-reclaimed-time" are
67 // not 0, when the client sends a release message the lease is expired
68 // instead of being deleted from lease storage.
69 "expired-leases-processing": {
70 "reclaim-timer-wait-time": 3600,
71 "hold-reclaimed-time": 172800,
72 "max-reclaim-leases": 0,
73 "max-reclaim-time": 0
74 },
75
76 // Multi-threading parameters.
77 "multi-threading": {
78 // By default, Kea processes packets on multiple threads if the hardware
79 // permits. This example uses single-threaded configuration.
80 "enable-multi-threading": false,
81
82 // When multi-threading is enabled, Kea will process packets on a
83 // number of multiple threads configurable through this option. The
84 // value must be a positive integer (0 means auto-detect).
85 "thread-pool-size": 0,
86
87 // When multi-threading is enabled, Kea will read packets from the
88 // interface and append a working item to the thread pool. This
89 // option configures the maximum number of items that can be queued.
90 // The value must be a positive integer (0 means unlimited).
91 "packet-queue-size": 0
92 },
93
94 // HA requires two hook libraries to be loaded: libdhcp_lease_cmds.so and
95 // libdhcp_ha.so. The former handles incoming lease updates from the HA peers.
96 // The latter implements high availability feature for Kea. Note the library name
97 // should be the same, but the path is OS specific.
98 "hooks-libraries": [
99 // The lease_cmds library must be loaded because HA makes use of it to
100 // deliver lease updates to the server as well as synchronize the
101 // lease database after failure.
102 {
103 "library": "libdhcp_lease_cmds.so"
104 },
105
106 {
107 // The HA hook library should be loaded.
108 "library": "libdhcp_ha.so",
109 "parameters": {
110 // Each server should have the same HA configuration, except for the
111 // "this-server-name" parameter.
112 "high-availability": [ {
113 // This parameter points to this server instance. The respective
114 // HA peers must have this parameter set to their own names.
115 "this-server-name": "server2",
116 // The HA mode is set to hot-standby. In this mode, the active server handles
117 // all the traffic. The standby takes over if the primary becomes unavailable.
118 "mode": "hot-standby",
119 // Heartbeat is to be sent every 10 seconds if no other control
120 // commands are transmitted.
121 "heartbeat-delay": 10000,
122 // Maximum time for partner's response to a heartbeat, after which
123 // failure detection is started. This is specified in milliseconds.
124 // If we don't hear from the partner in 60 seconds, it's time to
125 // start worrying.
126 "max-response-delay": 60000,
127 // The following parameters control how the server detects the
128 // partner's failure. The ACK delay sets the threshold for the
129 // 'secs' field of the received discovers. This is specified in
130 // milliseconds.
131 "max-ack-delay": 5000,
132 // This specifies the number of clients which send messages to
133 // the partner but appear to not receive any response.
134 "max-unacked-clients": 5,
135 // This specifies the maximum timeout (in milliseconds) for the server
136 // to complete sync. If you have a large deployment (high tens or
137 // hundreds of thousands of clients), you may need to increase it
138 // further. The default value is 60000ms (60 seconds).
139 "sync-timeout": 60000,
140 // Multi-threading parameters.
141 "multi-threading": {
142 // By default, Kea processes packets on multiple threads if the hardware
143 // permits. This example uses single-threaded configuration.
144 "enable-multi-threading": false,
145 "http-dedicated-listener": false,
146 "http-listener-threads": 0,
147 "http-client-threads": 0
148 },
149 "peers": [
150 // This is the configuration of the primary server.
151 {
152 "name": "server1",
153 // Specifies the URL on which the partner's control
154 // channel can be reached.
155 // The "control-socket" is needed for the High Availability
156 // with single-threading, and the "socket-address" and
157 // "socket-port" must be set to the corresponding values.
158 "url": "http://192.168.1.2:8000/",
159 // The other server is primary. This one must be
160 // secondary.
161 "role": "primary"
162 },
163 // This is the configuration of this server instance.
164 {
165 "name": "server2",
166 // This specifies the URL of this server instance.
167 // The "control-socket" is needed for the High Availability
168 // with single-threading, and the "socket-address" and
169 // "socket-port" must be set to the corresponding values.
170 "url": "http://192.168.1.3:8000/",
171 // This server is secondary. The other one must be
172 // primary.
173 "role": "standby"
174 }
175 ]
176 } ]
177 }
178 }
179 ],
180
181 // This example contains a single subnet declaration.
182 "subnet4": [
183 {
184 // Subnet prefix.
185 "subnet": "192.168.1.0/24",
186
187 // There are no relays in this network, so we need to tell Kea that this subnet
188 // is reachable directly via the specified interface.
189 "interface": "enp0s8",
190
191 // Specify a dynamic address pool.
192 "pools": [
193 {
194 "pool": "192.168.1.100-192.168.1.199"
195 }
196 ],
197
198 // These are options that are subnet specific. In most cases, you need to define at
199 // least routers option, as without this option your clients will not be able to reach
200 // their default gateway and will not have Internet connectivity. If you have many
201 // subnets and they share the same options (e.g. DNS servers typically is the same
202 // everywhere), you may define options at the global scope, so you don't repeat them
203 // for every network.
204 "option-data": [
205 {
206 // For each IPv4 subnet you typically need to specify at least one router.
207 "name": "routers",
208 "data": "192.168.1.1"
209 },
210 {
211 // Using cloudflare or Quad9 is a reasonable option. Change this
212 // to your own DNS servers is you have them. Another popular
213 // choice is 8.8.8.8, owned by Google. Using third party DNS
214 // service raises some privacy concerns.
215 "name": "domain-name-servers",
216 "data": "1.1.1.1,9.9.9.9"
217 }
218 ],
219
220 // Some devices should get a static address. Since the .100 - .199 range is dynamic,
221 // let's use the lower address space for this. There are many ways how reservation
222 // can be defined, but using MAC address (hw-address) is by far the most popular one.
223 // You can use client-id, duid and even custom defined flex-id that may use whatever
224 // parts of the packet you want to use as identifiers. Also, there are many more things
225 // you can specify in addition to just an IP address: extra options, next-server, hostname,
226 // assign device to client classes etc. See the Kea ARM, Section 8.3 for details.
227 // The reservations are subnet specific.
228 "reservations": [
229 {
230 "hw-address": "1a:1b:1c:1d:1e:1f",
231 "ip-address": "192.168.1.10"
232 },
233 {
234 "client-id": "01:11:22:33:44:55:66",
235 "ip-address": "192.168.1.11"
236 }
237 ]
238 }
239 ],
240
241 // Logging configuration starts here.
242 "loggers": [
243 {
244 // This section affects kea-dhcp4, which is the base logger for DHCPv4 component. It tells
245 // DHCPv4 server to write all log messages (on severity INFO or higher) to a file. The file
246 // will be rotated once it grows to 2MB and up to 4 files will be kept. The debuglevel
247 // (range 0 to 99) is used only when logging on DEBUG level.
248 "name": "kea-dhcp4",
249 "output-options": [
250 {
251 "output": "/var/log/kea/kea-dhcp4.log",
252 "maxsize": 2048000,
253 "maxver": 4
254 }
255 ],
256 "severity": "INFO",
257 "debuglevel": 0
258 }
259 ]
260}
261}
Template: Secure High Availability Kea DHCP with Multi-Threading
Below are some templates to assist in configuring a secure Kea DHCP server with multi-threading. These templates make the following assumptions:
The administrator wants to set up High Availability (HA) with multi-threading.
The machines running Kea with multi-threading have at least four CPU cores.
The connection to the peer is secured using TLS.
The logical setup consists of two hosts, each running a Kea DHCPv4 server. In the multi-threading setup, control sockets are not required, as the server is using its own dedicated HTTP listener to communicate with the peer. However, HTTPS control sockets can still be used to handle user commands.
+-host-1-+ +-host-2-+
| | | |
| DHCPv4 ========= DHCPv4 | ===== - HTTPS connection
| | | |
+--------+ +--------+
The servers on host-1 and host-2 both listen on port 8001, and the server's dedicated HTTP listener uses port 8000. The DHCP servers communicate with each other via the dedicated HTTP listener, which forwards only the lease-update commands to the peer server.
Deployment Considerations
The setup is not expected to scale automatically. This example uses four threads for processing DHCP traffic, four threads for listening and handling HA peer HTTP requests, and four threads for sending lease updates to the HA peer. The thread queue used to store incoming DHCP requests is set to 64, but proper testing and benchmarks are required to determine the appropriate values for best performance on the deployment setup.
In this example, there are two hosts running Kea:
192.168.1.2 - primary HA server (active, handles all the traffic)
192.168.1.3 - secondary HA server (passive, ready to take over if the primary fails)
The network is 192.168.1.0/24. It is assumed that 192.168.1.1 is the default router.
The whole subnet is split into dynamic pools:
192.168.1.100 - 192.168.1.199 - this is the dynamic pool. When new devices appear in the network, they are assigned dynamic addresses from this pool.
To deploy this setup, follow the steps provided in the power user home setup with the following distinctions:
Alter the following to match the local setup:
The paths to
trust-anchor,cert-file, andkey-filemust be set to the respective values corresponding to the deployment machine.The addressing must be updated, if using something other than 192.168.1.0/24. Make sure the control socket address and port configuration (
socket-addressandsocket-port) is different from the HA configuration (urlinhook-libraries/parameters/high-availability/peers). The HTTP control socket is used to handle only management commands, as the HA module sends lease updates using the dedicated HTTP listener to the peer.
Verify the communication between the HA peers by checking the Kea logs.
Verify that communication between the hosts works in the opposite direction as well (host-2 can connect to host-1), by repeating step 3 from host-2 using host-1's IP address and port.
Install DHCPv4 on host-2, as in steps 1 and 2. The config file for the standby server is very similar to the one on the primary server, other than the definition of the
this-server-namefield (and possibly the interface names).
Possible Extensions
This sample configuration is basic but functional. Once it is set up and running, administrators may wish to consider the following changes:
If using a database, it is also possible to configure TLS for the database backend (for lease, host, configuration backend, or forensic logging). See Database Connectivity for more information.
Some tweaking of these templates may be required to match specific system needs: at a minimum, the lines highlighted in yellow must be adjusted to match the actual deployment.
Server1's DHCPv4 configuration file:
1// This is an example configuration of the Kea DHCPv4 server 1:
2//
3// - uses High Availability hook library and Lease Commands hook library
4// to enable High Availability function for the DHCP server. This config
5// file is for the primary (the active) server.
6// - uses memfile, which stores lease data in a local CSV file
7// - it assumes a single /24 addressing over a link that is directly reachable
8// (no DHCP relays)
9// - there is a handful of IP reservations
10//
11// It is expected to run with a standby (the passive) server, which has a very similar
12// configuration. The only difference is that "this-server-name" must be set to "server2" on the
13// other server. Also, the interface configuration and location of TLS specific files
14// depend on the network settings and configuration of the particular machine.
15
16{
17
18"Dhcp4": {
19
20 // Add names of your network interfaces to listen on.
21 "interfaces-config": {
22 // The DHCPv4 server listens on this interface. When changing this to
23 // the actual name of your interface, make sure to also update the
24 // interface parameter in the subnet definition below.
25 "interfaces": [ "enp0s8" ]
26 },
27
28 // Control socket is required for communication with the
29 // DHCP server. High Availability requires HTTP/HTTPS control sockets
30 // to be configured because lease updates are sent over the RESTful
31 // API between the HA peers.
32 "control-socket": {
33 "socket-type": "https",
34
35 // We need to specify where the server should listen to incoming HTTP
36 // queries.
37 "socket-address": "192.168.1.2",
38
39 // This specifies the port server will listen on.
40 // If enabling HA and multi-threading, the 8000 port is used by the HA
41 // hook library http listener. When using HA hook library with
42 // multi-threading to function, make sure the port used by dedicated
43 // listener is different (e.g. 8001) than the one used by server. Note
44 // the commands should still be sent to the control socket.
45 // The dedicated listener is specifically for HA updates only.
46 "socket-port": 8001,
47
48 // TLS trust anchor (Certificate Authority). This is a file name or
49 // (for OpenSSL only) a directory path.
50 "trust-anchor": "/usr/lib/kea/CA.pem",
51
52 // TLS server certificate file name.
53 "cert-file": "/usr/lib/kea/ca1_cert.pem",
54
55 // TLS server private key file name.
56 "key-file": "/usr/lib/kea/ca1_key.pem",
57
58 // TLS require client certificates flag.
59 "cert-required": true
60 },
61
62 // Multi-threading parameters.
63 "multi-threading": {
64 // By default, Kea processes packets on multiple threads if the hardware permits.
65 "enable-multi-threading": true,
66
67 // When multi-threading is enabled, Kea will process packets on a
68 // number of multiple threads configurable through this option. The
69 // value must be a positive integer (0 means auto-detect).
70 "thread-pool-size": 4,
71
72 // When multi-threading is enabled, Kea will read packets from the
73 // interface and append a working item to the thread pool. This
74 // option configures the maximum number of items that can be queued.
75 // The value must be a positive integer (0 means unlimited).
76 "packet-queue-size": 64
77 },
78
79 // Use Memfile lease database backend to store leases in a CSV file.
80 // Depending on how Kea was compiled, it may also support SQL databases
81 // (MySQL and/or PostgreSQL). Those database backends require more
82 // parameters, like name, host and possibly user and password.
83 // There are dedicated examples for each backend. See Section 7.2.2 "Lease
84 // Storage" for details.
85 "lease-database": {
86 // Memfile is the simplest and easiest backend to use. It's an in-memory
87 // database with data being written to a CSV file. It is very similar to
88 // what ISC DHCP does.
89 "type": "memfile"
90 },
91
92 // Let's configure some global parameters. The home network is not very dynamic
93 // and there's no shortage of addresses, so no need to recycle aggressively.
94 "valid-lifetime": 43200, // leases will be valid for 12h
95 "renew-timer": 21600, // clients should renew every 6h
96 "rebind-timer": 32400, // clients should start looking for other servers after 9h
97
98 // Kea will clean up its database of expired leases once per hour. However, it
99 // will keep the leases in expired state for 2 days. This greatly increases the
100 // chances for returning devices to get the same address again. To guarantee that,
101 // use host reservation.
102 // If both "flush-reclaimed-timer-wait-time" and "hold-reclaimed-time" are
103 // not 0, when the client sends a release message the lease is expired
104 // instead of being deleted from lease storage.
105 "expired-leases-processing": {
106 "reclaim-timer-wait-time": 3600,
107 "hold-reclaimed-time": 172800,
108 "max-reclaim-leases": 0,
109 "max-reclaim-time": 0
110 },
111
112 // HA requires two hook libraries to be loaded: libdhcp_lease_cmds.so and
113 // libdhcp_ha.so. The former handles incoming lease updates from the HA peers.
114 // The latter implements high availability feature for Kea. Note the library name
115 // should be the same, but the path is OS specific.
116 "hooks-libraries": [
117 // The lease_cmds library must be loaded because HA makes use of it to
118 // deliver lease updates to the server as well as synchronize the
119 // lease database after failure.
120 {
121 "library": "libdhcp_lease_cmds.so"
122 },
123
124 {
125 // The HA hook library should be loaded.
126 "library": "libdhcp_ha.so",
127 "parameters": {
128 // Each server should have the same HA configuration, except for the
129 // "this-server-name" parameter.
130 "high-availability": [ {
131 // This parameter points to this server instance. The respective
132 // HA peers must have this parameter set to their own names.
133 "this-server-name": "server1",
134 // The HA mode is set to hot-standby. In this mode, the active server handles
135 // all the traffic. The standby takes over if the primary becomes unavailable.
136 "mode": "hot-standby",
137 // Heartbeat is to be sent every 10 seconds if no other control
138 // commands are transmitted.
139 "heartbeat-delay": 10000,
140 // Maximum time for partner's response to a heartbeat, after which
141 // failure detection is started. This is specified in milliseconds.
142 // If we don't hear from the partner in 60 seconds, it's time to
143 // start worrying.
144 "max-response-delay": 60000,
145 // The following parameters control how the server detects the
146 // partner's failure. The ACK delay sets the threshold for the
147 // 'secs' field of the received discovers. This is specified in
148 // milliseconds.
149 "max-ack-delay": 5000,
150 // This specifies the number of clients which send messages to
151 // the partner but appear to not receive any response.
152 "max-unacked-clients": 5,
153 // This specifies the maximum timeout (in milliseconds) for the server
154 // to complete sync. If you have a large deployment (high tens or
155 // hundreds of thousands of clients), you may need to increase it
156 // further. The default value is 60000ms (60 seconds).
157 "sync-timeout": 60000,
158 // Multi-threading parameters.
159 // To not experience performance degradation when the Kea server is
160 // processing packets on multiple threads, the High Availability module
161 // must have multi-threading enabled.
162 "multi-threading": {
163 // Enable High Availability to benefit from multi-threading. Default: true.
164 "enable-multi-threading": true,
165 // When running in MT mode, the dedicated listener is used to handle
166 // lease updates.
167 "http-dedicated-listener": true,
168 // The number of threads used to handle incoming requests.
169 // A value of 0 instructs the server to use the same number of
170 // threads that the Kea core is using for DHCP multi-threading.
171 "http-listener-threads": 0,
172 // The number of threads used to handle outgoing requests.
173 // A value of 0 instructs the server to use the same number of
174 // threads that the Kea core is using for DHCP multi-threading.
175 "http-client-threads": 0
176 },
177 "peers": [
178 // This is the configuration of this server instance.
179 {
180 "name": "server1",
181 // This specifies the URL of this server dedicated HTTP listener.
182 // The "control-socket" is not needed for the High Availability
183 // with multi-threading, but if it is used, it must use
184 // different values for "socket-address" and "socket-port".
185 "url": "http://192.168.1.2:8005/",
186 // Trust anchor aka certificate authority file or directory.
187 "trust-anchor": "/usr/lib/kea/CA.pem",
188 // Client certificate file name.
189 "cert-file": "/usr/lib/kea/server1_cert.pem",
190 // Private key file name.
191 "key-file": "/usr/lib/kea/server1_key.pem",
192 // Client certificates are required and verified.
193 "require-client-certs": true,
194 // This server is primary. The other one must be
195 // secondary.
196 "role": "primary"
197 },
198 // This is the configuration of the secondary server.
199 {
200 "name": "server2",
201 // This specifies the URL of the other server's dedicated HTTP listener.
202 // The "control-socket" is not needed for the High Availability
203 // with multi-threading, but if it is used, it must use
204 // different values for "socket-address" and "socket-port".
205 "url": "http://192.168.1.3:8005/",
206 // Trust anchor aka certificate authority file or directory.
207 "trust-anchor": "/usr/lib/kea/CA.pem",
208 // Client certificate file name.
209 "cert-file": "/usr/lib/kea/server2_cert.pem",
210 // Private key file name.
211 "key-file": "/usr/lib/kea/server2_key.pem",
212 // Client certificates are required and verified.
213 "require-client-certs": true,
214 // The other server is secondary. This one must be
215 // primary.
216 "role": "standby"
217 }
218 ]
219 } ]
220 }
221 }
222 ],
223
224 // This example contains a single subnet declaration.
225 "subnet4": [
226 {
227 // Subnet prefix.
228 "subnet": "192.168.1.0/24",
229
230 // There are no relays in this network, so we need to tell Kea that this subnet
231 // is reachable directly via the specified interface.
232 "interface": "enp0s8",
233
234 // Specify a dynamic address pool.
235 "pools": [
236 {
237 "pool": "192.168.1.100-192.168.1.199"
238 }
239 ]
240 }
241 ],
242
243 // Logging configuration starts here.
244 "loggers": [
245 {
246 // This section affects kea-dhcp4, which is the base logger for DHCPv4 component. It tells
247 // DHCPv4 server to write all log messages (on severity INFO or higher) to a file. The file
248 // will be rotated once it grows to 2MB and up to 4 files will be kept. The debuglevel
249 // (range 0 to 99) is used only when logging on DEBUG level.
250 "name": "kea-dhcp4",
251 "output-options": [
252 {
253 "output": "/var/log/kea/kea-dhcp4.log",
254 "maxsize": 2048000,
255 "maxver": 4
256 }
257 ],
258 "severity": "INFO",
259 "debuglevel": 0
260 }
261 ]
262}
263}
Server2's DHCPv4 configuration file:
1// This is an example configuration of the Kea DHCPv4 server 2:
2//
3// - uses High Availability hook library and Lease Commands hook library
4// to enable High Availability function for the DHCP server. This config
5// file is for the secondary (the standby) server.
6// - uses memfile, which stores lease data in a local CSV file
7// - it assumes a single /24 addressing over a link that is directly reachable
8// (no DHCP relays)
9// - there is a handful of IP reservations
10//
11// It is expected to run with a primary (the active) server, which has a very similar
12// configuration. The only difference is that "this-server-name" must be set to "server2" on the
13// other server. Also, the interface configuration and location of TLS specific files
14// depend on the network settings and configuration of the particular machine.
15
16{
17
18"Dhcp4": {
19
20 // Add names of your network interfaces to listen on.
21 "interfaces-config": {
22 // The DHCPv4 server listens on this interface. When changing this to
23 // the actual name of your interface, make sure to also update the
24 // interface parameter in the subnet definition below.
25 "interfaces": [ "enp0s8" ]
26 },
27
28 // Control socket is required for communication with the
29 // DHCP server. High Availability requires HTTP/HTTPS control sockets
30 // to be configured because lease updates are sent over the RESTful
31 // API between the HA peers.
32 "control-socket": {
33 "socket-type": "https",
34
35 // We need to specify where the server should listen to incoming HTTP
36 // queries.
37 "socket-address": "192.168.1.3",
38
39 // This specifies the port server will listen on.
40 // If enabling HA and multi-threading, the 8000 port is used by the HA
41 // hook library http listener. When using HA hook library with
42 // multi-threading to function, make sure the port used by dedicated
43 // listener is different (e.g. 8001) than the one used by server. Note
44 // the commands should still be sent to the control socket.
45 // The dedicated listener is specifically for HA updates only.
46 "socket-port": 8001,
47
48 // TLS trust anchor (Certificate Authority). This is a file name or
49 // (for OpenSSL only) a directory path.
50 "trust-anchor": "/usr/lib/kea/CA.pem",
51
52 // TLS server certificate file name.
53 "cert-file": "/usr/lib/kea/ca2_cert.pem",
54
55 // TLS server private key file name.
56 "key-file": "/usr/lib/kea/ca2_key.pem",
57
58 // TLS require client certificates flag.
59 "cert-required": true
60 },
61
62 // Multi-threading parameters.
63 "multi-threading": {
64 // By default, Kea processes packets on multiple threads if the hardware permits.
65 "enable-multi-threading": true,
66
67 // When multi-threading is enabled, Kea will process packets on a
68 // number of multiple threads configurable through this option. The
69 // value must be a positive integer (0 means auto-detect).
70 "thread-pool-size": 4,
71
72 // When multi-threading is enabled, Kea will read packets from the
73 // interface and append a working item to the thread pool. This
74 // option configures the maximum number of items that can be queued.
75 // The value must be a positive integer (0 means unlimited).
76 "packet-queue-size": 64
77 },
78
79 // Use Memfile lease database backend to store leases in a CSV file.
80 // Depending on how Kea was compiled, it may also support SQL databases
81 // (MySQL and/or PostgreSQL). Those database backends require more
82 // parameters, like name, host and possibly user and password.
83 // There are dedicated examples for each backend. See Section 7.2.2 "Lease
84 // Storage" for details.
85 "lease-database": {
86 // Memfile is the simplest and easiest backend to use. It's an in-memory
87 // database with data being written to a CSV file. It is very similar to
88 // what ISC DHCP does.
89 "type": "memfile"
90 },
91
92 // Let's configure some global parameters. The home network is not very dynamic
93 // and there's no shortage of addresses, so no need to recycle aggressively.
94 "valid-lifetime": 43200, // leases will be valid for 12h
95 "renew-timer": 21600, // clients should renew every 6h
96 "rebind-timer": 32400, // clients should start looking for other servers after 9h
97
98 // Kea will clean up its database of expired leases once per hour. However, it
99 // will keep the leases in expired state for 2 days. This greatly increases the
100 // chances for returning devices to get the same address again. To guarantee that,
101 // use host reservation.
102 // If both "flush-reclaimed-timer-wait-time" and "hold-reclaimed-time" are
103 // not 0, when the client sends a release message the lease is expired
104 // instead of being deleted from lease storage.
105 "expired-leases-processing": {
106 "reclaim-timer-wait-time": 3600,
107 "hold-reclaimed-time": 172800,
108 "max-reclaim-leases": 0,
109 "max-reclaim-time": 0
110 },
111
112 // HA requires two hook libraries to be loaded: libdhcp_lease_cmds.so and
113 // libdhcp_ha.so. The former handles incoming lease updates from the HA peers.
114 // The latter implements high availability feature for Kea. Note the library name
115 // should be the same, but the path is OS specific.
116 "hooks-libraries": [
117 // The lease_cmds library must be loaded because HA makes use of it to
118 // deliver lease updates to the server as well as synchronize the
119 // lease database after failure.
120 {
121 "library": "libdhcp_lease_cmds.so"
122 },
123
124 {
125 // The HA hook library should be loaded.
126 "library": "libdhcp_ha.so",
127 "parameters": {
128 // Each server should have the same HA configuration, except for the
129 // "this-server-name" parameter.
130 "high-availability": [ {
131 // This parameter points to this server instance. The respective
132 // HA peers must have this parameter set to their own names.
133 "this-server-name": "server2",
134 // The HA mode is set to hot-standby. In this mode, the active server handles
135 // all the traffic. The standby takes over if the primary becomes unavailable.
136 "mode": "hot-standby",
137 // Heartbeat is to be sent every 10 seconds if no other control
138 // commands are transmitted.
139 "heartbeat-delay": 10000,
140 // Maximum time for partner's response to a heartbeat, after which
141 // failure detection is started. This is specified in milliseconds.
142 // If we don't hear from the partner in 60 seconds, it's time to
143 // start worrying.
144 "max-response-delay": 60000,
145 // The following parameters control how the server detects the
146 // partner's failure. The ACK delay sets the threshold for the
147 // 'secs' field of the received discovers. This is specified in
148 // milliseconds.
149 "max-ack-delay": 5000,
150 // This specifies the number of clients which send messages to
151 // the partner but appear to not receive any response.
152 "max-unacked-clients": 5,
153 // This specifies the maximum timeout (in milliseconds) for the server
154 // to complete sync. If you have a large deployment (high tens or
155 // hundreds of thousands of clients), you may need to increase it
156 // further. The default value is 60000ms (60 seconds).
157 "sync-timeout": 60000,
158 // Multi-threading parameters.
159 // To not experience performance degradation when the Kea server is
160 // processing packets on multiple threads, the High Availability module
161 // must have multi-threading enabled.
162 "multi-threading": {
163 // Enable High Availability to benefit from multi-threading. Default: true.
164 "enable-multi-threading": true,
165 // When running in MT mode, the dedicated listener is used to handle
166 // lease updates.
167 "http-dedicated-listener": true,
168 // The number of threads used to handle incoming requests.
169 // A value of 0 instructs the server to use the same number of
170 // threads that the Kea core is using for DHCP multi-threading.
171 "http-listener-threads": 0,
172 // The number of threads used to handle outgoing requests.
173 // A value of 0 instructs the server to use the same number of
174 // threads that the Kea core is using for DHCP multi-threading.
175 "http-client-threads": 0
176 },
177 "peers": [
178 // This is the configuration of the primary server.
179 {
180 "name": "server1",
181 // This specifies the URL of the other server's dedicated HTTP listener.
182 // The "control-socket" is not needed for the High Availability
183 // with multi-threading, but if it is used, it must use
184 // different values for "socket-address" and "socket-port".
185 "url": "http://192.168.1.2:8005/",
186 // Trust anchor aka certificate authority file or directory.
187 "trust-anchor": "/usr/lib/kea/CA.pem",
188 // Client certificate file name.
189 "cert-file": "/usr/lib/kea/server1_cert.pem",
190 // Private key file name.
191 "key-file": "/usr/lib/kea/server1_key.pem",
192 // Client certificates are required and verified.
193 "require-client-certs": true,
194 // The other server is primary. This one must be
195 // secondary.
196 "role": "primary"
197 },
198 // This is the configuration of this server instance.
199 {
200 "name": "server2",
201 // This specifies the URL of this server dedicated HTTP listener.
202 // The "control-socket" is not needed for the High Availability
203 // with multi-threading, but if it is used, it must use
204 // different values for "socket-address" and "socket-port".
205 "url": "http://192.168.1.3:8005/",
206 // Trust anchor aka certificate authority file or directory.
207 "trust-anchor": "/usr/lib/kea/CA.pem",
208 // Client certificate file name.
209 "cert-file": "/usr/lib/kea/server2_cert.pem",
210 // Private key file name.
211 "key-file": "/usr/lib/kea/server2_key.pem",
212 // Client certificates are required and verified.
213 "require-client-certs": true,
214 // This server is secondary. The other one must be
215 // primary.
216 "role": "standby"
217 }
218 ]
219 } ]
220 }
221 }
222 ],
223
224 // This example contains a single subnet declaration.
225 "subnet4": [
226 {
227 // Subnet prefix.
228 "subnet": "192.168.1.0/24",
229
230 // There are no relays in this network, so we need to tell Kea that this subnet
231 // is reachable directly via the specified interface.
232 "interface": "enp0s8",
233
234 // Specify a dynamic address pool.
235 "pools": [
236 {
237 "pool": "192.168.1.100-192.168.1.199"
238 }
239 ]
240 }
241 ],
242
243 // Logging configuration starts here.
244 "loggers": [
245 {
246 // This section affects kea-dhcp4, which is the base logger for DHCPv4 component. It tells
247 // DHCPv4 server to write all log messages (on severity INFO or higher) to a file. The file
248 // will be rotated once it grows to 2MB and up to 4 files will be kept. The debuglevel
249 // (range 0 to 99) is used only when logging on DEBUG level.
250 "name": "kea-dhcp4",
251 "output-options": [
252 {
253 "output": "/var/log/kea/kea-dhcp4.log",
254 "maxsize": 2048000,
255 "maxver": 4
256 }
257 ],
258 "severity": "INFO",
259 "debuglevel": 0
260 }
261 ]
262}
263}