Bug#929469: systemd-networkd: systemd-networkd: fails with "could not set address: Permission denied"

Michael Biebl biebl at debian.org
Tue Jun 25 22:08:31 BST 2019


Control: severity -1 important

Hi Raphael

On Wed, 19 Jun 2019 22:33:21 +0200 Michael Biebl <biebl at debian.org> wrote:
> Hi Raphael,
> 
> On Tue, 11 Jun 2019 15:51:14 +0200 Raphael Hertzog <hertzog at debian.org>
> wrote:
> > Hi,
> > 
> > On Wed, 05 Jun 2019, Michael Biebl wrote:
> > > systemd-networkd.service in v241 is locked down more tightly than v232.
> > > It might be worth a try to comment out the hardening features one by one
> > > to see if one of them causes your problem.
> > 
> > Thanks for the idea! I tried that but it did not help. I found the issue
> > after a few more tries tweaking the network configuration file. It's
> > simply that the system has IPv6 disabled in the kernel policy while the
> > .network file instructs to configure an IPv6 address.
> > 
> > Both are contradictory but they happily lived together up to now.
> > I don't know what changed but if we don't improve systemd-networkd
> > to just skip IPv6 configuration when the kernel has a policy disabling
> > IPv6, then we will have plenty of servers broken on upgrades because
> > it's quite common to keep the network configuration file provided by
> > the hoster and just disable IPv6 at the kernel level with sysctl:
> > 
> > $ grep ipv6 /etc/sysctl.conf
> > # Disable ipv6
> > net.ipv6.conf.all.disable_ipv6 = 1
> > net.ipv6.conf.default.disable_ipv6 = 1
> > net.ipv6.conf.lo.disable_ipv6 = 1
> 
> Ok, thanks for figuring out the root cause.
> Given that this only happens under very special circumstances and
> networkd not being enabled by default, I'm not entirely sure if this
> issue should qualify as RC.
> Cherry-picking the 6 upstream commits leads to a merge conflict when
> applied on top of v241 and I haven't yet investigated if those can
> easily be resolved.
> TBH, I feel a bit uneasy doing this change so late in the release cycle
> and personally I would downgrade this issue to non-RC and fix this via a
> v243 upload to buster-backports.
> 
> If you feel strongly about this though, please feel free to ask the release
> team if the change is ok. A tested patch set would be great in this case.

I haven't heard back from you and my current gut feeling is that this
issue is not RC, so I'm downgrading it to important.
I'm open to being persuaded otherwise though.

Whether we are going to fix this via a stable point release or
stretch-backports remains to be decided. The latter is easier for me, as
it doesn't mean all the administrative overhead of a stable upload.


Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
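
The conflict described in the quoted report above, as an added example that is not part of the original message or of systemd: a pre-upgrade check that reports IPv6 Address= entries in a .network file when sysctl.conf disables IPv6. The function names, the sample .network file and the rule that only the "all" or "default" scope counts as disabling are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input: the sysctl lines quoted in the thread, plus a
# hypothetical .network file that uses documentation address ranges.
SYSCTL_SAMPLE = """# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
"""
NETWORK_SAMPLE = """[Match]
Name=eth0
[Network]
Address=192.0.2.10/24
Address=2001:db8::10/64
[Address]
Address=2001:db8::11/64
"""
SYSCTL_RE = re.compile(r"^\s*net\.ipv6\.conf\.([^.\s]+)\.disable_ipv6\s*=\s*1\s*$")

def disabled_scopes(sysctl_text):
    """Return the scopes (all, default, lo, ...) that set disable_ipv6 = 1."""
    matches = (SYSCTL_RE.match(line) for line in sysctl_text.splitlines())
    return {m.group(1) for m in matches if m}

def ipv6_addresses(network_text):
    """Return (section, value) for every Address= line holding an IPv6 address."""
    found, section = [], None
    for raw in network_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Address":  # commented-out keys do not match
            try:
                if ipaddress.ip_interface(value.strip()).version == 6:
                    found.append((section, value.strip()))
            except ValueError:
                pass  # value is not an IP literal
    return found

def find_conflicts(sysctl_text, network_text):
    """IPv6 addresses that contradict a kernel-level disable (assumed rule)."""
    scopes = disabled_scopes(sysctl_text)
    return ipv6_addresses(network_text) if scopes & {"all", "default"} else []

if __name__ == "__main__":
    print(find_conflicts(SYSCTL_SAMPLE, NETWORK_SAMPLE))
```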
