Bug#929469: systemd-networkd: systemd-networkd: fails with "could not set address: Permission denied"

Felipe Sateler fsateler at gmail.com
Wed Jun 26 13:17:31 BST 2019


On Tue, Jun 25, 2019, 17:12 Michael Biebl <biebl at debian.org> wrote:

> Control: severity -1 important
>
> Hi Raphael
>
> On Wed, 19 Jun 2019 22:33:21 +0200 Michael Biebl <biebl at debian.org> wrote:
> > Hi Raphael,
> >
> > On Tue, 11 Jun 2019 15:51:14 +0200 Raphael Hertzog <hertzog at debian.org> wrote:
> > > Hi,
> > >
> > > On Wed, 05 Jun 2019, Michael Biebl wrote:
> > > > systemd-networkd.service in v241 is locked down more tightly than v232.
> > > > It might be worth a try to comment out the hardening features one by one
> > > > to see if one of them causes your problem.
> > >
> > > Thanks for the idea! I tried that but it did not help. I found the issue
> > > after a few more tries tweaking the network configuration file. It's
> > > simply that the system has IPv6 disabled in the kernel policy while the
> > > .network file instructs to configure an IPv6 address.
> > >
> > > Both are contradictory but they happily lived together up to now.
> > > I don't know what changed but if we don't improve systemd-networkd
> > > to just skip IPv6 configuration when the kernel has a policy disabling
> > > IPv6, then we will have plenty of servers broken on upgrades because
> > > it's quite common to keep the network configuration file provided by
> > > the hoster and just disable IPv6 at the kernel level with sysctl:
> > >
> > > $ grep ipv6 /etc/sysctl.conf
> > > # Disable ipv6
> > > net.ipv6.conf.all.disable_ipv6 = 1
> > > net.ipv6.conf.default.disable_ipv6 = 1
> > > net.ipv6.conf.lo.disable_ipv6 = 1
> >
> > Ok, thanks for figuring out the root cause.
> > Given that this only happens under very special circumstances and
> > networkd not being enabled by default, I'm not entirely sure if this
> > issue should qualify as RC.
> > Cherry-picking the 6 upstream commits leads to a merge conflict when
> > applied on top of v241 and I haven't yet investigated if those can
> > easily be resolved.
> > TBH, I feel a bit uneasy doing this change so late in the release cycle
> > and personally I would downgrade this issue to non-RC and fix this via a
> > v243 upload to buster-backports.
> >
> > If you feel strongly about this though, please feel free to ask the release
> > team if the change is ok. A tested patch set would be great in this case.
>
> I haven't heard back from you and my current gut feeling is that this
> issue is not RC, so I'm downgrading it to important.
> I'm open to be persuaded otherwise though.
>
> Whether we are going to fix this via a stable point release or
> stretch-backports remains to be decided. The latter is easier for me, as
> it doesn't mean all the administrative overhead of a stable upload.
>

Perhaps the problem can be mitigated by a NEWS or release guide update.

Honestly, I don't think networkd should keep quiet about ipv6 being
disabled when you explicitly set up an ipv6 address.

Saludos
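
The conflict described in the quoted report (IPv6 disabled through sysctl while a .network file still assigns an IPv6 address) can be looked for before an upgrade. The script below is an added example, not part of the original message and not systemd code; the function names and the sample file contents are constructed for illustration, and it assumes the conflict is visible as an `Address=` line plus an `all`/`default` `disable_ipv6 = 1` setting.

```shell
#!/bin/sh
# Added example: pre-upgrade check for the sysctl/.network conflict in this thread.

# Succeeds if any given sysctl file has an uncommented
# net.ipv6.conf.(all|default).disable_ipv6 = 1 line.
ipv6_disabled_in() {
    grep -Eqs '^[[:space:]]*net\.ipv6\.conf\.(all|default)\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$@"
}

# Prints (with line numbers) Address= lines whose value contains a colon,
# i.e. an IPv6 literal such as 2001:db8::10/64. IPv4 values never match.
ipv6_address_lines() {
    grep -En '^[[:space:]]*Address[[:space:]]*=[[:space:]]*[0-9A-Fa-f]*:[0-9A-Fa-f:.]*(/[0-9]+)?[[:space:]]*$' "$1"
}

# check_conflict SYSCTL_FILE NETWORK_FILE...
# Returns 1 and reports each .network file that sets an IPv6 address while
# SYSCTL_FILE disables IPv6; returns 0 when there is no conflict.
check_conflict() {
    sysctl_file=$1; shift
    ipv6_disabled_in "$sysctl_file" || return 0
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        hits=$(ipv6_address_lines "$f") || continue
        printf '%s: IPv6 address set, but %s disables IPv6:\n%s\n' "$f" "$sysctl_file" "$hits"
        rc=1
    done
    return "$rc"
}

# Constructed sample input (not from a real host): a sysctl line as quoted in
# the thread and a hypothetical hoster-provided .network file.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' '# Disable ipv6' 'net.ipv6.conf.all.disable_ipv6 = 1' > "$tmp/sysctl.conf"
    printf '%s\n' '[Match]' 'Name=eth0' '[Network]' 'Address=192.0.2.10/24' \
        'Address=2001:db8::10/64' > "$tmp/10-eth0.network"
    check_conflict "$tmp/sysctl.conf" "$tmp/10-eth0.network" && status=0 || status=$?
    rm -rf "$tmp"
    return "$status"
}

# With paths (sysctl file, then .network files), check real files;
# with no arguments, run the constructed demo.
if [ "$#" -ge 2 ]; then check_conflict "$@"; else demo || true; fi
```

The check reads configuration files only; a host where IPv6 is disabled some other way (for example on the kernel command line) will not be flagged.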
