"unconfigured" NIC can still get IPv6 addresses via RA
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Invalid | Wishlist | Unassigned |
Netplan | Fix Released | High | Mathieu Trudel-Lapierre |
curtin | Invalid | Undecided | Unassigned |
nplan (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre |
Xenial | Fix Released | High | Mathieu Trudel-Lapierre |
Zesty | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Some users omit configuration for some interfaces, and expect that the lack of configuration translates to "no IP address" on the interface, as per netplan documentation.
[Test case]
/!\ Requires an IPv6-capable network.
1) Update nplan.
2) Ensure the nplan configuration includes the 'accept-ra: no' option.
3) Run 'netplan apply'
4) Verify that there is no IPv6 address set for the interface where 'accept-ra: no' is set, using 'ip -6 addr'.
[Regression potential]
Incorrect configuration of the IPv6 addresses on a device would constitute a regression: for instance, getting an IPv6 SLAAC address when 'accept-ra: no' is set; or no IPv6 address when RAs are being received and 'accept-ra' is not set. Furthermore, possible regressions may look like incorrect IPv6 configuration or missing options on IPv6 or IPv4 setups, in the form of not retrieving an IP address or getting the wrong IP.
---
TL;DR A MAAS NIC that is set to "unconfigured" (or "link up") will get no IPv4 address, but it might still get an IPv6 address via router advertisements (RA), if there is such a service in that network segment.
Whether this is a bug or not is up for discussion. That's the point of this ticket, actually, so that this discussion can be had and be recorded.
We found out about this when we couldn't get any connectivity to instances of an openstack cloud deployed by the autopilot.
After much debugging, we found that the problem was with the br-data bridge on the neutron-gateway node: it didn't have the external NIC (eth1) as part of the bridge.
The neutron-gateway charm, before adding any NIC to a bridge, performs certain checks to see if it's really unused. One of these checks looks for IP addresses on the NIC, both IPv4 and IPv6. In MAAS, that node had eth1 set to "unconfigured", so that eth1 is just "up", but has no IP (v4) address. Turns out this NIC had gotten an IPv6 ULA from an openwrt router in that network segment. That was enough for the charm to not add it to the br-data bridge, thus breaking connectivity to openstack instances that were later brought up.
We shut down the RA service on the openwrt router and then everything worked as expected.
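A check for step 4 of the test case above, as an added example that is not part of the original bug report or of netplan: it parses `ip -6 -o addr show` output and fails when the named interface carries a global-scope IPv6 address, which is how the kernel classifies ULAs as well. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ip -6 -o addr show` output (not captured from a real host).
SAMPLE_IP6='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet6 fd00:db8:1:0:5054:ff:fe00:2/64 scope global dynamic mngtmpaddr \       valid_lft 7100sec preferred_lft 1700sec
3: eth1    inet6 fe80::5054:ff:fe00:2/64 scope link \       valid_lft forever preferred_lft forever'

# Print "iface address dynamic|static" for every global-scope inet6 address
# on the named interface. Reads `ip -6 -o addr show` output on stdin.
# ULAs (fc00::/7) are "scope global" to the kernel, so they are reported too.
# "dynamic" means the address is non-permanent (finite lifetime), as
# autoconfigured SLAAC addresses are.
global_v6_addrs() {
    awk -v want="$1" '
        $2 == want && $3 == "inet6" {
            scope = ""; dyn = "static"
            for (i = 5; i <= NF; i++) {
                if ($i == "scope") scope = $(i + 1)
                if ($i == "dynamic") dyn = "dynamic"
            }
            if (scope == "global") print $2, $4, dyn
        }'
}

# Exit status 0 when the interface has no global-scope IPv6 address
# (the expected result with accept-ra: no), 1 otherwise.
# Link-local (fe80::/10) addresses are ignored on purpose.
check_unconfigured() {
    found=$(global_v6_addrs "$1")
    if [ -n "$found" ]; then
        printf 'FAIL %s\n' "$found"
        return 1
    fi
    printf 'OK   %s has no global-scope IPv6 address\n' "$1"
}

# On a live host: ip -6 -o addr show | check_unconfigured eth1
printf '%s\n' "$SAMPLE_IP6" | check_unconfigured eth0
printf '%s\n' "$SAMPLE_IP6" | check_unconfigured eth1 || true
```
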
Changed in nplan (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
assignee: | nobody → Mathieu Trudel-Lapierre (cyphermox) |
Changed in nplan (Ubuntu Xenial): | |
importance: | Undecided → High |
status: | New → In Progress |
assignee: | nobody → Mathieu Trudel-Lapierre (cyphermox) |
description: | updated |
description: | updated |
tags: | added: id-5966b7c8f96a052f6904d7cb |
tags: | added: verification-failed-xenial removed: verification-needed-xenial |
This is an Ubuntu default setting, and MAAS does not currently change operating-system-specific settings upon deployment. This could be rendered in a pre-up script for ifupdown, but my understanding is that pre-up scripts will not be available under netplan and networkd.
In order for us to disable the acceptance of IPv6 router advertisements, we would either need to disable IPv6 completely, such as by modifying this sysctl:
net.ipv6.conf.<all|ifname>.disable_ipv6
... or disable just the acceptance of IPv6 router advertisements using this sysctl:
net.ipv6.conf.<all|ifname>.accept_ra
I think it seems reasonable that MAAS should be able to configure these settings. However, this is a decision that goes beyond just MAAS. (I'll add curtin to this bug.)