"netplan apply" does not set file mode, umask 077 causes systemd-networkd to be unable to start

Status changed to 'Confirmed' because the bug affects multiple users.

umask 027 is (obviously) sufficient to lead to the issue.

Our customer requires at least umask 027 for all Linux servers in a project. After performing the cahnge "netplan apply" creates configuration files which are not readable by systemd-networkd when the service is restarted.

Hi,

I have reproduced this on bionic, and proposed the following patch to fix it: https://github.com/CanonicalLtd/netplan/pull/36

Regards,
Daniel

This bug was fixed in the package netplan.io - 0.40

---------------
netplan.io (0.40) cosmic; urgency=medium

  * New upstream release:
    - networkd: route source is PreferredSource= not From=
    - Improve NetworkManager error reporting on unrenderable routes.
    - Don't render ipv4 dns-search unless we have an ipv4 address.
      (LP: #1786726)
    - Set permissive umask on networkd .network, .link and .netdev files
      (LP: #1736965, LP: #1768560)
    - Fix support for link-scope routes. (LP: #1747455)
    - Update man pages for deletion of replug code.
    - Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
    - Many typo fixes for documentation. (LP: #1783940)
    - Various build system fixes.
    - Fix integration tests:
      - iproute2 output changes for link-scope routes
      - fix stability of networkd igmp-resend test
      - fix manual_addresses test now that networkd lists ~. domain
    - Deduplicate code for parsing interface options
    - Add support for optional-addresses.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 13 Sep 2018 17:29:41 -0400

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verification-done with netplan.io 0.40.1~18.04.1 on bionic:

ubuntu@new-man:~$ ls -l /run/systemd/network/
total 8
-rw-r--r-- 1 root root 83 Oct 9 17:14 10-netplan-ens6.link
-rw-r--r-- 1 root root 209 Oct 9 17:14 10-netplan-ens6.network
ubuntu@new-man:~$ sudo netplan generate
ubuntu@new-man:~$ ls -l /run/systemd/network/
total 8
-rw-r--r-- 1 root root 83 Oct 9 17:18 10-netplan-ens6.link
-rw-r--r-- 1 root root 209 Oct 9 17:18 10-netplan-ens6.network

After changing UMASK in /etc/login.defs and logging out, logging back in; I can validate that the files generated by netplan are still written with mode 644, which allows systemd-networkd to read them. This clearly deviates from previous behavior of incorrectly honouring UMASK for these files leading to systemd-networkd being unable to read them.

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40.1~18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verification-done on bionic using netplan.io 0.40.1~18.04.2:

Verified that with umask set, netplan correctly generates the files for systemd with 644 permissions, and they are succesfully read by systemd-networkd.

root@working-guinea:~# umask
0077
root@working-guinea:~# cd /run/systemd/system/
root@working-guinea:/run/systemd/system# ls
root@working-guinea:/run/systemd/system# cd ../network/
root@working-guinea:/run/systemd/network# ls
10-netplan-eth0.network 10-netplan-veth0.network
root@working-guinea:/run/systemd/network# ls -altr
total 8
-rw-r--r-- 1 root root 78 Oct 29 20:53 10-netplan-veth0.network
-rw-r--r-- 1 root root 100 Oct 29 20:53 10-netplan-eth0.network
drwxr-xr-x 2 root root 80 Oct 29 20:53 .
drwxr-xr-x 20 root root 480 Oct 29 20:53 ..
root@working-guinea:/run/systemd/network# touch toto
root@working-guinea:/run/systemd/network# ls -altr
total 8
-rw-r--r-- 1 root root 78 Oct 29 20:53 10-netplan-veth0.network
-rw-r--r-- 1 root root 100 Oct 29 20:53 10-netplan-eth0.network
drwxr-xr-x 20 root root 480 Oct 29 20:53 ..
-rw------- 1 root root 0 Oct 29 20:54 toto
drwxr-xr-x 2 root root 100 Oct 29 20:54 .
root@working-guinea:/run/systemd/network# netplan apply
root@working-guinea:/run/systemd/network# ls -latr
total 8
-rw------- 1 root root 0 Oct 29 20:54 toto
-rw-r--r-- 1 root root 78 Oct 29 20:54 10-netplan-veth0.network
-rw-r--r-- 1 root root 100 Oct 29 20:54 10-netplan-eth0.network
drwxr-xr-x 2 root root 100 Oct 29 20:54 .
drwxr-xr-x 21 root root 500 Oct 29 20:54 ..
root@working-guinea:/run/systemd/network# netplan generate
root@working-guinea:/run/systemd/network# ls -latr
total 8
-rw------- 1 root root 0 Oct 29 20:54 toto
drwxr-xr-x 21 root root 500 Oct 29 20:54 ..
-rw-r--r-- 1 root root 78 Oct 29 20:54 10-netplan-veth0.network
-rw-r--r-- 1 root root 100 Oct 29 20:54 10-netplan-eth0.network
drwxr-xr-x 2 root root 100 Oct 29 20:54 .

This bug was fixed in the package netplan.io - 0.40.1~18.04.2

---------------
netplan.io (0.40.1~18.04.2) bionic; urgency=medium

  * Fix typo breaking rename on 'netplan apply'. (LP: #1770082)

netplan.io (0.40.1~18.04.1) bionic; urgency=medium

  * Backport netplan 0.40.1 to 18.04. (LP: #1793309)

netplan.io (0.40.1) cosmic; urgency=medium

  * tests/generate.py: use random.sample() instead of random.choices() to
    better support older pythons.
  * Deal gracefully with empty files on 'netplan apply' (LP: #1795343)

netplan.io (0.40) cosmic; urgency=medium

  * New upstream release:
    - networkd: route source is PreferredSource= not From=
    - Improve NetworkManager error reporting on unrenderable routes.
    - Don't render ipv4 dns-search unless we have an ipv4 address.
      (LP: #1786726)
    - Set permissive umask on networkd .network, .link and .netdev files
      (LP: #1736965, LP: #1768560)
    - Fix support for link-scope routes. (LP: #1747455)
    - Update man pages for deletion of replug code.
    - Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
    - Many typo fixes for documentation. (LP: #1783940)
    - Various build system fixes.
    - Fix integration tests:
      - iproute2 output changes for link-scope routes
      - fix stability of networkd igmp-resend test
      - fix manual_addresses test now that networkd lists ~. domain
    - Deduplicate code for parsing interface options
    - Add support for optional-addresses.

netplan.io (0.39) cosmic; urgency=medium

  * New upstream release:
    - Allow link-local addresses to be configured. (LP: #1771704)
    - Forces bridges with no addresses to be brought online. (LP: #1736975)

netplan.io (0.38) cosmic; urgency=medium

  * New upstream release:
    - Write udev .rules files to /run/udev/rules.d to enforce interface
      renaming. (LP: #1770082)
    - Don't traceback for 'netplan ip leases' when iface is not managed or
      doesn't DHCP (LP: #1768823)
    - Fix duplicate "/" path separator in error messages (LP: #1771440)
    - Fix incorrect terminal reset in 'netplan try' on Ctrl-C. (LP: #1768798)
    - Updated doc entries: mtu, fix fwmark->mark, cleanup optional.
      (LP: #1768783)
    - Added documentation validation at build.
    - Added configuration example for multi-ip interfaces.
  * tests/integration.py: fix test_eth_and_bridge autopkg test harder.
  * debian/control:
    - Add iproute2 to Depends.
    - Add python3-netifaces to Depends, Build-Depends.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 22 Oct 2018 15:02:30 -0400

The verification of the Stable Release Update for netplan.io has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40.1~18.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Resetting the tags to verification-done as per the discussion in https://bugs.launchpad.net/netplan/+bug/1770082/comments/95.

The SRU had been rolled back due to a regression that needed to be fixed, but we still consider the previous verification to be valid.

This bug was fixed in the package netplan.io - 0.40.1~18.04.3

---------------
netplan.io (0.40.1~18.04.3) bionic; urgency=medium

  * Fix idempotency in renaming: bond members should be exempt from rename, as
    they may all share a single MAC for the bond device. (LP: #1802322)
  * tests/integration.py: add test designed to catch the above regression.

netplan.io (0.40.1~18.04.2) bionic; urgency=medium

  * Fix typo breaking rename on 'netplan apply'. (LP: #1770082)

netplan.io (0.40.1~18.04.1) bionic; urgency=medium

  * Backport netplan 0.40.1 to 18.04. (LP: #1793309)

netplan.io (0.40.1) cosmic; urgency=medium

  * tests/generate.py: use random.sample() instead of random.choices() to
    better support older pythons.
  * Deal gracefully with empty files on 'netplan apply' (LP: #1795343)

netplan.io (0.40) cosmic; urgency=medium

  * New upstream release:
    - networkd: route source is PreferredSource= not From=
    - Improve NetworkManager error reporting on unrenderable routes.
    - Don't render ipv4 dns-search unless we have an ipv4 address.
      (LP: #1786726)
    - Set permissive umask on networkd .network, .link and .netdev files
      (LP: #1736965, LP: #1768560)
    - Fix support for link-scope routes. (LP: #1747455)
    - Update man pages for deletion of replug code.
    - Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
    - Many typo fixes for documentation. (LP: #1783940)
    - Various build system fixes.
    - Fix integration tests:
      - iproute2 output changes for link-scope routes
      - fix stability of networkd igmp-resend test
      - fix manual_addresses test now that networkd lists ~. domain
    - Deduplicate code for parsing interface options
    - Add support for optional-addresses.

netplan.io (0.39) cosmic; urgency=medium

  * New upstream release:
    - Allow link-local addresses to be configured. (LP: #1771704)
    - Forces bridges with no addresses to be brought online. (LP: #1736975)

netplan.io (0.38) cosmic; urgency=medium

  * New upstream release:
    - Write udev .rules files to /run/udev/rules.d to enforce interface
      renaming. (LP: #1770082)
    - Don't traceback for 'netplan ip leases' when iface is not managed or
      doesn't DHCP (LP: #1768823)
    - Fix duplicate "/" path separator in error messages (LP: #1771440)
    - Fix incorrect terminal reset in 'netplan try' on Ctrl-C. (LP: #1768798)
    - Updated doc entries: mtu, fix fwmark->mark, cleanup optional.
      (LP: #1768783)
    - Added documentation validation at build.
    - Added configuration example for multi-ip interfaces.
  * tests/integration.py: fix test_eth_and_bridge autopkg test harder.
  * debian/control:
    - Add iproute2 to Depends.
    - Add python3-netifaces to Depends, Build-Depends.

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 21 Nov 2018 14:42:59 -0500