Unable to set systemd/network settings from netplan yaml

Bug #1777523 reported by Aaron Thomas
This bug affects 5 people
Affects: Netplan
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

/etc/netplan/01-netcfg.yaml is unable to set options (upon 'generate' command) in /run/systemd/network/*.network as advertised (on netplan.io).

Namely, in /etc/systemd/resolved.conf, I can specify:

[Network]
LLMNR=no

see https://askubuntu.com/questions/1025309/how-can-i-disable-llmnr-in-systemd-resolved

Which is a global setting. But it has no effect per interface. Per interface this setting is controlled via /etc/systemd/network/*.conf files.

This can be demonstrated by running systemd-resolve --status (after a service restart).

There seems to be no mapping to this value and others in /etc/netplan/*.yaml, that I can otherwise set up in the systemd/network conf files.

Aaron Thomas (athomas-work) wrote :
description: updated
Aaron Thomas (athomas-work) wrote :

I can reproduce this on 300 machines; what do I need to have this looked at by someone?

Ryan Harper (raharper) wrote :

Hi,

Controlling the DNS settings for interfaces is on the roadmap, but it's not yet landed as you know. In the meantime, you can create a .network file which will disable LLMNR on any interface like the following.

root@c2:~# cat /etc/systemd/network/10-disable-llmnr.network
[Match]
Name=*

[Network]
LLMNR=no

That will apply to any network interface; you can modify the [Match] section to pick the interfaces you choose. The systemd-resolve --status output will show that the LLMNR setting is applied to the interfaces as well.

# systemd-resolve --status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 56 (eth0)
      Current Scopes: none
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Changed in netplan:
status: New → Confirmed
Ryan Harper (raharper) wrote :
Aaron Thomas (athomas-work) wrote :

Thanks!

Actually, when I did this, and ran 'netplan try', it simply removed all the ip addresses from my interfaces (making me lose access to the server, but, I have an ipmi interface so, no big deal).

Maybe this works for dhcp only? For my machine, it seems to obliterate my configuration.

Here's an example of my netplan file:

network:
  renderer: networkd
  version: 2
  ethernets:
    ens32:
      match:
        macaddress: 00:50:56:b0:80:f3
      addresses: [10.0.0.15/8]
      gateway4: 10.0.0.1
      routes:
      - to: 0.0.0.0/0
        via: 10.0.0.1
        metric: 1
      nameservers:
        search: [localdomain]
        addresses: [10.0.0.2, 10.0.0.3]
      dhcp4: false
      dhcp6: false

My InfiniBand and external interfaces follow this pattern with different values.

Aaron Thomas (athomas-work) wrote :

More info on the 10-disable-llmnr.network fix:

My log file says things like:

systemd[1]: Started Network Service.
systemd-networkd[80848]: ens32: Link is not managed by us
systemd-networkd[80848]: ens160: Link is not managed by us
systemd-networkd[80848]: lo: Link is not managed by us

after the change. The IP addresses disappear, but the LLMNR setting is in fact set to No.

Removing the file results in a return of the ip addresses, and the LLMNR setting is back to Yes again.

Ryan Harper (raharper) wrote : Re: [Bug 1777523] Re: Unable to set systemd/network settings from netplan yaml

On Tue, Sep 25, 2018 at 6:11 PM Aaron Thomas <email address hidden> wrote:
>
> More info on the 10-disable-llmnr.network fix:
>
> My log file says things like:
>
> systemd[1]: Started Network Service.
> systemd-networkd[80848]: ens32: Link is not managed by us
> systemd-networkd[80848]: ens160: Link is not managed by us
> systemd-networkd[80848]: lo: Link is not managed by us
>
> after the change. The IP addresses disappear, but the LLMNR setting is in
> fact set to No.
>
> Removing the file results in a return of the ip addresses, and the LLMNR
> setting is back to Yes again.

Hrm, I had thought that multiple network sections were joinable...

Let me test that out. Otherwise that's not much help.


Ryan Harper (raharper) wrote :

Well, no, multiple .network files don't stack. However, one can use a
drop-in conf.d as long as it matches at least one .network file.

In your case, you have a /run/systemd/network/10-netplan-ens32.network
 so the drop-in conf dir for that is 10-netplan-ens32.network.d and in
there we can mv the 10-disable-llmnr.network to 10-disable-llmnr.conf.
And put that in /etc/systemd/network/

So, you should have:

# cat /etc/systemd/network/10-netplan-ens32.network.d/10-disable-llmnr.conf
[Match]
Name=*

[Network]
LLMNR=no

And to confirm, I've got two nics, eth0 (dhcp) and eth1 (static) on
this node and the output of networkctl and resolved looks like this:

# networkctl status
● State: routable
       Address: 10.8.107.134 on eth0
                10.8.107.166 on eth1
                192.168.22.2 on eth1
                fe80::216:3eff:fe9b:1c56 on eth0
                fe80::216:3eff:fe1d:15c9 on eth1
       Gateway: 10.8.107.1 on eth0
                10.8.107.1 on eth1
           DNS: 10.8.107.1
Search Domains: lxd
root@c2:~# systemd-resolve --status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 58 (eth1)
      Current Scopes: DNS
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.8.107.1
          DNS Domain: lxd

Link 56 (eth0)
      Current Scopes: DNS
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.8.107.1
          DNS Domain: lxd
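
The drop-in approach from the comment above, scripted for many hosts and interfaces; this is an added example, not part of the original thread and not netplan or systemd code. The function names write_llmnr_dropins, llmnr_enabled_scopes and sample_status are hypothetical, the status text is constructed, and the drop-in carries only a [Network] section on the assumption that the parent .network file already holds the [Match].

```shell
#!/bin/bash
# Added example (not from the bug thread). Directories are arguments so it can
# be tried on a scratch directory before touching a real host.
set -eu

# write_llmnr_dropins SRC_DIR DEST_DIR
# For every SRC_DIR/*.network create DEST_DIR/<file>.network.d/10-disable-llmnr.conf
# and print how many were written. Only [Network] is written: a drop-in is merged
# into the unit it is named after, and that unit's [Match] already selects the link.
write_llmnr_dropins() {
    src=$1 dest=$2 count=0
    for unit in "$src"/*.network; do
        [ -e "$unit" ] || continue            # glob matched nothing
        dir="$dest/$(basename "$unit").d"
        mkdir -p "$dir"
        printf '[Network]\nLLMNR=no\n' > "$dir/10-disable-llmnr.conf"
        count=$((count + 1))
    done
    echo "$count"
}

# Read `systemd-resolve --status` text on stdin and print every scope
# (Global or an interface name) whose LLMNR setting is anything but "no".
llmnr_enabled_scopes() {
    awk '
        /^Global/         { scope = "Global" }
        /^Link [0-9]+ \(/ { scope = $3; gsub(/[()]/, "", scope) }
        /LLMNR setting:/  { if ($NF != "no") print scope }
    '
}

# Constructed sample output (not from a real host): eth1 still has LLMNR on.
sample_status() {
    cat <<'EOF'
Global
       LLMNR setting: no

Link 58 (eth1)
       LLMNR setting: yes

Link 56 (eth0)
       LLMNR setting: no
EOF
}

# Demo on a scratch directory with one netplan-style unit name from the thread.
tmp=$(mktemp -d)
touch "$tmp/10-netplan-ens32.network"
write_llmnr_dropins "$tmp" "$tmp/etc"
sample_status | llmnr_enabled_scopes
```

On a real host the source directory would be /run/systemd/network and the destination /etc/systemd/network, followed by a systemd-networkd restart and piping systemd-resolve --status into llmnr_enabled_scopes to confirm nothing is listed.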

Aaron Thomas (athomas-work) wrote :

Since this was touched in askubuntu recently; thanks for the fix, it does indeed work for my interfaces, i.e. /etc/systemd/network/10-netplan-<some-interface>.network.d/10-disable-llmnr.conf

It's not netplan, but it works, and since then I've set up my interface management to be one netplan file per interface with all routing specified and so adding this file is easy when necessary.
