DROPBEAR_IFDOWN=* takes interface down but leaves netplan config

Bug #1813394 reported by Andreas Fuchs
This bug affects 18 people
Affects                   Status     Importance  Assigned to  Milestone
clevis (Ubuntu)           Confirmed  Undecided   Unassigned
dropbear (Ubuntu)         Confirmed  Undecided   Unassigned
initramfs-tools (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

On bionic, setting the network interface up (e.g. eno1) with DHCP now causes a /run/netplan/eno1.yaml and a /run/net-eno1.conf file to be written. The former gets imported by netplan after boot and causes the DHCP lease from the initrd to be around forever, which I think goes against the intent of DROPBEAR_IFDOWN=*.

I have brewed up a workaround script that lives in /etc/initramfs-tools/scripts/init-bottom/hack-delete-netif-netplan.sh for now:

#### ---- 8< cut >8 --------
#!/bin/sh
# initramfs-tools init-bottom hook: delete the runtime network configuration
# that was written while the interface was brought up in the initrd, so that
# netplan / systemd-networkd do not import it once the real root is running.

PREREQ=""

prereqs() {
        echo "$PREREQ"
}

case "$1" in
        prereqs)
                prereqs
                exit 0
        ;;
esac

. /scripts/functions

log_begin_msg "Deleting all network configuration that systemd could try to import"
# -f: do not fail when a glob matches nothing (e.g. no interface was configured)
rm -f /run/net-*.conf
rm -f /run/netplan/*.yaml
log_end_msg
#### ---- 8< cut >8 --------

I think that dropbear-initramfs's init-bottom script should do this in addition to downing the interfaces that it finds via the DROPBEAR_IFDOWN pattern. Do you agree?

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dropbear (Ubuntu):
status: New → Confirmed
Johan Ehnberg (johan-ehnberg) wrote :

I agree. I confirm this is still happening on Ubuntu 20.04.

Johan Ehnberg (johan-ehnberg) wrote :

This also applies when set up with static IPs in /etc/initramfs-tools/initramfs.conf. That case is most prominently noticed as lacking nameservers after boot.

Johan Ehnberg (johan-ehnberg) wrote :

Investigating further reveals that the package is not adapted for netplan in the first place. The maintainer is not on launchpad and the package was imported from Debian Sid.

Johan Ehnberg (johan-ehnberg) wrote :

Digging even further back, it turns out that IFDOWN is in itself a workaround for an equal issue dating back to ~2012. As such, the core of the issue lies with how initramfs network setup overrides netplan. Adding that package.

Given the very limited setup /etc/initramfs-tools/initramfs.conf allows (including the DHCP default mentioned in the description), there is a case to be made for allowing admins to rely on the full config rather than initramfs for their network setup.

Johan Ehnberg (johan-ehnberg) wrote :

It seems the workaround above does not work on Ubuntu 20.04.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in initramfs-tools (Ubuntu):
status: New → Confirmed
boxeus (boxeus) wrote :

The easiest way to fix this on Linux Mint for me was to edit:

/usr/share/initramfs-tools/scripts/init-bottom/dropbear

add these two lines to the end of file:

rm -f /run/net-*.conf
rm -f /run/netplan/*.yaml

save and run:

update-initramfs -u

Johan Ehnberg (johan-ehnberg) wrote :

Which version of Mint (or which upstream Ubuntu is it based on)? I wonder if there is a way to get those rows into the configs rather than editing packaged files.

Johan Ehnberg (johan-ehnberg) wrote :

I can confirm the workaround by boxeus works on Ubuntu 20.04 LTS. To improve on that, the lines can be added to the /etc/dropbear-initramfs/config config file instead to avoid upgrade issues. It is loaded towards the end of /usr/share/initramfs-tools/scripts/init-bottom/dropbear anyway.

Automation two-liner (printf rather than echo -e, which is not portable to dash, and -f so the globs never make the hook fail):
printf 'rm -f /run/net-*.conf\nrm -f /run/netplan/*.yaml\n' >> /etc/dropbear-initramfs/config
update-initramfs -u

After that, netplan actually works again.

MartinRunge (martin-runge) wrote :

The same problem occurs when the hdd is automatically decrypted with clevis and a tang server. The script /usr/share/initramfs-tools/scripts/local-bottom/clevis tries to deactivate the network interface again after it got the secret to decrypt the disk from the tang server:

...
for iface in /sys/class/net/*; do
    if [ -e "$iface" ]; then
        iface=$(basename "$iface")
        ip link set dev "$iface" down
        ip addr flush dev "$iface"
        ip route flush dev "$iface"
    fi
done

The presence of /run/net-*.conf and /run/netplan/*.yaml leads to the interface being managed by systemd-networkd instead of NetworkManager here, too.

Instead of implementing removal of the files in dropbear and clevis, maybe there is a single place to serve both, dropbear and clevis?
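
An added example, not code from the bug report nor from the dropbear, clevis or initramfs-tools packages, of the shared clean-up the comment above asks for, and of the more targeted version of the description's workaround: a POSIX sh function that removes only the runtime files the initramfs wrote (/run/net-IFACE.conf and the matching /run/netplan/IFACE.yaml) for interfaces that match an IFDOWN-style glob, and leaves any other fragment in /run/netplan alone. The function name, its optional directory argument (present so it can be exercised against a scratch directory instead of the live /run) and the sample file names are assumptions of this example; in a real init-bottom hook it would sit inside the same prereqs boilerplate as the script in the description, called with the DROPBEAR_IFDOWN value.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of any Ubuntu package).
#
# cleanup_initramfs_netcfg PATTERN [RUNDIR]
#   PATTERN  IFDOWN-style shell glob naming the interfaces the initramfs
#            configured and that should be handed back to netplan/NetworkManager
#   RUNDIR   directory holding net-*.conf and netplan/ (defaults to /run)
# Prints the number of interfaces whose runtime configuration was removed.
cleanup_initramfs_netcfg() {
    pattern="$1"
    rundir="${2:-/run}"
    removed=0
    # Only interfaces the initramfs itself brought up have a net-IFACE.conf;
    # an administrator's own /run/netplan/*.yaml therefore never gets touched.
    for conf in "$rundir"/net-*.conf; do
        [ -e "$conf" ] || continue          # glob matched nothing
        iface="${conf##*/net-}"             # /run/net-eno1.conf -> eno1.conf
        iface="${iface%.conf}"              # eno1.conf -> eno1
        case "$iface" in
            $pattern) ;;                    # covered by the IFDOWN pattern
            *) continue ;;                  # leave other interfaces alone
        esac
        # -f: neither file is required to exist, and the hook must not fail
        rm -f "$conf" "$rundir/netplan/$iface.yaml"
        removed=$((removed + 1))
    done
    echo "$removed"
}
```

Called as `cleanup_initramfs_netcfg "$DROPBEAR_IFDOWN"` from an init-bottom or local-bottom script, it does for the leftover configuration what the existing dropbear code does for the link itself: only the interfaces the pattern names are affected, and a pattern of `*` restores the behaviour of the blanket `rm` in the description.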

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in clevis (Ubuntu):
status: New → Confirmed
Pavel Malyshev (afunix) wrote (last edit ):

Confirming the clevis issue.
Patch for reference:
------------
--- /usr/share/initramfs-tools/scripts/local-bottom/clevis.orig 2022-07-11 10:52:16.938228467 -0500
+++ /usr/share/initramfs-tools/scripts/local-bottom/clevis 2022-07-11 10:30:08.040636353 -0500
@@ -46,5 +46,9 @@ for iface in /sys/class/net/*; do
         ip link set dev "$iface" down
         ip addr flush dev "$iface"
         ip route flush dev "$iface"
+
+ if [ -f "/run/netplan/${iface}.yaml" ]; then
+ rm "/run/netplan/${iface}.yaml"
+ fi
     fi
 done
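Review bot: the added block in this hunk deletes only /run/netplan/${iface}.yaml; the matching /run/net-${iface}.conf, which the previous comment names as the other file that makes systemd-networkd take over the interface, is left in place. Suggest `rm -f "/run/netplan/${iface}.yaml" "/run/net-${iface}.conf"`, which also makes the `[ -f ]` guard unnecessary. The three added lines are indented with a single space while the surrounding context uses eight, so the result will not match the file's style.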
------------

Followed by: update-initramfs -u -k 'all'

Dan Podeanu (pdan) wrote (last edit ):

Patch for /usr/share/initramfs-tools/scripts/init-bottom/dropbear on Ubuntu 22.04-LTS

This feels like the better place for a fix, as it respects Dropbear's original semantics for IFDOWN on systems which run Netplan, which I am certain has good reasons for choosing to preserve the network interfaces configured directly by the kernel.

Needs to be followed by update-initramfs -u -k 'all'

--- /root/dropbear-orig 2022-12-27 10:50:51.619568832 +0000
+++ /usr/share/initramfs-tools/scripts/init-bottom/dropbear 2022-12-27 11:00:26.055331525 +0000
@@ -79,6 +79,9 @@
 ip link set dev "$IFACE" down
 ip address flush dev "$IFACE"
 ip route flush dev "$IFACE"
+ if [ -f "/run/netplan/${IFACE}.yaml" ]; then
+ rm -f "/run/netplan/${IFACE}.yaml"
+ fi
 log_end_msg
 done
 fi
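Review bot: as in the clevis patch above, only the netplan fragment is removed here; /run/net-${IFACE}.conf, which the bug description says is written alongside it, survives. Since `rm -f` is already used, the `[ -f ]` test is redundant and the block can collapse to a single `rm -f "/run/netplan/${IFACE}.yaml" "/run/net-${IFACE}.conf"` after the `ip route flush` line.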
