Netplan generates systemd-networkd config files with incorrect file permissions

Bug #1768560 reported by Corey Melanson on 2018-05-02
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
netplan
Medium
Unassigned
netplan.io (Ubuntu)
Medium
Unassigned
Bionic
Undecided
Unassigned

Bug Description

Hello,

If the umask is set to 077 in /etc/profile and /etc/bash.bashrc (to comply with CIS-CAT recommendations), the files that netplan generates in /run/systemd/network are created as 0600 and systemd-networkd will not start.

$ ls -l /run/systemd/network
total 4
-rw------- 1 root root 152 May 2 14:14 10-netplan-eth0.network

$ sudo systemctl start systemd-networkd
Job for systemd-networkd.service failed because the control process exited with error code.
See "systemctl status systemd-networkd.service" and "journalctl -xe" for details.

$ sudo journalctl -xe --no-pager --unit=systemd-networkd.service

May 02 14:39:45 ubuntu1804 systemd[1]: Starting Network Service...
-- Subject: Unit systemd-networkd.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit systemd-networkd.service has begun starting up.
May 02 14:39:45 ubuntu1804 systemd-networkd[8724]: Could not load configuration files: Permission denied
May 02 14:39:45 ubuntu1804 systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=1/FAILURE
May 02 14:39:45 ubuntu1804 systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
May 02 14:39:45 ubuntu1804 systemd[1]: Failed to start Network Service.
-- Subject: Unit systemd-networkd.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit systemd-networkd.service has failed.

If I modify the permissions, it will start fine.
$ sudo chmod 0644 /run/systemd/network/*.network
$ sudo systemctl start systemd-networkd
$ sudo systemctl status systemd-networkd
* systemd-networkd.service - Network Service
   Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-05-02 14:43:20 UTC; 20s ago

This is on Ubuntu 18.04 with netplan.io 0.36.1, which is being executed by cloud-init 18.2-14-g6d48d265-0ubuntu1.

Thank you,
Corey Melanson

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in netplan.io (Ubuntu):
status: New → Confirmed

Yes, should enforce proper permissions on the generated files.

Changed in netplan.io (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in netplan:
status: New → Triaged
importance: Undecided → Medium
Daniel Axtens (daxtens) wrote :

It looks like this and bug LP: #1736965 are duplicates.

I have proposed https://github.com/CanonicalLtd/netplan/pull/36 as a fix.

Regards,
Daniel

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.40

---------------
netplan.io (0.40) cosmic; urgency=medium

  * New upstream release:
    - networkd: route source is PreferredSource= not From=
    - Improve NetworkManager error reporting on unrenderable routes.
    - Don't render ipv4 dns-search unless we have an ipv4 address.
      (LP: #1786726)
    - Set permissive umask on networkd .network, .link and .netdev files
      (LP: #1736965, LP: #1768560)
    - Fix support for link-scope routes. (LP: #1747455)
    - Update man pages for deletion of replug code.
    - Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
    - Many typo fixes for documentation. (LP: #1783940)
    - Various build system fixes.
    - Fix integration tests:
      - iproute2 output changes for link-scope routes
      - fix stability of networkd igmp-resend test
      - fix manual_addresses test now that networkd lists ~. domain
    - Deduplicate code for parsing interface options
    - Add support for optional-addresses.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 13 Sep 2018 17:29:41 -0400

Changed in netplan.io (Ubuntu):
status: Triaged → Fix Released

Hello Corey, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in netplan.io (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Corey, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Marking verification-done since the master bug #1736965 was marked verification-done.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers