Netplan generates systemd-networkd config files with incorrect file permissions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
netplan | | Medium | Unassigned |
netplan.io (Ubuntu) | | Medium | Unassigned |
Bionic | | Undecided | Unassigned |
Bug Description
Hello,
If the umask is set to 077 in /etc/profile and /etc/bash.bashrc (to comply with CIS-CAT recommendations), the files that netplan generates in /run/systemd/
$ ls -l /run/systemd/
total 4
-rw------- 1 root root 152 May 2 14:14 10-netplan-
$ sudo systemctl start systemd-networkd
Job for systemd-
See "systemctl status systemd-
$ sudo journalctl -xe --no-pager --unit=
May 02 14:39:45 ubuntu1804 systemd[1]: Starting Network Service...
-- Subject: Unit systemd-
-- Defined-By: systemd
-- Support: http://
--
-- Unit systemd-
May 02 14:39:45 ubuntu1804 systemd-
May 02 14:39:45 ubuntu1804 systemd[1]: systemd-
May 02 14:39:45 ubuntu1804 systemd[1]: systemd-
May 02 14:39:45 ubuntu1804 systemd[1]: Failed to start Network Service.
-- Subject: Unit systemd-
-- Defined-By: systemd
-- Support: http://
--
-- Unit systemd-
If I modify the permissions, it will start fine.
$ sudo chmod 0644 /run/systemd/
$ sudo systemctl start systemd-networkd
$ sudo systemctl status systemd-networkd
* systemd-
Loaded: loaded (/lib/systemd/
Active: active (running) since Wed 2018-05-02 14:43:20 UTC; 20s ago
This is on Ubuntu 18.04 with netplan.io 0.36.1, which is being executed by cloud-init 18.2-14-
Thank you,
Corey Melanson
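The failure mode reported above, as an added C example (not netplan's code and not part of the original report): a generator that trusts the inherited umask produces a 0600 file under umask 077, while one that sets the mode explicitly does not. The temporary path, the interface name demo0 and the helper names are constructed for illustration; enforcing the mode with fchmod() is one possible approach and is not claimed to be the change netplan made.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write body to path and return the resulting permission bits, or -1.
 * force_mode == 0: rely on the inherited umask (the reported behaviour).
 * force_mode != 0: fchmod() to that mode so the umask cannot narrow it. */
static int write_config(const char *path, const char *body, mode_t force_mode)
{
    struct stat st;
    /* 0666 is only a request; the kernel clears the bits set in the umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0666);
    if (fd < 0)
        return -1;
    size_t len = strlen(body);
    if (write(fd, body, len) != (ssize_t)len ||
        (force_mode && fchmod(fd, force_mode) != 0) ||
        fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0777);
}

/* Do one write under the given umask in a private temp directory,
 * then restore the caller's umask and clean up. */
static int mode_under_umask(mode_t mask, mode_t force_mode)
{
    char dir[] = "/tmp/netplan-demo-XXXXXX";   /* constructed sample path */
    char path[128];
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/10-netplan-demo0.network", dir);
    mode_t old = umask(mask);
    int mode = write_config(path, "[Match]\nName=demo0\n", force_mode);
    umask(old);
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("umask 077, inherited: %04o\n", mode_under_umask(077, 0));
    printf("umask 077, enforced:  %04o\n", mode_under_umask(077, 0644));
    printf("umask 022, inherited: %04o\n", mode_under_umask(022, 0));
    return 0;
}
```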
Yes, should enforce proper permissions on the generated files.
Changed in netplan.io (Ubuntu): | |
status: | Confirmed → Triaged |
importance: | Undecided → Medium |
Changed in netplan: | |
status: | New → Triaged |
importance: | Undecided → Medium |
Daniel Axtens (daxtens) wrote : | #3 |
It looks like this and bug LP: #1736965 are duplicates.
I have proposed https:/
Regards,
Daniel
Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package netplan.io - 0.40
---------------
netplan.io (0.40) cosmic; urgency=medium
* New upstream release:
- networkd: route source is PreferredSource= not From=
- Improve NetworkManager error reporting on unrenderable routes.
- Don't render ipv4 dns-search unless we have an ipv4 address.
(LP: #1786726)
- Set permissive umask on networkd .network, .link and .netdev files
(LP: #1736965, LP: #1768560)
- Fix support for link-scope routes. (LP: #1747455)
- Update man pages for deletion of replug code.
- Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
- Many typo fixes for documentation. (LP: #1783940)
- Various build system fixes.
- Fix integration tests:
- iproute2 output changes for link-scope routes
- fix stability of networkd igmp-resend test
- fix manual_addresses test now that networkd lists ~. domain
- Deduplicate code for parsing interface options
- Add support for optional-addresses.
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 13 Sep 2018 17:29:41 -0400
Changed in netplan.io (Ubuntu): | |
status: | Triaged → Fix Released |
Hello Corey, or anyone else affected,
Accepted netplan.io into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in netplan.io (Ubuntu Bionic): | |
status: | New → Fix Committed |
tags: | added: verification-needed verification-needed-bionic |
Łukasz Zemczak (sil2100) wrote : | #6 |
Hello Corey, or anyone else affected,
Accepted netplan.io into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Marking verification-done since the master bug #1736965 was marked verification-done.
tags: |
added: verification-done-bionic removed: verification-needed verification-needed-bionic |
Brian Murray (brian-murray) wrote : | #8 |
Hello Corey, or anyone else affected,
Accepted netplan.io into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: |
added: verification-needed verification-needed-bionic removed: verification-done-bionic |
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package netplan.io - 0.40.1~18.04.2
---------------
netplan.io (0.40.1~18.04.2) bionic; urgency=medium
* Fix typo breaking rename on 'netplan apply'. (LP: #1770082)
netplan.io (0.40.1~18.04.1) bionic; urgency=medium
* Backport netplan 0.40.1 to 18.04. (LP: #1793309)
netplan.io (0.40.1) cosmic; urgency=medium
* tests/generate.py: use random.sample() instead of random.choices() to
better support older pythons.
* Deal gracefully with empty files on 'netplan apply' (LP: #1795343)
netplan.io (0.40) cosmic; urgency=medium
* New upstream release:
- networkd: route source is PreferredSource= not From=
- Improve NetworkManager error reporting on unrenderable routes.
- Don't render ipv4 dns-search unless we have an ipv4 address.
(LP: #1786726)
- Set permissive umask on networkd .network, .link and .netdev files
(LP: #1736965, LP: #1768560)
- Fix support for link-scope routes. (LP: #1747455)
- Update man pages for deletion of replug code.
- Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
- Many typo fixes for documentation. (LP: #1783940)
- Various build system fixes.
- Fix integration tests:
- iproute2 output changes for link-scope routes
- fix stability of networkd igmp-resend test
- fix manual_addresses test now that networkd lists ~. domain
- Deduplicate code for parsing interface options
- Add support for optional-addresses.
netplan.io (0.39) cosmic; urgency=medium
* New upstream release:
- Allow link-local addresses to be configured. (LP: #1771704)
- Forces bridges with no addresses to be brought online. (LP: #1736975)
netplan.io (0.38) cosmic; urgency=medium
* New upstream release:
- Write udev .rules files to /run/udev/rules.d to enforce interface
renaming. (LP: #1770082)
- Don't traceback for 'netplan ip leases' when iface is not managed or
doesn't DHCP (LP: #1768823)
- Fix duplicate "/" path separator in error messages (LP: #1771440)
- Fix incorrect terminal reset in 'netplan try' on Ctrl-C. (LP: #1768798)
- Updated doc entries: mtu, fix fwmark->mark, cleanup optional.
(LP: #1768783)
- Added documentation validation at build.
- Added configuration example for multi-ip interfaces.
* tests/integrati
* debian/control:
- Add iproute2 to Depends.
- Add python3-netifaces to Depends, Build-Depends.
-- Mathieu Trudel-Lapierre <email address hidden> Mon, 22 Oct 2018 15:02:30 -0400
Changed in netplan.io (Ubuntu Bionic): | |
status: | Fix Committed → Fix Released |
Adam Conrad (adconrad) wrote : | #10 |
Hello Corey, or anyone else affected,
Accepted netplan.io into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in netplan.io (Ubuntu Bionic): | |
status: | Fix Released → Fix Committed |
Resetting the tags to verification-done as per the discussion in https:/
The SRU had been rolled back due to a regression that needed to be fixed, but we still consider the previous verification to be valid.
tags: |
added: verification-done-bionic removed: verification-needed verification-needed-bionic |
Launchpad Janitor (janitor) wrote : | #12 |
This bug was fixed in the package netplan.io - 0.40.1~18.04.3
---------------
netplan.io (0.40.1~18.04.3) bionic; urgency=medium
* Fix idempotency in renaming: bond members should be exempt from rename, as
they may all share a single MAC for the bond device. (LP: #1802322)
* tests/integrati
-- Mathieu Trudel-Lapierre <email address hidden> Wed, 21 Nov 2018 14:42:59 -0500
Changed in netplan.io (Ubuntu Bionic): | |
status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for netplan.io has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Status changed to 'Confirmed' because the bug affects multiple users.