"unconfigured" NIC can still get IPv6 addresses via RA

Bug #1655440 reported by Andreas Hasenack
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
MAAS | Invalid | Wishlist | Unassigned |
Netplan | Fix Released | High | Mathieu Trudel-Lapierre |
curtin | Invalid | Undecided | Unassigned |
nplan (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre |
nplan (Ubuntu Xenial) | Fix Released | High | Mathieu Trudel-Lapierre |
nplan (Ubuntu Zesty) | Fix Released | Undecided | Unassigned |

Bug Description

[Impact]
Some users omit configuration for some interfaces, and expect that the lack of configuration translates to "no IP address" on the interface, as per netplan documentation.

[Test case]
/!\ Requires an IPv6-capable network.
1) Update nplan.
2) Ensure the nplan configuration includes the 'accept-ra: no' option.
3) Run 'netplan apply'
4) Verify that there is no IPv6 address set for the interface where 'accept-ra: no' is set, using 'ip -6 addr'.

[Regression potential]
Incorrect configuration of the IPv6 addresses on a device would constitute a regression: for instance, getting an IPv6 SLAAC address when 'accept-ra: no' is set; or no IPv6 address when RAs are being received and 'accept-ra' is not set. Furthermore, possible regressions may look like incorrect IPv6 configuration or missing options on IPv6 or IPv4 setups, in the form of not retrieving an IP address or getting the wrong IP.

---

TL;DR A MAAS NIC that is set to "unconfigured" (or "link up") will get no IPv4 address, but it might still get an IPv6 address via router advertisements (RA), if there is such a service in that network segment.

Whether this is a bug or not is up for discussion. That's the point of this ticket, actually, so that this discussion can be had and be recorded.

We found out about this when we couldn't get any connectivity to instances of an openstack cloud deployed by the autopilot.

After much debugging, we found that the problem was with the br-data bridge on the neutron-gateway node: it didn't have the external NIC (eth1) as part of the bridge.

The neutron-gateway charm, before adding any NIC to a bridge, performs certain checks to see if it's really unused. One of these checks looks for IP addresses on the NIC, both IPv4 and IPv6. In MAAS, that node had eth1 set to "unconfigured", so that eth1 is just "up", but has no IP (v4) address. Turns out this NIC had gotten an IPv6 ULA from an openwrt router in that network segment. That was enough for the charm to not add it to the br-data bridge, thus breaking connectivity to openstack instances that were later brought up.

We shut down the RA service on the openwrt router and then everything worked as expected.
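
The check from the [Test case] above, written as a repeatable audit; this is an added example, not part of the original report or of netplan, MAAS or the neutron-gateway charm. It reads 'ip -6 -o addr show' output and flags any non-link-local IPv6 address on interfaces that are expected to be unconfigured; the function names, interface names and sample addresses are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report non-link-local IPv6 addresses on NICs that are meant
# to stay unconfigured (MAAS "unconfigured"/"link up", or netplan with):
#   network:
#     version: 2
#     ethernets:
#       eth1:              # interface name is an assumption
#         accept-ra: no
# Function names, interface names and sample addresses are constructed.

# non_link_local_v6 IFACE...
# stdin:  output of `ip -6 -o addr show`.
# stdout: "<iface> <addr/prefix> <ula|global> <dynamic|permanent>" for every
#         address on the named interfaces whose scope is neither link nor host.
non_link_local_v6() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        $3 == "inet6" && ($2 in watch) {
            scope = ""; life = "permanent"
            for (i = 5; i <= NF; i++) {
                if ($i == "scope")   scope = $(i + 1)
                if ($i == "dynamic") life = "dynamic"   # address has a finite lifetime
            }
            # Link-local and loopback addresses are not assigned from RA prefixes.
            if (scope == "link" || scope == "host") next
            # fc00::/7 is the unique local (ULA) range, the kind seen in the report.
            kind = (tolower($4) ~ /^f[cd][0-9a-f][0-9a-f]:/) ? "ula" : "global"
            print $2, $4, kind, life
        }'
}

# audit_unconfigured IFACE...
# Same stdin. Returns 0 if no named interface holds such an address,
# otherwise prints the findings and returns 1.
audit_unconfigured() {
    findings=$(non_link_local_v6 "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample of `ip -6 -o addr show` output (not captured from a real
# host): eth0 is statically configured, eth1 picked up a ULA, eth2 is clean.
SAMPLE='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:10::15/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet6 fd3c:91a2:77e0:0:5054:ff:fe00:2/64 scope global dynamic mngtmpaddr \       valid_lft 7100sec preferred_lft 3500sec
3: eth1    inet6 fe80::5054:ff:fe00:2/64 scope link \       valid_lft forever preferred_lft forever
4: eth2    inet6 fe80::5054:ff:fe00:3/64 scope link \       valid_lft forever preferred_lft forever'

# Live use on a deployed node:  ip -6 -o addr show | audit_unconfigured eth1
printf '%s\n' "$SAMPLE" | audit_unconfigured eth1 eth2 \
    || echo "unexpected IPv6 address on an interface expected to be unconfigured"
```

Run after 'netplan apply' (and again after a router advertisement interval has passed), a non-zero exit means an interface that was meant to carry no address has become reachable over IPv6.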

Revision history for this message
Mike Pontillo (mpontillo) wrote :

This is an Ubuntu default setting, and MAAS does not currently change operating-system-specific settings upon deployment. This could be rendered in a pre-up script for ifupdown, but my understanding is that pre-up scripts will not be available under netplan and networkd.

In order for us to disable the acceptance of IPv6 router advertisements, we would either need to disable IPv6 completely, such as by modifying this sysctl:

net.ipv6.conf.<all|ifname>.disable_ipv6

... or disable just the acceptance of IPv6 router advertisements using this sysctl:

net.ipv6.conf.<all|ifname>.accept_ra

I think it seems reasonable that MAAS should be able to configure these settings. However, this is a decision that goes beyond just MAAS. (I'll add curtin to this bug.)

Changed in maas:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Mike Pontillo (mpontillo) wrote :

Also adding 'netplan'; from what I've seen so far, this is not yet possible to configure.

Revision history for this message
Mike Pontillo (mpontillo) wrote :

For the record, there is a workaround in MAAS if you want your deployed nodes to be IPv6-free: use the "ipv6.disable=1" kernel parameter. This can be done as a tag if you want it to happen on a per-machine basis, or you can use the settings page to create a global default kernel setting.

Related is bug #1663340, however; MAAS itself currently uses IPv4-mapped IPv6 addresses in its operation, so is not able to operate in such an environment.

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Please avoid disabling IPv6 using "ipv6.disable=1". This breaks socket() AF_INET6, which can cripple other software depending on the ability to open sockets() of the AF_INET6 family, even if the system should not use IPv6. It is usually safer to use "ipv6.disable_ipv6=1" instead, which will avoid setting addresses to the interfaces but still not break AF_INET6.

We can look into toggling receiving RAs as IPv6-specific settings.

Changed in netplan:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Revision history for this message
Mike Pontillo (mpontillo) wrote :

Indeed, this workaround also breaks the MAAS region itself. ;-)

+1 to ipv6.disable_ipv6 if this is necessary, just note that this allows IPv6 to be enabled without a reboot via sysctl (which apparently isn't acceptable in some highly-strict environments).

Changed in nplan (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nplan - 0.25

---------------
nplan (0.25) artful; urgency=medium

  * tests/generate.py: add a test to validate that correct blacklist entries
    are added when creating virtual devices.
  * tests/integration.py: clean up after br0 in networkd's test_bridge_mac; as
    the remaining interface and udev configuration can confuse NetworkManager
    now that it seems to manage random devices it did not create again.
    (LP: #1699371)
  * src/nm.c: set the MTU even though we also specify it in systemd-networkd
    for consumption by udev. NetworkManager will try to set it and might
    otherwise default to the wrong value.
  * src/networkd.c: Set IPv6AcceptRA=no anytime we don't do DHCPv6 (or by the
    same config, SLAAC), and don't have static addresses set. This should fix
    the cases where unconfigured devices still get an IPv6 address.
    (LP: #1655440)
  * src/nm.c: Explicitly set IPv6 method=ignore when IPv6 is otherwise not
    configured; this follows the same logic as setting IPv6AcceptRA=no in
    networkd, with the exception that NM does not currently disable RAs. When
    it does, an unconfigured device for IPv6 will truly be left with no config.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 13 Jul 2017 16:22:18 -0400

Changed in nplan (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Uploaded in nplan 0.25 to artful, so it's Fix Released upstream as well...

Changed in netplan:
status: Triaged → Fix Released
Changed in nplan (Ubuntu Xenial):
importance: Undecided → High
status: New → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
description: updated
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

After much thought, I think it's better to keep the default as being as "open" as possible, and taking any step we can to provide some working network by default (that is, accepting RAs by default).

I'll be adding a key in netplan to allow disabling RAs independently.

description: updated
tags: added: id-5966b7c8f96a052f6904d7cb
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Andreas, or anyone else affected,

Accepted nplan into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nplan/0.29~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nplan (Ubuntu Zesty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-zesty
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Andreas, or anyone else affected,

Accepted nplan into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nplan/0.29~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nplan (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on xenial for nplan 0.29~16.04.1:

With accept-ra: no; RAs are no longer used to configure an IPv6 address. Network and kernel behave normally when accept-ra: is not set.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on zesty for nplan 0.29~17.04.1:

With accept-ra: no; RAs are no longer used to configure an IPv6 address. Network and kernel behave normally when accept-ra: is not set.

tags: added: verification-done-zesty
removed: verification-needed verification-needed-zesty
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Andreas, or anyone else affected,

Accepted nplan into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nplan/0.32~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed verification-needed-zesty
removed: verification-done-zesty
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Andreas, or anyone else affected,

Accepted nplan into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nplan/0.32~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed-xenial
removed: verification-done-xenial
tags: added: verification-failed-xenial
removed: verification-needed-xenial
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

nplan 0.32~16.04.2 fails to build because I mismerged 0.32 and broke the code skipping the test_routes_v6 test in the NetworkManager case. Therefore, it can't possibly pass SRU verification.

Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Andreas, or anyone else affected,

Accepted nplan into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nplan/0.32~16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed-xenial
removed: verification-failed-xenial
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Autopktests still failing for xenial; the test is still not being skipped (we know it won't work on Xenial due to the version of NM shipped there). Marking verification-failed-xenial.

tags: added: verification-failed-xenial
removed: verification-needed-xenial
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Andreas, or anyone else affected,

Accepted nplan into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nplan/0.32~16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed-xenial
removed: verification-failed-xenial
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on xenial for nplan 0.32~16.04.3:
Verification-done on zesty for nplan 0.32~17.04.1:

With accept-ra: no; RAs are no longer used to configure an IPv6 address. Network and kernel behave normally when accept-ra: is not set.

tags: added: verification-done-xenial verification-done-zesty
removed: verification-needed verification-needed-xenial verification-needed-zesty
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nplan - 0.32~16.04.3

---------------
nplan (0.32~16.04.3) xenial; urgency=medium

  * tests/integration.py: Really fix skipping test_routes_v6 for the NM
    backend.

nplan (0.32~16.04.2) xenial; urgency=medium

  * tests/integration.py: Fix test_routes_v6 that I clobbered when I re-applied
    the skip rules for 16.04 after merging in 0.32.

nplan (0.32~16.04.1) xenial; urgency=medium

  * Backport netplan 0.32 to 16.04. (LP: #1713142)
  * debian/control: Depend on systemd (>= 229-4ubuntu20) for the PrimarySlave
    feature backported in that revision.
  * tests/integration.py: Skip tests that are still not yet supported in xenial

nplan (0.32) bionic; urgency=medium

  * src/nm.c: better handle the UUID generation; the order of iterating
    through interaces may affect things here. Also make sure the tests catch
    a null UUID.

nplan (0.31) bionic; urgency=medium

  [ Mathieu Trudel-Lapierre ]
  * src/nm.c: generate a UUID for a connection only as needed; when we're
    dealing with NM VLANs. (LP: #1712921)
  * debian/tests/autostart: Make the autostart test more verbose and avoid
    failing right from the start when systemd-networkd is disabled.
    (LP: #1699371)
  * tests/integration.py: bump the NetworkManager timeout for settling to
    120 seconds, autopkgtest infrastructure tends to be a little slow for the
    network device configuration to be applied and noticed by NM.
    (LP: #1699371)

  [ Dimitri John Ledkov ]
  * Reload udevd to invalidate configuration cache of .rules/.link files
    as generate step may have changed them. LP: #1669564

  [ Dan Streetman ]
  * Add another interface driver exception to netplan replug to prevent unbind
    of the Xen VIF interfaces. (LP: #1729573)

nplan (0.30) artful; urgency=medium

  * Add an "optional" syntax node for now to all devices. This is unimplemented
    for now, but intended to allow users to mark some devices as optional: to
    make sure they do not delay boot when configured. (LP: #1664844)

nplan (0.29) artful; urgency=medium

  * Fix autopkgtests in a world where /run/NetworkManager/conf.d already
    exists. nplan is enabled by default, so it might well have the directory
    already created on the filesystem.

nplan (0.28) artful; urgency=medium

  * Revert 56cd3eec which disabled IPv6 Router Advertisements by default. It
    broke default network config in LXD and was contrary to the defaults used
    by the kernel. Reopens LP: 1655440. (LP: #1717404)
  * Add "accept-ra:" key for all device types; this will default to OFF but
    allow users to disable processing Router Advertisements when required by
    their network setup. (LP: #1655440)

nplan (0.27) artful; urgency=medium

  [ Mathieu Trudel-Lapierre ]
  * Fix crash in systemd generator if called by an user on the command-line
  * coverage: fix exclusions to properly not cover our "never reached defaults"

  [ Dimitri John Ledkov ]
  * tests/integration.py: In teardown, stop systemd-networkd.socket.
  * src/networkd.c: Set UseMTU=true by default, whenever DHCP is in use.
    (LP: #1717471)
  * tests/integration.py: fix resolved detection.

nplan (0.26) artful; urgency=medium

 ...


Changed in nplan (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for nplan has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nplan - 0.32~17.04.1

---------------
nplan (0.32~17.04.1) zesty; urgency=medium

  * Backport 0.32 to 17.04. (LP: #1713142)

nplan (0.32) bionic; urgency=medium

  * src/nm.c: better handle the UUID generation; the order of iterating
    through interaces may affect things here. Also make sure the tests catch
    a null UUID.

nplan (0.31) bionic; urgency=medium

  [ Mathieu Trudel-Lapierre ]
  * src/nm.c: generate a UUID for a connection only as needed; when we're
    dealing with NM VLANs. (LP: #1712921)
  * debian/tests/autostart: Make the autostart test more verbose and avoid
    failing right from the start when systemd-networkd is disabled.
    (LP: #1699371)
  * tests/integration.py: bump the NetworkManager timeout for settling to
    120 seconds, autopkgtest infrastructure tends to be a little slow for the
    network device configuration to be applied and noticed by NM.
    (LP: #1699371)

  [ Dimitri John Ledkov ]
  * Reload udevd to invalidate configuration cache of .rules/.link files
    as generate step may have changed them. LP: #1669564

  [ Dan Streetman ]
  * Add another interface driver exception to netplan replug to prevent unbind
    of the Xen VIF interfaces. (LP: #1729573)

nplan (0.30) artful; urgency=medium

  * Add an "optional" syntax node for now to all devices. This is unimplemented
    for now, but intended to allow users to mark some devices as optional: to
    make sure they do not delay boot when configured. (LP: #1664844)

nplan (0.29) artful; urgency=medium

  * Fix autopkgtests in a world where /run/NetworkManager/conf.d already
    exists. nplan is enabled by default, so it might well have the directory
    already created on the filesystem.

nplan (0.28) artful; urgency=medium

  * Revert 56cd3eec which disabled IPv6 Router Advertisements by default. It
    broke default network config in LXD and was contrary to the defaults used
    by the kernel. Reopens LP: 1655440. (LP: #1717404)
  * Add "accept-ra:" key for all device types; this will default to OFF but
    allow users to disable processing Router Advertisements when required by
    their network setup. (LP: #1655440)

nplan (0.27) artful; urgency=medium

  [ Mathieu Trudel-Lapierre ]
  * Fix crash in systemd generator if called by an user on the command-line
  * coverage: fix exclusions to properly not cover our "never reached defaults"

  [ Dimitri John Ledkov ]
  * tests/integration.py: In teardown, stop systemd-networkd.socket.
  * src/networkd.c: Set UseMTU=true by default, whenever DHCP is in use.
    (LP: #1717471)
  * tests/integration.py: fix resolved detection.

nplan (0.26) artful; urgency=medium

  * Bonding:
    - Add support for specifying a primary slave. (LP: #1709135)
  * Rebind:
    - Fix brcmfmac harder. Treat any 'brcmfmac' driver as not supporting
      rebind. (LP: #1712224)
  * Autopkgtests:
    - Add allow-stderr. Systemd now bleats about a the networkd socket still
      being around and enabled when we restart the service; but we don't need
      to care since we're /restarting/ the service to load the new config.
    - Fix the autostart package to be more sensible: we don't really care if
 ...


Changed in nplan (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Ryan Harper (raharper) wrote :

Curtin will pass the MAAS provided network config to the target. In netplan format, the accept-ra configuration is present and this will be passed through to the target system and reflected in the installed system. I'm marking the curtin portion here invalid. If curtin does need to do something (for say xenial deployments/ifupdown) then please re-open the task and we'll triage accordingly.

Changed in curtin:
status: New → Invalid
Revision history for this message
Adam Collard (adam-collard) wrote :

This bug has not seen any activity in the last 6 months, so it is being automatically closed.

If you are still experiencing this issue, please feel free to re-open.

MAAS Team

Changed in maas:
status: Triaged → Invalid