"netplan apply" does not set file mode, umask 077 causes systemd-networkd to be unable to start

Bug #1736965 reported by Colin on 2017-12-07
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
netplan.io (Ubuntu) | | Undecided | Unassigned |
Bionic | | Undecided | Unassigned |
nplan (Ubuntu) | | Undecided | Unassigned |

Bug Description

[Impact]
Ubuntu users configuring a custom umask on their system

[Test case]
1) set UMASK in /etc/login.defs to 077
2) Configure netplan to use the networkd renderer, run 'sudo netplan apply'.
3) Verify that systemd-networkd applies the correct network configuration.

[Regression potential]
This enforces setting the umask for the netplan-generated configurations to a value that allows networkd to read the files for the configuration. If people rely on the umask, and have otherwise configured systemd-networkd to be able to get the configuration, this would defeat their umask change. The failure mode for this is something that isn't supported.

---

If you set your UMASK in /etc/login.defs to 077 then after running "netplan apply" systemd-networkd won't be able to read its configuration files and start:
systemd-networkd[2826]: Could not load configuration files: Permission denied

Annoyingly, to report such a thing as a bug you need a proper network connection with working DNS before you submit in ubuntu-bug, or it will just quit and lose the report. A workaround seems to be to run "ubuntu-bug nplan" then in another terminal run "umask 022" then "netplan apply" before submitting.

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: nplan 0.30
ProcVersionSignature: Ubuntu 4.13.0-17.20-generic 4.13.8
Uname: Linux 4.13.0-17-generic x86_64
ApportVersion: 2.20.7-0ubuntu3.5
Architecture: amd64
Date: Thu Dec 7 10:20:37 2017
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=screen
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: nplan
UpgradeStatus: No upgrade log present (probably fresh install)

Colin (colin-) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nplan (Ubuntu):
status: New → Confirmed

umask 027 is (obviously) sufficient to lead to the issue.

Our customer requires at least umask 027 for all Linux servers in a project. After performing the change "netplan apply" creates configuration files which are not readable by systemd-networkd when the service is restarted.

Daniel Axtens (daxtens) wrote :

Hi,

I have reproduced this on bionic, and proposed the following patch to fix it: https://github.com/CanonicalLtd/netplan/pull/36

Regards,
Daniel

Changed in netplan.io (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.40

---------------
netplan.io (0.40) cosmic; urgency=medium

  * New upstream release:
    - networkd: route source is PreferredSource= not From=
    - Improve NetworkManager error reporting on unrenderable routes.
    - Don't render ipv4 dns-search unless we have an ipv4 address.
      (LP: #1786726)
    - Set permissive umask on networkd .network, .link and .netdev files
      (LP: #1736965, LP: #1768560)
    - Fix support for link-scope routes. (LP: #1747455)
    - Update man pages for deletion of replug code.
    - Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
    - Many typo fixes for documentation. (LP: #1783940)
    - Various build system fixes.
    - Fix integration tests:
      - iproute2 output changes for link-scope routes
      - fix stability of networkd igmp-resend test
      - fix manual_addresses test now that networkd lists ~. domain
    - Deduplicate code for parsing interface options
    - Add support for optional-addresses.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 13 Sep 2018 17:29:41 -0400

Changed in netplan.io (Ubuntu):
status: In Progress → Fix Released
description: updated

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in netplan.io (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verification-done with netplan.io 0.40.1~18.04.1 on bionic:

ubuntu@new-man:~$ ls -l /run/systemd/network/
total 8
-rw-r--r-- 1 root root 83 Oct 9 17:14 10-netplan-ens6.link
-rw-r--r-- 1 root root 209 Oct 9 17:14 10-netplan-ens6.network
ubuntu@new-man:~$ sudo netplan generate
ubuntu@new-man:~$ ls -l /run/systemd/network/
total 8
-rw-r--r-- 1 root root 83 Oct 9 17:18 10-netplan-ens6.link
-rw-r--r-- 1 root root 209 Oct 9 17:18 10-netplan-ens6.network

After changing UMASK in /etc/login.defs and logging out, logging back in; I can validate that the files generated by netplan are still written with mode 644, which allows systemd-networkd to read them. This clearly deviates from previous behavior of incorrectly honouring UMASK for these files leading to systemd-networkd being unable to read them.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40.1~18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-bionic
removed: verification-done-bionic

Verification-done on bionic using netplan.io 0.40.1~18.04.2:

Verified that with umask set, netplan correctly generates the files for systemd with 644 permissions, and they are successfully read by systemd-networkd.

root@working-guinea:~# umask
0077
root@working-guinea:~# cd /run/systemd/system/
root@working-guinea:/run/systemd/system# ls
root@working-guinea:/run/systemd/system# cd ../network/
root@working-guinea:/run/systemd/network# ls
10-netplan-eth0.network 10-netplan-veth0.network
root@working-guinea:/run/systemd/network# ls -altr
total 8
-rw-r--r-- 1 root root 78 Oct 29 20:53 10-netplan-veth0.network
-rw-r--r-- 1 root root 100 Oct 29 20:53 10-netplan-eth0.network
drwxr-xr-x 2 root root 80 Oct 29 20:53 .
drwxr-xr-x 20 root root 480 Oct 29 20:53 ..
root@working-guinea:/run/systemd/network# touch toto
root@working-guinea:/run/systemd/network# ls -altr
total 8
-rw-r--r-- 1 root root 78 Oct 29 20:53 10-netplan-veth0.network
-rw-r--r-- 1 root root 100 Oct 29 20:53 10-netplan-eth0.network
drwxr-xr-x 20 root root 480 Oct 29 20:53 ..
-rw------- 1 root root 0 Oct 29 20:54 toto
drwxr-xr-x 2 root root 100 Oct 29 20:54 .
root@working-guinea:/run/systemd/network# netplan apply
root@working-guinea:/run/systemd/network# ls -latr
total 8
-rw------- 1 root root 0 Oct 29 20:54 toto
-rw-r--r-- 1 root root 78 Oct 29 20:54 10-netplan-veth0.network
-rw-r--r-- 1 root root 100 Oct 29 20:54 10-netplan-eth0.network
drwxr-xr-x 2 root root 100 Oct 29 20:54 .
drwxr-xr-x 21 root root 500 Oct 29 20:54 ..
root@working-guinea:/run/systemd/network# netplan generate
root@working-guinea:/run/systemd/network# ls -latr
total 8
-rw------- 1 root root 0 Oct 29 20:54 toto
drwxr-xr-x 21 root root 500 Oct 29 20:54 ..
-rw-r--r-- 1 root root 78 Oct 29 20:54 10-netplan-veth0.network
-rw-r--r-- 1 root root 100 Oct 29 20:54 10-netplan-eth0.network
drwxr-xr-x 2 root root 100 Oct 29 20:54 .

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.40.1~18.04.2

---------------
netplan.io (0.40.1~18.04.2) bionic; urgency=medium

  * Fix typo breaking rename on 'netplan apply'. (LP: #1770082)

netplan.io (0.40.1~18.04.1) bionic; urgency=medium

  * Backport netplan 0.40.1 to 18.04. (LP: #1793309)

netplan.io (0.40.1) cosmic; urgency=medium

  * tests/generate.py: use random.sample() instead of random.choices() to
    better support older pythons.
  * Deal gracefully with empty files on 'netplan apply' (LP: #1795343)

netplan.io (0.40) cosmic; urgency=medium

  * New upstream release:
    - networkd: route source is PreferredSource= not From=
    - Improve NetworkManager error reporting on unrenderable routes.
    - Don't render ipv4 dns-search unless we have an ipv4 address.
      (LP: #1786726)
    - Set permissive umask on networkd .network, .link and .netdev files
      (LP: #1736965, LP: #1768560)
    - Fix support for link-scope routes. (LP: #1747455)
    - Update man pages for deletion of replug code.
    - Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
    - Many typo fixes for documentation. (LP: #1783940)
    - Various build system fixes.
    - Fix integration tests:
      - iproute2 output changes for link-scope routes
      - fix stability of networkd igmp-resend test
      - fix manual_addresses test now that networkd lists ~. domain
    - Deduplicate code for parsing interface options
    - Add support for optional-addresses.

netplan.io (0.39) cosmic; urgency=medium

  * New upstream release:
    - Allow link-local addresses to be configured. (LP: #1771704)
    - Forces bridges with no addresses to be brought online. (LP: #1736975)

netplan.io (0.38) cosmic; urgency=medium

  * New upstream release:
    - Write udev .rules files to /run/udev/rules.d to enforce interface
      renaming. (LP: #1770082)
    - Don't traceback for 'netplan ip leases' when iface is not managed or
      doesn't DHCP (LP: #1768823)
    - Fix duplicate "/" path separator in error messages (LP: #1771440)
    - Fix incorrect terminal reset in 'netplan try' on Ctrl-C. (LP: #1768798)
    - Updated doc entries: mtu, fix fwmark->mark, cleanup optional.
      (LP: #1768783)
    - Added documentation validation at build.
    - Added configuration example for multi-ip interfaces.
  * tests/integration.py: fix test_eth_and_bridge autopkg test harder.
  * debian/control:
    - Add iproute2 to Depends.
    - Add python3-netifaces to Depends, Build-Depends.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 22 Oct 2018 15:02:30 -0400

Changed in netplan.io (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for netplan.io has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Steve Langasek (vorlon) on 2018-11-08
Changed in netplan.io (Ubuntu Bionic):
status: Fix Released → Fix Committed

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40.1~18.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-bionic
removed: verification-done-bionic

Resetting the tags to verification-done as per the discussion in https://bugs.launchpad.net/netplan/+bug/1770082/comments/95.

The SRU had been rolled back due to a regression that needed to be fixed, but we still consider the previous verification to be valid.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.40.1~18.04.3

---------------
netplan.io (0.40.1~18.04.3) bionic; urgency=medium

  * Fix idempotency in renaming: bond members should be exempt from rename, as
    they may all share a single MAC for the bond device. (LP: #1802322)
  * tests/integration.py: add test designed to catch the above regression.

netplan.io (0.40.1~18.04.2) bionic; urgency=medium

  * Fix typo breaking rename on 'netplan apply'. (LP: #1770082)

netplan.io (0.40.1~18.04.1) bionic; urgency=medium

  * Backport netplan 0.40.1 to 18.04. (LP: #1793309)

netplan.io (0.40.1) cosmic; urgency=medium

  * tests/generate.py: use random.sample() instead of random.choices() to
    better support older pythons.
  * Deal gracefully with empty files on 'netplan apply' (LP: #1795343)

netplan.io (0.40) cosmic; urgency=medium

  * New upstream release:
    - networkd: route source is PreferredSource= not From=
    - Improve NetworkManager error reporting on unrenderable routes.
    - Don't render ipv4 dns-search unless we have an ipv4 address.
      (LP: #1786726)
    - Set permissive umask on networkd .network, .link and .netdev files
      (LP: #1736965, LP: #1768560)
    - Fix support for link-scope routes. (LP: #1747455)
    - Update man pages for deletion of replug code.
    - Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
    - Many typo fixes for documentation. (LP: #1783940)
    - Various build system fixes.
    - Fix integration tests:
      - iproute2 output changes for link-scope routes
      - fix stability of networkd igmp-resend test
      - fix manual_addresses test now that networkd lists ~. domain
    - Deduplicate code for parsing interface options
    - Add support for optional-addresses.

netplan.io (0.39) cosmic; urgency=medium

  * New upstream release:
    - Allow link-local addresses to be configured. (LP: #1771704)
    - Forces bridges with no addresses to be brought online. (LP: #1736975)

netplan.io (0.38) cosmic; urgency=medium

  * New upstream release:
    - Write udev .rules files to /run/udev/rules.d to enforce interface
      renaming. (LP: #1770082)
    - Don't traceback for 'netplan ip leases' when iface is not managed or
      doesn't DHCP (LP: #1768823)
    - Fix duplicate "/" path separator in error messages (LP: #1771440)
    - Fix incorrect terminal reset in 'netplan try' on Ctrl-C. (LP: #1768798)
    - Updated doc entries: mtu, fix fwmark->mark, cleanup optional.
      (LP: #1768783)
    - Added documentation validation at build.
    - Added configuration example for multi-ip interfaces.
  * tests/integration.py: fix test_eth_and_bridge autopkg test harder.
  * debian/control:
    - Add iproute2 to Depends.
    - Add python3-netifaces to Depends, Build-Depends.

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 21 Nov 2018 14:42:59 -0500

Changed in netplan.io (Ubuntu Bionic):
status: Fix Committed → Fix Released