"netplan apply" does not set file mode, umask 077 causes systemd-networkd to be unable to start

Bug #1736965 reported by Colin on 2017-12-07
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
netplan.io (Ubuntu) | | Undecided | Unassigned |
Bionic | | Undecided | Unassigned |
nplan (Ubuntu) | | Undecided | Unassigned |

Bug Description

[Impact]
Ubuntu users configuring a custom umask on their system

[Test case]
1) set UMASK in /etc/login.defs to 077
2) Configure netplan to use the networkd renderer, run 'sudo netplan apply'.
3) Verify that systemd-network applies the correct network configuration.

[Regression potential]
This enforces setting the umask for the netplan-generated configurations to a value that allows networkd to read the files for the configuration. If people rely on the umask, and have otherwise configured systemd-networkd to be able to get the configuration, this would defeat their umask change. The failure mode for this is something that isn't supported.

---

If you set your UMASK in /etc/login.defs to 077 then after running "netplan apply" systemd-networkd won't be able to read its configuration files and start:
systemd-networkd[2826]: Could not load configuration files: Permission denied

Annoyingly, to report such a thing as a bug you need a proper network connection with working DNS before you submit in ubuntu-bug or it will just quit and lose the report. A workaround seems to be to run "ubuntu-bug nplan" then in another terminal run "umask 022" then "netplan apply" before submitting.

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: nplan 0.30
ProcVersionSignature: Ubuntu 4.13.0-17.20-generic 4.13.8
Uname: Linux 4.13.0-17-generic x86_64
ApportVersion: 2.20.7-0ubuntu3.5
Architecture: amd64
Date: Thu Dec 7 10:20:37 2017
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=screen
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: nplan
UpgradeStatus: No upgrade log present (probably fresh install)

Colin (colin-) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nplan (Ubuntu):
status: New → Confirmed

umask 027 is (obviously) sufficient to lead to the issue.

Our customer requires at least umask 027 for all Linux servers in a project. After performing the change, "netplan apply" creates configuration files which are not readable by systemd-networkd when the service is restarted.

Daniel Axtens (daxtens) wrote :

Hi,

I have reproduced this on bionic, and proposed the following patch to fix it: https://github.com/CanonicalLtd/netplan/pull/36

Regards,
Daniel

Changed in netplan.io (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.40

---------------
netplan.io (0.40) cosmic; urgency=medium

  * New upstream release:
    - networkd: route source is PreferredSource= not From=
    - Improve NetworkManager error reporting on unrenderable routes.
    - Don't render ipv4 dns-search unless we have an ipv4 address.
      (LP: #1786726)
    - Set permissive umask on networkd .network, .link and .netdev files
      (LP: #1736965, LP: #1768560)
    - Fix support for link-scope routes. (LP: #1747455)
    - Update man pages for deletion of replug code.
    - Spell Gratuitous ARP correctly and make it work. (LP: #1756701)
    - Many typo fixes for documentation. (LP: #1783940)
    - Various build system fixes.
    - Fix integration tests:
      - iproute2 output changes for link-scope routes
      - fix stability of networkd igmp-resend test
      - fix manual_addresses test now that networkd lists ~. domain
    - Deduplicate code for parsing interface options
    - Add support for optional-addresses.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 13 Sep 2018 17:29:41 -0400

Changed in netplan.io (Ubuntu):
status: In Progress → Fix Released
description: updated

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in netplan.io (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Colin, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.40.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verification-done with netplan.io 0.40.1~18.04.1 on bionic:

ubuntu@new-man:~$ ls -l /run/systemd/network/
total 8
-rw-r--r-- 1 root root 83 Oct 9 17:14 10-netplan-ens6.link
-rw-r--r-- 1 root root 209 Oct 9 17:14 10-netplan-ens6.network
ubuntu@new-man:~$ sudo netplan generate
ubuntu@new-man:~$ ls -l /run/systemd/network/
total 8
-rw-r--r-- 1 root root 83 Oct 9 17:18 10-netplan-ens6.link
-rw-r--r-- 1 root root 209 Oct 9 17:18 10-netplan-ens6.network

After changing UMASK in /etc/login.defs, logging out and logging back in, I can validate that the files generated by netplan are still written with mode 644, which allows systemd-networkd to read them. This clearly deviates from previous behavior of incorrectly honouring UMASK for these files, leading to systemd-networkd being unable to read them.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
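
The effect discussed in this report, as an added example (not code from netplan or from anyone in this thread): a file created with the inherited umask loses its "other" read bit under 027 or 077, while setting umask 022 around the write yields 0644 regardless. The path, sample content and function names are constructed for illustration, and the reader is assumed to be neither the owner nor in the group of the root-owned files.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample content, modelled on a networkd .network file. */
static const char SAMPLE[] = "[Match]\nName=ens6\n\n[Network]\nDHCP=ipv4\n";

/* Create a file under caller_umask and return its permission bits (-1 on
 * error). force_permissive=0 inherits the umask, as in the report;
 * force_permissive=1 sets umask 022 around the write (assumed approach). */
static int mode_under(mode_t caller_umask, int force_permissive)
{
    char path[64];
    struct stat st;
    int mode = -1;
    snprintf(path, sizeof path, "/tmp/umask-demo-%ld.network", (long)getpid());
    mode_t saved = umask(caller_umask);   /* simulate the admin's umask */
    if (force_permissive)
        umask(022);                       /* generator overrides it */
    unlink(path);
    /* O_EXCL refuses a pre-existing file or symlink at this path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd >= 0) {
        ssize_t n = write(fd, SAMPLE, sizeof SAMPLE - 1);
        if (n == (ssize_t)(sizeof SAMPLE - 1) && fstat(fd, &st) == 0)
            mode = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    umask(saved);                         /* restore the real umask */
    return mode;
}

/* A reader that is neither owner nor group member needs the "other" read bit. */
static int readable_by_other(int mode)
{
    return mode >= 0 && (mode & S_IROTH) != 0;
}

int main(void)
{
    const mode_t masks[] = { 022, 027, 077 };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        int m = mode_under(masks[i], 0);
        printf("umask %03o: inherited %04o (%s), forced 022 %04o\n",
               (unsigned)masks[i], (unsigned)m,
               readable_by_other(m) ? "readable" : "unreadable",
               (unsigned)mode_under(masks[i], 1));
    }
    return 0;
}
```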