On Tue, Jun 25, 2019, 17:12 Michael Biebl <bi...@debian.org> wrote:

> Control: severity -1 important
>
> Hi Raphael
>
> On Wed, 19 Jun 2019 22:33:21 +0200 Michael Biebl <bi...@debian.org> wrote:
> > Hi Raphael,
> >
> > On Tue, 11 Jun 2019 15:51:14 +0200 Raphael Hertzog <hert...@debian.org>
> > wrote:
> > > Hi,
> > >
> > > On Wed, 05 Jun 2019, Michael Biebl wrote:
> > > > systemd-networkd.service in v241 is locked down more tightly than v232.
> > > > It might be worth a try to comment out the hardening features one by one
> > > > to see if one of them causes your problem.
> > >
> > > Thanks for the idea! I tried that but it did not help. I found the issue
> > > after a few more tries tweaking the network configuration file. It's
> > > simply that the system has IPv6 disabled in the kernel policy while the
> > > .network file instructs to configure an IPv6 address.
> > >
> > > Both are contradictory but they happily lived together up to now.
> > > I don't know what changed but if we don't improve systemd-networkd
> > > to just skip IPv6 configuration when the kernel has a policy disabling
> > > IPv6, then we will have plenty of servers broken on upgrades because
> > > it's quite common to keep the network configuration file provided by
> > > the hoster and just disable IPv6 at the kernel level with sysctl:
> > >
> > > $ grep ipv6 /etc/sysctl.conf
> > > # Disable ipv6
> > > net.ipv6.conf.all.disable_ipv6 = 1
> > > net.ipv6.conf.default.disable_ipv6 = 1
> > > net.ipv6.conf.lo.disable_ipv6 = 1
> >
> > Ok, thanks for figuring out the root cause.
> > Given that this only happens under very special circumstances and
> > networkd not being enabled by default, I'm not entirely sure if this
> > issue should qualify as RC.
> > Cherry-picking the 6 upstream commits leads to a merge conflict when
> > applied on top of v241 and I haven't yet investigated if those can
> > easily be resolved.
> > TBH, I feel a bit uneasy doing this change so late in the release cycle
> > and personally I would downgrade this issue to non-RC and fix this via a
> > v243 upload to buster-backports.
> >
> > If you feel strongly about this though, please feel free to ask the release
> > team if the change is ok. A tested patch set would be great in this case.
>
> I haven't heard back from you and my current gut feeling is that this
> issue is not RC, so I'm downgrading it to important.
> I'm open to be persuaded otherwise though.
>
> Whether we are going to fix this via a stable point release or
> stretch-backports remains to be decided. The latter is easier for me, as
> it doesn't mean all the administrative overhead of a stable upload.

Perhaps the problem can be mitigated by a NEWS or release guide update.

Honestly, I don't think networkd should keep quiet about IPv6 being disabled when you explicitly set up an IPv6 address.

Saludos
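
A pre-upgrade check for the mismatch discussed in this thread, as an added example that is not part of any message above and not systemd or Debian code. The function names, the fixture file `50-hoster.network` and its documentation-range addresses are hypothetical, and treating a colon in an `Address=`/`Gateway=` value as an IPv6 literal is a heuristic.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): flag .network files that
# configure IPv6 while sysctl configuration disables it.

# Succeeds if any given sysctl file sets disable_ipv6 = 1 for "all" or "default".
ipv6_disabled_in_sysctl() {
    grep -Eqs '^[[:space:]]*net\.ipv6\.conf\.(all|default)\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$@"
}

# Prints "file:line" for each Address=/Gateway= entry whose value contains a
# colon, used here as a heuristic for an IPv6 literal.
ipv6_entries() {
    grep -EHs '^[[:space:]]*(Address|Gateway)[[:space:]]*=.*:' "$@"
}

# $1 = sysctl file, $2 = directory with .network files.
# Returns 1 and lists the offending entries when both conditions hold, else 0.
check_ipv6_mismatch() {
    ipv6_disabled_in_sysctl "$1" || return 0
    entries=$(ipv6_entries "$2"/*.network) || return 0
    printf 'IPv6 disabled in %s but configured in:\n%s\n' "$1" "$entries"
    return 1
}

# Constructed fixture: the sysctl lines quoted in the thread plus a
# hypothetical hoster-provided .network file using documentation addresses.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' '# Disable ipv6' 'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.default.disable_ipv6 = 1' > "$dir/sysctl.conf"
    printf '%s\n' '[Match]' 'Name=eth0' '[Network]' 'Address=192.0.2.10/24' \
        'Address=2001:db8::10/64' 'Gateway=2001:db8::1' > "$dir/50-hoster.network"
    echo "$dir"
}

fixture=$(make_fixture)
check_ipv6_mismatch "$fixture/sysctl.conf" "$fixture" || echo "resolve before upgrading"
rm -rf "$fixture"
```

On a real host the arguments would be `/etc/sysctl.conf` and `/etc/systemd/network`; settings under `/etc/sysctl.d/` and the running kernel value are not covered by this check.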