systemd-networkd fails with "could not set address: Permission denied" when IPv6 is disabled in the kernel

[rhertzog]

systemd version the issue has been seen with

241 and 242

Used distribution

Debian buster

Expected behaviour you didn't see

systemd-networkd configuring the network address

Unexpected behaviour you saw

systemd-networkd failed with "could not set address: Permission denied"

Steps to reproduce the problem
I upgraded a working server from Debian 9 (stretch) to Debian buster. Its network configuration was managed with system-networkd:

$ cat /etc/systemd/network/50-default.network
# This file sets the IP configuration of the primary (public) network device.
# You can also see this as "OSI Layer 3" config.
# It was created by the OVH installer, please be careful with modifications.
# Documentation: man systemd.network or
https://www.freedesktop.org/software/systemd/man/systemd.network.html

[Match]
MACAddress=ac:1f:6b:67:cd:e8

[Network]
Description=network interface on public network, with default route
DHCP=no
Address=54.39.104.6/24
Gateway=54.39.104.254
#IPv6AcceptRA=false
NTP=ntp.ovh.net
DNS=127.0.0.1
DNS=213.186.33.99
DNS=2001:41d0:3:163::1
Gateway=2607:5300:0203:39ff:ff:ff:ff:ff

[Address]
Address=2607:5300:0203:3906::/64

[Route]
Destination=2607:5300:0203:39ff:ff:ff:ff:ff
Scope=link
$ cat /etc/systemd/network/50-public-interface.link
# This file configures the relation between network device and device name.
# You can also see this as "OSI Layer 2" config.
# It was created by the OVH installer, please be careful with modifications.
# Documentation: man systemd.link or
https://www.freedesktop.org/software/systemd/man/systemd.link.html

[Match]
MACAddress=ac:1f:6b:67:cd:e8

[Link]
Description=network interface on public network, with default route
MACAddressPolicy=persistent
NamePolicy=kernel database onboard slot path mac
#Name=eth0      # name under which this interface is known under OVH rescue system
#Name=eno3      # name under which this interface is probably known by systemd

The ethernet card is managed by the "ixgbe" network driver:

$ lspci -v
[...]
03:00.0 Ethernet controller: Intel Corporation Ethernet Connection X552/X557-AT 10GBASE-T
        Subsystem: Super Micro Computer Inc Ethernet Connection X552/X557-AT 10GBASE-T
        Flags: bus master, fast devsel, latency 0, IRQ 11
        Memory at 383fffc00000 (64-bit, prefetchable)
        Memory at 383fffe04000 (64-bit, prefetchable)
        Expansion ROM at fb180000 [disabled]
        Capabilities: [40] Power Management version 3
        Capabilities: [50] MSI: Enable- Count=1/1 Maskable+ 64bit+
        Capabilities: [70] MSI-X: Enable+ Count=64 Masked-
        Capabilities: [a0] Express Endpoint, MSI 00
[...]
$ grep ixgbe /var/log/kern.log
May 23 21:19:38 euterpe kernel: [    1.896199] ixgbe: Intel(R) 10 Gigabit PCI Express Network Driver - version 5.1.0-k
May 23 21:19:38 euterpe kernel: [    1.908671] ixgbe: Copyright (c) 1999-2016 Intel Corporation.
May 23 21:19:38 euterpe kernel: [    3.471556] ixgbe 0000:03:00.0: Multiqueue Enabled: Rx Queue count = 8, Tx Queue count = 8 XDP Queue count = 0
May 23 21:19:38 euterpe kernel: [    3.619415] ixgbe 0000:03:00.0: MAC: 5, PHY: 7, PBA No: 023A00-000
May 23 21:19:38 euterpe kernel: [    3.628980] ixgbe 0000:03:00.0: ac:1f:6b:67:cd:e8
May 23 21:19:38 euterpe kernel: [    3.689232] ixgbe 0000:03:00.0: Intel(R) 10 Gigabit Network Connection
May 23 21:19:38 euterpe kernel: [    5.487530] ixgbe 0000:03:00.1: Multiqueue Enabled: Rx Queue count = 8, Tx Queue count = 8 XDP Queue count = 0
May 23 21:19:38 euterpe kernel: [    5.627263] ixgbe 0000:03:00.1: MAC: 5, PHY: 7, PBA No: 023A00-000
May 23 21:19:38 euterpe kernel: [    5.634459] ixgbe 0000:03:00.1: ac:1f:6b:67:cd:e9
May 23 21:19:38 euterpe kernel: [    5.696963] ixgbe 0000:03:00.1: Intel(R) 10 Gigabit Network Connection
May 23 21:19:38 euterpe kernel: [    5.707134] ixgbe 0000:03:00.1 eno4: renamed from eth1
May 23 21:19:38 euterpe kernel: [    5.733678] ixgbe 0000:03:00.0 eno3: renamed from eth0
May 23 21:19:39 euterpe kernel: [   22.934955] ixgbe 0000:03:00.0: registered PHC device on eno3
May 23 21:19:43 euterpe kernel: [   27.453172] ixgbe 0000:03:00.0 eno3: NIC Link is Up 1 Gbps, Flow Control: None

On reboot, the network did not came back and I saw the following messages:

$ grep systemd-networkd /var/log/syslog
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.socket: Incoming traffic
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.socket: Changed listening -> running
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.service: ConditionCapability=CAP_NET_ADMIN succeeded.
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.service: Passing 1 fds to service
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.service: About to execute: /lib/systemd/systemd-networkd
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.service: Forked /lib/systemd/systemd-networkd as 617
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.service: Changed dead -> start
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.service: User lookup succeeded: uid=101 gid=103
May 23 21:19:38 euterpe systemd[617]: systemd-networkd.service: Executing: /lib/systemd/systemd-networkd
May 23 21:19:38 euterpe systemd[1]: systemd-networkd.service: Got notification message from PID 617 (WATCHDOG=1)
May 23 21:19:39 euterpe systemd-networkd[617]: Enumeration completed
May 23 21:19:39 euterpe systemd[1]: systemd-networkd.service: Got notification message from PID 617 (READY=1, STATUS=Processing requests...)
May 23 21:19:39 euterpe systemd[1]: systemd-networkd.service: Changed start -> running
May 23 21:19:39 euterpe systemd[1]: systemd-networkd.service: Job 110 systemd-networkd.service/start finished, result=done
May 23 21:19:39 euterpe systemd-networkd[617]: lo: Removing non-existent address: ::1/128 (valid forever), ignoring
May 23 21:19:43 euterpe systemd-networkd[617]: eno3: Gained carrier
May 23 21:19:43 euterpe systemd-networkd[617]: eno3: could not set address: Permission denied

FWIW, I opened this bug on the Debian side too: https://bugs.debian.org/929469

[rhertzog]

I forgot to say that I tried to apply #12466 and #12505 but that did not fix the problem (I got rid of one error message, but not the one about "could not set address" that we see above).

[yuwata]

Could you provide debugging log of networkd? By creating the following, journal stores debugging logs:

# /etc/systemd/system/systemd-networkd.service.d/override.conf
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

Also, if possible, could you try with the current git master?

[yuwata]

On reboot, the network did not came back and I saw the following messages:

What does this mean? The issue happens only when machine is rebooted?
What happens when restarting networkd? Does systemctl restart systemd-networkd.service solve the issue?

[rhertzog]

On Fri, 24 May 2019, Yu Watanabe wrote: > On reboot, the network did not came back and I saw the following messages: What does this mean? The issue happens only when machine is rebooted? What happens when restarting `networkd`? Does `systemctl restart systemd-networkd.service` solve the issue?

I don't know, right now I don't have console access to the server. All the information I gathered was from rebooting the server in rescue mode and inspecting the logs in the filesystem. I will try to provide you the detailed logs.

…

-- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/

[rhertzog]

Here are the requested debug logs:

May 24 12:08:05 euterpe systemd[1]: systemd-networkd.service: ConditionCapability=CAP_NET_ADMIN succeeded.
May 24 12:08:05 euterpe systemd[1]: systemd-networkd.service: Passing 1 fds to service
May 24 12:08:05 euterpe systemd[1]: systemd-networkd.service: About to execute: /lib/systemd/systemd-networkd
May 24 12:08:05 euterpe systemd[1]: systemd-networkd.service: Forked /lib/systemd/systemd-networkd as 617
May 24 12:08:05 euterpe systemd[1]: systemd-networkd.service: Changed dead -> start
May 24 12:08:05 euterpe systemd[1]: systemd-networkd.service: User lookup succeeded: uid=101 gid=103
May 24 12:08:05 euterpe systemd[617]: systemd-networkd.service: Executing: /lib/systemd/systemd-networkd
May 24 12:08:05 euterpe systemd[1]: systemd-networkd.service: Got notification message from PID 617 (WATCHDOG=1)
May 24 12:08:05 euterpe systemd-networkd[617]: Bus bus-api-network: changing state UNSET → OPENING
May 24 12:08:05 euterpe systemd-networkd[617]: Bus bus-api-network: changing state OPENING → AUTHENTICATING
May 24 12:08:05 euterpe systemd-networkd[617]: timestamp of '/etc/systemd/network' changed
May 24 12:08:05 euterpe systemd-networkd[617]: timestamp of '/lib/systemd/network' changed
May 24 12:08:05 euterpe systemd-networkd[617]: No virtualization found in DMI
May 24 12:08:05 euterpe systemd-networkd[617]: No virtualization found in CPUID
May 24 12:08:05 euterpe systemd-networkd[617]: Virtualization XEN not found, /proc/xen does not exist
May 24 12:08:05 euterpe systemd-networkd[617]: This platform does not support /proc/device-tree
May 24 12:08:05 euterpe systemd-networkd[617]: UML virtualization not found in /proc/cpuinfo.
May 24 12:08:05 euterpe systemd-networkd[617]: This platform does not support /proc/sysinfo
May 24 12:08:05 euterpe systemd-networkd[617]: Found VM virtualization none
May 24 12:08:05 euterpe systemd-networkd[617]: /lib/systemd/network/80-container-host0.network: Conditions in the file do not match the system environment, skipping.
May 24 12:08:05 euterpe systemd-networkd[617]: eno4: New device has no master, continuing without
May 24 12:08:05 euterpe systemd-networkd[617]: eno4: Flags change: +MULTICAST +BROADCAST
May 24 12:08:05 euterpe systemd-networkd[617]: eno4: Link 3 added
May 24 12:08:05 euterpe systemd-networkd[617]: eno4: udev initialized link
May 24 12:08:05 euterpe systemd-networkd[617]: eno4: Saved original MTU: 1500
May 24 12:08:05 euterpe systemd-networkd[617]: eno3: New device has no master, continuing without
May 24 12:08:05 euterpe systemd-networkd[617]: eno3: Flags change: +MULTICAST +BROADCAST
May 24 12:08:05 euterpe systemd-networkd[617]: eno3: Link 2 added
May 24 12:08:05 euterpe systemd-networkd[617]: eno3: udev initialized link
May 24 12:08:05 euterpe systemd-networkd[617]: eno3: Saved original MTU: 1500
May 24 12:08:05 euterpe systemd-networkd[617]: lo: New device has no master, continuing without
May 24 12:08:05 euterpe systemd-networkd[617]: lo: Flags change: +LOOPBACK +UP +LOWER_UP +RUNNING
May 24 12:08:05 euterpe systemd-networkd[617]: lo: Link 1 added
May 24 12:08:05 euterpe systemd-networkd[617]: lo: udev initialized link
May 24 12:08:05 euterpe systemd-networkd[617]: lo: Saved original MTU: 65536
May 24 12:08:05 euterpe systemd-networkd[617]: lo: Adding address: 127.0.0.1/8 (valid forever)
May 24 12:08:05 euterpe systemd-networkd[617]: lo: Adding route: dst: 127.255.255.255/32, src: n/a, gw: n/a, prefsrc: 127.0.0.1
May 24 12:08:05 euterpe systemd-networkd[617]: lo: Adding route: dst: 127.0.0.1/32, src: n/a, gw: n/a, prefsrc: 127.0.0.1
May 24 12:08:05 euterpe systemd-networkd[617]: lo: Adding route: dst: 127.0.0.0/8, src: n/a, gw: n/a, prefsrc: 127.0.0.1
May 24 12:08:06 euterpe systemd-networkd[617]: lo: Adding route: dst: 127.0.0.0/32, src: n/a, gw: n/a, prefsrc: 127.0.0.1
May 24 12:08:06 euterpe systemd-networkd[617]: rtnl: received address with invalid family 129, ignoring
May 24 12:08:06 euterpe systemd-networkd[617]: rtnl: received address with invalid family 128, ignoring
May 24 12:08:06 euterpe systemd-networkd[617]: Enumeration completed
May 24 12:08:06 euterpe systemd[1]: systemd-networkd.service: Got notification message from PID 617 (READY=1, STATUS=Processing requests...)
May 24 12:08:06 euterpe systemd[1]: systemd-networkd.service: Changed start -> running
May 24 12:08:06 euterpe systemd[1]: systemd-networkd.service: Job 97 systemd-networkd.service/start finished, result=done
May 24 12:08:06 euterpe systemd-networkd[617]: Bus bus-api-network: changing state AUTHENTICATING → HELLO
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RequestName cookie=2 reply_cookie=0 signature=su error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=3 reply_cookie=0 signature=s error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_31 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=4 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.2 path=n/a interface=n/a member=n/a cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Bus bus-api-network: changing state HELLO → RUNNING
May 24 12:08:06 euterpe systemd-networkd[617]: lo: Removing route: dst: ::1/128, src: n/a, gw: n/a, prefsrc: n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Got message type=signal sender=org.freedesktop.DBus.Local destination=n/a path=/org/freedesktop/DBus/Local interface=org.freedesktop.DBus.Local member=Connected cookie=4294967295 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Got message type=signal sender=org.freedesktop.DBus destination=:1.2 path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameAcquired cookie=2 reply_cookie=0 signature=s error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Got message type=signal sender=org.freedesktop.DBus destination=:1.2 path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameAcquired cookie=3 reply_cookie=0 signature=s error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.2 path=n/a interface=n/a member=n/a cookie=4 reply_cookie=2 signature=u error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Successfully acquired requested service name.
May 24 12:08:06 euterpe systemd-networkd[617]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.2 path=n/a interface=n/a member=n/a cookie=5 reply_cookie=3 signature=n/a error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: Match type='signal',sender='org.freedesktop.login1',path='/org/freedesktop/login1',interface='org.freedesktop.login1.Manager',member='PrepareForSleep' successfully installed.
May 24 12:08:06 euterpe systemd-networkd[617]: lo: Removing route: dst: ::1/128, src: n/a, gw: n/a, prefsrc: n/a
May 24 12:08:06 euterpe systemd-networkd[617]: lo: Removing non-existent address: ::1/128 (valid forever), ignoring
May 24 12:08:06 euterpe systemd-networkd[617]: eno4: Link state is up-to-date
May 24 12:08:06 euterpe systemd-networkd[617]: eno4: Unmanaged
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_33 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=5 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: eno3: Link state is up-to-date
May 24 12:08:06 euterpe systemd-networkd[617]: eno3: found matching network '/etc/systemd/network/50-default.network'
May 24 12:08:06 euterpe systemd-networkd[617]: Setting '/proc/sys/net/ipv6/conf/eno3/proxy_ndp' to '0'
May 24 12:08:06 euterpe systemd-networkd[617]: Setting '/proc/sys/net/ipv6/conf/eno3/use_tempaddr' to '0'
May 24 12:08:06 euterpe systemd-networkd[617]: Setting '/proc/sys/net/ipv6/conf/eno3/accept_ra' to '0'
May 24 12:08:06 euterpe systemd-networkd[617]: eno3: Setting address genmode for link
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_32 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: eno3: Bringing link up
May 24 12:08:06 euterpe systemd-networkd[617]: lo: Link state is up-to-date
May 24 12:08:06 euterpe systemd-networkd[617]: lo: Unmanaged
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_31 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=7 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: eno3: Flags change: +UP
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_32 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=8 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:06 euterpe systemd-networkd[617]: LLDP: Started LLDP client
May 24 12:08:06 euterpe systemd-networkd[617]: eno3: Started LLDP.
May 24 12:08:06 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=9 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Flags change: +LOWER_UP +RUNNING
May 24 12:08:10 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_32 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=10 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Gained carrier
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Setting addresses
May 24 12:08:10 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=11 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Updating address: 54.39.104.6/24 (valid forever)
May 24 12:08:10 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_32 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=12 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:10 euterpe systemd-networkd[617]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=13 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Adding route: dst: 54.39.104.6/32, src: n/a, gw: n/a, prefsrc: 54.39.104.6
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Adding route: dst: 54.39.104.255/32, src: n/a, gw: n/a, prefsrc: 54.39.104.6
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Adding route: dst: 54.39.104.0/24, src: n/a, gw: n/a, prefsrc: 54.39.104.6
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Adding route: dst: 54.39.104.0/32, src: n/a, gw: n/a, prefsrc: 54.39.104.6
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: could not set address: Permission denied
May 24 12:08:10 euterpe systemd-networkd[617]: eno3: Addresses set

[rhertzog]

@yuwata How important is it to try with current git master? Do you have reasons to think it could be fixed? I already tried with the two pull requests that I identified as possibly related. Are there other changes that you think could be related?

Do the above logs help you in any way? I want to know if I should keep the server available for further debugging or if I can reset it to Debian stable and reuse it again...

[yuwata]

@rhertzog Sorry, I have no idea now why it fails. Please reset the machine if you need to use the machine with Debian stable.

BTW, which version works fine? That is, what version of systemd does Debian stable have?

[yuwata]

Do you have reasons to think it could be fixed? I already tried with the two pull requests that I identified as possibly related.

We have modified the logic about interfaces to be up recently. So, I'd like to know whether it works for your issue or not.

[rhertzog]

On Mon, 27 May 2019, Yu Watanabe wrote: BTW, which version works fine? That is, what version of systemd does Debian stable have?

Debian Stable has version 232-25+deb9u11

[ssahani]

Can you set Address via ip tool. It seems these is some permission issue.

[rhertzog]

@yuwata So I had the occasion to do more investigation and found the issue. The problem does still exist in git master as of 20190605 (when I built my snapshot).

The problem comes down to the fact that the network configuration file instructs to configure an IPv6 address but that system has a kernel policy disabling IPv6:

$ grep ipv6 /etc/sysctl.conf
# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

I don't know what changed between Debian 9 and Debian 10: is it the kernel returning an error when it was silently discarding any request related to IPv6? is it systemd-networkd that is more picky than before? is it the boot order that changed and systemd-sysctl.service is now run before systemd-networkd?

In any case, I don't think that it matters much. You could argue that the network configuration was broken and you would be right... but at the same time, you will break thousands of servers on upgrade (or whenever someone applies a similar policy to disable IPv6 through configuration management). IMO systemd should lookup if IPv6 was enabled or not and simply ignore IPv6 related configuration if it's disabled on the network interface that we're trying to configure.

For consistency, you might want to do the same for IPv4 (i.e. not configure IPv4 if it's disabled, not sure if it's actually possible at this point).

With this supplementary information it should now be easy to reproduce.

[mbiebl]

@rhertzog I don't quite get it: In your example config you configure an IPv6 address and set a IPv6 gateway and at the same time you disable ipv6 via sysctl? This sounds like it was only working by accident under Debian 9 i.e. v232.

[yuwata]

IMO systemd should lookup if IPv6 was enabled or not and simply ignore IPv6 related configuration if it's disabled on the network interface that we're trying to configure.

That make sence for me. But the same time, this is not our bug. @ssahani what do you think about that?

[rhertzog]

@mbiebl You must understand that the network configuration file was provided by the hoster (OVH) who did setup the dedicated server. But then we ran our usual configuration management on it which includes disabling IPv6... you can argue that we should cleanup the network configuration file during this process, but it's best when we don't have to muck around this part since this is clearly the hoster's business. And up to now, this was working just fine.

@yuwata It might not be your bug, but it's still a user-visible regression that will affect many systemd-networkd users. IPv6 is getting more widely deployed but there are still many admins who disable it to reduce the attack surface and because they haven't taken the time to think through all the consequences.

[yuwata]

@rhertzog Please test #12774. Thank you!

[ssahani]

@yuwata clearly a misconfiguration and warning patches are nice to let the user know what is going wrong.

[rhertzog]

@yuwata I made a quick test on a my laptop:

$ sudo sysctl net.ipv6.conf.default.disable_ipv6=1
$ cat /etc/systemd/network/test.netdev 
[NetDev]
Name=test
Kind=dummy
$ cat /etc/systemd/network/test.network 
[Match]
Name=test

[Network]
Address=192.168.5.1/24
Address=abcd:abcd:abcd:abcd::1/64

With this configuration IPv6 is disabled on the test interface when it's created. When I start systemd-network I still see the error:

$ sudo systemctl start systemd-networkd
$ sudo systemctl status systemd-networkd
● systemd-networkd.service - Network Service
   Loaded: loaded (/lib/systemd/system/systemd-networkd.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-13 11:22:21 CEST; 3min 23s ago
     Docs: man:systemd-networkd.service(8)
 Main PID: 17741 (systemd-network)
   Status: "Processing requests..."
    Tasks: 1
   Memory: 1.9M
   CGroup: /system.slice/systemd-networkd.service
           └─17741 /lib/systemd/systemd-networkd

juin 13 11:22:21 x260-buxy systemd[1]: Starting Network Service...
juin 13 11:22:21 x260-buxy systemd-networkd[17741]: test: netdev ready
juin 13 11:22:21 x260-buxy systemd-networkd[17741]: tun0: Gained IPv6LL
juin 13 11:22:21 x260-buxy systemd-networkd[17741]: enp0s31f6: Gained IPv6LL
juin 13 11:22:21 x260-buxy systemd-networkd[17741]: Enumeration completed
juin 13 11:22:21 x260-buxy systemd[1]: Started Network Service.
juin 13 11:22:21 x260-buxy systemd-networkd[17741]: test: netdev exists, using existing without changing its parameters
juin 13 11:22:21 x260-buxy systemd-networkd[17741]: test: could not set address: Permission denied

Looking through the code I see that it checks the value of net.ipv6.conf.all.disable_ipv6 and not the one of the specific device that is managed. I changed net.ipv6.conf.all.disable_ipv6 and tried again and got this:

$ sudo systemctl status systemd-networkd
● systemd-networkd.service - Network Service
   Loaded: loaded (/lib/systemd/system/systemd-networkd.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-13 11:30:07 CEST; 4s ago
     Docs: man:systemd-networkd.service(8)
 Main PID: 18032 (systemd-network)
   Status: "Processing requests..."
    Tasks: 1
   Memory: 1.7M
   CGroup: /system.slice/systemd-networkd.service
           └─18032 /lib/systemd/systemd-networkd

juin 13 11:30:07 x260-buxy systemd[1]: Starting Network Service...
juin 13 11:30:07 x260-buxy systemd-networkd[18032]: test: netdev ready
juin 13 11:30:07 x260-buxy systemd-networkd[18032]: Enumeration completed
juin 13 11:30:07 x260-buxy systemd[1]: Started Network Service.
juin 13 11:30:07 x260-buxy systemd-networkd[18032]: test: netdev exists, using existing without changing its parameters
juin 13 11:30:07 x260-buxy systemd-networkd[18032]: test: An IPv6 address is requested, but IPv6 is disabled by sysctl, ignoring.
juin 13 11:30:07 x260-buxy systemd-networkd[18032]: test: Configured

So I guess it's fixed for most cases where IPv6 is globally disabled. It might still be wrong for a few cases where it's only disabled on some specific interfaces.

[yuwata]

Please also test #12795. Thank you.

[rhertzog]

@yuwata I tested #12795 and it worked fine. Thank you!