Bug 2207878

Summary: NetworkManager should not enable loopback IPv6 without explicit configuration
Product: Red Hat Enterprise Linux 9 Reporter: Marko Myllynen <myllynen>
Component: NetworkManagerAssignee: Wen Liang <wenliang>
Status: VERIFIED --- QA Contact: Filip Pokryvka <fpokryvk>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.2CC: bgalvani, fpokryvk, lrintel, michele, rkhan, sfaye, sukulkar, thaller, till, vbenes
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: NetworkManager-1.43.90-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2229671 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2229671    
Attachments:
Description Flags
boot-journal.txt none

Description Marko Myllynen 2023-05-17 07:55:06 UTC 
Description of problem:
Installing RHEL 9.1, configuring the following sysctls, updating initramfs, and rebooting shows IPv6 being disabled on all interfaces after boot and the sysctl values in use as configured:

# cat /etc/sysctl.d/50-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

On the same system upgrading kernel to the latest (currently ~ RHEL 9.2) and rebooting still shows the same results.

However, after upgrading NetworkManager to the latest on the same system or doing a fresh RHEL 9.2 installation with the same configuration we see the loopback having IPv6 enabled and the related sysctl changed even when the configuration file sets it to 1:

# cat /proc/sys/net/ipv6/conf/lo/disable_ipv6
0
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

This procedure of disabling IPv6 is documented in the RHKB article and works on RHEL 7, RHEL 8, and RHEL 9.0-9.1. It would be preferable if RHEL 9.2 would continue working in the same manner. Perhaps NM managing the loopback device should be only opt-in without the need for opt-out anything. Thanks.
Comment 1 Thomas Haller 2023-05-18 11:30:04 UTC 
unless you configure a loopback profile in NetworkManager, NM shouldn't do anything with lo.

Please attach the complete journal from the boot, with `level=TRACE` enabled (see DEBUGGING in `man NetworkManager`).
Comment 2 Marko Myllynen 2023-05-23 07:57:30 UTC 
Created attachment 1966388 [details]
boot-journal.txt

I'm attaching the output of "/usr/bin/journalctl -b -n 50000 > boot-journal.txt" after booting up a test VM with:

# cat /etc/sysctl.d/50-ipv6.conf 
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# cat /proc/sys/net/ipv6/conf/lo/disable_ipv6
0

Let me know if any additional information is needed. Thanks.
Comment 3 Thomas Haller 2023-05-23 08:21:49 UTC 
> <info>  [1684828385.5587] device (lo): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
...
> <debug> [1684828385.5590] platform-linux: sysctl: setting '/proc/sys/net/ipv6/conf/lo/disable_ipv6' to '0' (current value is '1')


That's a bug that needs fixing.