Bug 2207878 - NetworkManager should not enable loopback IPv6 without explicit configuration
Summary: NetworkManager should not enable loopback IPv6 without explicit configuration
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: NetworkManager
Version: 9.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Wen Liang
QA Contact: Filip Pokryvka
URL:
Whiteboard:
Depends On:
Blocks: 2229671
TreeView+ depends on / blocked
 
Reported: 2023-05-17 07:55 UTC by Marko Myllynen
Modified: 2023-08-07 09:48 UTC (History)
10 users (show)

Fixed In Version: NetworkManager-1.43.90-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 2229671 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
boot-journal.txt (289.94 KB, text/plain)
2023-05-23 07:57 UTC, Marko Myllynen 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker NMT-555 0 None None None 2023-05-17 07:56:40 UTC
Red Hat Issue Tracker RHELPLAN-157456 0 None None None 2023-05-17 07:56:46 UTC
freedesktop.org Gitlab NetworkManager NetworkManager-ci merge_requests 1462 0 None merged ipv6: do not enable IPv6 on externally connected device 2023-08-07 09:00:53 UTC
freedesktop.org Gitlab NetworkManager NetworkManager merge_requests 1694 0 None opened device: do not set disable_ipv6 on external 2023-07-18 19:07:41 UTC

Description Marko Myllynen 2023-05-17 07:55:06 UTC 
Description of problem:
Installing RHEL 9.1, configuring the following sysctls, updating initramfs, and rebooting shows IPv6 being disabled on all interfaces after boot and the sysctl values in use as configured:

# cat /etc/sysctl.d/50-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

On the same system upgrading kernel to the latest (currently ~ RHEL 9.2) and rebooting still shows the same results.

However, after upgrading NetworkManager to the latest on the same system or doing a fresh RHEL 9.2 installation with the same configuration we see the loopback having IPv6 enabled and the related sysctl changed even when the configuration file sets it to 1:

# cat /proc/sys/net/ipv6/conf/lo/disable_ipv6
0
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

This procedure of disabling IPv6 is documented in the RHKB article and works on RHEL 7, RHEL 8, and RHEL 9.0-9.1. It would be preferable if RHEL 9.2 would continue working in the same manner. Perhaps NM managing the loopback device should be only opt-in without the need for opt-out anything. Thanks.
Comment 1 Thomas Haller 2023-05-18 11:30:04 UTC 
unless you configure a loopback profile in NetworkManager, NM shouldn't do anything with lo.

Please attach the complete journal from the boot, with `level=TRACE` enabled (see DEBUGGING in `man NetworkManager`).
Comment 2 Marko Myllynen 2023-05-23 07:57:30 UTC 
Created attachment 1966388 [details]
boot-journal.txt

I'm attaching the output of "/usr/bin/journalctl -b -n 50000 > boot-journal.txt" after booting up a test VM with:

# cat /etc/sysctl.d/50-ipv6.conf 
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# cat /proc/sys/net/ipv6/conf/lo/disable_ipv6
0

Let me know if any additional information is needed. Thanks.
Comment 3 Thomas Haller 2023-05-23 08:21:49 UTC 
> <info>  [1684828385.5587] device (lo): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
...
> <debug> [1684828385.5590] platform-linux: sysctl: setting '/proc/sys/net/ipv6/conf/lo/disable_ipv6' to '0' (current value is '1')


That's a bug that needs fixing.
Note You need to log in before you can comment on or make changes to this bug.