ehmry
/
nixpkgs
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

Merge pull request #69302 from mayflower/networkd-disallow-dhcp 

networkd: disallow useDHCP
openssl
Linus Heckemann 3 years ago committed by GitHub
parent
da089d7d40 68b42a84fd
commit
0b754fbe54
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 60 additions and 9 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      nixos/doc/manual/release-notes/rl-1909.xml
  2. 20
      nixos/modules/installer/tools/nixos-generate-config.pl
  3. 1
      nixos/modules/installer/tools/tools.nix
  4. 12
      nixos/modules/tasks/network-interfaces-systemd.nix
  5. 5
      nixos/modules/tasks/network-interfaces.nix
  6. 23
      nixos/tests/networking.nix
  7. 1
      nixos/tests/predictable-interface-names.nix
  8. 1
      nixos/tests/systemd-networkd-wireguard.nix

6
nixos/doc/manual/release-notes/rl-1909.xml
Unescape View File

@ -512,6 +512,12 @@
is set to <literal>/var/lib/gitlab/state</literal>, <literal>gitlab</literal> and all parent directories
must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>.
</para>
<para>
The <option>networking.useDHCP</option> option is unsupported in combination with
<option>networking.useNetworkd</option> in anticipation of defaulting to it by default.
It has to be set to <literal>false</literal> and enabled per
interface with <option>networking.interfaces.&lt;name&gt;.useDHCP = true;</option>
</para>
</listitem>
<listitem>
<para>

20
nixos/modules/installer/tools/nixos-generate-config.pl
Unescape View File

@ -563,6 +563,24 @@ $fsAndSwap
${\join "", (map { " $_\n" } (uniq @attrs))}}
EOF
sub generateNetworkingDhcpConfig {
my $config = <<EOF;
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
EOF
foreach my $path (glob "/sys/class/net/*") {
my $dev = basename($path);
if ($dev ne "lo") {
$config .= " networking.interfaces.$dev.useDHCP = true;\n";
}
}
return $config;
}
if ($showHardwareConfig) {
print STDOUT $hwConfig;
@ -606,6 +624,8 @@ EOF
EOF
}
my $networkingDhcpConfig = generateNetworkingDhcpConfig();
write_file($fn, <<EOF);
@configuration@
EOF

1
nixos/modules/installer/tools/tools.nix
Unescape View File

@ -96,6 +96,7 @@ in
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
$networkingDhcpConfig
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password\@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

12
nixos/modules/tasks/network-interfaces-systemd.nix
Unescape View File

@ -38,6 +38,12 @@ in
} {
assertion = cfg.defaultGateway6 == null || cfg.defaultGateway6.interface == null;
message = "networking.defaultGateway6.interface is not supported by networkd.";
} {
assertion = cfg.useDHCP == false;
message = ''
networking.useDHCP is not supported by networkd.
Please use per interface configuration and set the global option to false.
'';
} ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: {
assertion = !rstp;
message = "networking.bridges.${n}.rstp is not supported by networkd.";
@ -56,9 +62,7 @@ in
genericNetwork = override:
let gateway = optional (cfg.defaultGateway != null) cfg.defaultGateway.address
++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6.address;
in {
DHCP = override (dhcpStr cfg.useDHCP);
} // optionalAttrs (gateway != [ ]) {
in optionalAttrs (gateway != [ ]) {
routes = override [
{
routeConfig = {
@ -97,7 +101,7 @@ in
networks."40-${i.name}" = mkMerge [ (genericNetwork mkDefault) {
name = mkDefault i.name;
DHCP = mkForce (dhcpStr
(if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ]));
(if i.useDHCP != null then i.useDHCP else false));
address = forEach (interfaceIps i)
(ip: "${ip.address}/${toString ip.prefixLength}");
networkConfig.IPv6PrivacyExtensions = "kernel";

5
nixos/modules/tasks/network-interfaces.nix
Unescape View File

@ -903,6 +903,11 @@ in
Whether to use DHCP to obtain an IP address and other
configuration for all network interfaces that are not manually
configured.
Using this option is highly discouraged and also incompatible with
<option>networking.useNetworkd</option>. Please use
<option>networking.interfaces.&lt;name&gt;.useDHCP</option> instead
and set this to false.
'';
};

23
nixos/tests/networking.nix
Unescape View File

@ -72,6 +72,7 @@ let
testCases = {
loopback = {
name = "Loopback";
machine.networking.useDHCP = false;
machine.networking.useNetworkd = networkd;
testScript = ''
startAll;
@ -139,14 +140,16 @@ let
virtualisation.vlans = [ 1 2 ];
networking = {
useNetworkd = networkd;
useDHCP = true;
useDHCP = false;
interfaces.eth1 = {
ipv4.addresses = mkOverride 0 [ ];
ipv6.addresses = mkOverride 0 [ ];
useDHCP = true;
};
interfaces.eth2 = {
ipv4.addresses = mkOverride 0 [ ];
ipv6.addresses = mkOverride 0 [ ];
useDHCP = true;
};
};
};
@ -320,13 +323,19 @@ let
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = networkd;
useDHCP = false;
firewall.logReversePathDrops = true; # to debug firewall rules
# reverse path filtering rules for the macvlan interface seem
# to be incorrect, causing the test to fail. Disable temporarily.
firewall.checkReversePath = false;
useDHCP = true;
macvlans.macvlan.interface = "eth1";
interfaces.eth1.ipv4.addresses = mkOverride 0 [ ];
interfaces.eth1 = {
ipv4.addresses = mkOverride 0 [ ];
useDHCP = true;
};
interfaces.macvlan = {
useDHCP = true;
};
};
};
testScript = { ... }:
@ -440,6 +449,7 @@ let
virtual = {
name = "Virtual";
machine = {
networking.useNetworkd = networkd;
networking.interfaces.tap0 = {
ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 24; } ];
ipv6.addresses = [ { address = "2001:1470:fffd:2096::"; prefixLength = 64; } ];
@ -489,6 +499,7 @@ let
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
networking = {
useNetworkd = networkd;
useDHCP = false;
interfaces.eth1.ipv6.addresses = singleton {
address = "fd00:1234:5678:1::1";
prefixLength = 64;
@ -514,11 +525,12 @@ let
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = networkd;
useDHCP = true;
useDHCP = false;
interfaces.eth1 = {
preferTempAddress = true;
ipv4.addresses = mkOverride 0 [ ];
ipv6.addresses = mkOverride 0 [ ];
useDHCP = true;
};
};
};
@ -526,11 +538,12 @@ let
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = networkd;
useDHCP = true;
useDHCP = false;
interfaces.eth1 = {
preferTempAddress = false;
ipv4.addresses = mkOverride 0 [ ];
ipv6.addresses = mkOverride 0 [ ];
useDHCP = true;
};
};
};

1
nixos/tests/predictable-interface-names.nix
Unescape View File

@ -16,6 +16,7 @@ in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: {
networking.usePredictableInterfaceNames = lib.mkForce predictable;
networking.useNetworkd = withNetworkd;
networking.dhcpcd.enable = !withNetworkd;
networking.useDHCP = !withNetworkd;
};
testScript = ''

1
nixos/tests/systemd-networkd-wireguard.nix
Unescape View File

@ -2,6 +2,7 @@ let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...
imports = [ common/user-account.nix ];
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
networking.useNetworkd = true;
networking.useDHCP = false;
networking.firewall.enable = false;
virtualisation.vlans = [ 1 ];
environment.systemPackages = with pkgs; [ wireguard-tools ];

Write Preview
Loading…
Cancel
Save