Browse Source

Merge pull request #69302 from mayflower/networkd-disallow-dhcp

networkd: disallow useDHCP
openssl
Linus Heckemann 2 years ago
committed by GitHub
parent
commit
0b754fbe54
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 6
      nixos/doc/manual/release-notes/rl-1909.xml
  2. 20
      nixos/modules/installer/tools/nixos-generate-config.pl
  3. 1
      nixos/modules/installer/tools/tools.nix
  4. 12
      nixos/modules/tasks/network-interfaces-systemd.nix
  5. 5
      nixos/modules/tasks/network-interfaces.nix
  6. 23
      nixos/tests/networking.nix
  7. 1
      nixos/tests/predictable-interface-names.nix
  8. 1
      nixos/tests/systemd-networkd-wireguard.nix

6
nixos/doc/manual/release-notes/rl-1909.xml

@ -512,6 +512,12 @@
is set to <literal>/var/lib/gitlab/state</literal>, <literal>gitlab</literal> and all parent directories
must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>.
</para>
<para>
The <option>networking.useDHCP</option> option is unsupported in combination with
<option>networking.useNetworkd</option> in anticipation of defaulting to it by default.
It has to be set to <literal>false</literal> and enabled per
interface with <option>networking.interfaces.&lt;name&gt;.useDHCP = true;</option>
</para>
</listitem>
<listitem>
<para>

20
nixos/modules/installer/tools/nixos-generate-config.pl

@ -563,6 +563,24 @@ $fsAndSwap
${\join "", (map { " $_\n" } (uniq @attrs))}}
EOF
sub generateNetworkingDhcpConfig {
my $config = <<EOF;
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
EOF
foreach my $path (glob "/sys/class/net/*") {
my $dev = basename($path);
if ($dev ne "lo") {
$config .= " networking.interfaces.$dev.useDHCP = true;\n";
}
}
return $config;
}
if ($showHardwareConfig) {
print STDOUT $hwConfig;
@ -606,6 +624,8 @@ EOF
EOF
}
my $networkingDhcpConfig = generateNetworkingDhcpConfig();
write_file($fn, <<EOF);
@configuration@
EOF

1
nixos/modules/installer/tools/tools.nix

@ -96,6 +96,7 @@ in
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
$networkingDhcpConfig
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password\@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

12
nixos/modules/tasks/network-interfaces-systemd.nix

@ -38,6 +38,12 @@ in
} {
assertion = cfg.defaultGateway6 == null || cfg.defaultGateway6.interface == null;
message = "networking.defaultGateway6.interface is not supported by networkd.";
} {
assertion = cfg.useDHCP == false;
message = ''
networking.useDHCP is not supported by networkd.
Please use per interface configuration and set the global option to false.
'';
} ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: {
assertion = !rstp;
message = "networking.bridges.${n}.rstp is not supported by networkd.";
@ -56,9 +62,7 @@ in
genericNetwork = override:
let gateway = optional (cfg.defaultGateway != null) cfg.defaultGateway.address
++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6.address;
in {
DHCP = override (dhcpStr cfg.useDHCP);
} // optionalAttrs (gateway != [ ]) {
in optionalAttrs (gateway != [ ]) {
routes = override [
{
routeConfig = {
@ -97,7 +101,7 @@ in
networks."40-${i.name}" = mkMerge [ (genericNetwork mkDefault) {
name = mkDefault i.name;
DHCP = mkForce (dhcpStr
(if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ]));
(if i.useDHCP != null then i.useDHCP else false));
address = forEach (interfaceIps i)
(ip: "${ip.address}/${toString ip.prefixLength}");
networkConfig.IPv6PrivacyExtensions = "kernel";

5
nixos/modules/tasks/network-interfaces.nix

@ -903,6 +903,11 @@ in
Whether to use DHCP to obtain an IP address and other
configuration for all network interfaces that are not manually
configured.
Using this option is highly discouraged and also incompatible with
<option>networking.useNetworkd</option>. Please use
<option>networking.interfaces.&lt;name&gt;.useDHCP</option> instead
and set this to false.
'';
};

23
nixos/tests/networking.nix

@ -72,6 +72,7 @@ let
testCases = {
loopback = {
name = "Loopback";
machine.networking.useDHCP = false;
machine.networking.useNetworkd = networkd;
testScript = ''
startAll;
@ -139,14 +140,16 @@ let
virtualisation.vlans = [ 1 2 ];
networking = {
useNetworkd = networkd;
useDHCP = true;
useDHCP = false;
interfaces.eth1 = {
ipv4.addresses = mkOverride 0 [ ];
ipv6.addresses = mkOverride 0 [ ];
useDHCP = true;
};
interfaces.eth2 = {
ipv4.addresses = mkOverride 0 [ ];
ipv6.addresses = mkOverride 0 [ ];
useDHCP = true;
};
};
};
@ -320,13 +323,19 @@ let
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = networkd;
useDHCP = false;
firewall.logReversePathDrops = true; # to debug firewall rules
# reverse path filtering rules for the macvlan interface seem
# to be incorrect, causing the test to fail. Disable temporarily.
firewall.checkReversePath = false;
useDHCP = true;
macvlans.macvlan.interface = "eth1";
interfaces.eth1.ipv4.addresses = mkOverride 0 [ ];
interfaces.eth1 = {
ipv4.addresses = mkOverride 0 [ ];
useDHCP = true;
};
interfaces.macvlan = {
useDHCP = true;
};
};
};
testScript = { ... }:
@ -440,6 +449,7 @@ let
virtual = {
name = "Virtual";
machine = {
networking.useNetworkd = networkd;
networking.interfaces.tap0 = {
ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 24; } ];
ipv6.addresses = [ { address = "2001:1470:fffd:2096::"; prefixLength = 64; } ];
@ -489,6 +499,7 @@ let
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
networking = {
useNetworkd = networkd;
useDHCP = false;
interfaces.eth1.ipv6.addresses = singleton {
address = "fd00:1234:5678:1::1";
prefixLength = 64;
@ -514,11 +525,12 @@ let
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = networkd;
useDHCP = true;
useDHCP = false;
interfaces.eth1 = {
preferTempAddress = true;
ipv4.addresses = mkOverride 0 [ ];
ipv6.addresses = mkOverride 0 [ ];
useDHCP = true;
};
};
};
@ -526,11 +538,12 @@ let
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = networkd;
useDHCP = true;
useDHCP = false;
interfaces.eth1 = {
preferTempAddress = false;
ipv4.addresses = mkOverride 0 [ ];
ipv6.addresses = mkOverride 0 [ ];
useDHCP = true;
};
};
};

1
nixos/tests/predictable-interface-names.nix

@ -16,6 +16,7 @@ in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: {
networking.usePredictableInterfaceNames = lib.mkForce predictable;
networking.useNetworkd = withNetworkd;
networking.dhcpcd.enable = !withNetworkd;
networking.useDHCP = !withNetworkd;
};
testScript = ''

1
nixos/tests/systemd-networkd-wireguard.nix

@ -2,6 +2,7 @@ let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...
imports = [ common/user-account.nix ];
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
networking.useNetworkd = true;
networking.useDHCP = false;
networking.firewall.enable = false;
virtualisation.vlans = [ 1 ];
environment.systemPackages = with pkgs; [ wireguard-tools ];

Loading…
Cancel
Save