Merge pull request #69302 from mayflower/networkd-disallow-dhcp
networkd: disallow useDHCP
0b754fbe54
8 changed files with 60 additions and 9 deletions
|
@ -512,6 +512,12 @@
|
|||
is set to <literal>/var/lib/gitlab/state</literal>, <literal>gitlab</literal> and all parent directories
|
||||
must be owned by either <literal>root</literal> or the user specified in <option>services.gitlab.user</option>.
|
||||
</para>
|
||||
<para>
|
||||
The <option>networking.useDHCP</option> option is unsupported in combination with
|
||||
<option>networking.useNetworkd</option> in anticipation of defaulting to it by default.
|
||||
It has to be set to <literal>false</literal> and enabled per
|
||||
interface with <option>networking.interfaces.<name>.useDHCP = true;</option>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
|
|
|
@ -563,6 +563,24 @@ $fsAndSwap
|
|||
${\join "", (map { " $_\n" } (uniq @attrs))}}
|
||||
EOF
|
||||
|
||||
sub generateNetworkingDhcpConfig {
|
||||
my $config = <<EOF;
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
EOF
|
||||
|
||||
foreach my $path (glob "/sys/class/net/*") {
|
||||
my $dev = basename($path);
|
||||
if ($dev ne "lo") {
|
||||
$config .= " networking.interfaces.$dev.useDHCP = true;\n";
|
||||
}
|
||||
}
|
||||
|
||||
return $config;
|
||||
}
|
||||
|
||||
|
||||
if ($showHardwareConfig) {
|
||||
print STDOUT $hwConfig;
|
||||
|
@ -606,6 +624,8 @@ EOF
|
|||
EOF
|
||||
}
|
||||
|
||||
my $networkingDhcpConfig = generateNetworkingDhcpConfig();
|
||||
|
||||
write_file($fn, <<EOF);
|
||||
@configuration@
|
||||
EOF
|
||||
|
|
|
@ -96,6 +96,7 @@ in
|
|||
# networking.hostName = "nixos"; # Define your hostname.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
|
||||
$networkingDhcpConfig
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password\@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
|
|
@ -38,6 +38,12 @@ in
|
|||
} {
|
||||
assertion = cfg.defaultGateway6 == null || cfg.defaultGateway6.interface == null;
|
||||
message = "networking.defaultGateway6.interface is not supported by networkd.";
|
||||
} {
|
||||
assertion = cfg.useDHCP == false;
|
||||
message = ''
|
||||
networking.useDHCP is not supported by networkd.
|
||||
Please use per interface configuration and set the global option to false.
|
||||
'';
|
||||
} ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: {
|
||||
assertion = !rstp;
|
||||
message = "networking.bridges.${n}.rstp is not supported by networkd.";
|
||||
|
@ -56,9 +62,7 @@ in
|
|||
genericNetwork = override:
|
||||
let gateway = optional (cfg.defaultGateway != null) cfg.defaultGateway.address
|
||||
++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6.address;
|
||||
in {
|
||||
DHCP = override (dhcpStr cfg.useDHCP);
|
||||
} // optionalAttrs (gateway != [ ]) {
|
||||
in optionalAttrs (gateway != [ ]) {
|
||||
routes = override [
|
||||
{
|
||||
routeConfig = {
|
||||
|
@ -97,7 +101,7 @@ in
|
|||
networks."40-${i.name}" = mkMerge [ (genericNetwork mkDefault) {
|
||||
name = mkDefault i.name;
|
||||
DHCP = mkForce (dhcpStr
|
||||
(if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ]));
|
||||
(if i.useDHCP != null then i.useDHCP else false));
|
||||
address = forEach (interfaceIps i)
|
||||
(ip: "${ip.address}/${toString ip.prefixLength}");
|
||||
networkConfig.IPv6PrivacyExtensions = "kernel";
|
||||
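Review bot: The new assertion is written as `assertion = cfg.useDHCP == false;` while the neighbouring assertions in the same list use negation (`assertion = !rstp;`), so `assertion = !cfg.useDHCP;` would match the file's style. In the `genericNetwork` hunk the `DHCP = override (dhcpStr cfg.useDHCP);` line is gone, which means networks built from the bridge/vlan/bond definitions via `genericNetwork` now carry no DHCP= setting at all, while `networking.interfaces` entries fall back to `DHCP=no` through the `else false` branch under `mkForce`; that asymmetry is presumably intended but deserves a short comment at the fallback, e.g. `# Global useDHCP is rejected by the assertion above; no per-interface setting means no DHCP.`. `genericNetwork` starts inside the hunk and ends outside it.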
|
|
|
@ -903,6 +903,11 @@ in
|
|||
Whether to use DHCP to obtain an IP address and other
|
||||
configuration for all network interfaces that are not manually
|
||||
configured.
|
||||
|
||||
Using this option is highly discouraged and also incompatible with
|
||||
<option>networking.useNetworkd</option>. Please use
|
||||
<option>networking.interfaces.<name>.useDHCP</option> instead
|
||||
and set this to false.
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
|
@ -72,6 +72,7 @@ let
|
|||
testCases = {
|
||||
loopback = {
|
||||
name = "Loopback";
|
||||
machine.networking.useDHCP = false;
|
||||
machine.networking.useNetworkd = networkd;
|
||||
testScript = ''
|
||||
startAll;
|
||||
|
@ -139,14 +140,16 @@ let
|
|||
virtualisation.vlans = [ 1 2 ];
|
||||
networking = {
|
||||
useNetworkd = networkd;
|
||||
useDHCP = true;
|
||||
useDHCP = false;
|
||||
interfaces.eth1 = {
|
||||
ipv4.addresses = mkOverride 0 [ ];
|
||||
ipv6.addresses = mkOverride 0 [ ];
|
||||
useDHCP = true;
|
||||
};
|
||||
interfaces.eth2 = {
|
||||
ipv4.addresses = mkOverride 0 [ ];
|
||||
ipv6.addresses = mkOverride 0 [ ];
|
||||
useDHCP = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -320,13 +323,19 @@ let
|
|||
virtualisation.vlans = [ 1 ];
|
||||
networking = {
|
||||
useNetworkd = networkd;
|
||||
useDHCP = false;
|
||||
firewall.logReversePathDrops = true; # to debug firewall rules
|
||||
# reverse path filtering rules for the macvlan interface seem
|
||||
# to be incorrect, causing the test to fail. Disable temporarily.
|
||||
firewall.checkReversePath = false;
|
||||
useDHCP = true;
|
||||
macvlans.macvlan.interface = "eth1";
|
||||
interfaces.eth1.ipv4.addresses = mkOverride 0 [ ];
|
||||
interfaces.eth1 = {
|
||||
ipv4.addresses = mkOverride 0 [ ];
|
||||
useDHCP = true;
|
||||
};
|
||||
interfaces.macvlan = {
|
||||
useDHCP = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
testScript = { ... }:
|
||||
|
@ -440,6 +449,7 @@ let
|
|||
virtual = {
|
||||
name = "Virtual";
|
||||
machine = {
|
||||
networking.useNetworkd = networkd;
|
||||
networking.interfaces.tap0 = {
|
||||
ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 24; } ];
|
||||
ipv6.addresses = [ { address = "2001:1470:fffd:2096::"; prefixLength = 64; } ];
|
||||
|
@ -489,6 +499,7 @@ let
|
|||
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
|
||||
networking = {
|
||||
useNetworkd = networkd;
|
||||
useDHCP = false;
|
||||
interfaces.eth1.ipv6.addresses = singleton {
|
||||
address = "fd00:1234:5678:1::1";
|
||||
prefixLength = 64;
|
||||
|
@ -514,11 +525,12 @@ let
|
|||
virtualisation.vlans = [ 1 ];
|
||||
networking = {
|
||||
useNetworkd = networkd;
|
||||
useDHCP = true;
|
||||
useDHCP = false;
|
||||
interfaces.eth1 = {
|
||||
preferTempAddress = true;
|
||||
ipv4.addresses = mkOverride 0 [ ];
|
||||
ipv6.addresses = mkOverride 0 [ ];
|
||||
useDHCP = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -526,11 +538,12 @@ let
|
|||
virtualisation.vlans = [ 1 ];
|
||||
networking = {
|
||||
useNetworkd = networkd;
|
||||
useDHCP = true;
|
||||
useDHCP = false;
|
||||
interfaces.eth1 = {
|
||||
preferTempAddress = false;
|
||||
ipv4.addresses = mkOverride 0 [ ];
|
||||
ipv6.addresses = mkOverride 0 [ ];
|
||||
useDHCP = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
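Review bot: The `virtual` test case (hunk `@ -440,6 +449,7 @@`) gains one line but, unlike every other networkd case in this file, shows no `networking.useDHCP = false;`; the page does not mark which line is new, but if it is `networking.useNetworkd = networkd;` then the networkd variant of this case now trips the new `cfg.useDHCP == false` assertion, assuming the option still defaults to true. Adding `networking.useDHCP = false;` directly after `networking.useNetworkd = networkd;` would make the case consistent with the rest of the file, unless it is already set somewhere outside the hunk. The `virtual` attribute set continues past the end of the hunk.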
|
|
|
@ -16,6 +16,7 @@ in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: {
|
|||
networking.usePredictableInterfaceNames = lib.mkForce predictable;
|
||||
networking.useNetworkd = withNetworkd;
|
||||
networking.dhcpcd.enable = !withNetworkd;
|
||||
networking.useDHCP = !withNetworkd;
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
|
|
|
@ -2,6 +2,7 @@ let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...
|
|||
imports = [ common/user-account.nix ];
|
||||
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
|
||||
networking.useNetworkd = true;
|
||||
networking.useDHCP = false;
|
||||
networking.firewall.enable = false;
|
||||
virtualisation.vlans = [ 1 ];
|
||||
environment.systemPackages = with pkgs; [ wireguard-tools ];
|
||||
|
|