[pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

[pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

[DERUMIER, Alexandre]

Hi,

I have a friend who's reported my than ifupdown2 had been installed by
default on pve 8.1 upgrade.

I think it's because pve-network have "Recommends: ifupdown2".


This proxmox server was installed with debian iso, with default ipv6 on
interface (auto eth0 inet6 ..).

Seem that it have impacted the slaac config.   (I had double check some
months ago ipv6 with ifupdown2, all was ok,  but maybe default
accept_ra is different if ifupdown2, not 100% sure ye)

Re: [pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

[Thomas Lamprecht]

Am 23/11/2023 um 18:50 schrieb DERUMIER, Alexandre:
> Hi,
> 
> I have a friend who's reported my than ifupdown2 had been installed by
> default on pve 8.1 upgrade.
> 
> I think it's because pve-network have "Recommends: ifupdown2".
> 

Well, that was the case since almost forever, but since we added a
recommends for libpve-network-perl to pve-container, qemu-serber and
pve-manager, the SDN packages gets pulled in if APT::Install::Recommends 
is true (by default for most installation) and then also ifupdown2.

But the apt full-upgrade output before the "continue?" prompt shows that,
and allows an admin to still avoid that switch.

I mean also Debian devs ponder about changing the default from ifupdown2 for
a future release [0], as ifupdown is mostly on life-support since a while.

[0]: https://lists.debian.org/debian-devel/2023/06/msg00226.html

We have not yet decided when to fully drop support for old ifudpown, but
for PBS we only ever supported ifupdown2 (we use only the CIDR notation for
passing addresses), but I think that might only be one or two major
releases away – the ifupdown network parsers would *really* benefit from
a bigger overhaul, and dropping support for legacy network might make
that a bit easier.

> Seem that it have impacted the slaac config.   (I had double check some
> months ago ipv6 with ifupdown2, all was ok,  but maybe default
> accept_ra is different if ifupdown2, not 100% sure ye)
> 

If we can improve the transition it'd be naturally nice, but I do not want
to drop that recommendation again for ifupdown2.

thanks,
 Thomas

Re: [pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

[DERUMIER, Alexandre]

After investigate a litte bit,

I think this is because  ifupdown1  is setting accept_ra=2  by default.


and with ifupdown2, by security, we setup accept_ra=0   until it's
really setup in /etc/network/interfaces


iface vmbr0 inet6 auto
          accept_ra 2


(So maybe adding a note in documentation about this behaviour change
should be enough ?)




-------- Message initial --------
De: Thomas Lamprecht <t.lamprecht@proxmox.com>
À: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
"DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
Objet: Re: [pve-devel] seem than ifupdown2 is installed by default on
upgrade (a friend reported me an ipv6 slaac bug)
Date: 24/11/2023 10:07:30

Am 23/11/2023 um 18:50 schrieb DERUMIER, Alexandre:
> Hi,
> 
> I have a friend who's reported my than ifupdown2 had been installed
> by
> default on pve 8.1 upgrade.
> 
> I think it's because pve-network have "Recommends: ifupdown2".
> 

Well, that was the case since almost forever, but since we added a
recommends for libpve-network-perl to pve-container, qemu-serber and
pve-manager, the SDN packages gets pulled in if
APT::Install::Recommends 
is true (by default for most installation) and then also ifupdown2.

But the apt full-upgrade output before the "continue?" prompt shows
that,
and allows an admin to still avoid that switch.

I mean also Debian devs ponder about changing the default from
ifupdown2 for
a future release [0], as ifupdown is mostly on life-support since a
while.

[0]:
https://antiphishing.cetsi.fr/proxy/v3?i=SGI0YVJGNmxZNE90Z2thMFYLWSxJOf
IERJocpmb73Vs&r=SW5LV3JodE9QZkRVZ3JEYaKpfBJeBDlAX9E2aicRCRO3qsFIBX9zb4p
DqGdxG45MOoGKkZ3R8w3DjSjAvqYgRg&f=bnJjU3hQT3pQSmNQZVE3aPVk4IN9_80BrffiU
1LdpE8rutVeoMKVY490wLTw7_xQ&u=https%3A//lists.debian.org/debian-
devel/2023/06/msg00226.html&k=dFBm

We have not yet decided when to fully drop support for old ifudpown,
but
for PBS we only ever supported ifupdown2 (we use only the CIDR notation
for
passing addresses), but I think that might only be one or two major
releases away – the ifupdown network parsers would *really* benefit
from
a bigger overhaul, and dropping support for legacy network might make
that a bit easier.

> Seem that it have impacted the slaac config.   (I had double check
> some
> months ago ipv6 with ifupdown2, all was ok,  but maybe default
> accept_ra is different if ifupdown2, not 100% sure ye)
> 

If we can improve the transition it'd be naturally nice, but I do not
want
to drop that recommendation again for ifupdown2.

thanks,
 Thomas

Re: [pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

[Thomas Lamprecht]

Am 24/11/2023 um 11:12 schrieb DERUMIER, Alexandre:
> After investigate a litte bit,
> 
> I think this is because  ifupdown1  is setting accept_ra=2  by default.
> 
> 
> and with ifupdown2, by security, we setup accept_ra=0   until it's
> really setup in /etc/network/interfaces
> 
> 
> iface vmbr0 inet6 auto
>           accept_ra 2

Yeah, it's your patch that broke compat here which we applied
already [0], but upstream hasn't yet [1] (do you know what's going on
with them, much less responsive and no release yet since over three
years, maybe just NVIDIA stifling the great work the cumulus devs?)
anyhow, disabling accept_ra by default was IMO the right call.

[0]: https://git.proxmox.com/?p=ifupdown2.git;a=blob;f=debian/patches/upstream/0001-add-ipv6-slaac-support-inet6-auto-accept_ra.patch;h=9e1bb138e777b3ef914460a32d6d0ba6a1048e70;hb=e6835fd11d94148db9d6fc93a19e6bdb45915e29
[1]: https://github.com/CumulusNetworks/ifupdown2/pull/259
 > 
> (So maybe adding a note in documentation about this behaviour change
> should be enough ?)

Yeah, I added a note now to our release notes known issues & breaking
changes section:

https://pve.proxmox.com/wiki/Roadmap#8.1-known-issues

Re: [pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

[DERUMIER, Alexandre]

-------- Message initial --------
De: Thomas Lamprecht <t.lamprecht@proxmox.com>
À: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>, pve-
devel@lists.proxmox.com <pve-devel@lists.proxmox.com>
Objet: Re: [pve-devel] seem than ifupdown2 is installed by default on
upgrade (a friend reported me an ipv6 slaac bug)
Date: 24/11/2023 13:49:26

Am 24/11/2023 um 11:12 schrieb DERUMIER, Alexandre:
> After investigate a litte bit,
> 
> I think this is because  ifupdown1  is setting accept_ra=2  by
> default.
> 
> 
> and with ifupdown2, by security, we setup accept_ra=0   until it's
> really setup in /etc/network/interfaces
> 
> 
> iface vmbr0 inet6 auto
>           accept_ra 2


>>Yeah, it's your patch that broke compat here which we applied
>>already [0], but upstream hasn't yet [1] (

yes, this is my patch. I was not sure if we need to change this
accept_ra default to 2.


>>do you know what's going on
>>with them, much less responsive and no release yet since over three
>>years, maybe just NVIDIA stifling the great work the cumulus devs?)


I really think it's Nvidia related. here a friend pull request, about a
vxlan fix, where it's was already fixed in nvidia/cumulus ifupdown2 deb
version (I'm also a cumulus customer, so I verified that indeed they
are sometime minor differences)

https://github.com/CumulusNetworks/ifupdown2/pull/271

"we use an internal repository for ifupdown2 where we actively push our
changes daily/weekly.
Some changes are specific to Cumulus Linux and diverge from upstream
debian (i.e. default values and Cumulus specific features, etc).

So it takes quite some time to review the changes (and diff between
github/internal), and making sure they don't break upstream (and CL
ifupdown2). I pretty much maintain this github repo on my free time,
hence the long delay for the PRs, open issues and sync between
github/internal repo.
"




Looking at the code, I think it's a little bit behind the nvidia
version, but not too much.

But Indeed, they should tag a new version.

Re: [pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

[DERUMIER, Alexandre]

Hi again,

I have reverified my ifupdown2,

In fact, I setup accept_ra=2  when interfaces is setup as "auto".  (but
not static or manual)


(as inet6 auto = slaac , it make sense to enable accept_ra).




But here, the non working setup is mixing "inet dhcp" + "inet6 auto"


"
auto vmbr2
iface vmbr2 inet dhcp
       bridge-ports eth0
       bridge-stp off
       bridge-fd 0

iface vmbr2 inet6 auto

"


Maybe  is it because ifupdown2 is merging interfaces, looking at debug
log, the "inet6 auto" is not catched.


For this setup, the working config is:


"
auto vmbr2
iface vmbr2 inet dhcp
       bridge-ports eth0
       bridge-stp off
       bridge-fd 0
       accept_ra 2
       autoconf 1
"

Re: [pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

[DERUMIER, Alexandre]

>>
>>But here, the non working setup is mixing "inet dhcp" + "inet6 auto"
>>
>>
>>"
>>auto vmbr2
>>iface vmbr2 inet dhcp
>>       bridge-ports eth0
>>       bridge-stp off
>>       bridge-fd 0
>>
>>iface vmbr2 inet6 auto

>>"

Ok, I found the bug, this is because ifupdown2 only allow 1 method for
the interface, even if it's ipv4 vs ipv6)

https://github.com/CumulusNetworks/ifupdown2/issues/174


I have look at it and I have a working patch to fix this.
I just need to polish it a little bit, I'll send try to send it next
week.