Re: [pve-devel] seem than ifupdown2 is installed by default on upgrade (a friend reported me an ipv6 slaac bug)

["DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>]

After investigate a litte bit,

I think this is because  ifupdown1  is setting accept_ra=2  by default.


and with ifupdown2, by security, we setup accept_ra=0   until it's
really setup in /etc/network/interfaces


iface vmbr0 inet6 auto
          accept_ra 2


(So maybe adding a note in documentation about this behaviour change
should be enough ?)




-------- Message initial --------
De: Thomas Lamprecht <t.lamprecht@proxmox.com>
À: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
"DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
Objet: Re: [pve-devel] seem than ifupdown2 is installed by default on
upgrade (a friend reported me an ipv6 slaac bug)
Date: 24/11/2023 10:07:30

Am 23/11/2023 um 18:50 schrieb DERUMIER, Alexandre:
> Hi,
> 
> I have a friend who's reported my than ifupdown2 had been installed
> by
> default on pve 8.1 upgrade.
> 
> I think it's because pve-network have "Recommends: ifupdown2".
> 

Well, that was the case since almost forever, but since we added a
recommends for libpve-network-perl to pve-container, qemu-serber and
pve-manager, the SDN packages gets pulled in if
APT::Install::Recommends 
is true (by default for most installation) and then also ifupdown2.

But the apt full-upgrade output before the "continue?" prompt shows
that,
and allows an admin to still avoid that switch.

I mean also Debian devs ponder about changing the default from
ifupdown2 for
a future release [0], as ifupdown is mostly on life-support since a
while.

[0]:
https://antiphishing.cetsi.fr/proxy/v3?i=SGI0YVJGNmxZNE90Z2thMFYLWSxJOf
IERJocpmb73Vs&r=SW5LV3JodE9QZkRVZ3JEYaKpfBJeBDlAX9E2aicRCRO3qsFIBX9zb4p
DqGdxG45MOoGKkZ3R8w3DjSjAvqYgRg&f=bnJjU3hQT3pQSmNQZVE3aPVk4IN9_80BrffiU
1LdpE8rutVeoMKVY490wLTw7_xQ&u=https%3A//lists.debian.org/debian-
devel/2023/06/msg00226.html&k=dFBm

We have not yet decided when to fully drop support for old ifudpown,
but
for PBS we only ever supported ifupdown2 (we use only the CIDR notation
for
passing addresses), but I think that might only be one or two major
releases away – the ifupdown network parsers would *really* benefit
from
a bigger overhaul, and dropping support for legacy network might make
that a bit easier.

> Seem that it have impacted the slaac config.   (I had double check
> some
> months ago ipv6 with ifupdown2, all was ok,  but maybe default
> accept_ra is different if ifupdown2, not 100% sure ye)
> 

If we can improve the transition it'd be naturally nice, but I do not
want
to drop that recommendation again for ifupdown2.

thanks,
 Thomas