Should `MACAddressPolicy=persistent` for bridges/bonds/all-software-devices be reconsidered?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi everybody,


this email is for discussing MACAddressPolicy=persistent in
/data/src/systemd/network/99-default.link

there is a Fedora CoreOS issue about this:
[1] https://github.com/coreos/fedora-coreos-tracker/issues/919


Since systemd 242 (Apr 2019), this policy applies to more device types
([2]).

[2] https://github.com/systemd/systemd/blob/v247/NEWS#L2332-L2358


This topic was already discussed. For example at [3]. I also brought
this up before at [4], but I'd like to reopen this discussion with the
recent Fedora CoreOS issue.

[3] https://github.com/systemd/systemd/issues/3374
[4]
https://github.com/systemd/systemd/issues/3374#issuecomment-522528484


To reiterate, this causes two problems:

1) for bridge/bond interfaces, there is a special meaning of leaving
the MAC address unassigned. It causes kernel to automatically set the
MAC address when the first port gets attached. By setting a persistent
MAC address, that automatism is not longer possible.

The MAC address can matter, for example, if you configure the DHCP
server to hand out IP addresses based on the MAC address (or based on
the client-id, which in turn might be based on the MAC address). If you
boot many machines (e.g. in data center or cloud), you might know the
MAC address of the machines, and thereby can also determine the
assigned IP addresses. With MACAddressPolicy=persistent the MAC address
is not predictable.


2) udev changing the MAC address causes races with naive scripts/tools.
For example:

  ip monitor link & 
  while : ; do 
    ip link del xxx
    ip link add name xxx type dummy \
    && ip link set xxx addr aa:00:00:00:00:00 \
    && ip link show xxx | grep -q aa:00:00:00:00:00 \
    || break
  done

granted, a script should either set the MAC address from the start, or
it should wait for udev to settle. Still, how many tools out there are
(still) broken?




On RHEL, 99-default.link is patched to set MACAddressPolicy=none.
On Fedora, despite this behavior being there for a while now, I think
it's harmful and should be dropped as well... at least for
bridges/bonds (problem 1) or even all software devices (problem 2).
In my opionion, this approach should be reconsidered for udev in
general.



best,
Thomas

Attachment: signature.asc
Description: This is a digitally signed message part

[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux