-
-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable networkd by default #264967
base: master
Are you sure you want to change the base?
Enable networkd by default #264967
Conversation
562c9de
to
77d3257
Compare
So I just copied over the todolist from the previous PR and updated the checkboxes accordingly. If someone else thinks something's missing there, feel free to add it. |
re "Talk about useDHCP and anyInterface some more -- do the defaults make sense?": the change that was made in the previous PR is now in The behavior may not be much of an issue with #258680 being merged ( |
@@ -924,6 +924,8 @@ in | |||
description = "NSD authoritative only domain name service"; | |||
|
|||
after = [ "network.target" ]; | |||
# Ensure that knot can bind port 53 before systemd-resolved's stub resolver attempts to. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# Ensure that knot can bind port 53 before systemd-resolved's stub resolver attempts to. | |
# Ensure that nsd can bind port 53 before systemd-resolved's stub resolver attempts to. |
@@ -42,6 +42,9 @@ with lib; | |||
description = "djbdns tinydns server"; | |||
wantedBy = [ "multi-user.target" ]; | |||
after = [ "network.target" ]; | |||
# Ensure that pdns-recursor can bind port 53 before systemd-resolved's stub resolver attempts to. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# Ensure that pdns-recursor can bind port 53 before systemd-resolved's stub resolver attempts to. | |
# Ensure that tinydns can bind port 53 before systemd-resolved's stub resolver attempts to. |
I'm just jumping in so forgive me if there are already plans to deal with this, but from my experience, having both |
That should be solved by this PR: I assume you have |
I think that case should be covered now the warning added in #256598 |
|
@@ -18,6 +18,10 @@ | |||
into a satisfying solution regarding this problem. | |||
- Updating with `nixos-rebuild boot` and rebooting is recommended, since in some rare cases the `nixos-rebuild switch` into the new generation on a live system might fail due to missing mount units. | |||
|
|||
|
|||
- NixOS now uses [systemd-networkd](#opt-systemd.network.enable) as its default networking backend. With networkd, many network configurations which previously required use of [](#opt-networking.localCommands) can be expressed declaratively. Networkd's connection management is also significantly more reliable than the scripted networking implementation previously in use by default. If you wish to continue using scripted networking, set [](#opt-networking.useNetworkd) to `false`. | |||
- This also means that systemd-resolved is enabled by default. Its stub resolver will bind to port 53 if it is not occupied, which may result in other DNS servers failing to start. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really would love to use resolved but the more I use it the buggier it gets. For example DNSSEC=yes is incredible unreliable and you can no longer connect to DB ICE WiFi. Also the feature that when a handful of DNS packets are dropped of 10'000s it disables your only resolver for 30s is pretty dumb. There are numerous issues about it in the systemd repo which are not fixed for years. (Can't link right now because of mobile)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DNSSEC validation was disabled in 4f461f7.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Its stub resolver will bind to port 53 if it is not occupied, which may result in other DNS servers failing to start.
It should be fine though?
% sudo netstat -lpn | grep systemd-resolv
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1650/systemd-resolv
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN 1650/systemd-resolv
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 1650/systemd-resolv
tcp6 0 0 :::5355 :::* LISTEN 1650/systemd-resolv
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1650/systemd-resolv
udp 0 0 0.0.0.0:5355 0.0.0.0:* 1650/systemd-resolv
udp 0 0 127.0.0.54:53 0.0.0.0:* 1650/systemd-resolv
udp 0 0 127.0.0.53:53 0.0.0.0:* 1650/systemd-resolv
udp6 0 0 :::5353 :::* 1650/systemd-resolv
udp6 0 0 :::5355 :::* 1650/systemd-resolv
unix 2 [ ACC ] STREAM LISTENING 13475 1650/systemd-resolv /run/systemd/resolve/io.systemd.Resolve
unix 2 [ ACC ] STREAM LISTENING 13476 1650/systemd-resolv /run/systemd/resolve/io.systemd.Resolve.Monitor
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be fine though?
What do you mean?
This doesn't show any other DNS servers running so you don't seem to be affected?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't listen on [::1]:53/127.0.0.1:53/[::]:53/0.0.0.0:53
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Huh, I've been pretty sure that this will also break (i.e. 0.0.0.0 vs any other IP). Anyways, will check that soonish.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, binding to 0.0.0.0 is not allowed when binding to the same port any other address
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The next release of systemd is supposedly majorly improving this. Looking forward to that.
@@ -57,6 +57,7 @@ in { | |||
{ address = "fd00::1"; prefixLength = 64; } | |||
]; | |||
}; | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we only touch whitespace we might as well drop those to keep the PR smaller.
The example is outdated, as NixOS's networking options have supported static IPv6 configuration for a long time now. With networkd being enabled by default, networking.localCommands loses further relevance and should only be used in extremely niche use cases -- and certainly not encouraged for use cases as common as setting IPv6 addresses.
Since networkd is now enabled by default, we no longer need to enable it explicitly.
Before this patch, `192.168.1.1` was assigned to `eth1` of `client` and DHCP was turned off (`null` is the default for `networking.interfaces.<name>.useDHCP` which means that `DHCP=no` is set if an IP is configured statically). Because of that, the static 10.0.0.10 was never assigned. The VLAN 1 (with `eth1` in it) never gets another IP assigned statically now to make sure `systemd-networkd-wait-online` doesn't succeed before 10.0.0.10 was configured via DHCP. DHCP is turned off globally (as it was before) because this means that `--any` is not set for `systemd-networkd-wait-online` and as a result it's explicitly waited for `eth1` to be ready before checking its IPs (otherwise that would happen too early because `eth0` reaches `routable`/`configured` quicker).
By default, `systemd-resolved(8)` doesn't permit querying for single-label hostnames (i.e. root zones), so the test for a custom root server requires `ResolveUnicastSingleLabel` in resolved to work. Also, run a stub listener on `::1` for the IPv6 testcases.
Underscores in hostnames are invalid and rejected by `systemd-resolved`.
bb495fb
to
fce5407
Compare
@@ -941,6 +941,8 @@ in | |||
description = "NSD authoritative only domain name service"; | |||
|
|||
after = [ "network.target" ]; | |||
# Ensure that knot can bind port 53 before systemd-resolved's stub resolver attempts to. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be nsd, not knot
Description of changes
Continuation of #202488
Things done
networking.*
options that are ignored when using networkduseDHCP
andanyInterface
some more -- do the defaults make sense?