From Fedora Project Wiki
(change the scope of the proposal to limit to bond/bridge/team devices based on mailing list discussion)
mNo edit summary
Line 11: Line 11:


The `systemd-udev` package installs `"/usr/lib/systemd/network/99-default.link"`, which sets
The `systemd-udev` package installs `"/usr/lib/systemd/network/99-default.link"`, which sets
`Link.MACAddressPolicy=persistent` for all software NIC devices. This proposal is to change it
`Link.MACAddressPolicy=persistent` for all software NIC devices. This proposal is to add to
such that we use `Link.MACAddressPolicy=none` for bond/bridge/team devices.
the policy so that such that we use `Link.MACAddressPolicy=none` for bond/bridge/team devices.


== Owner ==
== Owner ==

Revision as of 02:34, 6 July 2022


MAC Address Policy none

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

The systemd-udev package installs "/usr/lib/systemd/network/99-default.link", which sets Link.MACAddressPolicy=persistent for all software NIC devices. This proposal is to add to the policy so that such that we use Link.MACAddressPolicy=none for bond/bridge/team devices.

Owner

  • Name: Thomas Haller (NetworkManager)
  • Email: <thaller@redhat.com>
  • Name: Dusty Mabe (Fedora CoreOS)
  • Email: <dmabe@redhat.com>


Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-07-06
  • Devel list thread
  • FESCo issue: #2824
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

On Fedora, udev by default changes the MAC address of a wide range of software devices. This was introduced by systemd 242 in early 2019 (Fedora 31), when MACAddressPolicy= was extended to affect more types of devices.

With MACAddressPolicy=persistent udev's aim is to provide a stable MAC address, otherwise the kernel will assign a random one. However, that can cause problems.

For interface types bridge/bond/team, an unset MAC address has a special meaning to the kernel and the MAC address of the first port is used. If udev changes the MAC address, that no longer works. Now the generated MAC address is not directly discoverable as it is based on /etc/machine-id (machine-id(5)), among other data. Even if there were a tool to easily calculate the MAC address, it could be cumbersome to use it without logging into the machine first. The MAC address can directly affect the assigned IP address, for example when using DHCP. When booting a new virtual machine, the user might know the MAC address of the (virtual) "physical" interfaces. When bonding/bridging those interfaces, the bond/bridge would get one of the well known MAC addresses. MACAddressPolicy=persistent interferes with that.

While Fedora inherited this behavior from upstream systemd, RHEL-9 does not follow this behavior (centos9, rh#1921094). For RHEL-8, this doesn't apply because the systemd there is too old to change the MAC address of most software devices.

The proposal here is to change to MACAddressPolicy=none for the device types where this causes the most issues (bridge/bond/team).


Feedback

This was also discussed on upstream systemd mailing list here. The upstream systemd maintainers' opinion is that the current udev behavior is desirable, but accepts that distributions (or network stacks such as NetworkManager) may choose to change the default depending on their needs (reference). The goal here is to find out what the Fedora community thinks is the most appropriate default.

The RHEL-9 bug is [rh#1921094].

Benefit to Fedora

Pros:

- Consistent behavior with RHEL8 and RHEL9 for bond/bridge/team devices.

- Bridge and bond interfaces can get the MAC addresses from their first port.

In the case of MACAddressPolicy=none for a bond (or bridge) the bond will get a MAC related to one of its physical NIC devices. In the case of provisioning new systems (especially in a large datacenter) information about the server can be used to configure the network environment (DHCP, Firewall, etc) before the server is ever even powered on. This does mean that you may have to update your network environment configuration if you replace a NIC (con), but that you won't have to update your network environment configuration if you re-install your server (pro), which is what you'd have to do now with MACAddressPolicy=persistent.

Cons:

- Deviate from upstream systemd.

It is desirable that RHEL and Fedora behaves similar. A possible outcome could be the current behavior stays and RHEL 10 would change behavior. On the other hand, different distributions (or even Fedora spins) have different uses and needs. Deviating might be fine. In the same vein, there is also a desire to stay close to upstream systemd behavior. But the uses of systemd project go beyond Fedora/RHEL, so deviating here may also be fine.


Scope

  • Proposal owners:

The main goal of this request is to generate productive discussion and find the desired behavior. The implementation/changes are simple to implement.

  • Other developers:

Other projects that wish a certain MAC address are welcome to set it for their devices. Including using udev's MACAddressPolicy.

  • Release engineering:

Not needed for this change.

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

After the change, the MACAddressPolicy for bond/bridge/team device types will be set to none.


How To Test

Create a bridge/bond interface without setting the MAC address. Note that if MACAddressPolicy=none, the MAC address is random at first. Note that attaching the first port will update the controller's MAC address. On the other hand, with MACAddressPolicy=persistent, the MAC address of the controller is fixed and not inherited from the port.

User Experience

Bond/bridge/team devices would again get assigned the MAC address of the first NIC added to the device.

Dependencies

None.


Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?)

If the change is rejected, nothing needs to be done. The change itself will be simple to implement.

  • Contingency deadline: beta freeze
  • Blocks release? No


Documentation

TODO.

Release Notes