Skip to content

Split generate/configure stages for sd-generator compliance #552

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 43 commits into
base: main
Choose a base branch
from
Open

Split generate/configure stages for sd-generator compliance #552

wants to merge 43 commits into from

Conversation

slyon
Copy link
Collaborator

@slyon slyon commented Jun 26, 2025
edited
Loading

Description

Refactor Netplan's generate binary to be a proper systemd.generator, according to spec "FO165 – Netplan generator architecture".

New testing of a simulated systemd sandbox is implemented in tests/generator/test_sd-generator.py.

  • Logic that writes systemd unit files (e.g. .service units or override.conf drop-in configs) is now generated in src/gen-*.c and run during daemon-reload.
  • Writing of normal systemd-networkd/NetworkManager/wpa_supplicant/udev/Open vSwitch/SR-IOV config files remains in src/{networkd,nm,sriov,openvswitch}.c.
  • New tests added, utilizing a systemd-run sandbox (TestSystemdGenerator.test_sandbox), that make sure the usr/libexec/netplan/generate binary does not write files outside the allowed scope for a systemd-generator.
  • Adding a new --networkmanager-only parameter, to improve NM integration, by not touching any systemd[-networkd] files
  • Introducing new _netplan_state_get/set_flags() API (internal, for now) to do "validation-only" runs over our NetDef data

Checklist

  • Runs make check successfully.
  • Retains code coverage (make check-coverage).
  • New/changed keys in YAML format are documented.
  • (Optional) Adds example YAML for new feature.
  • (Optional) Closes an open bug in Launchpad. LP#2071747

This should also fix https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2083129 by not re-generating NM configuration on the fly. And https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2090848 by using the new /usr/libexec/netplan/configure --networkmanager-only flag.

@slyon slyon mentioned this pull request Jun 26, 2025
Open
5 tasks
@slyon slyon force-pushed the generator-split-sd-1997 branch 8 times, most recently from 8287a28 to 9105838 Compare July 7, 2025 14:34
@slyon slyon force-pushed the generator-split-sd-1997 branch 2 times, most recently from 15db9ad to 320629c Compare July 8, 2025 14:29
@slyon
Copy link
Collaborator Author

slyon commented Jul 10, 2025
edited
Loading

Packaging TODOs

  • re-generate config in .postinst using usr/libexec/netplan/configure binary as the (new) sd-generator does not touch any systemd-networkd configuration (or its permission).

    Setting up libnetplan1:amd64 (1.1.2-7+DEV) ...
Setting up python3-netplan (1.1.2-7+DEV) ...
Setting up netplan-generator (1.1.2-7+DEV) ...
Removing 'diversion of /lib/systemd/system-generators/netplan to /lib/systemd/system-generators/netplan.usr-is-merged by netplan-generator'
Bail out! ERROR:../src/gen-openvswitch.c:533:_netplan_state_finish_sd_ovs_write: assertion failed: (generator_dir != NULL)
WARNING: Netplan could not re-generate network configuration. Please run 'netplan generate' to see details.
Created symlink '/etc/systemd/system/sysinit.target.wants/netplan-configure.service' → '/usr/lib/systemd/system/netplan-configure.service'.
Setting up netplan.io (1.1.2-7+DEV) ...

  • Adopt NetworkManager capabilities, or avoid NM writing systemd-networkd configuration with root permissions, or rather call configure with the (new) --networkmanager-only parameter:

    /usr/libexec/netplan/configure --networkmanager-only

printf "[Unit]\nCapabilityBoundingSet=CAP_CHOWN\n" | systemctl edit --stdin NetworkManager.service 2>/dev/null

mkdir -p /etc/systemd/system/NetworkManager.service.d && echo "[Service]\nCapabilityBoundingSet=CAP_CHOWN\n" > /etc/systemd/system/NetworkManager.service.d/override.conf && systemctl daemon-reload

  • Install systemd-resolved for cloud-init & autostart DEP-8 tests

@slyon slyon force-pushed the generator-split-sd-1997 branch from 320629c to 4f36a61 Compare July 10, 2025 14:41
@slyon slyon force-pushed the generator-split-sd-1997 branch 5 times, most recently from b507c0d to d2bd8a8 Compare September 16, 2025 11:32
@slyon slyon force-pushed the generator-split-sd-1997 branch 4 times, most recently from 869fc6e to 1ee0b9f Compare September 29, 2025 15:58
@slyon slyon force-pushed the generator-split-sd-1997 branch 7 times, most recently from 42d4420 to 14a12f9 Compare October 8, 2025 12:05
@slyon slyon force-pushed the generator-split-sd-1997 branch from 14a12f9 to c1cd723 Compare October 9, 2025 10:58
slyon added 29 commits October 21, 2025 12:16
@slyon
test:generator:base+sd-generator: execute ./generate in sandbox and .…
aad136d 
…/configure

Run using:
LD_LIBRARY_PATH=_build/src NETPLAN_DBUS_CMD=_build/dbus/netplan-dbus NETPLAN_GENERATE_PATH=$(pwd)/_build/src/generate G_DEBUG=fatal_criticals PYTHONPATH=_build/python-cffi:. pytest -s -v tests/generator/test_sd-generator.py
@slyon
test:args: adopt to sd-generator
133a23f
@slyon
test:generator:auth: adopt for sd-generator
3aca05a
@slyon
test:generator:wifis: adopt to sd-generator
9460451
@slyon
configure: Cannot be called as a sd-generator
fe9bdd1
@slyon
configure: cli:generate: cleanup legacy --mapping option
7b679f5
@slyon
cli:apply: adopt for sd-generator by running the 'configure' stage
0ae387b
@slyon
CI: Install generator-configure stage
07037ea
@slyon
sd-generate: fail on missing generator_dir
34f6f7e
@slyon
CI: workaround NM integration CAP_CHOWN issue (LP: #2090848)
c249940
@slyon
doc: Update docs for sd-generator
537eb80
@slyon
tests:integration: adopt for sd-generator
4ae8913
@slyon
Add initial, basic netplan-configure.service
b69df83
@slyon
CI: install netplan-configure.service
815a816
@slyon
CI: adopt RPM spec for netplan-configure
9ccc5ee
@slyon
generate: allow to force errors in generator
b68b139
@slyon
CI:test:fuzzer: adopt for generate & configure stages
3996096
@slyon
generate: accept the /run/netplan/netplan-try.ready stamp
f071d89
@slyon
gen-networkd: wait-online in generator.late stage
9c69b70
@slyon
test:generator:args: netplan.stamp is no more
2c52680
@slyon
generate:configure: Synchronize late-stage validation between sd-gene…
c6c0309 
…rator and network-configurator

This is to make them fail under the same circumstances, e.g. do not generate
systemd units corresponding to network interfaces that we cannot write any
network configuration files for, due to some late-stage validation error.

Adding new (internal, for now)  _netplan_state_get/set_flags() API.

This is enabled by passing a new NETPLAN_STATE_VALIDATION_ONLY flag to
NetplanState, to skip writing out files.
- The sd-generator (./generate) should not write any network configuration, but still needs to run through its late-stage validations, to fail if the network-configuration would fail.
- The network-configuration should not write any systemd units, but still needs to run trhough its late-stage validations, in order to fail if the sd-generator would fail.

Future improvement:
Ideally, there should not be any late-stage validation inside file writing logic (e.g. [gen-]networkd.c, [gen-]openvswitch.c, ...), but all validation should already be done in the central validation.c stage. Unfortunately, such change is out of scope for this PR.
@slyon
tests: deterministic listdir() using a set()
7d9c721
@slyon
cli:try:generate: avoid calling 'daemon-reload' through NetworkManage…
c8238ad 
…r integration during 'netplan try'
@slyon
configure: allow to write only NM configs --networkmanager-only (LP: …
2685df2 
…#2090848)

This avoids conflicts with AppArmor confinement when re-generating the network
configuration from within NetworkManager.
@slyon
configure: Adopt start_unit_jit() logic for sd-genreator
8282085 
See original PR: canonical#162
@slyon
CI: fix cloud-init tests in Ubuntu autopkgtest by using a newer versi…
49fadd8 
…on of the test
@slyon
CI: avoid warning from netplan-generator.postinst
a4025f4
@slyon
CI: avoid re-building NetworkManager
1035ccd 
It introduces unrelated failures and wastes resources, as we're not currently
affected by an ABI breaking change.
@slyon
configure: drop JIT logic, which is not needed anymore with the sd-ge…
49cfdcd 
…nerator

This was originally implemented to generate & start systemd units just-in-time
during the boot transaction (canonical#162).

With the implementation of a proper systemd-generator, Netplan generates the
corresponding units in /run/system/generator* and automatically re-loads and
re-calculates dependencies during "daemon-reload". Therefore, we do not need
to inject them manually.

This is covered by the "cloud-init" autopkgtest.
@slyon slyon force-pushed the generator-split-sd-1997 branch from 6b93b00 to 49cfdcd Compare October 21, 2025 10:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@slyon