Improve NetworkManager's device management/ignore logic, using udev matching rules (LP: #1951653)

[slyon]

Description

By default, systemd-networkd controls only interfaces that it has explicitly been configured for (via a sd-networkd .network file); it considers other interfaces as "unmanaged" and ignores them. NetworkManager OTOH tries to claim control of any interface that is UP, which might lead to conflicts if multiple networking daemons are used at the same time.

NetworkManager has different ways to control/avoid this behavior:

• NM_UNMANAGED=1 udev environment, the weakest condition
• NetworkManager.conf [keyfile].unmanaged-devices= setting (affected by some unexpected behavior: LP#1615044)
• NetworkManager.conf [device].managed= setting, the strongest condition, overruling all other settings, created a runtime in /run/NetworkManager/devices/*

The stronger rules via NetworkManager.conf are unfortunately a bit limited in their matching logic, as multiple checks can only be ORed (e.g. we cannot check for: interface-name=wl* AND driver=(virt* OR iwlwifi)). udev OTOH has a very powerful matching logic (but unfortunately cannot match on the interface type: ethernet/wifi/bridge/...).

So we're reimplementing/refactoring the flawed NetworkManager "unmanaged vs managed" logic in netplan, by having an explicit allow-list of interfaces that NM is supposed to control (as some udev rules shipped system-wide would otherwise disable certain interfaces in containers and other special conditions, even if configured via netplan, c.f. /lib/udev/rules.d/85-nm-unmanaged.rules) in addition to an explicit deny-list of interfaces to ignore (e.g. because they are to be managed by sd-networkd) as udev rules in /run/udev/rules.d/90-netplan.rules and keeping the special-case of matching a whole class/type of interfaces (e.g. ethernets/wifis/bridges/...) in /run/NetworkManager/conf.d/netplan.conf as a NetworkManager.conf [device*].managed= rule.
Furthermore, we're applying this matching logic whenever ANY interface (in netplan YAML) is supposed to be controlled by NetworkManager (that is in contrast to only applying it when NetworkManager is selected as the global renderer).

It is worth mentioning that this "managed vs unmanaged" matching logic is slightly different from netplan's usual matching logic (e.g. for configuring the interfaces), as we might ignore an interface based on it's old AND new/renamed interface name, or it's old and new/changed MAC address, while we cannot do this for the normal netplan matching.

Commits:

• generate: ignore 10-globally-managed-devices.conf if any NM config is given in netplan
• cli: re-apply udev rules (NM_UNMANAGED) if needed
  • Also, make sure we clear any runtime state that NetworkManager left in /run/NetworkManager/devices/* as this could overwrite our udev rules.
• nm: extend type_str() to return passthrough types
• nm: tests: improve NM manage/ignore logic, using udev matching rules
• tests:base: cleanup udev quirks
  • We have an explicit NM-managed-devices allow-list, now. So we don't need those quirks anymore.

Checklist

• Runs make check successfully.
• Retains 100% code coverage (make check-coverage).
• New/changed keys in YAML format are documented.
• (Optional) Adds example YAML for new feature.
• (Optional) Closes an open bug in Launchpad. LP#1951653

[codecov-commenter]

Codecov Report

Merging #276 (c03d383) into main (dab082f) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main     #276   +/-   ##
=======================================
  Coverage   99.07%   99.08%           
=======================================
  Files          61       61           
  Lines       11194    11226   +32     
=======================================
+ Hits        11091    11123   +32     
  Misses        103      103           

Impacted Files	Coverage Δ
netplan/cli/commands/apply.py	100.00% <ø> (ø)
tests/generator/test_passthrough.py	100.00% <ø> (ø)
src/generate.c	100.00% <100.00%> (ø)
src/nm.c	100.00% <100.00%> (ø)
tests/generator/base.py	100.00% <100.00%> (ø)
tests/generator/test_auth.py	100.00% <100.00%> (ø)
tests/generator/test_bonds.py	100.00% <100.00%> (ø)
tests/generator/test_bridges.py	100.00% <100.00%> (ø)
tests/generator/test_common.py	100.00% <100.00%> (ø)
tests/generator/test_ethernets.py	100.00% <100.00%> (ø)
... and 3 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dab082f...c03d383. Read the comment docs.

[schopin-pro]

LGTM!
Only one small optional stylistic nitpick, feel free to merge if you disagree!

Small question though, where does that last commit come from? Has this bug surfaced due to the NM changes?

[schopin-pro]

praise: great work on the whole function body, very readable and well commented despite the complex logic!

[schopin-pro]

nitpick (non-blocking): this block could perhaps have been split off into its own function to make it a bit more bitesize ?

[slyon]

Ugh.. I was a bit quick with merging and didn't remember this suggestion. It makes sense to encapsulate this into its own function. I will probably work on this in a follow-up commit.

[Conan-Kudo]

@thom311 is this reasonable?

[thom311]

@thom311 is this reasonable?

yes. lgtm.

I am surprised that netplan aims to support a mixed system with networkd and NetworkManager. But sure.

[slyon]

yes. lgtm.

Thank you for your feedback @thom311! merging.

I am surprised that netplan aims to support a mixed system with networkd and NetworkManager. But sure.

Yes. A combined setup can lead to funny situations, but we try our best to make it work.

[slyon]

Small question though, where does that last commit come from? Has this bug surfaced due to the NM changes?

Yes. That bug surfaced after I implemented the NM changes, seems to be a timing issue that only happened (sometimes) inside our CI. I was not able to reproduce it locally on my machine.