sysctl: reading key "net.ipv6.conf.all.stable_secret"

Date: 2020-02-23 14:40:33  Source: igfitidea

We may see these additional warning/error messages on the screen:
sysctl: reading key "net.ipv6.conf.all.stable_secret"

How do we hide these messages?

The sysctl variable "stable_secret" holds the secret used to generate stable interface identifiers (normally the low 64 bits of an IPv6 address), as defined in RFC 7217, "A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)".

Output:

[root@master ~]# sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.eth1.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0-nic.stable_secret"

The kernel's ip-sysctl.txt documentation describes the function of the stable_secret sysctl:

stable_secret - IPv6 address
    This IPv6 address will be used as a secret to generate IPv6
    addresses for link-local addresses and autoconfigured
    ones. All addresses generated after setting this secret will
    be stable privacy ones by default. This can be changed via the
    addrgenmode ip-link. conf/default/stable_secret is used as the
    secret for the namespace, the interface specific ones can
    overwrite that. Writes to conf/all/stable_secret are refused.
    It is recommended to generate this secret during installation
    of a system and keep it stable after that.
    By default the stable secret is unset.

If you try to read the procfs file directly, you see this I/O error:

# cat /proc/sys/net/ipv6/conf/all/stable_secret
cat: /proc/sys/net/ipv6/conf/all/stable_secret: Input/output error


[root@master ~]# sysctl -a | grep ipv6.*disable
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth1.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.virbr0.disable_ipv6 = 1
net.ipv6.conf.virbr0-nic.disable_ipv6 = 0

How to hide the sysctl: reading key "net.ipv6.conf.all.stable_secret" message?

We can hide these additional unwanted messages with the following command, redirecting them to /dev/null:

[root@master ~]# sysctl -a --ignore 2>/dev/null | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

Or:

# sysctl -a --ignore |& grep rp_filter
# sysctl -a --ignore 2>&1 | grep rp_filter

Here any string can be passed to grep; rp_filter is used only as an example.
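Redirecting stderr to /dev/null discards every sysctl error, including ones worth knowing about (a key that is unreadable because of a permission problem, for instance). The following added Python example (not from the original post) keeps the two streams apart instead: values from stdout are filtered with a regex, and the warnings from stderr become a dictionary of unreadable keys that the caller can inspect or log. The sample streams are constructed from the session above, and the warning-line regex assumes the `sysctl: <message> "<key>"` shape shown on this page.

```python
import re
import subprocess

# Constructed sample: the page's mixed output, split into the two streams
# sysctl actually writes (values to stdout, warnings to stderr).
SAMPLE_STDOUT = """\
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.virbr0.disable_ipv6 = 1
"""
SAMPLE_STDERR = """\
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
"""

# "key = value" lines; keys may contain '/' for interface names with dots.
KEY_LINE = re.compile(r"^(?P<key>[\w.\-/]+) = (?P<value>.*)$")
# Assumed warning shape: sysctl: <message> "<key>" (double or single quotes).
WARN_LINE = re.compile(r'^sysctl: (?P<msg>.*?) ["\'](?P<key>[^"\']+)["\']\s*$')


def split_sysctl_output(stdout: str, stderr: str, pattern: str):
    """Return (matching key/value pairs, unreadable keys -> message).
    Warnings are kept and structured rather than thrown away."""
    wanted = re.compile(pattern)
    values = {}
    for line in stdout.splitlines():
        m = KEY_LINE.match(line)
        if m and wanted.search(m.group("key")):
            values[m.group("key")] = m.group("value")
    unreadable = {}
    for line in stderr.splitlines():
        m = WARN_LINE.match(line)
        if m:
            unreadable[m.group("key")] = m.group("msg")
        elif line.strip():
            unreadable[line.strip()] = "unparsed"  # keep unknown messages too
    return values, unreadable


def query_sysctl(pattern: str):
    """Live variant: run sysctl -a with stdout and stderr captured separately
    (subprocess.run with capture_output=True), then split as above."""
    proc = subprocess.run(["sysctl", "-a"], capture_output=True, text=True)
    return split_sysctl_output(proc.stdout, proc.stderr, pattern)


if __name__ == "__main__":
    values, unreadable = split_sysctl_output(SAMPLE_STDOUT, SAMPLE_STDERR, r"rp_filter")
    for key, value in values.items():
        print(f"{key} = {value}")
    for key, msg in unreadable.items():
        print(f"unreadable ({msg}): {key}")
```

Note that, exactly as with the page's grep, the pattern `rp_filter` also matches `arp_filter` because the search is a substring match on the key; anchor the pattern (for example `\.rp_filter$`) if only the reverse-path filter keys are wanted.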

If IPv6 is not used in your environment, you can disable IPv6. This removes the IPv6 module from the system, and these messages are no longer a problem for us.

After disabling IPv6, verify the active GRUB2 configuration:

[root@master ~]# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ipv6.disable=1

The same is reflected in the GRUB configuration file:

[root@master ~]# cat /etc/sysconfig/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ipv6.disable=1"
GRUB_DISABLE_RECOVERY="true"

Next, try grepping for any string in the sysctl output:

[root@master ~]# sysctl -a | grep ipv6.*disable

As we can see, we have a clean output, and the stable_secret key messages have been hidden.
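As an added check (not part of the original post), the following Python compares the running kernel command line with the GRUB configuration file, so that a stale boot configuration (the file was edited but grub2-mkconfig was not rerun, or the reverse) shows up as drift rather than being discovered by a surprising sysctl listing later. The sample inputs are copied from the session above; the live variant reads the paths the page uses (`/proc/cmdline` and `/etc/sysconfig/grub`; other distributions keep the file at `/etc/default/grub`).

```python
import re

# Constructed samples copied from the session above.
SAMPLE_CMDLINE = ("BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/mapper/centos-root "
                  "ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap "
                  "rhgb quiet ipv6.disable=1\n")
SAMPLE_GRUB = """\
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ipv6.disable=1"
GRUB_DISABLE_RECOVERY="true"
"""


def kernel_params(cmdline: str) -> dict:
    """Parse 'key=value' and bare 'flag' tokens of a kernel command line;
    bare flags map to True."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else True
    return params


def grub_cmdline_linux(grub_conf: str) -> str:
    """Return the value of GRUB_CMDLINE_LINUX (quotes stripped), or '' if absent.
    GRUB_CMDLINE_LINUX_DEFAULT is deliberately not matched here."""
    for line in grub_conf.splitlines():
        m = re.match(r"^\s*GRUB_CMDLINE_LINUX=(.*)$", line)
        if m:
            value = m.group(1).strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            return value
    return ""


def ipv6_disable_status(cmdline: str, grub_conf: str) -> dict:
    """Compare the running kernel (cmdline) with the GRUB file; 'drift' means
    the two disagree about ipv6.disable=1."""
    running = kernel_params(cmdline).get("ipv6.disable") == "1"
    configured = kernel_params(grub_cmdline_linux(grub_conf)).get("ipv6.disable") == "1"
    return {"running": running, "configured": configured, "drift": running != configured}


if __name__ == "__main__":
    with open("/proc/cmdline") as f:
        live_cmdline = f.read()
    with open("/etc/sysconfig/grub") as f:  # page's path; /etc/default/grub elsewhere
        live_grub = f.read()
    status = ipv6_disable_status(live_cmdline, live_grub)
    print(status)
    if status["drift"]:
        print("GRUB file and running kernel disagree: regenerate grub.cfg and reboot")
```

The status dictionary is deliberately explicit about both sides: `configured` without `running` means the change has not taken effect yet, and `running` without `configured` means the parameter exists only in the generated grub.cfg and will vanish the next time it is regenerated.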