Rocky 9.2 Disabling IPV6

Hello forum,

We are trying to move our infra from CentOS7 to Rocky 9. I have an issue with our VPS (Hosted in Contabo) with ipv6.

The VPS are ordered only with ipv4 but after installing Rocky 9 (qcow2 image), even when ipv6 is disabled with grubby, I see a lot of errors in /var/log/messages like:

no IPv6 link local address to retry after Duplicate Address Detection failures (back off)
failure to add IPv6 route: type unicast fe80::1/128 dev 2 metric 100 mss 0 rt-src user: Permission denied
platform-linux: do-add-ip6-address[2: fe80::250:56ff:fe44:d4ee]: failure 13 (Permission denied)

On grubby I have this as latest entry: args="ro console=ttyS0,115200n8 no_timer_check net.ifnames=0 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M ipv6.disable=1"

The only way to disable it is to use nmtui, first remove the address from ipv6 field (I don’t get why it has an address since the provider is only IPV4 for these VPS) and then disable the IPv6 field. After that the logs are clear again.

How can I achieve this otherwise, as I run a script for unattended setup?

“Afterwards”:

nmcli con mod "$CONNAME" ipv6.method disabled ipv6.addresses ""

I don’t disable on ‘lo’.


I’ve done interactive install, where I did disable IPv6.
The installer stores the choices made in: /root/anaconda-ks.cfg
Kickstart thus could have something like:

network  --bootproto=dhcp --device=eth0 --noipv6 --activate

If install is a VM and hypervisor calls cloud-init, then it probably can take customization for cloud-init config.

I checked more with cloud-init config and disabled the ipv6 DHCP, on nmtui the ipv6 seems ignored and with ip a I get no inet6 after the first reboot, and the logs are clear! Thanks!

You can check network config at various levels:

nmcli
nmcli con show
nmcli con show "$CONNAME"
nmcli -f ipv6 con show "$CONNAME"
nmcli -f ipv6.method con show "$CONNAME"

Earlier NetworkManager did support ‘auto’, ‘manual’, and ‘ignore’ for ipv6.method,
but the one in Rocky 9 has also the ‘disabled’ option.
The apparent difference is that ‘ignore’ does add link-local fe80::* address, but disabled does not.

A different question is whether/how front-ends, like cloud-init or Ansible role, do support that, i.e. can they pass the ‘disabled’ to the NetworkManager?
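Added example, not part of any post in the thread: one way to script the nmcli change discussed above for an unattended setup, skipping the loopback profile and then checking `ip -o -6 addr` for leftover addresses. The function names, the `--apply` switch and the sample UUIDs are hypothetical; the sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example: set ipv6.method=disabled on every non-loopback NM profile.
# Profiles are addressed by UUID, so names with spaces ("System eth0") are safe.

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONS='11111111-1111-4111-8111-111111111111:802-3-ethernet
22222222-2222-4222-8222-222222222222:loopback'
SAMPLE_ADDR='1: lo    inet6 ::1/128 scope host
2: eth0    inet6 fe80::250:56ff:fe44:d4ee/64 scope link'

# stdin: `nmcli -t -f UUID,TYPE con show` output; stdout: UUIDs to change.
target_uuids() { awk -F: '$2 != "loopback" { print $1 }'; }

# Print the command one profile needs, or nothing if it is already disabled.
plan_for() {  # $1 = UUID, $2 = current ipv6.method
  [ "$2" = disabled ] && return 0
  printf 'nmcli con mod %s ipv6.method disabled ipv6.addresses ""\n' "$1"
}

# stdin: `ip -o -6 addr show` output; stdout: "<dev> <addr>" left outside lo.
# A profile on 'ignore' instead of 'disabled' shows up here with fe80::.
leftover_inet6() { awk '$2 != "lo" && $3 == "inet6" { print $2, $4 }'; }

# Live run (needs root and NetworkManager): modify, re-activate, verify.
disable_ipv6_everywhere() {
  for uuid in $(nmcli -t -f UUID,TYPE con show | target_uuids); do
    method=$(nmcli -g ipv6.method con show "$uuid")
    [ -n "$(plan_for "$uuid" "$method")" ] || continue
    nmcli con mod "$uuid" ipv6.method disabled ipv6.addresses ""
  done
  for uuid in $(nmcli -t -f UUID,TYPE con show --active | target_uuids); do
    nmcli con up "$uuid"
  done
  [ -z "$(ip -o -6 addr show | leftover_inet6)" ]
}

if [ "${1:-}" = --apply ]; then
  disable_ipv6_everywhere
else
  # Dry run on the constructed samples: planned change, then leftover address.
  for uuid in $(printf '%s\n' "$SAMPLE_CONS" | target_uuids); do
    plan_for "$uuid" auto
  done
  printf '%s\n' "$SAMPLE_ADDR" | leftover_inet6
fi
```

Run without arguments it only prints the plan for the constructed samples; with `--apply` the exit status is non-zero if any non-loopback interface still carries an inet6 address.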

I’ll check that and see if I can find something accordingly. My issue now is that sometimes during the first boot it cannot resolve some url, maybe it has something to do with the way cloud-config sets the values of DNS servers.

I would strongly recommend against disabling the IPv6 Kernel module. If you must disable IPv6 (and I would be very sure that you do), then you can disable it in userspace with nmcli as @jlehtone shows.

I agree, the thing is that I can’t disable it with nmcli because it already has values from cloud-init (IP Address, gateway etc). So only cloud init configuration to disable ipv6 dhcp, but I have an issue with resolving the URL during startup (Probably until it sets the IP values and DNS).

The question is who needs an IP for a name? Is there a service that starts before network is up (even though it requires network)? A solution to that is to augment that service to start later (with systemd thingies).

Does cloud-init reset network config on every boot, or did it merely create definition for connection on first time, when there was none? If the latter, then the config can be modified. If the former, then you have to fix the cloud-init config that is in the machine.

CIS recommendation for disabling ipv6 is as follows:

Update grub parameters

grubby --update-kernel ALL --args 'ipv6.disable=1'

or

printf '
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
' >> /etc/sysctl.d/60-disable_ipv6.conf

** NOTE grubby is wonky for me at times so I throw in a grub2-mkconfig -o /boot/grub2/grub.cfg after the grubby command.

I have done the grubby thing, but it still shows the Permission denied afterwards. The only working solution so far is to disable the ipv6 DHCP via cloud init config, but this creates an issue as mentioned earlier during startup when a firstboot script runs at first startup. (DNS is not set yet or it is not set up properly at the beginning of the script.)

I finally found something and it seems to be working: I remove everything from /etc/sysconfig/network-scripts/ifcfg-eth0 which contains ipv6 in it and restart the network manager.

I see that after a reboot for some minutes it shows with ip a that it has an ipv6 but after that (Probably because of a tun interface reconnection) it disappears and I get no messages from it in the logs.

I have used this ansible snippet. The question you are asking, has been already asked here: Why does NetworkManager report IPv6 related warnings when IPv6 is disabled in the kernel? - Red Hat Customer Portal

- name: Get ethernet interface names to be used later for disabling ipv6
  # Terse NAME:TYPE output keeps connection names that contain spaces (e.g. "System eth0") intact
  shell: "set -o pipefail && nmcli -t -f NAME,TYPE connection show | awk -F: '$2 == \"802-3-ethernet\" {print $1}'"
  changed_when: false
  register: ethernet_interface_name

- name: Disable IPv6 in Network Manager for the main ethernet device
  community.general.nmcli:
    type: ethernet
    conn_name: "{{ item }}"
    method6: disabled
    state: present
  notify:
    - Restart network
    - Restart NetworkManager
  with_items: "{{ ethernet_interface_name.stdout_lines }}"
