Posted

Armbian uses Netplan by default to manage network settings. But when it uses NetworkManager as the renderer, it silently changes iptables rules—without asking, without telling.

 

*Neither Netplan nor NetworkManager is supposed to manage firewall settings.*

 

But they do it anyway, behind the scenes. That kind of behavior—making security changes without user consent—feels a lot like what malware does.
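One way to check a claim like the one above on your own board, as an added example that is not part of the original post: save `iptables-save -c` output before and after the network renderer starts, then compare the two snapshots while ignoring the packet counters. The function names and both sample snapshots are constructed for illustration and do not show what NetworkManager or Netplan actually adds.

```python
import re
# Constructed snapshots in `iptables-save -c` format; they are NOT a record of
# what NetworkManager or Netplan adds. Capture real ones before and after.
BEFORE = """*filter
:INPUT DROP [10:800]
:FORWARD DROP [0:0]
[5:300] -A INPUT -i lo -j ACCEPT
COMMIT
"""
AFTER = """*filter
:INPUT DROP [31:2480]
:FORWARD ACCEPT [0:0]
:EXAMPLE-CHAIN - [0:0]
[9:540] -A INPUT -i lo -j ACCEPT
[0:0] -A FORWARD -j EXAMPLE-CHAIN
COMMIT
"""
COUNTER = re.compile(r"^\[\d+:\d+\]\s*")  # packet/byte counters change constantly

def parse(snapshot):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for line in map(str.strip, snapshot.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):  # table header, e.g. *filter
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):  # chain declaration: name, policy, counters
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        else:  # rule line; drop the leading counters
            current["rules"].append(COUNTER.sub("", line))
    return tables

def diff(before, after):
    """List changes between two snapshots, ignoring counters and rule order."""
    old, new, changes = parse(before), parse(after), []
    empty = {"policies": {}, "rules": []}
    for table in sorted(set(old) | set(new)):
        o, n = old.get(table, empty), new.get(table, empty)
        for chain in sorted(set(o["policies"]) | set(n["policies"])):
            a, b = o["policies"].get(chain), n["policies"].get(chain)
            if a != b:
                changes.append(f"{table}: chain {chain}: {a or 'absent'} -> {b or 'absent'}")
        changes += [f"{table}: + {r}" for r in n["rules"] if r not in o["rules"]]
        changes += [f"{table}: - {r}" for r in o["rules"] if r not in n["rules"]]
    return changes
if __name__ == "__main__":
    print("\n".join(diff(BEFORE, AFTER)) or "no rule changes")
```

A changed default policy or a new chain shows up alongside added and removed rules, so an empty result means the ruleset is unchanged apart from counters and ordering.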

Posted (edited)

When I got my ROCK3A around 2024-12-01 I thought it was a good idea to use the newest Linux userspace, so I started with the Armbian Ubuntu minimal image. Just getting to know the board HW, with only SD-card and serial console and RJ45, that was fine, but soon the problems started. I managed to install NetworkManager and disable networkd, so I could copy a rather complex set of NM files from my other SBC, a NanoPi-R6C that is using bridges, VLANs and libvirt KVM. It was the same as I did earlier, copying those same *.nmconnection files from a RaspberryPi4 (PiOS bullseye/bookworm). I essentially just changed a cloned-mac address entry in 1 .nmconnection file initially so my router assigns the correct IP address (just an initial setting); I changed that later.

 

 

Long story short, it turns out that you need netplan.io and that generates .nmconnection files in /etc/NetworkManager/system-connections/, at least that was my conclusion after doing tricks with apt, maybe it is different, I did not want to waste time on it anymore.

 

Same .nmconnection files (same content) are somewhere in /var or so, I forgot where and those seem to be generated from netplan yaml files. I once constructed yaml files to get 64-bit Ubuntu server image running on RPi4 when RPL only had 32-bit ARMv6 raspbian, but already then I thought never again that netplan stuff. I already removed all snapd stuff myself.

 

So after wasting way too much time I just created a clone image on an SD-card from a Btrfs snapshot of my running NanoPi-R6C, copied some U-Boot and kernel and DTB files then done. Could start even VMs on dedicated VLANs etc. That by the way is also an issue with Ubuntu, they keep certain files needed for running KVM different from Bookworm, so VMs did not start, I needed to look at Ubuntu fora to figure out what the issue was. I forgot what as I wiped it all.

 

So my opinion is more or less that Canonical has some vendor lock-ins here and there and/or 'cookies' to keep you staying with them (Ubuntu). Not internet-browser cookies, but goodies, like adding BSD code to Linux (ZFS). As the world of SBCs is almost exclusively about pre-installed images, with most people not able to boot an iso CD-ROM and install Linux themselves, it is easy getting into people's homes. For me, netplan is like hidden malware as I am unable to just install NetworkManager without also getting netplan and then needing to know/learn 3 network config scripting things. openSUSE Tumbleweed also has its own network managing tool (wicked), but at least that can be ignored if you want NetworkManager (dedicated switch in YaST). Same for Debian, although with manual apt packages and services actions.

 

And then there is the nmtui tool that works via serial console, so for me a key feature to configure networking initially in a good interactive way. It is much easier than reading yaml docs or nmcli command options docs. So the lesson learned is that I avoid Armbian Ubuntu, also Armbian Bookworm minimal. Only downloadable Armbian Bookworm images where NM is default I would maybe use, else I just clone 1 of my own installations.

For own image generation with Armbian build, there is an option to use NM, so I noted that somewhere. The pity is that the recommended/supported build host environment is Ubuntu. I did most builds on Armbian Bookworm lately, which works fine. But last time I started it on Trixie it failed. Will try again sometime soon.

Edited by eselarm
