1

I am using the Puppet module windows_disable_ipv6 but it seems it's not really working.

# cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node my_instance.net {
        include windows_disable_ipv6
}

# cat /etc/puppetlabs/code/environments/production/hieradata/common.yaml
---
windows_disable_ipv6::ipv6_disable: true
windows_disable_ipv6::ipv6_reboot: true

# cat /etc/puppetlabs/puppet/hiera.yaml
---
:backends:
  - yaml
:hierarchy:
  - "nodes/%{::trusted.certname}"
  - common

:yaml:
Windows
  :datadir:

I checked the module's manifest. It changes the registry setting to '0xFFFFFFFF' if it has to disable IPv6.

When i run puppet agent -t on the agent, i do see that the key changes to above value and the system reboots but when i login again post-reboot, i see that the check-box for IPv6 is still enabled.

enter image description here

This link suggests using '0xff' instead of '0xFFFFFFFF'. I tried changing the value and then restarted the server as well but the issue still persists.

Any pointers?

Technext
  • 7,887
  • 9
  • 48
  • 76
  • If you have Puppet Enterprise, please follow up with support to get this prioritized and looked at in a more timely manner. Thanks! (EDIT: only suggested because there is a tag labelled 'puppet-enterprise' on this issue at the time of writing.) – ferventcoder Jan 07 '17 at 18:11

2 Answers2

3

The puppet modules disables IPv6 on the system which is validated through an ipconfig /all on the system. The checkbox simply handles the binding to the interface and doesn't actually disable IPv6 on the system.

Martez Reed
  • 46
  • 1
2

tl;dr - I wonder if you are running into https://tickets.puppetlabs.com/browse/MODULES-3195, although I think you would have seen errors instead of success. Perhaps something else is enforcing the setting, like SCCM/GPO.

Details

Looking at the module at https://github.com/martezr/puppet-windows_disable_ipv6/blob/master/manifests/init.pp#L45-L49: 

# Modify the IPv6 registry key
registry::value { 'ipv6':
  key   => 'HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters',
  value => 'DisabledComponents',
  type  => 'dword',
  data  => $ipv6_setting,
}

This looks fine for the most part.

Let's Try Some Debugging Steps

So you say this applies successfully, and when you check, it has applied the change. However AFTER a reboot, the setting is back like it was.

This suggests you have something else, like GPO (Group Policy) enforcing its own conflicting setting. Let's take Puppet out of the picture for a minute:

  • Turn off Puppet and make the startup type Manual (Windows + R, type services.msc, hit enter, find the Puppet Agent service and right click, Properties)
  • Head over to Network Connections and make the change to disable IPv6 manually. Close it.
  • Open the adapter properties again and check to be sure it is still disabled.
  • Reboot the system.
  • Inspect if the change is still persistent or if it has changed back.
  • Be sure to set the Puppet service startup type Automatic again (and turn it back on).

If the change doesn't last a reboot, it suggests something else is enforcing the setting. If the change lasts the reboot, it suggests that there is possibly something wrong in how Puppet is trying to apply the change.

It means more debugging to ensure that module is trying to change the right location and it applies to the Windows Server you are attempting to make the change to. It may take some more research to determine how you programmatically can disable IPv6 on Windows 2008 R2 to see if you need to adapt or replace the module that should do that.

ferventcoder
  • 11,952
  • 3
  • 57
  • 90
  • "...However AFTER a reboot, the setting is back like it was." - Just to clarify, the module changes the registry key as expected (and remains so after reboot as well) but after reboot, the check-box for IPv6 remains disabled. – Technext Jan 08 '17 at 10:13
  • I should have tried your debugging steps before posting. :( Anyways, the issue still persists. Official page for `windows_disable_ipv6` says it was tested with Puppet `v3` and Ruby `v2.0.0`. I have Puppet agent `4.8.1` and Ruby `2.1.9`. I think it should work fine on higher versions unless there's some breaking change in the newer releases of puppet and ruby, which seems unlikely. It seems either the keys ('0xff' or '0xFFFFFFFF') or the registry location is incorrect. I'm saying this because i tried changing the key manually and then restarted the box but the check-box remains enabled. – Technext Jan 08 '17 at 10:18
  • If you uncheck the box manually (not change the registry key) and reboot, does it persist? – ferventcoder Jan 08 '17 at 14:16
  • 1
    It's a good find to see that the registry key persists but doesn't make the change properly. That suggests the module may be incorrect in some way. – ferventcoder Jan 08 '17 at 14:32
  • Yes, if i uncheck the box (without changing the registry key) and reboot, the box remains unchecked and the registry key's value doesn't change either (irrespective of whatever value was there in the registry key before reboot). – Technext Jan 08 '17 at 17:42
  • One way to find the proper key is research on the web. Another way is procmon. Then check the box/uncheck the box and find the keys that it changes. – ferventcoder Jan 08 '17 at 20:12
  • Yes, i'll check both the web and the tool you've suggested. Will update if i find anything. Thanks. – Technext Jan 09 '17 at 07:05