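#!/usr/bin/env bash
#
# Hand network-interface configuration on an EC2 node over to the Kubernetes CNI.
#
# Writes udev, systemd-networkd and systemd-resolved drop-ins that:
#   * neutralise the ec2-net-utils udev rule by shadowing it with a comment-only file,
#   * tag non-primary ENIs so networkd (and NetworkManager) leave them Unmanaged,
#   * mark CNI-created devices (cilium, calico, docker, cni*, cbr0, dummies, vti*) Unmanaged,
#   * stop networkd from removing routes / policy rules / next-hops it did not create,
#   * make systemd-networkd-wait-online succeed once any one interface is up,
#   * set the VPC resolver as fallback DNS and disable LLMNR, mDNS and DNSSEC,
# and then reloads udev, resolved and networkd.
#
# Requires: sudo, systemd (systemd-udevd, systemd-networkd, systemd-resolved).
# Usage:    run once during image build or node bootstrap. Restarting
#           systemd-networkd may briefly interrupt connectivity on the node.
set -euo pipefail

#######################################
# Write stdin to a root-owned file.
# Arguments: $1 - destination path
# Outputs:   one progress line on stderr (the file content is not echoed back)
# Returns:   non-zero if sudo/tee fails (aborts the script under set -e)
#######################################
install_file() {
  local dest=$1
  sudo tee -- "$dest" >/dev/null
  printf 'wrote %s\n' "$dest" >&2
}

#######################################
# udev: shadow the ec2-net-utils rule and tag non-primary ENIs.
# A file in /etc/udev/rules.d with the same name as one in /usr/lib/udev/rules.d
# takes precedence, so an empty 99-vpc-policy-routes.rules disables the package
# rule without uninstalling the package.
#######################################
write_udev_rules() {
  sudo mkdir -p /etc/udev/rules.d

  install_file /etc/udev/rules.d/99-vpc-policy-routes.rules <<'EOF'
# This file suppresses everything that ec2-net-utils does and in terms of interface configuration
# is functionally equivalent of removing it without actually removing the package.
# See: https://github.com/amazonlinux/amazon-ec2-net-utils/issues/100#issuecomment-1828371382
EOF

  # NOTE(review): the primary ENI is skipped by ifindex==2, i.e. this assumes lo is
  # ifindex 1 and the primary ENI is the second enumerated interface — confirm on the AMI in use.
  # Matching ENIs get AWS_CNI_MANAGED_ENI=1 (consumed by the .network file below),
  # ID_NET_MANAGED_BY for systemd and NM_UNMANAGED=1 for NetworkManager.
  install_file /etc/udev/rules.d/10-aws-cni-managed-eni.rules <<'EOF'
#ACTION!="add|change", GOTO="ci_eks_end"
SUBSYSTEM!="net", GOTO="ci_eks_end"
#ATTRS{ID_VENDOR}!="Amazon.com, Inc.", GOTO="ci_eks_end"

# Skip the primary ENI device
SUBSYSTEM=="net", ATTR{ifindex}=="2", GOTO="ci_eks_end"

# https://github.com/systemd/systemd/issues/28626
SUBSYSTEM=="net", ACTION!="remove", DRIVERS=="ena|efa|ixgbevf|vif", ENV{AWS_CNI_MANAGED_ENI}="1", ENV{ID_NET_MANAGED_BY}="aws.vpc.cni", ENV{NM_UNMANAGED}="1", GOTO="ci_eks_end"

GOTO="ci_eks_end"
LABEL="ci_eks_end"
EOF
}

#######################################
# systemd-networkd: leave ENIs and CNI-created devices alone.
#######################################
write_networkd_config() {
  sudo mkdir -p /etc/systemd/network
  sudo mkdir -p /etc/systemd/networkd.conf.d

  # Depends on the udev rule above to prevent systemd-networkd from managing non-primary ENI devices.
  install_file /etc/systemd/network/10-aws-cni-managed-eni.network <<'EOF'
[Match]
Property=AWS_CNI_MANAGED_ENI=1

[Link]
Unmanaged=yes
EOF

  # Prevent systemd-networkd from handling the MACAddresses of veth devices.
  install_file /etc/systemd/network/50-veth.link <<'EOF'
[Match]
Driver=veth

[Link]
MACAddressPolicy=none
EOF

  install_file /etc/systemd/network/98-virtio.link <<'EOF'
# Use the kernel ifnames like eth0 for virtio network interfaces but
# set predictable ifnames as alternative names i.e. 'ip a' and
# also allowed in "Match=" systemd-networkd statements.
[Match]
Driver=virtio_net

[Link]
NamePolicy=kernel database onboard
AlternativeNamesPolicy=database onboard slot path
MACAddressPolicy=persistent
EOF

  # Exclude cilium devices from configuration via systemd-networkd.
  install_file /etc/systemd/network/20-cilium.network <<'EOF'
[Match]
Name=cilium*

[Link]
Unmanaged=yes
EOF

  # Exclude calico devices from configuration via systemd-networkd.
  install_file /etc/systemd/network/20-calico.network <<'EOF'
[Match]
Name=vxlan.calico tunl0 cali*

[Link]
Unmanaged=yes
EOF

  # Exclude docker devices from configuration via systemd-networkd.
  install_file /etc/systemd/network/20-docker.network <<'EOF'
[Match]
Name=docker* br-* veth*

[Link]
Unmanaged=yes
EOF

  # Exclude kubernetes CNI devices from configuration via systemd-networkd.
  install_file /etc/systemd/network/50-cni.network <<'EOF'
[Match]
Name=cni*

[Link]
Unmanaged=yes
EOF

  # Exclude kubernetes CNI bridge devices from configuration via systemd-networkd.
  install_file /etc/systemd/network/kubenet.network <<'EOF'
[Match]
Name=cbr0

[Link]
Unmanaged=yes
EOF

  # Exclude Kubernetes local node dns dummy interfaces from configuration via systemd-networkd.
  # See: https://github.com/kubernetes/dns/blob/da9249d88ca22ecdf09e25c98f3c0c572a85d34b/cmd/node-cache/main.go#L83
  install_file /etc/systemd/network/kubedns.network <<'EOF'
[Match]
Name=nodelocaldns
Driver=dummy

[Link]
Unmanaged=yes
EOF

  # Exclude Kubernetes proxy dummy interfaces from configuration via systemd-networkd.
  # See: https://github.com/kubernetes/kubernetes/blob/cd5ab497413faacae4e712b487c63c8b45c292f5/pkg/proxy/ipvs/proxier.go#L91
  install_file /etc/systemd/network/kubeproxy.network <<'EOF'
[Match]
Name=kube-ipvs0
Driver=dummy

[Link]
Unmanaged=yes
EOF

  # Exclude IPSEC vti devices from configuration via systemd-networkd.
  install_file /etc/systemd/network/ipsec-vti.network <<'EOF'
[Match]
Name=vti*

[Link]
Unmanaged=yes
EOF

  # Prevent clobbering of any IP routes or rules added by CNI.
  # (quoted delimiter: the content has no shell expansions and must be written literally)
  install_file /etc/systemd/networkd.conf.d/10-disable-route-mgmt.conf <<'EOF'
[Network]
ManageForeignRoutes=no
ManageForeignRoutingPolicyRules=no
ManageForeignNextHops=no
EOF

  # For systems with multiple network interfaces that are not expected to be
  # connected all the time (e.g. dual-port NIC card, but only one cable plugged
  # in, etc), starting systemd-networkd-wait-online.service will fail after the
  # default timeout of 2 minutes. This may cause an unwanted delay in the startup
  # process. To change the behaviour to wait for any interface rather than all
  # interfaces to become online.
  # See: https://wiki.archlinux.org/title/Systemd-networkd#Multiple_interfaces_that_are_not_connected_all_the_time
  sudo mkdir -p /etc/systemd/system/systemd-networkd-wait-online.service.d
  install_file /etc/systemd/system/systemd-networkd-wait-online.service.d/wait-for-only-one-interface.conf <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --any
EOF
}

#######################################
# systemd-resolved: VPC resolver as fallback, link-local resolution off.
# Disabling LLMNR and mDNS removes two unauthenticated link-local name
# resolution protocols from the node's attack surface.
# NOTE(review): DNSSEC validation is disabled; this is a deliberate trade-off
# against the VPC resolver — confirm it matches the cluster's DNS policy.
#######################################
write_resolved_config() {
  sudo mkdir -p /etc/systemd/resolved.conf.d

  # File name kept as-is ("falllback", sic) so existing references keep matching;
  # resolved reads every *.conf in the directory, so the name does not affect behavior.
  install_file /etc/systemd/resolved.conf.d/10-falllback-dns.conf <<'EOF'
[Resolve]
FallbackDNS=169.254.169.253
EOF

  install_file /etc/systemd/resolved.conf.d/10-disable-llmnr.conf <<'EOF'
[Resolve]
LLMNR=false
EOF

  install_file /etc/systemd/resolved.conf.d/10-disable-mdns.conf <<'EOF'
[Resolve]
MulticastDNS=no
EOF

  install_file /etc/systemd/resolved.conf.d/10-disable-dnssec.conf <<'EOF'
[Resolve]
DNSSEC=false
EOF
}

#######################################
# Reload udev rules, re-trigger net devices, restart resolved and networkd.
# Each step is fatal under set -e so a half-applied state is not reported as success.
#######################################
apply_config() {
  sudo systemctl daemon-reload
  sudo systemctl restart systemd-udevd
  sudo udevadm control --reload-rules
  sudo udevadm trigger --attr-match=subsystem=net
  sudo systemctl restart systemd-resolved
  sudo systemctl restart systemd-networkd
}

#######################################
# Print udev properties of every network device except lo, then networkctl's
# summary, so the AWS_CNI_MANAGED_ENI tag and Unmanaged state can be checked.
# (Generalised from a fixed ens32/ens33 pair, which need not exist on every node.)
#######################################
verify_config() {
  local dev name
  for dev in /sys/class/net/*; do
    [[ -e "$dev" ]] || continue
    name=${dev##*/}
    [[ "$name" == lo ]] && continue
    udevadm info -q property -p "/class/net/${name}"
  done
  networkctl
}

main() {
  command -v sudo >/dev/null || { printf 'sudo is required\n' >&2; exit 1; }
  write_udev_rules
  write_networkd_config
  write_resolved_config
  apply_config
  verify_config
}

main "$@"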