You may observe these additional warning/error messages on the screen with sysctl output on STDOUT sysctl: reading key "net.ipv6.conf.all.stable_secret".
The sysctl variable stable_secret
contains the secret for the generation of stable interface identifiers (normally the lower 64 bit in IPv6 addresses) as defined in RFC 7217, "A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)."
Output Message:
[root@master ~]# sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.eth1.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0-nic.stable_secret"
The function of the stable_secret
sysctl is described in the kernel's ip-sysctl.txt documentation:
stable_secret - IPv6 address
This IPv6 address will be used as a secret to generate IPv6
addresses for link-local addresses and autoconfigured
ones. All addresses generated after setting this secret will
be stable privacy ones by default. This can be changed via the
addrgenmode ip-link. conf/default/stable_secret is used as the
secret for the namespace, the interface specific ones can
overwrite that. Writes to conf/all/stable_secret are refused.
It is recommended to generate this secret during installation
of a system and keep it stable after that.
By default the stable secret is unset.
This IO error can be seen directly if one tries to read the procfs
file:
# cat /proc/sys/net/ipv6/conf/all/stable_secret cat: /proc/sys/net/ipv6/conf/all/stable_secret: Input/output error
This IPv6 address will be used as a secret to generate IPv6 addresses for link-local addresses and autoconfigured ones. All addresses generated after setting this secret will be stable privacy ones by default. This can be changed via the addrgenmode ip-link. conf/default/stable_secret
is used as the secret for the namespace, the interface specific ones can overwrite that. Writes to conf/all/stable_secret are refused.
It is recommended to generate this secret during installation of a system and keep it stable after that.
By default the stable secret is unset.
[root@master ~]# sysctl -a | grep ipv6.*disable
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth1.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.virbr0.disable_ipv6 = 1
net.ipv6.conf.virbr0-nic.disable_ipv6 = 0
How to suppress sysctl: reading key "net.ipv6.conf.all.stable_secret" messages?
You can suppress the additional unwanted message or redirect it to /dev/null
using the below command
[root@master ~]# sysctl -a --ignore 2>/dev/null | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
OR
# sysctl -a --ignore |& grep rp_filter # sysctl -a --ignore 2>&1 | grep rp_filter
Here you can grep for any string. rp_filter
is just used as an example.
if you are not using IPv6 in your environment then you can disable Ipv6 which will remove the IPv6 module from the system and these messages won't be a problem for you any more.
After you disable IPv6, verify the active GRUB2 configuration
[root@master ~]# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ipv6.disable=1
The same will reflect in your GRUB configuration file.
[root@master ~]# cat /etc/sysconfig/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ipv6.disable=1"
GRUB_DISABLE_RECOVERY="true"
Next try to grep of any string in sysctl
[root@master ~]# sysctl -a | grep ipv6.*disable
As you see we have a clean output and the stable_secret
key message is suppressed.
Lastly I hope the steps from the article to suppress sysctl: reading key "net.ipv6.conf.all.stable_secret"
message in Linux was helpful. So, let me know your suggestions and feedback using the comment section.