How to suppress sysctl: reading key "net.ipv6.conf.all.stable_secret" in Linux


Tips and Tricks, How To, Linux

You may observe these additional warning/error messages on the screen with sysctl output on STDOUT sysctl: reading key "net.ipv6.conf.all.stable_secret".

The sysctl variable stable_secret contains the secret for the generation of stable interface identifiers (normally the lower 64 bit in IPv6 addresses) as defined in RFC 7217, "A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)."

 

Output Message:

[root@master ~]# sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.eth1.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0-nic.stable_secret"

The function of the stable_secret sysctl is described in the kernel's ip-sysctl.txt documentation:

stable_secret - IPv6 address
    This IPv6 address will be used as a secret to generate IPv6
    addresses for link-local addresses and autoconfigured
    ones. All addresses generated after setting this secret will
    be stable privacy ones by default. This can be changed via the
    addrgenmode ip-link. conf/default/stable_secret is used as the
    secret for the namespace, the interface specific ones can
    overwrite that. Writes to conf/all/stable_secret are refused.

    It is recommended to generate this secret during installation
    of a system and keep it stable after that.

    By default the stable secret is unset.

This IO error can be seen directly if one tries to read the procfs file:

# cat /proc/sys/net/ipv6/conf/all/stable_secret
cat: /proc/sys/net/ipv6/conf/all/stable_secret: Input/output error

This IPv6 address will be used as a secret to generate IPv6 addresses for link-local addresses and autoconfigured ones. All addresses generated after setting this secret will be stable privacy ones by default. This can be changed via the addrgenmode ip-link. conf/default/stable_secret is used as the secret for the namespace, the interface specific ones can overwrite that. Writes to conf/all/stable_secret are refused.

It is recommended to generate this secret during installation of a system and keep it stable after that.

By default the stable secret is unset.

[root@master ~]# sysctl -a | grep ipv6.*disable
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth1.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.virbr0.disable_ipv6 = 1
net.ipv6.conf.virbr0-nic.disable_ipv6 = 0

 

How to suppress sysctl: reading key "net.ipv6.conf.all.stable_secret" messages?

You can suppress the additional unwanted message or redirect it to /dev/null using the below command

[root@master ~]# sysctl -a --ignore 2>/dev/null | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

OR

# sysctl -a --ignore |& grep rp_filter

# sysctl -a --ignore 2>&1 | grep rp_filter

Here you can grep for any string. rp_filter is just used as an example.

if you are not using IPv6 in your environment then you can disable Ipv6 which will remove the IPv6 module from the system and these messages won't be a problem for you any more.

After you disable IPv6, verify the active GRUB2 configuration

[root@master ~]# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ipv6.disable=1

The same will reflect in your GRUB configuration file.

[root@master ~]# cat /etc/sysconfig/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet ipv6.disable=1"
GRUB_DISABLE_RECOVERY="true"

Next try to grep of any string in sysctl

[root@master ~]# sysctl -a | grep ipv6.*disable

As you see we have a clean output and the stable_secret key message is suppressed.

 

Lastly I hope the steps from the article to suppress sysctl: reading key "net.ipv6.conf.all.stable_secret" message in Linux was helpful. So, let me know your suggestions and feedback using the comment section.

 

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment