
dd: clear machine-id and disable MAC derivation to prevent connectivity loss #562

Open
kelryry wants to merge 3 commits into bin456789:main from kelryry:fix-dd-machine-id

@kelryry kelryry commented Feb 22, 2026

Problem

systemd's default MACAddressPolicy=persistent derives a stable MAC address from machine-id + interface name, overriding the hardware MAC. A DD image carries the source machine's machine-id, causing the target NIC MAC to change.

Impact

  • VPS providers using ebtables/MAC binding will lose connectivity after DD because the MAC address changed

  • Even without MAC binding, a wrong machine-id causes incorrect DHCPv6 DUID and IPv6 SLAAC addresses

Fix

  1. After the DD Linux image is written, mount the partition and clear machine-id (set it to uninitialized) so that systemd regenerates it on first boot
  2. Create 99-default.link with MACAddressPolicy=none to stop systemd from deriving a MAC address
  3. Do the same after the Debian preseed installation completes

Changed files

  • trans.sh: clear machine-id and create 99-default.link in the modify_os_on_disk stage for DD images
  • debian.cfg: do the same in the preseed late_command stage

…ty loss

systemd's default MACAddressPolicy=persistent derives a stable MAC from
machine-id + interface name. DD images carry the source machine's
machine-id, causing the target NIC MAC to change. This breaks VPS
providers using ebtables/MAC binding and causes incorrect DHCPv6 DUID
and IPv6 SLAAC addresses.

Fix:
1. Clear machine-id (set to "uninitialized") so systemd regenerates on first boot
2. Create 99-default.link with MACAddressPolicy=none to keep hardware MAC

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
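
The two steps in the commit message above, as an added shell example that is not the PR's own code, applied to an image root mounted at a given path. The function names, the systemd-detection heuristic and the NamePolicy line (copied from systemd's shipped 99-default.link) are assumptions; the paths and values are the ones named in this PR.

```sh
#!/bin/sh
# Added example, not the PR's code. Operates on an image root mounted at $1.

is_systemd_root() {
    # Assumption: a systemd-based image ships the systemd binary at one of these.
    [ -e "$1/usr/lib/systemd/systemd" ] || [ -e "$1/lib/systemd/systemd" ]
}

reset_machine_id() {
    root=$1
    # An empty or "/" root would hit the live OS; refuse it.
    case "$root" in
        '' | /) echo "refusing root '$root'" >&2; return 2 ;;
    esac
    # Leave images without systemd (for example BSD) untouched.
    is_systemd_root "$root" || return 1

    # Step 1: "uninitialized" makes systemd generate a fresh ID on first boot.
    echo uninitialized >"$root/etc/machine-id"
    rm -f "$root/var/lib/systemd/random-seed"

    # Step 2: a same-named file in /etc replaces the shipped 99-default.link
    # entirely, so NamePolicy is restated (assumed copy of systemd's default).
    mkdir -p "$root/etc/systemd/network"
    cat >"$root/etc/systemd/network/99-default.link" <<'EOF'
[Match]
OriginalName=*

[Link]
NamePolicy=keep kernel database onboard slot path
MACAddressPolicy=none
EOF
}

# Demo on a constructed throwaway tree standing in for a mounted image.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/usr/lib/systemd" "$demo/var/lib/systemd"
: >"$demo/usr/lib/systemd/systemd"
echo 0123456789abcdef0123456789abcdef >"$demo/etc/machine-id"
: >"$demo/var/lib/systemd/random-seed"
reset_machine_id "$demo" && cat "$demo/etc/machine-id"
rm -rf "$demo"
```

The function returns 1 without writing anything when the root does not look like a systemd system, and 2 when the root path is empty or `/`.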
@gemini-code-assist

Summary of Changes

Hello @kelryry, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves critical network connectivity issues that arise when using DD images or Debian preseed installations. The problem stems from systemd's default behavior of deriving MAC addresses based on a machine-id, which, when copied from a source machine, can lead to MAC address conflicts and network instability on target systems. The solution involves ensuring that each new system generates a unique machine-id and explicitly disables systemd's MAC address derivation, thereby maintaining hardware MAC integrity and preventing service disruptions.

Highlights

  • Machine ID Clearing: The machine-id is now cleared (set to 'uninitialized') during both DD image processing and Debian preseed installations, ensuring systemd regenerates a unique ID on first boot.
  • MAC Address Derivation Disabled: A 99-default.link file is created in /etc/systemd/network with MACAddressPolicy=none to prevent systemd from deriving MAC addresses, thus preserving the hardware's original MAC.
  • Connectivity Loss Prevention: These changes address issues where incorrect machine-id and derived MAC addresses could lead to connectivity loss for VPS providers using MAC binding, and problems with DHCPv6 DUID and IPv6 SLAAC addresses.


Changelog
  • debian.cfg
    • Added commands to clear the machine-id and configure MACAddressPolicy=none within the preseed/late_command string.
  • trans.sh
    • Implemented logic within the modify_os_on_disk function to clear the machine-id and create the 99-default.link file for DD Linux images.
    • Included extensive comments explaining the background, impact, and fix for the machine-id and MAC address derivation problem.
@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

The pull request correctly addresses the issue of MAC address derivation from machine-id in DD images by clearing the machine-id and setting MACAddressPolicy=none. This prevents connectivity loss on VPS providers that use MAC binding. The implementation covers both DD imaging in trans.sh and fresh Debian installations in debian.cfg. I have provided some feedback regarding the robustness of the root directory detection in trans.sh and suggested adding consistency to the cleanup process in debian.cfg.

Comment thread trans.sh Outdated
Comment on lines +3855 to +3856
if etc_dir=$({ ls -d /os/etc/ || ls -d /os/*/etc/; } 2>/dev/null); then
os_dir=$(dirname $etc_dir)

high

The variable etc_dir can contain multiple lines if multiple etc directories are found within the partition (e.g., in different subvolumes or nested containers). Since BusyBox dirname does not support multiple arguments, it will fail and return an empty string for os_dir. This would cause subsequent commands to incorrectly target the Live OS root instead of the intended partition. Using head -n1 ensures only one path is processed, and quoting the variable prevents word splitting issues.

Suggested change
if etc_dir=$({ ls -d /os/etc/ || ls -d /os/*/etc/; } 2>/dev/null); then
os_dir=$(dirname $etc_dir)
if etc_dir=$({ ls -d /os/etc/ || ls -d /os/*/etc/; } 2>/dev/null | head -n1); then
os_dir=$(dirname "$etc_dir")
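
Review bot: in the suggested `if etc_dir=$({ ...; } 2>/dev/null | head -n1); then`, the status tested by `if` becomes that of `head`, which succeeds even when neither `ls -d` matched, so the branch runs with an empty etc_dir and `dirname ""` yields `.`. Keep the single-path selection but also require a non-empty result, for example with `[ -n "$etc_dir" ]`, before os_dir is derived, so that a partition without an etc directory is skipped instead of being processed relative to the current directory.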

Comment thread debian.cfg
in-target systemctl enable fix-eth-name
in-target systemctl enable fix-eth-name; \

echo uninitialized >/target/etc/machine-id; \

medium

For consistency with the clear_machine_id function used in trans.sh, it is recommended to also remove the random-seed file. This ensures that the entropy pool is uniquely initialized on the first boot of the new system.

    echo uninitialized >/target/etc/machine-id; \
    rm -f /target/var/lib/systemd/random-seed; \

- trans.sh: add head -n1 to etc_dir detection to handle multiple results,
  quote dirname argument to prevent word splitting
- debian.cfg: also remove random-seed for consistency with clear_machine_id

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@luhengsw
Contributor

luhengsw commented Feb 24, 2026

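I don't recommend directly injecting changes to systemd's behavior this way.
The expectation for DD is that the disk contents stay unchanged. Silently modifying the disk contents, without any parameter to control it, produces unexpected behavior.
Also,
you can't assume that the Linux being DD'd uses systemd by default; it could be BSD, or a Linux-like system such as VyOS/MikroTik.

Alternatively, consider an opt-in approach that lets the user choose.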

Address review feedback: DD should not modify disk contents by default.
Add --reset-machine-id flag so users can opt-in to clearing machine-id
and disabling MAC address derivation. Update README docs accordingly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@kelryry
Contributor Author

kelryry commented Feb 26, 2026

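Based on the feedback, machine-id clearing has been changed to opt-in:

  • Added a --reset-machine-id parameter; machine-id is cleared and MAC address derivation is disabled only when the user explicitly passes it
  • Default behavior is unchanged: DD of a Linux image does not modify any disk contents
  • Updated the Chinese and English README docs and the usage help text

Usage example: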

bash reinstall.sh dd --img "https://example.com/xxx.xz" --reset-machine-id

@bin456789
Owner

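VPS providers using ebtables/MAC binding will lose connectivity after DD because the MAC address changed

Is there an example of such a provider?

Even without MAC binding, a wrong machine-id causes incorrect DHCPv6 DUID and IPv6 SLAAC addresses

Likewise, is there an example of such a provider?
Besides, CentOS 9 on AWS Lightsail has the same machine-id, and there doesn't seem to be any problem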

@bin456789
Owner

https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html#MACAddressPolicy=

persistent
If the hardware has a persistent MAC address, as most hardware should, and if it is used by the kernel, nothing is done. Otherwise, a new MAC address is generated which is guaranteed to be the same on every boot for the given machine and the given device, but which is otherwise random. This feature depends on ID_NET_NAME_* properties to exist for the link. On hardware where these properties are not set, the generation of a persistent MAC address will fail.

As I understand it, if the NIC has a MAC address, then even with persistent, the NIC's MAC address is used

@kelryry
Contributor Author

kelryry commented Mar 2, 2026

The provider I use is debee, and I also ran into an IPv6 problem (raised in PR #561). I think the main problem is in #561; #562 is just mentioned in passing.

@bin456789 bin456789 force-pushed the main branch 9 times, most recently from a55a3a1 to c784479 Compare March 9, 2026 16:13
@bin456789 bin456789 force-pushed the main branch 6 times, most recently from 190f36d to 047b82a Compare April 27, 2026 23:33
@bin456789 bin456789 force-pushed the main branch 3 times, most recently from 569101f to 139c342 Compare May 5, 2026 14:56