Use Network Manager to handle 'device not managed' or 'unmanaged' issue in Ubuntu for SecurityOnion at Digital Ocean

An out-of-the-box install of Ubuntu 18.04.5 at Digital Ocean will not work for a SecurityOnion installation, because of the way cloud-init manages the network. Security Onion prefers NetworkManager to manage the network. Cloud-init is required by Digital Ocean for deployment of a custom image. Yet Security Onion also prefers a specifically partitioned virtual disk, and repartitioning an already-running Ubuntu is not recommended. Together, these constraints leave few options.

Fortunately, after the custom image of Ubuntu is deployed in Digital Ocean, you will not need the network part of cloud-init (and you can disable only this one piece). Here is how to get a custom-partitioned Ubuntu working as a Digital Ocean droplet to prepare for an install of Security Onion. Note that we're using 18.04 because that is what Security Onion requires:

First, disable cloud-init networking. Run the following command at the shell prompt of the newly-installed custom-partitioned Ubuntu image:

echo 'network: {config: disabled}' | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Then rename the netplan configuration file that cloud-init generated. We will edit the renamed file further so that NetworkManager takes over the network, which is what Security Onion expects to see.

sudo mv /etc/netplan/50-cloud-init.yaml /etc/netplan/01-network-manager-all.yaml

Now we're ready to make the monitor interface visible to Network Manager. First, let's get its MAC Address. Run "ip a" and copy into your clipboard the MAC Address of the internal network interface:

ip a

We'll use the MAC Address of the 2nd network interface, likely "ens4". It is the one which is DOWN, not UP, and therefore does not have an IP Address yet.

Happily, for Security Onion's purposes, this network interface is already configured within Digital Ocean infrastructure to acquire a static IP Address from the DHCP server when it comes up. This is exactly how Security Onion prefers things: DHCP with a static-assigned IP Address.

Now edit the netplan file you just created with the "mv" command:

sudo nano /etc/netplan/01-network-manager-all.yaml

Within the nano editor, delete the introductory comment part of the file. The commented information is no longer relevant, since the first step above already did what it recommends. Note that Ctrl-K will remove an entire line. Remove the following text:

# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}

At this point, the file should contain something like the following, which was correctly set up by cloud-init during its first run, but only for the first interface:

network:
    version: 2
    ethernets:
        ens3:
            dhcp4: true
            match:
                macaddress: 0a:76:a0:3f:a1:80
            set-name: ens3

Add the following stanza to include the internal network interface for Security Onion monitoring. The interface name and MAC Address you will use are the ones you collected earlier when you ran "ip a":

        ens4:
            dhcp4: true
            match:
                macaddress: 96:f4:c0:f6:b2:77
            set-name: ens4

Each of the two interfaces will need nameservers now that cloud-init is no longer providing them, so add the following stanza, which references the well-known Digital Ocean nameservers, under each interface:

            nameservers:
                addresses:
                - 67.207.67.3
                - 67.207.67.2
                search: []

And finally, explicitly change the network renderer to NetworkManager:

    renderer: NetworkManager

The final file should look something like this:

network:
    version: 2
    renderer: NetworkManager
    ethernets:
        ens3:
            dhcp4: true
            match:
                macaddress: 0a:76:a0:3f:a1:80
            nameservers:
                addresses:
                - 67.207.67.3
                - 67.207.67.2
                search: []
            set-name: ens3
        ens4:
            dhcp4: true
            match:
                macaddress: 96:f4:c0:f6:b2:77
            nameservers:
                addresses:
                - 67.207.67.3
                - 67.207.67.2
                search: []
            set-name: ens4

Ctrl-X to save and exit the file. Now install Network Manager:

sudo apt install -y network-manager
sudo systemctl start NetworkManager
sudo systemctl enable NetworkManager

Now let's take Security Onion's advice for how to play nicely with netplan, and run the following command. The empty file overrides the packaged default of the same name under /usr/lib/NetworkManager/conf.d, which otherwise tells NetworkManager to leave ethernet devices unmanaged:

sudo touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf

The same Security Onion installation documentation also says to remove the reference to the monitor interface in /etc/netplan/00-installer-config.yaml. We now have Network Manager configured to manage this interface, and since there is only the one reference in the file, we can simply delete the file outright:

sudo rm /etc/netplan/00-installer-config.yaml

Finally we're ready to apply the netplan config changes you made earlier:

sudo netplan apply

When you check status, you'll see that NetworkManager is managing these devices:

$ nmcli device status
DEVICE  TYPE      STATE      CONNECTION   
ens3    ethernet  connected  netplan-ens3 
ens4    ethernet  connected  netplan-ens4 
lo      loopback  unmanaged  --           

(Note that the lo "loopback" network interface is unmanaged by design; it's okay to leave it as is.)

Lastly, ping a known site on the internet to see if your network is working:

ping securityonion.com
PING securityonion.com (138.197.103.178) 56(84) bytes of data.
64 bytes from 138.197.103.178 (138.197.103.178): icmp_seq=1 ttl=57 time=65.1 ms
64 bytes from 138.197.103.178 (138.197.103.178): icmp_seq=2 ttl=57 time=63.8 ms
64 bytes from 138.197.103.178 (138.197.103.178): icmp_seq=3 ttl=57 time=63.8 ms

Works for me. Hope it does for you also.
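The following script is an added example, not part of the original post or of Security Onion's own tooling. It renders the netplan file built by hand above from NAME=MAC pairs (rejecting malformed MAC addresses), and filters "nmcli device status" output down to any device NetworkManager still leaves unmanaged. The interface names ens3/ens4 in the usage comment are assumed from the post.

```shell
#!/bin/sh
# Added example (not from the original post): render the netplan file the post builds
# by hand, from NAME=MAC pairs, and check nmcli output for devices still unmanaged.
set -eu

DNS1=67.207.67.3   # Digital Ocean resolvers used in the post
DNS2=67.207.67.2

# Return 0 if the argument is a MAC address of six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read the MAC of a live interface from sysfs (Linux only), e.g. mac_of ens4.
mac_of() {
    cat "/sys/class/net/$1/address"
}

# Print a complete netplan YAML with renderer NetworkManager and one DHCP
# stanza per NAME=MAC argument, in the same layout as the post's final file.
render_netplan() {
    printf 'network:\n    version: 2\n    renderer: NetworkManager\n    ethernets:\n'
    for pair in "$@"; do
        name=${pair%%=*}
        mac=${pair#*=}
        valid_mac "$mac" || { echo "render_netplan: bad MAC for $name: $mac" >&2; return 1; }
        printf '        %s:\n            dhcp4: true\n' "$name"
        printf '            match:\n                macaddress: %s\n' "$mac"
        printf '            nameservers:\n                addresses:\n'
        printf '                - %s\n                - %s\n                search: []\n' "$DNS1" "$DNS2"
        printf '            set-name: %s\n' "$name"
    done
}

# Filter `nmcli device status` (on stdin) down to devices NetworkManager still
# leaves unmanaged, ignoring lo, which is unmanaged by design.
unmanaged_devices() {
    awk 'NR > 1 && $3 == "unmanaged" && $1 != "lo" { print $1 }'
}

# Typical use on the droplet (assumes ens3/ens4 as in the post):
#   render_netplan "ens3=$(mac_of ens3)" "ens4=$(mac_of ens4)" \
#       | sudo tee /etc/netplan/01-network-manager-all.yaml
#   sudo netplan apply && nmcli device status | unmanaged_devices
```

If the last pipeline prints any device name, that interface is still not under NetworkManager and its stanza or the 10-globally-managed-devices.conf override needs another look.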

Posted in Developing Software on Jul 21, 2021