Disable IPv6 on Windows Server 2008 R2 using Puppet

Question

I am using the Puppet module windows_disable_ipv6 but it seems it's not really working.

# cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node my_instance.net {
        include windows_disable_ipv6
}

# cat /etc/puppetlabs/code/environments/production/hieradata/common.yaml
---
windows_disable_ipv6::ipv6_disable: true
windows_disable_ipv6::ipv6_reboot: true

# cat /etc/puppetlabs/puppet/hiera.yaml
---
:backends:
  - yaml
:hierarchy:
  - "nodes/%{::trusted.certname}"
  - common

:yaml:
Windows
  :datadir:

I checked the module's manifest. It changes the registry setting to '0xFFFFFFFF' if it has to disable IPv6.

When i run puppet agent -t on the agent, i do see that the key changes to above value and the system reboots but when i login again post-reboot, i see that the check-box for IPv6 is still enabled.

This link suggests using '0xff' instead of '0xFFFFFFFF'. I tried changing the value and then restarted the server as well but the issue still persists.

Any pointers?

Answer 1

The puppet modules disables IPv6 on the system which is validated through an ipconfig /all on the system. The checkbox simply handles the binding to the interface and doesn't actually disable IPv6 on the system.

Answer 2

tl;dr - I wonder if you are running into https://tickets.puppetlabs.com/browse/MODULES-3195, although I think you would have seen errors instead of success. Perhaps something else is enforcing the setting, like SCCM/GPO.

Details

Looking at the module at https://github.com/martezr/puppet-windows_disable_ipv6/blob/master/manifests/init.pp#L45-L49:

# Modify the IPv6 registry key
registry::value { 'ipv6':
  key   => 'HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters',
  value => 'DisabledComponents',
  type  => 'dword',
  data  => $ipv6_setting,
}

This looks fine for the most part.

Let's Try Some Debugging Steps

So you say this applies successfully, and when you check, it has applied the change. However AFTER a reboot, the setting is back like it was.

This suggests you have something else, like GPO (Group Policy) enforcing its own conflicting setting. Let's take Puppet out of the picture for a minute:

• Turn off Puppet and make the startup type Manual (Windows + R, type services.msc, hit enter, find the Puppet Agent service and right click, Properties)
• Head over to Network Connections and make the change to disable IPv6 manually. Close it.
• Open the adapter properties again and check to be sure it is still disabled.
• Reboot the system.
• Inspect if the change is still persistent or if it has changed back.
• Be sure to set the Puppet service startup type Automatic again (and turn it back on).

If the change doesn't last a reboot, it suggests something else is enforcing the setting. If the change lasts the reboot, it suggests that there is possibly something wrong in how Puppet is trying to apply the change.

It means more debugging to ensure that module is trying to change the right location and it applies to the Windows Server you are attempting to make the change to. It may take some more research to determine how you programmatically can disable IPv6 on Windows 2008 R2 to see if you need to adapt or replace the module that should do that.