Linux Archive > Gentoo > Gentoo Development
Old 02-07-2012, 03:58 PM
Alec Warner
 
Default rfc: only the loopback interface should provide net

On Tue, Feb 7, 2012 at 8:44 AM, William Hubbs <williamh@gentoo.org> wrote:
> On Tue, Feb 07, 2012 at 09:39:14AM -0500, Ian Stakenvicius wrote:
>> On 07/02/12 03:28 AM, Alexandre Rostovtsev wrote:
>> >
>> > If I want to connect to pool.ntp.org to sync the system clock, or
>> > to my company's vpn gateway for telecommuting, or to tor to encrypt
>> > my traffic, or to a dynamic dns provider to update my machine's
>> > record, I do not care in the least which interface I use.
>>
>> This is not actually true. You care, in that you want to be sure that
>> the iface connects to the internet (or at least the network that said
>> target sits on).
>>
>> Many systems that have multiple interfaces have only some of them that
>> route out to the rest of the world, and when depending on a generic
>> 'net' that includes -all- of them, it's more likely that the, say,
>> static private net iface will be configured (and therefore 'net'
>> considered started) significantly before the one that can route to the
>> internet, and therefore ntp-client's attempts at connecting to
>> pool.ntp.org will fail.
>>
>> I think that "Category 2" needs to be separated into "2a - any
>> network", and "2b - any public network". For instance, the service
>> 'net' (for 2a) and service 'inet' (for 2b). If this were the default
>> case, then Cat.2 packages that by default want to connect to the
>> internet could 'need inet', and then the user would only have to
>> define which interfaces are included (or excluded) from satisfying 'inet'.
>
> You mean cat 1 actually; cat 2 are the listeners, like sshd, which don't
> care as long as some interface is active.
>
>> The trick that I see here is that init.d scripts have to have their
>> 'depends' set up in such a way that the services can be separated
>> based on their need for public network or any network, so that the
>> user doesn't have to mess with those. By default I think it makes
>> sense to keep both the 'net' and 'inet' pools the same (ie, all ifaces
>> but net.lo*), but have a simple ability to separate interfaces from
>> the 'public net' pool in rc.conf when they do not provide a public
>> network connection.
>
> If we add an internet pool, I would rather it start out with no
> interfaces and have the user be required to add the interface(s) to it.

Please ship with sane defaults. Most users don't have crazy network
setups and the ones that do are already likely customizing and can set
up the 'pools' in a way that works for them.

-A

>
> William
>
 
Old 02-07-2012, 04:12 PM
Ian Stakenvicius
 
Default rfc: only the loopback interface should provide net

On 07/02/12 11:46 AM, Duncan wrote:
> Ian Stakenvicius posted on Tue, 07 Feb 2012 09:39:14 -0500 as
> excerpted:
>
>> I think that "Category 2" needs to be separated into "2a - any
>> network", and "2b - any public network". For instance, the
>> service 'net' (for 2a) and service 'inet' (for 2b). If this were
>> the default case, then Cat.2 packages that by default want to
>> connect to the internet could 'need inet', and then the user
>> would only have to define which interfaces are included (or
>> excluded) from satisfying 'inet'.
>>
>> The trick that I see here is that init.d scripts have to have
>> their 'depends' set up in such a way that the services can be
>> separated based on their need for public network or any network,
>> so that the user doesn't have to mess with those. By default I
>> think it makes sense to keep both the 'net' and 'inet' pools the
>> same (ie, all ifaces but net.lo*), but have a simple ability to
>> separate interfaces from the 'public net' pool in rc.conf when
>> they do not provide a public network connection.
>
> This boils down to the suggestion I made earlier. Using current
> terms:
>
> 1) Separate net.lo service for stuff that doesn't have to have an
> external connection at all.
>
> 2) A default net (or net*) service that is composed of all
> non-net.lo services, with a default any-one-of-them policy. Two
> reasons for this:
>
> 2a) It'll "just work" in the simple case.
>
> 2b) It's the easiest to automatically preconfigure without getting
> into lots of "detect all the networks and magically figure out
> whether they're lan-only or inet" hairballs.
>
> 3) Allow the user/admin to configure net1, net2... just like the
> default net/net*, specifying individual interfaces for each as well
> as whether one or all of the configured interfaces must be up for
> the service to be provided.
>
> This way, a user/admin can provide narrower-than-all groupings as
> necessary, including net.lo if it makes sense for them, tho the
> defaults would be only one net.lo and the wildcard
> default-any-one-of-anything-else.
>

Yes, it's very similar. The only thing that I'm not sure of under the
above situation is how the depend in each init.d script would be
defined by default, so that IF the 'net' pool doesn't match up with
the 'inet' pool ('inet' would always be a subset of 'net'), then a
user/admin could just specify the pool(s) in rc.conf, etc and NOT have
to adjust the init scripts or assign specific ifaces/pools to each
service via rc.conf.

I do realize that there is a case that breaks pretty well every
example, but this one (a 'net' and 'inet' pool, which defaults to
being the same but can easily have an iface excluded) I think expands
to cover a larger slice of cases.

This would, of course, not keep the admin from doing #3 above, which
iirc can be done now in rc.conf.

(please substitute 'inet' for 'publicnet' or whatever name makes more
sense to you)
 
Old 02-07-2012, 04:33 PM
William Hubbs
 
Default rfc: only the loopback interface should provide net

On Tue, Feb 07, 2012 at 04:46:58PM +0000, Duncan wrote:
> 1) Separate net.lo service for stuff that doesn't have to have an
> external connection at all.

This can be easily done. I'll just make net.lo* not provide net.

> 2) A default net (or net*) service that is composed of all non-net.lo
> services, with a default any-one-of-them policy.
> Two reasons for this:
>
> 2a) It'll "just work" in the simple case.
>
> 2b) It's the easiest to automatically preconfigure without getting into
> lots of "detect all the networks and magically figure out whether they're
> lan-only or inet" hairballs.

As soon as you add a second interface, this default "net" service
breaks. That is why I think we should add an "internet" service that
consists of interfaces the user says provide a connection to the
internet. Then we could make our services that need real
internet connections need that service instead of net.

> 3) Allow the user/admin to configure net1, net2... just like the default
> net/net*, specifying individual interfaces for each as well as whether
> one or all of the configured interfaces must be up for the service to be
> provided.

This one or all functionality you are talking about is already available
through rc_depend_strict.

Also, you can set up virtual services already (see the rc.conf section
on dependencies).

William
 
Old 02-07-2012, 05:31 PM
Alexandre Rostovtsev
 
Default rfc: only the loopback interface should provide net

On Tue, 2012-02-07 at 11:33 -0600, William Hubbs wrote:
> On Tue, Feb 07, 2012 at 04:46:58PM +0000, Duncan wrote:
> > 1) Separate net.lo service for stuff that doesn't have to have an
> > external connection at all.
>
> This can be easily done. I'll just make net.lo* not provide net.
>
> > 2) A default net (or net*) service that is composed of all non-net.lo
> > services, with a default any-one-of-them policy.
> > Two reasons for this:
> >
> > 2a) It'll "just work" in the simple case.
> >
> > 2b) It's the easiest to automatically preconfigure without getting into
> > lots of "detect all the networks and magically figure out whether they're
> > lan-only or inet" hairballs.
>
> As soon as you add a second interface, this default "net" service
> breaks. That is why I think we should add an "internet" service that
> consists of interfaces the user says provide a connection to the
> internet. Then we could make our services that need real
> internet connections need that service instead of net.

As I discussed in #gentoo-dev, it breaks if some of your interfaces are
lan-only. That might be not uncommon in the server room, but for the
typical gentoo user with a desktop or laptop, all interfaces are
generally expected to allow internet connections, and if more than one
is up (e.g. both eth0 and wlan0), the kernel will do the intelligent
thing and choose the best one to route through.

-Alexandre.
 
Old 02-22-2012, 08:19 PM
William Hubbs
 
Default rfc: only the loopback interface should provide net

All,

after discussions with several devs on irc about this issue, the
following change has been made in openrc-0.9.9 which was just released:

The loopback interface provides lo and *NOT* net.
All other network interfaces provide net.

For the categories given, this means the following:

On Mon, Feb 06, 2012 at 06:15:13PM -0500, Alexandre Rostovtsev wrote:
> 1. Services that connect to remote machines via any available network
> interface.

These should use or need net.

> 2. Services that listen to connections from remote machines on any
> available network interface, and run correctly even if no non-lo
> interfaces are up.

These should be changed to use or need lo.

> 3. Services that require a specific network interface, bind to a
> specific address, or connect to a specific machine on the local subnet.

These will have to be configured by the user with something like:

rc_use/need="!net net.iface"

Thanks,

William
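As an added illustration of the three categories and the `rc_use/need="!net net.iface"` override described in the post above (this is constructed example code, not part of the thread or of OpenRC itself): a small POSIX sh model of how an rc.conf-style override, where a leading `!` removes a dependency and a bare name adds one, is applied to a service's default dependency list. The service names and default lists are assumed sample values.

```shell
#!/bin/sh
# Constructed example: models the "!" removal prefix of OpenRC rc.conf
# overrides such as rc_need="!net net.eth0". OpenRC's real resolver is
# separate code; this only reproduces the list semantics the thread uses.

# effective_deps "<default deps>" "<override>"
# Prints the default list with every "!name" from the override removed,
# followed by the override's positive names (duplicates dropped).
effective_deps() {
    default="$1"
    override="$2"
    result=""
    for dep in $default; do
        drop=0
        for o in $override; do
            [ "$o" = "!$dep" ] && drop=1
        done
        [ "$drop" -eq 0 ] && result="$result $dep"
    done
    for o in $override; do
        case "$o" in
            !*) ;;                          # removals handled above
            *)  case " $result " in
                    *" $o "*) ;;            # already present
                    *) result="$result $o" ;;
                esac ;;
        esac
    done
    printf '%s\n' "${result# }"
}

# Sample defaults modelled on the thread's categories (assumed values):
#   category 1 (outbound clients such as ntp-client) -> need net
#   category 2 (listeners such as sshd)              -> need lo
NTP_CLIENT_DEFAULT="net"
SSHD_DEFAULT="lo"

# Category 3: drop the generic 'net' and require one concrete interface
# service instead, exactly as rc_need="!net net.eth0" would.
category3_deps() {
    effective_deps "$NTP_CLIENT_DEFAULT" "!net net.eth0"
}

# Category 2 with no override keeps its default of 'lo'.
category2_deps() {
    effective_deps "$SSHD_DEFAULT" ""
}
```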
 
