bonding module auto-loading
After a week I think I've sorted out nearly all issues about openrc on my
systems. Bonding was compiled into the kernel. Upon I tried to echo mode 4 (802.3ad) to set up the lacp, the system said there's no write access to the mode file. So the bonding interface remained in round-robin mode. That was disturbing. grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-bonding instead. I suspect there was something wrong in the background. If I take a look at on the error message, I don't know that actually which process tries to autoload the module. I would check out my policy to specify CAP_NET_ADMIN also for that binary. For the second part I would be interested to where I should add netdev-bonding as an alias for openrc or whatnot? I've ended up compiling bonding as a module and the interface is in the correct mode now after reboot. Loading the module now happens before locking down the system. Regards: Dw. -- dr Tóth Attila, Radiológus, 06-20-825-8057 Attila Toth MD, Radiologist, +36-20-825-8057 |
bonding module auto-loading
On 05/20/2011 07:11 AM, "Tóth Attila" wrote:
> After a week I think I've sorted out nearly all issues about openrc on my systems.
>
> Bonding was compiled into the kernel. When I tried to echo mode 4 (802.3ad) to set up the LACP, the system said there's no write access to the mode file. So the bonding interface remained in round-robin mode. That was disturbing.
>
> grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-bonding instead.
>
> I suspect there was something wrong in the background.
> If I take a look at the error message, I don't know which process actually tries to autoload the module. I would check my policy to specify CAP_NET_ADMIN also for that binary. For the second part I would be interested in where I should add netdev-bonding as an alias, for openrc or whatnot?
>
> I've ended up compiling bonding as a module and the interface is in the correct mode now after reboot. Loading the module now happens before locking down the system.
>
> Regards:
> Dw.

Compiling it as a module is the way the devs recommend doing it. I've been compiling it into my kernels, but then I'm stuck with what I get, as you were. I want the round-robin; what's bothering me is the miimon, which I can't change from 0, which means no MII mon, which is not good.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
bonding module auto-loading
On 20/05/2011 12:11, "Tóth Attila" wrote:
> After a week I think I've sorted out nearly all issues about openrc on my systems.
>
> Bonding was compiled into the kernel. When I tried to echo mode 4 (802.3ad) to set up the LACP, the system said there's no write access to the mode file. So the bonding interface remained in round-robin mode. That was disturbing.

I use the compiled-in bonding module, openrc, hardened, and everything is configured correctly at boot using openrc via sysfs? My working machine uses 2.6.32 + grsec and openrc 0.6.2. I haven't tested variations to this, but note that previous openrc had issues configuring bonds via sysfs?

Your error message "no write access", I think, is a symptom of wrong ordering of bond creation when using sysfs? Check the Gentoo bugzilla or the openrc bug tracker; there was an open issue against older openrc to fix this (I haven't checked that it hasn't regressed in later openrc, say).

My conf.d looks like:

# config eth0
config_eth0=( "null" )
config_eth1=( "null" )
config_eth2=( "null" )
config_eth3=( "null" )

# Bonding
slaves_bond0="eth0 eth1"
mode_bond0="802.3ad"
miimon_bond0="100"
lacp_rate_bond0="1"
config_bond0=( "null" )

slaves_bond1="eth2 eth3"
miimon_bond1="100"
mode_bond1="balance-rr"
config_bond1=( "192.168.2.10/24" )

# config tap0 to bring up bridge
tuntap_tap0="tap"
config_tap0=( "null" )
bridge_add_tap0="br0"
rc_need_tap0="net.br0"

# config tap1 to bring up bridge
tuntap_tap1="tap"
config_tap1=( "null" )
bridge_add_tap1="br0"
rc_need_tap1="net.br0"

# Config bridge to come up with just eth0
bridge_br0="bond0"
# or dynamically add them when the interface comes up
#bridge_add_eth0="br0"
config_br0=( "1.2.3.4/24" )
routes_br0=( "default via 1.2.3.1" )

# Make the bridge depend on bond0
rc_need_br0="net.bond0"

# Below is an example of configuring the bridge
brctl_br0=( "stp on" )

Does that help?

Ed W
bonding module auto-loading
Hi
> Compiling it as a module is the way the devs recommend doing it.

Which devs?

Bond should support full configuration through sysfs for some years now? There is no reason that I'm aware of to need it to be a module?

> I've been compiling it into my kernels, but then I'm stuck with what I get, as you were.

It *should* be configurable completely via sysfs (and I think this is now the preferred method?). There are some caveats on the order you do things though, e.g. you need the interface down to change most of the settings?

> I want the round-robin; what's bothering me is the miimon, which I can't change from 0, which means no MII mon, which is not good.

# cat /sys/class/net/bond0/bonding/miimon
100
# cat /sys/class/net/bond0/bonding/mode
802.3ad 4

# cat /sys/class/net/bond1/bonding/mode
balance-rr 0
# cat /sys/class/net/bond1/bonding/miimon
100

Not sure what values are sensible though?

Good luck

Ed W
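A small audit script, added here as an example (it is not code from any message in this thread and not part of openrc or the kernel): it reads the same sysfs files Ed W cats above, flags a bond whose mode is not the one that was wanted or whose miimon is 0 (the two complaints in this thread), and counts grsecurity module auto-load denials of the kind quoted in the first message in a kernel log file. The sysfs tree and the log lines it runs against are constructed inside the script; SYSFS_ROOT is an assumed variable so the same functions can be pointed at the live /sys.

```shell
#!/bin/sh
# Added example, not from the thread. Audits bonding state via sysfs and
# counts grsec module auto-load denials in a log file. SYSFS_ROOT (assumed
# name) defaults to /sys; the demo below points it at a constructed tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# bond_mode NAME -> prints the textual mode, e.g. "802.3ad". The sysfs file
# holds "802.3ad 4": the word is the mode name, the number the kernel's id.
bond_mode() {
    f="$SYSFS_ROOT/class/net/$1/bonding/mode"
    [ -r "$f" ] || return 1
    read -r name num < "$f"
    printf '%s\n' "$name"
}

# bond_miimon NAME -> prints the MII monitoring interval in ms (0 = disabled).
bond_miimon() {
    f="$SYSFS_ROOT/class/net/$1/bonding/miimon"
    [ -r "$f" ] || return 1
    cat "$f"
}

# audit_bond NAME WANTED_MODE -> returns 0 when the mode matches and miimon
# is non-zero; otherwise reports each problem and returns 1.
audit_bond() {
    bond=$1 want=$2 rc=0
    mode=$(bond_mode "$bond") || { echo "$bond: no bonding entry in sysfs"; return 1; }
    miimon=$(bond_miimon "$bond") || miimon=0
    if [ "$mode" != "$want" ]; then
        # Mode writes only succeed while the bond is down, see Ed W's caveat.
        echo "$bond: mode is $mode, expected $want"
        rc=1
    fi
    if [ "$miimon" -eq 0 ]; then
        echo "$bond: miimon is 0, slave link failures will not be detected"
        rc=1
    fi
    return $rc
}

# grsec_autoload_denials FILE -> prints how many grsec auto-load denials the
# log file contains (the message quoted in the first message of the thread).
grsec_autoload_denials() {
    grep -c 'grsec: denied auto-loading kernel module' "$1" || true
}

# make_sample_tree DIR -> constructed sysfs tree and kernel log for offline use:
# bond0 is healthy, bond1 is stuck in balance-rr with miimon 0.
make_sample_tree() {
    for b in bond0 bond1; do mkdir -p "$1/sys/class/net/$b/bonding"; done
    printf '802.3ad 4\n'    > "$1/sys/class/net/bond0/bonding/mode"
    printf '100\n'          > "$1/sys/class/net/bond0/bonding/miimon"
    printf 'balance-rr 0\n' > "$1/sys/class/net/bond1/bonding/mode"
    printf '0\n'            > "$1/sys/class/net/bond1/bonding/miimon"
    cat > "$1/kern.log" <<'EOF'
grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-bonding instead.
bond0: constructed sample line that is not a denial
grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-bonding instead.
EOF
}

# Demo against the constructed tree; drop these lines to audit the live /sys.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
SYSFS_ROOT="$demo_dir/sys"
audit_bond bond0 802.3ad && echo "bond0: ok"
audit_bond bond1 802.3ad || echo "bond1: misconfigured"
echo "grsec auto-load denials in log: $(grsec_autoload_denials "$demo_dir/kern.log")"
```

The exit status of audit_bond is what a post-boot check or a monitoring probe would key off; on a hardened box the denial count is the quickest way to confirm that the bonding module is being loaded before the lockdown rather than silently left to the kernel's deprecated auto-load path.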
bonding module auto-loading
On 2011 May 21 (Sat) 14:36, Ed W wrote:
>> I want the round-robin; what's bothering me is the miimon, which I can't change from 0, which means no MII mon, which is not good.
>
> # cat /sys/class/net/bond0/bonding/miimon
> 100
> # cat /sys/class/net/bond0/bonding/mode
> 802.3ad 4
>
> # cat /sys/class/net/bond1/bonding/mode
> balance-rr 0
> # cat /sys/class/net/bond1/bonding/miimon
> 100
>
> Not sure what values are sensible though?
>
> Good luck
>
> Ed W

Previously I could properly configure compiled-in bonding (for ages). Now I can only configure it by passing module parameters. I don't know if it's openrc or my kernel, which is 2.6.38-hardened-r4. The kernel is definitely newer than yours. I don't know if the module-lockdown method provided by grsecurity influences tuning compiled-in components or not...

What do you get if you try to echo something into a bonding/mode file? It might be possible that openrc executes the command earlier now than before.

I can live with bonding compiled as a module, but the behavior has been changed somehow. And I still don't know how I can fix the error message supplied by grsec - apart from the workaround.

Regards,
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
bonding module auto-loading
On 05/21/2011 08:36 AM, Ed W wrote:
> Hi
>
>> Compiling it as a module is the way the devs recommend doing it.
>
> Which devs?
>
> Bond should support full configuration through sysfs for some years now? There is no reason that I'm aware of to need it to be a module?
>
>> I've been compiling it into my kernels, but then I'm stuck with what I get, as you were.
>
> It *should* be configurable completely via sysfs (and I think this is now the preferred method?). There are some caveats on the order you do things though, e.g. you need the interface down to change most of the settings?
>
>> I want the round-robin; what's bothering me is the miimon, which I can't change from 0, which means no MII mon, which is not good.
>
> # cat /sys/class/net/bond0/bonding/miimon
> 100
> # cat /sys/class/net/bond0/bonding/mode
> 802.3ad 4
>
> # cat /sys/class/net/bond1/bonding/mode
> balance-rr 0
> # cat /sys/class/net/bond1/bonding/miimon
> 100
>
> Not sure what values are sensible though?
>
> Good luck
>
> Ed W

In answer to the first question, I was getting my info from memory. I remember mpagano quoting it in response to a problem someone else had with compiling it in. I remember him saying that using the module was the only way of setting the parameters. I might ask him about it later.

As for /sys, thanks for the info! It worked. Perhaps my info comes from the pre-/sys days? 100 is reasonable.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535