Hi,

Attached and on the "ipconfig_down" branch at github (https://github.com/kpinc/klibc.git) you will find 4 patches which let ipconfig bring down interfaces. Please consider them for inclusion.

Why do this?

It's useful when the rootfs is crypted and is unlocked by supplying passwords over the network. In this case the initramfs brings up a network interface. It can be useful to have the network config in the initramfs differ from the network config of the system once booted. But when a network interface is configured in an initramfs the system boot sequence will typically not alter the interface's configuration.

Of course it's possible to alter the post-initramfs boot process instead. The post-initramfs boot network initialization process would probably have to know that booting is going on, that it's not just the usual bringing up of interfaces, and also whether there's an nfs mounted root fs and perhaps other things that are already known to klibc. And there's no one post-klibc boot method, so code would need to be added in multiple places (sysV init, upstart, et al.).

The patches add only 16 bytes to (my amd64 Debian Wheezy) ipconfig, when stripped and using a shared klibc. (There must be alignment issues; the stripped static version uses an extra 192 bytes.) This seems worth having all the configuration regarding initramfs networking happen in one place (klibc).

Allowing the initramfs to have its own network configuration makes possible a variety of benefits to a network-unlocked crypted rootfs. The gateway address can be omitted so that the box can only be unlocked from the local LAN. The IP number can differ from that of the running system; since the initramfs is unencrypted its ssh host keys may differ from the running system's, and having a different IP in the initramfs aids with host key management/checking. And I believe there are security benefits to putting the initramfs on an entirely separate network if there's a layer 3 switch involved to provide access control to the networked initramfs.

I've related patches to the Debian dropbear package which support initramfs configuration/creation. I will email a followup to this thread when I've an url.

These patches are at the "works for me" stage.

Regards,

Karl <kop at meme.com>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
On 07/09/2013 09:27:58 AM, Karl O. Pinc wrote:
> Hi,
>
> Attached and on the "ipconfig_down" branch at github
> (https://github.com/kpinc/klibc.git) you will find 4 patches
> which let ipconfig bring down interfaces. Please consider
> them for inclusion.

Sorry, I seem to have omitted the patches from the last email.

Karl <kop at meme.com>

Attachments (scrubbed by the list archive; patch files only):
- 0002-ipconfig-main.c-Change-bringup-to-updown-in-function.patch (2069 bytes): http://www.zytor.com/pipermail/klibc/attachments/20130709/1dcd82a1/attachment.bin
- 0003-ipconfig-Make-the-interface-spec-all-work-when-bring.patch (845 bytes): http://www.zytor.com/pipermail/klibc/attachments/20130709/1dcd82a1/attachment-0001.bin
- 0004-ipconfig-Report-up-down-as-appropriate-in-log-messag.patch (948 bytes): http://www.zytor.com/pipermail/klibc/attachments/20130709/1dcd82a1/attachment-0002.bin
- 0001-Allow-interfaces-to-be-brought-down.patch (5000 bytes): http://www.zytor.com/pipermail/klibc/attachments/20130709/1dcd82a1/attachment-0003.bin
On 07/09/2013 09:27:58 AM, Karl O. Pinc wrote:
> Attached and on the "ipconfig_down" branch at github
> (https://github.com/kpinc/klibc.git) you will find 4 patches
> which let ipconfig bring down interfaces. Please consider
> them for inclusion.
>
> I've related patches to the Debian dropbear package which
> support initramfs configuration/creation. I will email a
> followup to this thread when I've an url.

Hi,

Following up with URLs to all related patches.

The initramfs-tools files to support an initramfs network configuration which is independent from that in the running system can be found in the debian bug tracking system, Bug #715048.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715048

The files in the Bug #715048 patch can be configured to bring down the network interface after the rootfs is mounted.

The email to the klibc mailing list explaining the patches is:
http://www.zytor.com/pipermail/klibc/2013-July/003430.html

The patches to klibc can be found at:
http://www.zytor.com/pipermail/klibc/2013-July/003432.html
and in the "ipconfig_down" branch at:
https://github.com/kpinc/klibc.git

The patch to the Debian cryptsetup docs is found in Bug #715487.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715487
(Which in turn applies on top of this patch to the Debian cryptsetup docs: Bug #714952.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714952 )

Regards,

Karl <kop at meme.com>
On 07/09/2013 10:53:15 AM, Karl O. Pinc wrote:
> On 07/09/2013 09:27:58 AM, Karl O. Pinc wrote:
>
> > Attached and on the "ipconfig_down" branch at github
> > (https://github.com/kpinc/klibc.git) you will find 4 patches
> > which let ipconfig bring down interfaces. Please consider
> > them for inclusion.

There's a bug.

Setting the down socket flag with ioctl via the netdev_down call brings the interface down but is not enough to de-configure the interface. The system still responds to the initramfs's IP after a new IP is brought up, at least with linux 3.2.0. (But the initramfs's IP does not show in ifconfig. I'll investigate further with ip.)

Help figuring out what needs to be done with the kernel's socket ioctl calls is appreciated. Near as I can tell from the kernel's code the IFF_DYNAMIC flag is not useful.... I can poke the ioctls with a stick but I'd rather understand the model and do the right thing, and I'm not sure where to look to understand this.

Regards,

Karl <kop at meme.com>