* [gentoo-dev] Proposal: networking startup script rewrite
@ 2003-10-13 18:56 Michael J. Cohen
From: Michael J. Cohen @ 2003-10-13 18:56 UTC
To: gentoo-dev
After wrestling with our current net implementation to get bridged interfaces
and vlans working, which ended in me just setting up things in local.start, I
figured a rewrite of our network scripts is in order.
I have made a primitive version of the rewrite available here:
http://325i.org/proposed-net-replacement
It is useless in its current state and only provided as an example.
The reason for this rewrite is twofold: ease of configuration and ease of
maintenance.
Here are a few of my ideas for the evolution of this currently primitive
rewrite:
* all networking related configuration should take place in /etc/conf.d/net,
thus eliminating /etc/conf.d/iptables and such
* bringing interfaces up and down should be handled by one script that
recognizes all possible up and down configurations of an interface, for
example, 802.1[d,q] (bridge,vlan), netfilter, dhcp, bootp..
* configuration of iptables, ipsec, routing, etc should be handled by the
up/down script calling the appropriate /etc/init.d scripts with the appropriate
arguments. These scripts would have to parse /etc/conf.d/net or rely on some
of the functions in /etc/init.d/net to parse it if the user should decide to
start/restart/reload a script individually
If anyone has any input, please feel free to speak your mind.
I would love to see gentoo become the easiest distro to configure network
interfaces for *any* and *all* possible configurations, and I feel that this
is the first step to achieve that goal.
------
Michael J. Cohen
--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] Proposal: networking startup script rewrite
From: Stroller @ 2003-10-13 22:09 UTC
To: gentoo-dev
On 13 Oct 2003, at 7:56 pm, Michael J. Cohen wrote:
> After wrestling with our current net implementation to get bridged interfaces
> and vlans working, which ended in me just setting up things in local.start, I
> figured a rewrite of our network scripts is in order.
>
> I have made a primitive version of the rewrite available here:
> http://325i.org/proposed-net-replacement
>
> It is useless in its current state and only provided as an example.
Michael,
I'm not really sure what you regard as the failings of the current
/init.d/net configuration. I have to say that I spent a couple of days
struggling with it myself, and although I did whine about it at the
time (see my postings <http://tinyurl.com/qsjh>) the upshot is that I
rather like it the way it is.
I'd agree that if a script to call `brctl` appropriately was installed
by net-misc/bridge-utils then it would make configuration a lot easier,
but this is a simple addition to a single package, rather than a
rewrite of the whole framework. I really would like to see such an
inclusion, considering that the bridging code is, I believe,
incorporated into the upcoming 2.6.
Bridging works fine here & fairly seamlessly with the current
framework. I found that everything fell into place once I moved
/etc/conf.d/net to /etc/conf.d/net.eth0 & /etc/conf.d/net.eth1, so that
its contents (particularly with respect to gateways) are ignored by my
/etc/conf.d/net.br0 script. Not much in addition is required to get
everything up & running - I would have been glad to provide my scripts,
if I had seen your posting to -user.
I don't know much (erm... well, anything) about VLANs, so I'm probably
missing some of your reasoning against the current system. Actually, I
don't know much about anything, so maybe you could explain (like an RFC
or a GLEP, maybe?), listing the problems of the current system & how
your solution would resolve them..?
I'm sorry if I seem biased or antagonistic, but I really don't like the
idea of uniting the network scripts in any way like you describe. I may
have struggled with them myself, but that's only because I'm so
incompetent - I got there in the end. I once tried parsing one of
Mandrake's network initialisation scripts, but floundered wildly - with
Gentoo you know intuitively to look for iptables stuff in
/etc/conf.d/iptables and so on.
The only improvements I'd now ask for in the init scripts are more
commenting - I'm firmly of the school that believes in 2 lines of
comments for every line of code. I'd like to see all code
human-readable for a newbie to the language.
Stroller.
* Re: [gentoo-dev] Proposal: networking startup script rewrite
From: Michael J. Cohen @ 2003-10-14 2:17 UTC
To: gentoo-dev
> I'm not really sure what you regard as the failings of the current
> /init.d/net configuration. I have to say that I spent a couple of days
> struggling with it myself, and although I did whine about it at the
> time (see my postings <http://tinyurl.com/qsjh>) the upshot is that I
> rather like it the way it is.
Having /etc/init.d/net.eth[1,2,..] installed by the user does not mean that it
is automagically updated with a new install or with etc-update.
Only basic configuration is achieved with the current setup.
etc-updating 99 files is a pain, but it often happens when upgrading
baselayout, etc. If a user wipes out his configs for iptables etc by
overwriting accidentally, he is in a bind. However if we do not provide a
/etc/conf.d/net and only a /etc/conf.d/net.sample; this is alleviated.
> I'd agree that if a script to call `brctl` appropriately was installed
> by net-misc/bridge-utils then it would make configuration a lot easier,
> but this is a simple addition to a single package, rather than a
> rewrite of the whole framework. I really would like to see such an
> inclusion, considering that the bridging code is, I believe,
> incorporated into the upcoming 2.6.
Currently, there are several unrelated scripts for each userspace networking
tool. iptables, (your proposed bridge-utils), ipsec...
This is a bit backwards, and it relies on the initscripts' ability to order
correctly. If we load net as one script, we know exactly what is going on
and in what order and thus might be able to speed up booting by backgrounding
processes that are known to potentially take time.
The new system would most likely call the related /etc/init.d/bridge script or
similar in order to set things up, rather than invoking brctl directly. This
would save some headaches with updating the script every time we package up
some new network tool.
> Bridging works fine here & fairly seamlessly with the current
> framework. I found that everything fell into place once I moved
> /etc/conf.d/net to /etc/conf.d/net.eth0 & /etc/conf.d/net.eth1, so that
> its contents (particularly with respect to gateways) are ignored by my
> /etc/conf.d/net.br0 script. Not much in addition is required to get
> everything up & running - I would have been glad to provide my scripts,
> if I had seen your posting to -user.
What about wireless + roaming, advanced routing/bridging, ipsec, vpns, vlans,
pppoe... all of these things either are not supported or are broken up into
tiny bits of configuration files everywhere. It would be much easier if we
had one manual with plenty of examples and one configuration file for people
to edit. Not only is it easier on the developers, but it is easier on the
user for updates and for configuration. The user no longer needs to hunt
down where he made what change to what interface in what file.
> I don't know much (erm... well, anything) about VLANs, so I'm probably
> missing some of your reasoning against the current system. Actually, I
> don't know much about anything, so maybe you could explain (like an RFC
> or a GLEP, maybe?), listing the problems of the current system & how
> your solution would resolve them..?
It was mentioned to me that it was quite challenging to add VLAN support into
the current net scripts.
> I'm sorry if I seem biased or antagonistic, but I really don't like the
> idea of uniting the network scripts in any way like you describe. I may
> have struggled with them myself, but that's only because I'm so
> incompetent - I got there in the end. I once tried parsing one of
> Mandrake's network initialisation scripts, but floundered wildly - with
> Gentoo you know intuitively to look for iptables stuff in
> /etc/conf.d/iptables and so on.
Seems like it would make more sense to me if /etc/conf.d/net was your one stop
shop for all your networking needs.
> The only improvements I'd now ask for in the init scripts are more
> commenting - I'm firmly of the school that believes in 2 lines of
> comments for every line of code. I'd like to see all code
> human-readable for a newbie to the language.
Agreed. Sometimes 5 or 6 is warranted for things like sed. :)
------
Michael
* Re: [gentoo-dev] Proposal: networking startup script rewrite
From: Stroller @ 2003-10-14 14:09 UTC
To: gentoo-dev
Having not dug around in the net startup scripts either deeply or
recently, I'm not qualified to comment on all your points, but I'll
respond to the ones that I can.
On 14 Oct 2003, at 3:17 am, Michael J. Cohen wrote:
>
> etc-updating 99 files is a pain, but it often happens when upgrading
> baselayout, etc. If a user wipes out his configs for iptables etc by
> overwriting accidentally, he is in a bind. However if we do not provide a
> /etc/conf.d/net and only a /etc/conf.d/net.sample; this is alleviated.
Yes, I much prefer this format - perhaps it would be extreme or
convoluted to have every configuration file provided as config.example,
but I would love to see Gentoo standardising on it for all files that
the user is likely to change, at least.
>> I'd agree that if a script to call `brctl` appropriately was installed
>> by net-misc/bridge-utils then it would make configuration a lot
>> easier...
>
> Currently, there are several unrelated scripts for each userspace networking
> tool. iptables, (your proposed bridge-utils), ipsec...
Well, my "proposed" bridge-utils isn't "proposed" - it's in the Portage
tree. It is the ebuild for "brctl" and the other user-space Bridging
utilities.
> The new system would most likely call the related /etc/init.d/bridge script or
> similar in order to set things up, rather than invoking brctl directly...
Erm... well, I rather gathered that the idea of all the separate
scripts in /etc/init.d/ was that they could be called independently. In
this way they can be added to different runlevels or restarted by the
administrator after configuration changes; if one script relies on
another there is the "depends" declaration. Would your
/etc/init.d/bridge script be safe to call separately like that..?
I agree that the `brctl` stuff should not be in the main network
scripts. I've attached a copy of my *extremely tatty*
/etc/init.d/net.br0 script, so that you can see that this can be done
fairly elegantly within the current framework. I just copied my default
runlevel to /etc/runlevels/bridge, removed the existing eth0 & eth1
from that runlevel & added net.br0, so I can switch between them at
will.
Sorry to harp on about it, but if a (much tidier) version of this were
distributed with net-misc/bridge-utils then there would be no need at
all for the base networking init system to refer to bridging at all; I
believe this is much neater for users who are not interested in
bridging.
> This would save some headaches with updating the script every time we
> package up some new network tool.
Hmmn... y'see I see smaller scripts as easier to maintain. If one
developer wants to change (say) the way that wireless LAN cards behave
at init, he simply edits that script without having to know about how
bridges behave, or risking fouling up that behavior. Of course, if
wireless bridges require special cases, then that's a job for the
bridging maintainers (whoever they may be).
> What about wireless + roaming, advanced routing/bridging, ipsec, vpns, vlans,
> pppoe... all of these things either are not supported or are broken up into
> tiny bits of configuration files everywhere. It would be much easier if we
> had one manual with plenty of examples and one configuration file for people
> to edit. Not only is it easier on the developers, but it is easier on the
> user for updates and for configuration. The user no longer needs to hunt
> down where he made what change to what interface in what file.
I disagree. I prefer small configuration files; I find smaller files
easier to parse & to deal with than larger ones. YMMV. Locating the
appropriate configuration file is simply a matter of `ls /etc/conf.d`.
For the developers, I would have thought the same applied - they can
edit the notworking file they're interested in without risking b0rking
up anything else.
I see the current setup as good modularity, but I appreciate this is a
matter of preference.
>> I don't know much (erm... well, anything) about VLANs, so I'm probably
>> missing some of your reasoning against the current system...
>
> It was mentioned to me that it was quite challenging to add VLAN support into
> the current net scripts.
Ok... if you say so. But I don't know why. Would it be easier to add
VLAN support to a single net-startup script than to the present
setup..? Can you explain why, please..?
>> .... I once tried parsing one of
>> Mandrake's network initialisation scripts, but floundered wildly - with
>> Gentoo you know intuitively to look for iptables stuff in
>> /etc/conf.d/iptables and so on.
>
> Seems like it would make more sense to me if /etc/conf.d/net was your one stop
> shop for all your networking needs.
I forgot to explain the reason I had problems with the Mandrake network
script I mentioned - because it was so damn big! There were pages of
it! On that occasion I was only looking to see how the PPP startup
worked - all the pages of Ethernet (and presumably VLAN &c)
configuration just confused me impossibly. I now use Ethernet - I have
no desire to see PPP options in my configuration scripts.
At present /etc/conf.d/ is your one stop shop for all your networking
needs - and it's split neatly into manageable departments.
Stroller.
[-- Attachment #2: net.br0 --]
#!/sbin/runscript
# Joe Stroller's bridge init.d script
# Blatantly hacked from Gentoo Inc's /etc/init.d/net.eth0 GPL v2 licence
# Config in /etc/conf.d/net
# but note changes to "gateway=" definition

# For pcmcia users. note that pcmcia must be added to the same
# runlevel as the net.* script that needs it.
depend() {
    use pcmcia
}

checkconfig() {
    if [ ! -x "$(which brctl)" ]
    then
        eerror "It might help if you emerged bridge-utils. I hope you remembered to patch your kernel."
        return 1
    fi
}

start() {
    checkconfig || return 1
    local iface_args="$(eval echo \$\{iface_${IFACE}\})"
    local retval=0

    ebegin "Bringing ${IFACE} up"

    # read from /etc/conf.d/net which physical interfaces
    # are associated with this bridge
    local br_physicals="$(eval echo \$\{${IFACE}_interfaces\})"

    # we allocate IP address to bridge virtual iface,
    # not to physical interfaces
    for br_if in ${br_physicals}
    do
        echo -e "\tinitialising physical interface ${br_if} to IP 0.0.0.0"
        ifconfig ${br_if} 0.0.0.0
    done

    # create a bridge and assign the Ethernet interfaces to it
    echo -e "\tcreating virtual bridge interface ${IFACE} (addbr command)"
    brctl addbr ${IFACE}
    for br_if in ${br_physicals}
    do
        brctl addif ${IFACE} ${br_if}
        echo -e "\tassigning physical interface ${br_if} to ${IFACE} (addif command)"
    done

    echo -e "\tfinally, bringing bridge up with:"
    echo -e "\t ifconfig ${IFACE} ${iface_args} "
    # finally bring the bridge up
    /sbin/ifconfig ${IFACE} ${iface_args} >/dev/null || {
        retval=$?
        eend ${retval} "Failed to bring ${IFACE} up"
        return ${retval}
    }

    # Might have to remove this next bit
    # - it probably needs to wait 30 seconds before testing
    # ifconfig does not always return failure ..
    /sbin/ifconfig ${IFACE} &> /dev/null || {
        retval=$?
        eend ${retval} "Failed to bring ${IFACE} up"
        return ${retval}
    }
    eend 0

    # I'm really not sure if we want aliases on our bridge,
    # so I'm just leaving this here for the moment.
    #
    if [ -n "$(eval echo \$\{alias_${IFACE}\})" ]
    then
        local x=""
        local num=0
        local aliasbcast=""
        local aliasnmask=""
        ebegin "  Adding aliases"
        for x in $(eval echo \$\{alias_${IFACE}\})
        do
            aliasbcast="$(eval echo \$\{broadcast_${IFACE}\} \| awk \'\{ print \$$((num + 1)) \}\')"
            if [ -n "${aliasbcast}" ]
            then
                aliasbcast="broadcast ${aliasbcast}"
            fi
            aliasnmask="$(eval echo \$\{netmask_${IFACE}\} \| awk \'\{ print \$$((num + 1)) \}\')"
            if [ -n "${aliasnmask}" ]
            then
                aliasnmask="netmask ${aliasnmask}"
            fi
            ebegin "    ${IFACE}:${num}"
            /sbin/ifconfig ${IFACE}:${num} ${x} \
                ${aliasbcast} ${aliasnmask} >/dev/null
            num=$((num + 1))
            eend 0
        done
        save_options "alias" "$(eval echo \$\{alias_${IFACE}\})"
    fi

    # I don't need IP v6 right now, so I'm disabling it.
    #
    # if [ -n "$(eval echo \$\{inet6_${IFACE}\})" ]
    # then
    #     local x=""
    #     ebegin "  Adding inet6 addresses"
    #     for x in $(eval echo \$\{inet6_${IFACE}\})
    #     do
    #         ebegin "    ${IFACE} inet6 add ${x}"
    #         /sbin/ifconfig ${IFACE} inet6 add ${x} >/dev/null
    #         eend 0
    #     done
    #     save_options "inet6" "$(eval echo \$\{inet6_${IFACE}\})"
    # fi

    # Checks through the list of gateways & sees if any apply to this ${IFACE}
    #
    # for gateway in ${gateways}
    # do
    if [ -n "${gateway}" ] && [ "${gateway%/*}" = "${IFACE}" ]
    then
        ebegin "  Setting default gateway"
        /sbin/route add default gw ${gateway#*/} dev ${gateway%/*} \
            netmask 0.0.0.0 metric 1 >/dev/null || {
            local error=$?
            ifconfig ${IFACE} down &>/dev/null
            eend ${error} "Failed to bring ${IFACE} up"
            stop
            return ${error}
        }
        eend 0
    fi
    # done

    # Enabling rp_filter causes wacky packets to be auto-dropped by
    # the kernel
    if [ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter ]
    then
        echo 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
    fi
}

stop() {
    local myalias="$(get_options alias)"

    ebegin "Bringing ${IFACE} down"

    # # Also down the inet6 interfaces
    # local myinet6="$(get_options inet6)"
    # if [ -n "${myinet6}" ]
    # then
    #     local x=""
    #     for x in ${myinet6}
    #     do
    #         /sbin/ifconfig ${IFACE} inet6 del ${x} >/dev/null
    #     done
    # fi

    # Do some cleanup in case the amount of aliases change
    if [ -n "${myalias}" ]
    then
        local x=""
        local num=0
        for x in ${myalias}
        do
            /sbin/ifconfig ${IFACE}:${num} down >/dev/null
            num=$((num + 1))
        done
    fi

    # read from /etc/conf.d/net which physical interfaces
    # are associated with this bridge
    local br_physicals="$(eval echo \$\{${IFACE}_interfaces\})"

    # Remove physical interface from bridge virtual interface
    for br_if in ${br_physicals}
    do
        echo -e "\tdisassociating ${br_if} from ${IFACE} (delif command)"
        brctl delif ${IFACE} ${br_if}
    done

    # Actually bring the bridge down
    echo -e "\tactually ifconfig ${IFACE} down"
    /sbin/ifconfig ${IFACE} down >/dev/null

    # Bring interfaces down, too
    for br_if in ${br_physicals}
    do
        echo -e "\talso ifconfig ${br_if} down"
        ifconfig ${br_if} down
    done

    # Night night!
    echo -e "\tfinally: Bye! Bye! (delbr ${IFACE})"
    brctl delbr ${IFACE}
    eend 0
}
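The attached net.br0 reads its per-interface settings with `eval echo \$\{${IFACE}_interfaces\}`, which splices the interface name straight into shell code. The helpers below, an added example in POSIX sh that is neither Stroller's script nor any Gentoo baselayout code, do the same lookups without eval: the name is validated first, the `key="value"` line is read from the config text directly, and a bridge is refused when one of its members still carries its own `iface_<member>` address (the script gives members 0.0.0.0 and puts the address on the bridge). The config format (`iface_<if>=` and `<bridge>_interfaces=` lines) and the dot-to-underscore mapping for VLAN names such as eth0.100 are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not Stroller's net.br0 and not Gentoo code.
# Lookups of conf.d/net-style variables with no eval and a validated name.

# Constructed sample in the style /etc/conf.d/net uses for this script.
# br0 is misconfigured on purpose: member eth0 still has its own address.
SAMPLE_CONF='
iface_br0="192.168.1.2 broadcast 192.168.1.255 netmask 255.255.255.0"
br0_interfaces="eth0 eth1"
iface_eth0="10.0.0.5 netmask 255.255.255.0"
br1_interfaces="eth2 eth3"
'

# Accept only [A-Za-z0-9._-] and at most 15 characters (IFNAMSIZ - 1),
# so a name like "eth0;id" can never reach a variable-name splice.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Variable-name form of an interface name (assumed convention):
# eth0.100 -> eth0_100, since '.' and '-' are not legal in shell names.
var_name_for() {
    printf '%s\n' "$1" | sed 's/[.-]/_/g'
}

# Print the value of key="value" from the config text ($1 = key,
# $2 = config text). No eval: the line is matched and the quotes stripped.
# Returns 1 when the key is absent.
conf_get() {
    while IFS= read -r line; do
        case "$line" in
            "$1="*) v=${line#*=}; v=${v#\"}; printf '%s\n' "${v%\"}"; return 0 ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# Member interfaces of bridge $1 from config $2; fails on a bad bridge name.
bridge_members() {
    valid_ifname "$1" || return 1
    conf_get "$(var_name_for "$1")_interfaces" "$2"
}

# Sanity check before any brctl call: the bridge must have members, every
# member name must be valid, and no member may define iface_<member>.
bridge_check() {
    members=$(bridge_members "$1" "$2") || return 1
    [ -n "$members" ] || return 1
    for m in $members; do
        valid_ifname "$m" || return 1
        if conf_get "iface_$(var_name_for "$m")" "$2" >/dev/null; then
            return 1
        fi
    done
    return 0
}
```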
* Re: [gentoo-dev] Proposal: networking startup script rewrite
From: William Hubbs @ 2003-10-14 15:21 UTC
To: gentoo development
Hi Michael and all,
I am going to try to give some input on this also.
On Mon, Oct 13, 2003 at 02:56:00PM -0400, Michael J. Cohen wrote:
> After wrestling with our current net implementation to get bridged interfaces
> and vlans working, which ended in me just setting up things in local.start, I
> figured a rewrite of our network scripts is in order.
>
> I have made a primitive version of the rewrite available here:
> http://325i.org/proposed-net-replacement
>
> It is useless in its current state and only provided as an example.
>
> The reason for this rewrite is twofold: ease of configuration and ease of
> maintenance.
>
> Here are a few of my ideas for the evolution of this currently primitive
> rewrite:
>
> * all networking related configuration should take place in /etc/conf.d/net,
> thus eliminating /etc/conf.d/iptables and such
I don't agree that iptables should be a part of this; I think of setting up a firewall as a separate, but related task. I do, however, like the idea of one script, and one config file that controls bring up and down all of the network interfaces.
> * bringing interfaces up and down should be handled by one script that
> recognizes all possible up and down configurations of an interface, for
> example, 802.1[d,q] (bridge,vlan), netfilter, dhcp, bootp..
I agree here. It would be nice to be able to have a script or utility that would handle all of this. Don't shoot me for this, lol, but I thought that debian's ifupdown utility was pretty slick. It had a configuration file that described all of the interfaces, the default gateway and whether or not interfaces should be brought up on bootup, and it was called by a single script that brought all of the interfaces up or down.
> * configuration of iptables, ipsec, routing, etc should be handled by the up/
> down script calling the appropriate /etc/init.d scripts with the appropriate
> arguments. these scripts would have to parse /etc/conf.d/net or rely on some
> of the functions in /etc/init.d/net to parse it if the user should decide to
> start/restart/reload a script individually
I think these should stay separate. I guess my thinking here is that all systems that need to be on a network don't necessarily need these functions, so why make them part of the net script?
> If anyone has any input, please feel free to speak your mind.
>
> I would love to see gentoo become the easiest distro to configure network
> interfaces for *any* and *all* possible configurations, and I feel that this
> is the first step to achieve that goal.
Let me know what you think.
William