[gentoo-dev] rfc: OpenRC network provides revisited

[gentoo-dev] rfc: OpenRC network provides revisited

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 694 bytes --]

All,

bugs like this one [1] are making me question the net/lo provides again,
and I want to know what everyone thinks.

First, do we need a provide for the loopback at all? I do not know of
any scenario in which a linux or *bsd system will not have an active
loopback interface. If we just make sure that the loopback interface
comes up in the boot runlevel, we should be good right?

The second question this bug brings up is whether services should "need"
or "use" net. Remember that the "need" dependency will try to run the
needed service even if it is in init.d but not in a runlevel.

What are your thoughts on this?

Thanks,

William

[1] https://bugs.gentoo.org/show_bug.cgi?id=425130

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[Alexandre Rostovtsev]

[-- Attachment #1: Type: text/plain, Size: 724 bytes --]

On Fri, 2012-08-24 at 12:10 -0500, William Hubbs wrote:
> The second question this bug brings up is whether services should "need"
> or "use" net. Remember that the "need" dependency will try to run the
> needed service even if it is in init.d but not in a runlevel.

Presumably that depends on the service. If a daemon can deal with
network interfaces going up and down, then "use net" of course makes
more sense.

> [1] https://bugs.gentoo.org/show_bug.cgi?id=425130

The bug report was caused by a failure of communication on our part; we
cannot expect average users to read the gentoo-dev mailing list. Maybe
there should have been a news item about the change in behavior in
openrc-0.9.9.

-Alexandre.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 1167 bytes --]

On Fri, Aug 24, 2012 at 01:50:14PM -0400, Alexandre Rostovtsev wrote:
> On Fri, 2012-08-24 at 12:10 -0500, William Hubbs wrote:
> > The second question this bug brings up is whether services should "need"
> > or "use" net. Remember that the "need" dependency will try to run the
> > needed service even if it is in init.d but not in a runlevel.
> 
> Presumably that depends on the service. If a daemon can deal with
> network interfaces going up and down, then "use net" of course makes
> more sense.
 
 This user is running with pre-configured interfaces (root is nfs
 mounted). The network interface configuration should not be touched by
 openrc.

If you look at his logs, one issue is that the "network" service is
starting even though it isn't in a runlevel. I have made changes in git
master so this will not be installed if you do not use the "newnet" use
flag.

When network interfaces are pre-configured, our network scripts
shouldn't run at all, but they can be forced to run if other services
have "need net" in their dependencies.

So my question is, should we change our services to "use net" instead of
"need net"?

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[Diego Elio Pettenò]

[-- Attachment #1: Type: text/plain, Size: 354 bytes --]

On 24/08/2012 12:58, William Hubbs wrote:
>  This user is running with pre-configured interfaces (root is nfs
>  mounted). The network interface configuration should not be touched by
>  openrc.

That would be nice for LCX as well, just so you know.

-- 
Diego Elio Pettenò — Flameeyes
flameeyes@flameeyes.eu — http://blog.flameeyes.eu/


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 554 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[heroxbd]

[-- Attachment #1: Type: text/plain, Size: 815 bytes --]

Hi William,

William Hubbs <williamh@gentoo.org> writes:

> When network interfaces are pre-configured, our network scripts
> shouldn't run at all, but they can be forced to run if other services
> have "need net" in their dependencies.
>
> So my question is, should we change our services to "use net" instead of
> "need net"?

I don't think we should make this change. People have different
setups. We cannot provide a default configuration that covers all corner
cases. Instead, we can show the user how to customize openrc and change
the default behavior. e.g. setting rc_provide="net" and
rc_depend_strict="NO", works for this case.

Our focus can be on providing more useful debug message to user, like
when net.lo fails to stop openrc outputs who pulled it in and how to
disable this behavior.

Yours,
Benda

[-- Attachment #2: Type: application/pgp-signature, Size: 489 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[heroxbd]

[-- Attachment #1: Type: text/plain, Size: 392 bytes --]

Besides, IMHO, we should avoid changing OpenRC's default dependency too
often. The solution for one user can be received as a regression to
others.

People file bugs saying "it worked for OpenRC-0.9 but not 0.10". For
devs, we know we just changed default value of something perfectly
configurable. But for that user, it is quite discouraging to feel
"something in OpenRC is still unstable".

[-- Attachment #2: Type: application/pgp-signature, Size: 489 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 1256 bytes --]

On Sat, Aug 25, 2012 at 07:40:43AM +0900, heroxbd@gentoo.org wrote:
> Besides, IMHO, we should avoid changing OpenRC's default dependency too
> often. The solution for one user can be received as a regression to
> others.
> 
> People file bugs saying "it worked for OpenRC-0.9 but not 0.10". For
> devs, we know we just changed default value of something perfectly
> configurable. But for that user, it is quite discouraging to feel
> "something in OpenRC is still unstable".

Another thing to consider is, do the services we say "need net" really
_NEED_ net?

If a service is a listener like sshd that isn't bound to a specific
address by default and can deal with interfaces going up and down, I
would guess that it doesn't. I am thinking that we can set up the
depends for sshd as follows:

use net
after net

That would make sure a net provider runs before sshd if one is
in the runlevel, but allow sshd to start if one is not as well.

This would have to be tested on a case-by-case basis.

About changing default values, I think that if we have a good reason to
change them, we should inform users and change them.

I think the advantage here is that it makes openrc run out of the box in
more situations.

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[Ian Stakenvicius]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 24/08/12 03:58 PM, William Hubbs wrote:
> On Fri, Aug 24, 2012 at 01:50:14PM -0400, Alexandre Rostovtsev
> wrote:
>> On Fri, 2012-08-24 at 12:10 -0500, William Hubbs wrote:
>>> The second question this bug brings up is whether services
>>> should "need" or "use" net. Remember that the "need" dependency
>>> will try to run the needed service even if it is in init.d but
>>> not in a runlevel.
>> 
>> Presumably that depends on the service. If a daemon can deal
>> with network interfaces going up and down, then "use net" of
>> course makes more sense.
> 
> This user is running with pre-configured interfaces (root is nfs 
> mounted). The network interface configuration should not be touched
> by openrc.
> 
> If you look at his logs, one issue is that the "network" service
> is starting even though it isn't in a runlevel. I have made changes
> in git master so this will not be installed if you do not use the
> "newnet" use flag.
> 
> When network interfaces are pre-configured, our network scripts 
> shouldn't run at all, but they can be forced to run if other
> services have "need net" in their dependencies.
> 
> So my question is, should we change our services to "use net"
> instead of "need net"?
> 

No, we shouldn't.  "need net" is important and "use net" doesn't
suffice in many cases.

However, for a NFS-root system there's a way to either #1 make the
"net" service do nothing (or alternatively overwrite the previously
configured net with the exact same info -- but iirc the do-nothing
option works), and alternatively #2 make it so that "net" is provided
right away.

One thing, though, that i'm not certain of is How the different
runlevels interact -- ie if "net" is started (considered up) at
"boot", it should be (and i assume is, but could be wrong) "up" during
"default" or whatever other runlevel there is, right?  I know it was
with baselayout-1 (which i'm actually still running on my NFS-root
cluster).



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iF4EAREIAAYFAlA4J6kACgkQ2ugaI38ACPAoigEAgi/Idi+tk/lmg597aVqJ+dKD
978sMNwUFnLD5GjTjM4A/1+xa5KmmF9b7SgOw0LFIdcBGByHCq8i3nd3HpgnGYhX
=FvL9
-----END PGP SIGNATURE-----

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[Ian Stakenvicius]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 24/08/12 07:48 PM, William Hubbs wrote:
> On Sat, Aug 25, 2012 at 07:40:43AM +0900, heroxbd@gentoo.org
> wrote:
>> Besides, IMHO, we should avoid changing OpenRC's default
>> dependency too often. The solution for one user can be received
>> as a regression to others.
>> 
>> People file bugs saying "it worked for OpenRC-0.9 but not 0.10".
>> For devs, we know we just changed default value of something
>> perfectly configurable. But for that user, it is quite
>> discouraging to feel "something in OpenRC is still unstable".
> 
> Another thing to consider is, do the services we say "need net"
> really _NEED_ net?
> 
> If a service is a listener like sshd that isn't bound to a
> specific address by default and can deal with interfaces going up
> and down, I would guess that it doesn't. I am thinking that we can
> set up the depends for sshd as follows:
> 
> use net after net
> 
> That would make sure a net provider runs before sshd if one is in
> the runlevel, but allow sshd to start if one is not as well.
> 
> This would have to be tested on a case-by-case basis.
> 
> About changing default values, I think that if we have a good
> reason to change them, we should inform users and change them.
> 
> I think the advantage here is that it makes openrc run out of the
> box in more situations.
> 
> William
> 

I think this may again come down to the meaning of "net" -- in the
case where rc_depend_strict="no" then "net" just means that the
network interface infrastructure is up and running (ie net.lo); this
should be true and imo is required for something like ssh.  When "net"
goes beyond that and includes other interfaces (ie,
rc_depend_strict="yes") then the 'need net' might be a bit strict; on
the other hand if a user has things set up that way then it may very
well be for a reason (for instance, I tend to prefer that sshd is
started after my hotplugged iface is up and likewise goes down when
that iface disappears.  I don't see that happening with a "use net"
case when compared against a "need net".

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iF4EAREIAAYFAlA4KMcACgkQ2ugaI38ACPCdxQD8DWD+LOJq1V5722MUkC2tvp0i
skFHngOAJNGFyW4q3gMBAJnXZ2TQE77MUjcbbWGbfXr71EBLVBcoy9vzcxHOK/Oj
=yO7o
-----END PGP SIGNATURE-----

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 1576 bytes --]

On Fri, Aug 24, 2012 at 09:22:15PM -0400, Ian Stakenvicius wrote:
> I think this may again come down to the meaning of "net" -- in the
> case where rc_depend_strict="no" then "net" just means that the
> network interface infrastructure is up and running (ie net.lo); this
> should be true and imo is required for something like ssh.  When "net"
> goes beyond that and includes other interfaces (ie,
> rc_depend_strict="yes") then the 'need net' might be a bit strict; on
> the other hand if a user has things set up that way then it may very
> well be for a reason (for instance, I tend to prefer that sshd is
> started after my hotplugged iface is up and likewise goes down when
> that iface disappears.  I don't see that happening with a "use net"
> case when compared against a "need net".

We decided in a previous thread on this list that net.lo should not
provide net, and that is how it is set up in ~arch openrc. The part I
forgot to change is the network script.

We decided that the only things that provide net should be the
interfaces that support remote connections (e.g. anything besides the
loopback).

Also, consider a system where root is nfs mounted or a linux container.
If you are running services that "need net" and you have turned off all
of the "net" providers by adding something like rc_provide="!net" to
their conf.d files, the services that need net will fail hard even
though they shouldn't.

To handle your sshd case, you could always put

rc_need="net"

or, even better,

rc_need="net.iface"

in your /etc/conf.d/sshd file.

Thoughts?

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[Diego Elio Pettenò]

[-- Attachment #1: Type: text/plain, Size: 276 bytes --]

On 24/08/2012 20:57, William Hubbs wrote:
> in your /etc/conf.d/sshd file.

Looks good.. most people who have especially complex configurations
would already be doing this.

-- 
Diego Elio Pettenò — Flameeyes
flameeyes@flameeyes.eu — http://blog.flameeyes.eu/


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 554 bytes --]

[gentoo-dev] Re: rfc: OpenRC network provides revisited

[Duncan]

Ian Stakenvicius posted on Fri, 24 Aug 2012 21:17:29 -0400 as excerpted:

> One thing, though, that i'm not certain of is How the different
> runlevels interact -- ie if "net" is started (considered up) at "boot",
> it should be (and i assume is, but could be wrong) "up" during "default"
> or whatever other runlevel there is, right?  I know it was with
> baselayout-1 (which i'm actually still running on my NFS-root cluster).

Yes, it still works that way.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[heroxbd]

[-- Attachment #1: Type: text/plain, Size: 385 bytes --]

William Hubbs <williamh@gentoo.org> writes:

> If you are running services that "need net" and you have turned off all
> of the "net" providers by adding something like rc_provide="!net" to
> their conf.d files, the services that need net will fail hard even
> though they shouldn't.

If we set rc_provide="net" in rc.conf, the services that need net can be
tricked as we intended to.

[-- Attachment #2: Type: application/pgp-signature, Size: 489 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 427 bytes --]

On Sat, Aug 25, 2012 at 03:19:24PM +0900, heroxbd@gentoo.org wrote:
> If we set rc_provide="net" in rc.conf, the services that need net can be
> tricked as we intended to.

Setting rc_provide, rc_need, rc_use, etc in rc.conf is definitely not
recommended. Remember that this affects all services on your system.

when you set rc_provide="net" in rc.conf, you are saying that every service on
your system provides net.

William

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[Ian Stakenvicius]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 25/08/12 11:53 AM, William Hubbs wrote:
> On Sat, Aug 25, 2012 at 03:19:24PM +0900, heroxbd@gentoo.org
> wrote:
>> If we set rc_provide="net" in rc.conf, the services that need net
>> can be tricked as we intended to.

This makes more sense to me as it's in the direction that seems more
logical -- make "net" be provided instantly, rather than forcibly
changing the dependency on each (or all) "net"-using service(s).


> 
> Setting rc_provide, rc_need, rc_use, etc in rc.conf is definitely
> not recommended. Remember that this affects all services on your
> system.
> 
> when you set rc_provide="net" in rc.conf, you are saying that every
> service on your system provides net.
> 
> William

rc_modules_provide="net" ?  rc_localmount_provide="net" ?  There are a
number of required services that could be used to assign "net" to..

(And i would think that this specification should occur in rc.conf
rather than a file in /etc/conf.d , simply because it's something (in
the case of NFS root, etc) that's akin to rc_depend_strict or rc_sys
in terms of its impact on the whole openrc configuration)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iF4EAREIAAYFAlA5HkMACgkQ2ugaI38ACPDR5QEAkthP24HOhTZf+Nwhg8888mjS
XGZFFAuYj6iG8j7CU2kBALwvt2dxmHLMNO96rMAx7w6uKw9Ggad4tKssNQu+ePq/
=HrBr
-----END PGP SIGNATURE-----

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 2771 bytes --]

On Sat, Aug 25, 2012 at 02:49:39PM -0400, Ian Stakenvicius wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 25/08/12 11:53 AM, William Hubbs wrote:
> > On Sat, Aug 25, 2012 at 03:19:24PM +0900, heroxbd@gentoo.org
> > wrote:
> >> If we set rc_provide="net" in rc.conf, the services that need net
> >> can be tricked as we intended to.
> 
> This makes more sense to me as it's in the direction that seems more
> logical -- make "net" be provided instantly, rather than forcibly
> changing the dependency on each (or all) "net"-using service(s).
 
But your words bring us back to the issue I am considering anyway. I
think we should change services that have "need net" in their depends to
something like "use net; after net". "use net" tries to start a "net"
service if one is in the runlevel and none are already started. Using
"after net" makes sure that the service goes down before any net
services.

That way, if someone removes all net-providing services from their
runlevels, services like sshd would still start. Also, if there are
net-providing services in the runlevels, it would attempt to start them
before sshd.

The bottom line here is: I don't think all of the services we have set
up to "need net" in their default configuration should be set up that
way. It would make OpenRC work out of the box for many more
configurations.

> rc_modules_provide="net" ?  rc_localmount_provide="net" ?  There are a
> number of required services that could be used to assign "net" to..
 
 rc_[service]_provide="net" imo is the best way to do this if you are
 putting the variable in rc.conf. That format just says that the one
 particular service provides net. On the other hand, if you use
 rc_provide="net" in rc.conf, you are saying that *all* services on your
system and any new services you install later  provide net.

> (And i would think that this specification should occur in rc.conf
> rather than a file in /etc/conf.d , simply because it's something (in
> the case of NFS root, etc) that's akin to rc_depend_strict or rc_sys
> in terms of its impact on the whole openrc configuration)

This is really more an idiology thing I guess, but I think if you are
tweeking a specific service it should be done in the /etc/conf.d/service
file. To follow the example above, to make a particular service provide
net, it is better imo to put rc_provide="net" in /etc/conf.d/service.

If you want to change this in rc.conf, use the rc_[service]_[depend]
variable instead of rc_[depend]. RC_[depend] in rc.conf will apply that
dependency to *all* services on your system, including any new ones that
get installed later, so be absolutely sure you know what you are doing
if you use this.

William


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] rfc: OpenRC network provides revisited

[Ian Stakenvicius]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 25/08/12 04:16 PM, William Hubbs wrote:
> 
> The bottom line here is: I don't think all of the services we have
> set up to "need net" in their default configuration should be set
> up that way. It would make OpenRC work out of the box for many
> more configurations. [ Snip! ] This is really more an idiology
> thing I guess, but I think if you are tweeking a specific service
> it should be done in the /etc/conf.d/service file. To follow the
> example above, to make a particular service provide net, it is
> better imo to put rc_provide="net" in /etc/conf.d/service.
> 
> If you want to change this in rc.conf, use the
> rc_[service]_[depend] variable instead of rc_[depend]. RC_[depend]
> in rc.conf will apply that dependency to *all* services on your
> system, including any new ones that get installed later, so be
> absolutely sure you know what you are doing if you use this.

I concurr with your analysis, just not your conclusions.  :)  I very
much like (and depend on, in certain cases) the way depends on the
'net' service are set now, and would prefer they stay that way.
Relatedly, since the only cases I'm aware of where it is desired for
this to change are cases such as NFS-roots or vm's/containers where
the 'net' service is up before openrc begins, to me this is a
system-wide effect and not something that should be tweaked
per-service.  To change the default and then require per-service
tweaks to get old behaviour back is imo not a particularly good idea.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iF4EAREIAAYFAlA7axoACgkQ2ugaI38ACPDAfAD/YpiHpAp2tMDhqBm5V19KTmwU
BgavBXMATRcJeWETmV4A/1egNPg7i1pRpzWTLa7//Ano108rRQ9Ff9xZN01EBh1E
=N0n2
-----END PGP SIGNATURE-----