[gentoo-hardened] bonding module auto-loading

[gentoo-hardened] bonding module auto-loading

["Tóth Attila"]

After a week I think I've sorted out nearly all issues about openrc on my
systems.
Bonding was compiled into the kernel. Upon I tried to echo mode 4
(802.3ad) to set up the lacp, the system said there's no write access to
the mode file. So the bonding interface remained in round-robin mode. That
was disturbing.

grsec: denied auto-loading kernel module for a network device with
CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-bonding
instead.

I suspect there was something wrong in the background.
If I take a look at on the error message, I don't know that actually which
process tries to autoload the module. I would check out my policy to
specify CAP_NET_ADMIN also for that binary. For the second part I would be
interested to where I should add netdev-bonding as an alias for openrc or
whatnot?

I've ended up compiling bonding as a module and the interface is in the
correct mode now after reboot. Loading the module now happens before
locking down the system.

Regards:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

Re: [gentoo-hardened] bonding module auto-loading

[Anthony G. Basile]

On 05/20/2011 07:11 AM, "Tóth Attila" wrote:
> After a week I think I've sorted out nearly all issues about openrc on my
> systems.
> Bonding was compiled into the kernel. Upon I tried to echo mode 4
> (802.3ad) to set up the lacp, the system said there's no write access to
> the mode file. So the bonding interface remained in round-robin mode. That
> was disturbing.
> 
> grsec: denied auto-loading kernel module for a network device with
> CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-bonding
> instead.
> 
> I suspect there was something wrong in the background.
> If I take a look at on the error message, I don't know that actually which
> process tries to autoload the module. I would check out my policy to
> specify CAP_NET_ADMIN also for that binary. For the second part I would be
> interested to where I should add netdev-bonding as an alias for openrc or
> whatnot?
> 
> I've ended up compiling bonding as a module and the interface is in the
> correct mode now after reboot. Loading the module now happens before
> locking down the system.
> 
> Regards:
> Dw.

Compiling it as a module is the way the devs recommend doing it.  I've
been compiling it into my kernels, but then I'm stuck with what I get,
as you were.  I want the round-robin, what's bothering me is the miimon
which I can't change from 0 which means no mii mon which is not good.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535

Re: [gentoo-hardened] bonding module auto-loading

[Ed W]

On 20/05/2011 12:11, "Tóth Attila" wrote:
> After a week I think I've sorted out nearly all issues about openrc on my
> systems.
> Bonding was compiled into the kernel. Upon I tried to echo mode 4
> (802.3ad) to set up the lacp, the system said there's no write access to
> the mode file. So the bonding interface remained in round-robin mode. That
> was disturbing.

I use compiled in bonding module, openrc, hardened and everything is
configured correctly at boot using openrc via sysfs?

My working machine uses 2.6.32 + grsec and openrc 0.6.2.  I haven't
tested variations to this, but note that previous openrc had issues
configuring bonds via sysfs?

Your error message "no write access", I think is a symptom of wrong
ordering of bond creation when using sysfs?  Check gentoo bugzilla or
openrc bug tracker, there was an open issue against older openrc to fix
this (haven't checked it hasn't regressed in later openrc say)


My conf.d looks like:


# config eth0
config_eth0=( "null" )
config_eth1=( "null" )
config_eth2=( "null" )
config_eth3=( "null" )

# Bonding
slaves_bond0="eth0 eth1"
mode_bond0="802.3ad"
miimon_bond0="100"
lacp_rate_bond0="1"
config_bond0=( "null" )

slaves_bond1="eth2 eth3"
miimon_bond1="100"
mode_bond1="balance-rr"
config_bond1=( "192.168.2.10/24" )


# config tap0 to bring up bridge
tuntap_tap0="tap"
config_tap0=( "null" )
bridge_add_tap0="br0"
rc_need_tap0="net.br0"

# config tap1 to bring up bridge
tuntap_tap1="tap"
config_tap1=( "null" )
bridge_add_tap1="br0"
rc_need_tap1="net.br0"

# Config bridge to come up with just eth0
bridge_br0="bond0"
# or dynamically add them when the interface comes up
#bridge_add_eth0="br0"
config_br0=( "1.2.3.4/24" )
routes_br0=( "default via 1.2.3.1" )
# Make the bridge depend on bond0
rc_need_br0="net.bond0"

# Below is an example of configuring the bridge
brctl_br0=( "stp on" )




Does that help?

Ed W

Re: [gentoo-hardened] bonding module auto-loading

[Ed W]

Hi

> Compiling it as a module is the way the devs recommend doing it.

Which devs?

Bond should support full configuration through sysfs for some years now?
 There is no reason that I'm aware of to need it to be a module?

>  I've
> been compiling it into my kernels, but then I'm stuck with what I get,
> as you were.

It *should* be configurable completely via sysfs (and I think this is
now the preferred method?).  There are some caveats on the order you do
things though, eg you need the interface down to change most of the
settings?

>  I want the round-robin, what's bothering me is the miimon
> which I can't change from 0 which means no mii mon which is not good.

# cat /sys/class/net/bond0/bonding/miimon
100
# cat /sys/class/net/bond0/bonding/mode
802.3ad 4

# cat /sys/class/net/bond1/bonding/mode
balance-rr 0
# cat /sys/class/net/bond1/bonding/miimon
100

Not sure what values are sensible though?

Good luck

Ed W

Re: [gentoo-hardened] bonding module auto-loading

["Tóth Attila"]

2011.Május 21.(Szo) 14:36 időpontban Ed W ezt írta:
>>  I want the round-robin, what's bothering me is the miimon
>> which I can't change from 0 which means no mii mon which is not good.
>
> # cat /sys/class/net/bond0/bonding/miimon
> 100
> # cat /sys/class/net/bond0/bonding/mode
> 802.3ad 4
>
> # cat /sys/class/net/bond1/bonding/mode
> balance-rr 0
> # cat /sys/class/net/bond1/bonding/miimon
> 100
>
> Not sure what values are sensible though?
>
> Good luck
>
> Ed W

Previously I could proprely configure compiled-in bonding (for ages). Now
I can only configure it by passing module parameters.

I don't know if it's openrc or my kernel, which is 2.6.38-hardened-r4. The
kernel is definetly newer than yours. I don't know if the module-lockdown
method provided by grsecurity influences tuning compiled-in components or
not...

What do you get if you try to echo something into a bonding/mode file? It
might be possible, that openrc executes the command earlier now than
before.

I can live with bonding compiled in as a module, but the behavior has been
changed somehow. And I still don't know how I can fix the error message
supplied by grsec - apart from the workaround.

Regards,
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

Re: [gentoo-hardened] bonding module auto-loading

[Anthony G. Basile]

On 05/21/2011 08:36 AM, Ed W wrote:
> Hi
> 
>> Compiling it as a module is the way the devs recommend doing it.
> 
> Which devs?
> 
> Bond should support full configuration through sysfs for some years now?
>  There is no reason that I'm aware of to need it to be a module?
> 
>>  I've
>> been compiling it into my kernels, but then I'm stuck with what I get,
>> as you were.
> 
> It *should* be configurable completely via sysfs (and I think this is
> now the preferred method?).  There are some caveats on the order you do
> things though, eg you need the interface down to change most of the
> settings?
> 
>>  I want the round-robin, what's bothering me is the miimon
>> which I can't change from 0 which means no mii mon which is not good.
> 
> # cat /sys/class/net/bond0/bonding/miimon
> 100
> # cat /sys/class/net/bond0/bonding/mode
> 802.3ad 4
> 
> # cat /sys/class/net/bond1/bonding/mode
> balance-rr 0
> # cat /sys/class/net/bond1/bonding/miimon
> 100
> 
> Not sure what values are sensible though?
> 
> Good luck
> 
> Ed W
> 

In answer to the first question, I was getting my info from memory.  I
remember mpagano quoting it in response to a problem someone else had
with compiling it in.  I remember him saying that using the module was
the only way of setting the parameters.  I might ask him about it later.

As for /sys, thanks for the info!  It worked.  Perhaps my info comes
from the pre /sys days?

100 is reasonable.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535