Posted to dev@vcl.apache.org by Andy Kurth <an...@ncsu.edu> on 2012/10/11 16:51:31 UTC

Change Linux network configuration flow

I'd like to change how networking gets configured for Linux images.
Currently eth0 and eth1 are hard-coded and saved in every Linux image.
The private interface must be eth0, public eth1.  This isn't ideal
for various reasons:
- Depending on how the hardware is cabled/configured, some interface
other than the private one may be using eth0.
- If an image is configured with bridged adapters, the IP address may
show up as belonging to something like br0 instead of eth0.  This is
particularly a problem for images which have KVM installed.
- The code currently writes the hard-coded eth0/eth1 configuration
commands to rc.local during image capture.  Changes cannot be made
without capturing a new image.
- rc.local is erased/rewritten during image capture.  It would be most
logical and familiar for image creators to simply be able to put
custom commands in rc.local.  Instead, they have to use custom
vcl_post_load scripts.

I propose changing this to work the same way the Windows code works:
- The only assumption the backend vcld code makes is that when an
image is loaded, the private interface will receive its IP address via
DHCP (usually given out by the management node) and at some point that
machine will respond to SSH on port 22 on its private IP address.  It
doesn't matter what the interfaces are named.  Nothing is saved in the
image which restricts it to a particular hardware/network
configuration.
- Once the machine responds, the vcld code performs all of the steps
to secure the machine and allow the connection methods to work
including configuring SSH access on the public network.  The code
retrieves the networking configuration from the machine and figures
out which interface is private and public.

Some of the changes to the code which would have to be made:
- During image capture, configure sshd to listen on all interfaces.
Remove the changes that were made to configure "external" sshd.  This
is pretty much how things would be configured out-of-the-box with a
few security settings applied such as disabling password
authentication.
- For existing images, remove the commands from rc.local which were
added by vcld when the image was captured.
- Modify the code so that the private and public networks are sorted
out during the OS post_load stage.  Most of this code is already in
OS.pm and can be used for both Linux and Windows with some minor
changes.

This will allow for greater flexibility, will make it easier to add
support for a single network interface, and will probably make it
easier to add new network/VLAN/fixed IP address features.

Thoughts, suggestions, concerns?

Thanks,
Andy
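
An added example, not part of the original post or the VCL code base: one way the post_load stage could tell the private and public interfaces apart by address instead of by name, including the br0 case mentioned above. The sample `ip -o -4 addr show` output is constructed, and the function and parameter names are hypothetical.

```python
import ipaddress

# Constructed sample of `ip -o -4 addr show` output (not captured from a real host).
# The private address sits on a bridge (br0), the case the post mentions for KVM images.
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.37/24 brd 198.51.100.255 scope global eth1\\       valid_lft forever preferred_lft forever
4: br0    inet 10.10.4.21/16 brd 10.10.255.255 scope global br0\\       valid_lft forever preferred_lft forever
"""


def parse_ipv4_interfaces(ip_output):
    """Return {interface name: [IPv4Interface, ...]} from `ip -o -4 addr show` text."""
    interfaces = {}
    for line in ip_output.splitlines():
        fields = line.split()
        # Expected shape: "<index>:" "<name>" "inet" "<address>/<prefix>" ...
        if len(fields) < 4 or fields[2] != "inet":
            continue
        interfaces.setdefault(fields[1], []).append(ipaddress.ip_interface(fields[3]))
    return interfaces


def classify_interfaces(ip_output, private_ip):
    """Pick the private and public interface by address, never by name.

    private_ip (hypothetical parameter) is the address the management node
    reached over SSH; in the proposal it is assigned via DHCP.
    """
    target = ipaddress.ip_address(private_ip)
    private, candidates = None, []
    for name, addrs in parse_ipv4_interfaces(ip_output).items():
        if any(a.ip == target for a in addrs):
            private = name
        elif any(not a.ip.is_loopback and not a.ip.is_link_local for a in addrs):
            candidates.append(name)
    if private is None:
        raise ValueError(f"no interface holds private address {private_ip}")
    if len(candidates) > 1:
        # Refuse to guess: public SSH access should not be opened on the wrong network.
        raise ValueError(f"ambiguous public interface: {candidates}")
    # A single-NIC machine has no separate public interface.
    return {"private": private, "public": candidates[0] if candidates else None}
```

Failing on an ambiguous or missing match keeps the later step of configuring SSH access on the public network from being applied to an interface chosen by guesswork.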

Re: Change Linux network configuration flow

Posted by Aaron Peeler <aa...@ncsu.edu>.
+1

There is also a Jira issue on this:
https://issues.apache.org/jira/browse/VCL-582

Sounds good. Depending on rc.local has an issue in certain cases.

-Aaron

-- 
Aaron Peeler
Program Manager
Virtual Computing Lab
NC State University

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

Re: Change Linux network configuration flow

Posted by Josh Thompson <jo...@ncsu.edu>.
This sounds like a good idea to me.

Josh

-- 
-------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu


RE: Change Linux network configuration flow

Posted by "Waldron, Michael H" <mw...@email.unc.edu>.
I think this is a good idea. I've had to modify the provisioning code locally for Linux images because our eth0/eth1 assignments are reversed from the assumption, i.e. for us eth0 is public and eth1 is private. 

Making the changes you outlined would be a good thing.

Mike Waldron
Systems Specialist
ITS - Research Computing Center
University of North Carolina at Chapel Hill

