Ticket: None
Reviewed By: CCR-4692
Testing Done: smoke + scale tests
If called with close_fds=True the subprocess module will try to close every fd
from 3 to MAXFD before executing the specified command. This is done in Python,
not even with a C implementation, which truly affects performance.
This patch aims to better handle the file descriptor used by ifupdown2. Either
by closing them after use or by setting the close-on-exec flag for the file
descriptor, which causes the file descriptor to be automatically
(and atomically) closed when any of the exec-family functions succeed.
With the actual patch all tests are passing. I can't think of any future issue,
but if there is any, a possible future modification might be to use the parameter
'preexec_fn', which allows us to set a function which will be executed in the
child process before executing the command line. We can always manually close
any remaining open file descriptors with something like:
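>>> os.listdir('/proc/self/fd/')
['0', '1', '2', '3', etc..]
>>> for fd in os.listdir('/proc/self/fd/'):
...     if int(fd) > 2:
...         try:
...             os.close(int(fd))  # listdir() returns strings
...         except OSError:
...             pass  # the fd listdir() itself used is already closed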
This patch is also totally re-organising the use of subprocesses, by removing
all subprocess code redundancy.
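An added illustration of the close-on-exec approach described in the commit message above; it is not part of the commit or of ifupdown2's code. The helper names (`fd_state_in_child`, `set_cloexec`, `demo`) and the pipe used as the sample descriptor are assumptions made for the example. It spawns a child with close_fds=False and shows that an inheritable descriptor leaks into it until FD_CLOEXEC is set.

```python
import fcntl
import os
import subprocess
import sys

# Child program: report whether the fd number given in argv[1] survived exec.
CHILD = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "    print('open')\n"
    "except OSError:\n"
    "    print('closed')\n"
)

def fd_state_in_child(fd):
    """Exec a child without the close_fds sweep; return 'open' or 'closed'."""
    out = subprocess.check_output(
        [sys.executable, "-c", CHILD, str(fd)], close_fds=False)
    return out.decode().strip()

def set_cloexec(fd):
    """Set FD_CLOEXEC so the kernel closes fd when an exec succeeds."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)

def demo():
    r, w = os.pipe()  # constructed sample descriptor
    # F_DUPFD gives a copy numbered >= 64 with FD_CLOEXEC clear, i.e. an
    # inheritable fd, at a number the child's own startup will not reuse.
    fd = fcntl.fcntl(r, fcntl.F_DUPFD, 64)
    try:
        leaked = fd_state_in_child(fd)   # inherited: no close_fds, no cloexec
        set_cloexec(fd)
        fixed = fd_state_in_child(fd)    # closed by the kernel at exec time
    finally:
        for n in (fd, r, w):
            os.close(n)
    return leaked, fixed

if __name__ == "__main__":
    print(demo())
```

Python 3 creates descriptors non-inheritable by default (PEP 446), so the example makes one inheritable on purpose to reproduce the situation the commit addresses.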
Ticket: CM-7840
Reviewed By: Roopa Prabhu
Testing Done: yes, by installing ifupdown .deb file onto dell-s3000-02
This patch adds a new argument '--with-defaults' to 'ifquery'
when 'ifquery --with-defaults' is executed, running states of all interface
attributes are compared against respective configured attributes from
/etc/network/interfaces file, if configured. Otherwise, compared against
default attributes from policy file
This patch also: (1) fixes ifquery check failure for bridge-* stp attributes.
(2) removes vrf-default-route and vrf-cgroup attributes from ifupdown2 policy
and just have the vrf-helper attribute
Signed-off-by: Nikhil <nikhil@cumulusnetworks.com>
Ticket: CM-10178
Review: trivial
Testing: tested with failing testcase in the CM
This patch fixes a check in vrf map initialization code which did
not account for running vrfs correctly. This caused the case where
there were no running vrfs but stale map file to fail.
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
addons,ifupdown,sbin: adding ifquery --with-defaults option
Ticket: CM-7840
Reviewed By: Roopa Prabhu
Testing Done: yes, by installing ifupdown .deb file onto dell-s3000-02
This patch adds a new argument '--with-defaults' to 'ifquery'
when 'ifquery --with-defaults' is executed, running states of all interface
attributes are compared against respective configured attributes from
/etc/network/interfaces file, if configured. Otherwise, compared against
default attributes from policy file
Signed-off-by: Nikhil <nikhil@cumulusnetworks.com>
Ticket: CM-9919
Reviewed By: dsa, daniel
Testing Done: Checked that mgmt class interfaces are brought up at boot
if present
Note that this only indicates that:
- 'mgmt' is a reserved class
- if any interfaces are tagged as 'mgmt', they will be brought up at
boot
With this we can put out documentation saying that mgmt devices
can be put into its own class for easier management of mgmtvrf.
{noformat}
$cat /etc/network/interfaces
auto lo
iface lo inet loopback
allow-mgmt eth0
iface eth0 inet dhcp
vrf mgmt
allow-mgmt mgmt
iface mgmt
address 127.0.0.1/8
vrf-table auto
$ifquery -l --allow=mgmt
eth0
mgmt
$ifquery -l -a
lo
$ifreload --allow=mgmt
$ifup --allow=mgmt
{noformat}
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Ticket:
Reviewed By: julien
Testing Done: Tested ifquery -l and checked that it is compatible with
ifupdown
ifquery list lists all matching interfaces. By default that is all auto
interfaces:
example:
{noformat}
$cat /etc/network/interfaces
auto lo
iface lo inet loopback
allow-mgmt eth0
iface eth0 inet dhcp
vrf mgmt
allow-mgmt mgmt
iface mgmt
address 127.0.0.1/8
vrf-table auto
$ifquery -l --allow=mgmt
eth0
mgmt
$ifquery -a -l
lo
{noformat}
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Ticket: CM-9668
Reviewed By: daveO, roopa (patch by daveO)
Testing Done: Tested reboot/shutdown and made sure network
unconfiguration was not getting triggered
This is controlled by a variable SKIP_DOWN_AT_SYSRESET="yes"
(defaults to yes). Should probably default to 'no' for upstream.
non-persistent storage
This is a reimport of missing pieces of commit
f819c3602e56 in 2.5cl ifupdown2.
commit log from 2.5cl:
Introduce a lock file in non-persistent storage
/run/network/ifstatelock to make sure the state
file in persistent storage is cleaned up correctly
ifupdown2 state file was moved to /var/tmp because /var/tmp was
tmpfs and was large enough (100MB) for the state file. But it
appears it has changed (or is not consistent) across all platforms.
We can move it under /run, but /run again size varies on various
platforms and it is too small on some platforms.
This patch:
- continues to keep the ifupdown2 state file under /var/tmp (because
it needs the space)
- introduces a second level /run/network/ifstatelock file that stays
on non-persistent storage and is used to delete the state file at
/boot up
Closes: CM-9573, CM-7774
Review: CCR-3623 (original review)
Tested-by: Mallikarjuna rao Uppalapati <mallik@cumulusnetworks.com>
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Ticket: none
Reviewed By: trivial
Testing Done: installed, Alex tried for image creations.
apparently with some of our packages like mstpd still using init.d for a
while longer, just having the init.d/networking file causes the original
complaints about loops between services.
So I'm purging it completely.
Also clean up the comments a bit in start-networking
Ticket: CM-8790
Reviewed By: wkok,roopa
Testing Done: built, installed, rebooted
jessie's networking starts as an init.d service. Trying to force ordering
between init.d and systemd services when there are dependencies doesn't work
well (especially since the init.d/networking service is forced very early
because of the remote filesystem requirement in jessie).
Converting networking to a script run as a systemd service allows us to start
networking after switchd. The new script is /sbin/start-networking. I chose
to keep it in /sbin, rather than put it in /usr/cumulus/bin, because it's core
functionality.
I am not removing /etc/init.d/networking, it just gets ignored unless somebody
types it manually. If somebody does that, systemctl runs through the lsb
hooks. The two lost abilities below are just ignored if passed. I'm
also preventing creating the rc.d symlinks to the init.d/networking
script to reduce future confusion.
We lose some init.d "convenience" functionality because it's not available
through systemd. What we lose are:
reload-currently-up - can still be done with ifreload --currently-up
force-reload - can still be done with ifreload -f -a
We keep start, stop, reload, restart
These include changes that were done to move ifupdown2
to use pybuild and some debian policy fixes
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Ticket: CM-7995
Reviewed By: CCR-3850
Testing Done: Tested exit code on syntax errors
This patch adds members 'errors' and 'warns' to networkinterfaces.py
to track errors and warns during parsing interfaces file.
This patch also adds --syntax-check option to ifreload
given people seem to use ifreload more than ifup these days.
$ ifreload --syntax-check -a
error: /etc/network/interfaces: iface swp1.200: unsupported keyword (roopa-attr)
$ echo $?
1
(cherry picked from commit e643a136fcf5d387ff0f9a31cb6a6af4983e1012)
Ticket: CM-7939
Reviewed By: CCR-3732
Testing Done: Tested ifreload --allow=class
this now
The ifreload classes already supported allow. This just opens up the
option in /sbin/ifupdown
example 1:
---------
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test swp3
iface swp3
/* should only act on swp2 and swp3 */
example 2:
---------
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test br1
iface br1
bridge-ports swp25 swp26
/* change bridge name and do an ifreload */
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test br2
iface br2
bridge-ports swp25 swp26
should delete br1 and create br2
(ie to allow -i option)
Ticket: CM-7066
Reviewed By: CCR-3636
Testing Done: Tested ifupdown2 -i option
Administrators can protect from sudo users executing files with -i
by changing the disable_cli_interfacesfile=1 in ifupdown2.conf
I have uploaded the patch in CCR-3636. And checked with shm and nolan
before pushing this change in 2.5.4.
The default is being changed because of the fear of breaking existing
users of -i after an upgrade to 2.5.4.
The shipping default behaviour for -i will be revisited in 3.0
timeframe.
(cherry picked from commit 5dce566a94dafc99c441e66c412d8d66a083aa5e)
Ticket: CM-7066
Reviewed By: roopa
Testing Done: unit tested and wrote new testcase in testifupdown2
Use case for ifquery where stdin used with -i breaks
because interfacesfileiobuf was not checked in addition to interfacesfilename.
Testcase like:
echo '[{"name": "swp1","auto": true,"config": {"address": "10.10.10.10/24"}}]' | ifquery -i - -t json swp1
would fail because while -i was given with stdin, the check for missing filename would produce an error.
It was also decided by consensus that the ifquery command does not need to have a check for
disable_cli_interfacesfile since a query "should" not pose a security check.
(I've also added some test cases for this in cl-tests).
(cherry picked from commit 4d37e932b43da87a9240a866be2d8b9508a9c7eb)
Ticket: CM-7066
Reviewed By: scotte,roopa,olson
Testing Done: Unit testing and regression testing
This patch does two things:
1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2.
This should allow administrators to specify a config file location different from the default and allow
subsets of users to use it without giving them access to specifying their own with the -i option in ifup/ifdown.
2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users
from specifying their own interfaces file. This defaults to "1" (even if it is not configured).
Note: this new default takes away users' ability to specify an interfaces file.
This should close the vulnerability where users could specify their own interfaces file
and add arbitrary user commands.
This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery
commands already require root access to run and the interfaces config file also requires root access to modify.
ifupdown2 code was one level deeper because ifupdown2 initially
had ifupdown2 and ifupdown2-addons as two separate packages.
Since they were combined into one package, it makes sense to
move all combined code under the top level directory
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
1. clag_enable flag in the bonding driver
2. And clagid in clagd
Ticket: CM-4091
Reviewed By:
Testing Done: yes
1. Two new commands have been introduced in clagctl - setclagid and showclagid.
These commands will be used by ifupdown2 to set and read/check the clagid.
2. In addition a bit will be maintained per-bond in the bonding driver to
indicate if a bond is a CLAG bond.
(cherry picked from commit cb160bad45d330fe5f544d0d9a40c1c77b9b563f)
over ifup handling of upperifaces by default) + some fixes in the
reserved vlan check
Ticket: CM-3346
Reviewed By:
Testing Done: Tested ifupdown sanity.
Ticket: CM-4204
Reviewed By:
Testing Done: Tested ifreload with interfaces file in the bug
My last checkin moved the auto flag around causing the breakage
ifupdown logging from /etc/init.d/networking.
Ticket: CM-3891
Reviewed By:
Testing Done: Tested changing default networking parameters
- This provides a way to log to syslog
- if syslog is not enabled, msgs are output to stdout (in case of boot
these should be captured by bootlog in > 2.5)
Note that these values only affect logging from the
/etc/init.d/networking script and has nothing to do with ifupdown2
logging when ifupdown2 is used outside of /etc/init.d/networking
Ticket: CM-3346
Reviewed By:
Testing Done: ifupdown2 sanity
I don't see a real reason for a core file to debug ifupdown2 problems
currently. Will re-enable core file generation when I root cause the
issue.
Ticket: CM-3176
Reviewed By: trivial
Testing Done: Tested ifreload with the testcase in the bug
This broke when I recently fixed --allow-classes support for ifup/ifdown
example fixes
Ticket: CM-2911
Reviewed By: CCR-1637
Testing Done: tested ifupdown2 sanity and bash completion
The python argcomplete module that I use for ifupdown2 has a limitation
that it does not work with sudo when used in the global mode. But there is
a workaround for it online (long story short...instead of enabling the global
argparse complete ...the author recommends registering argparse complete bash
completion individually for your script). This patch does just that.
This patch also moves the udev overrides to their respective packages.
Two of them are owned by ifupdown2.
Conflicts:
rootconf/default/home/cumulus/sysroot-complete
warnings on ifupdown)
Ticket: CM-1438
Reviewed By:
Testing Done: Tested ifupdown2 sanity
Some of the above mentioned configurable items can be specified in
ifupdown2.conf
param-id). It's less prone to problems.
Ticket: CM-1438
Reviewed By:
Testing Done:
- Also add bpdufilter support
- This also gets rid of caching for mstpctl output
attributes' for backward compatibility
Ticket: CM-1438
Reviewed By:
Testing Done: Tested ifupdown sanity and new functionality
support for:
- -i <interface file>
- template lookup path and move all template handling to a separate
module template.py
- new ifupdown2 config file /etc/network/ifupdown2/ifupdown2.conf
- bridge_waitport and bridge_maxwait
- moved addons.conf to /var/lib/ifupdownaddons/
update the cache yet and that can cause problems during add
Ticket: CM-2491
Reviewed By:
Testing Done:
Still working on the cache update support during batching.
Ticket: CM-1438
Reviewed By: review pending
Testing Done: Tested ifup/ifdown
Before this patch, `ifup --with-depends <iface>` only brought up
lowerdevices. Because those were enough for iface to function.
And if ifaces above it (upperdevices) needed fixing, user could just
execute `ifup --with-depends <ifaceupper>`.
But a recent bond under a bridge bug in 2.0 got me thinking that
it's probably better to up the upperdevices which might be impacted as
well, and this patch does just that.
The patch includes changes to make ifupdown generate dependency
information for all interfaces even if the user requested to operate
on a single interface. This is to get a full view of the interfaces file.
This might add some overhead. Should not change anything during boot.
Still looking at ways to optimize.
Ticket: CM-1438
Reviewed By:
Testing Done:
This also fixes a bug with address handling:
- If the user changed a primary address, flush all the addresses and
re-add them. Previously, if user added a new primary address, it would
just get appended to the end of the address list as a secondary address.