Ticket: CM-7939
Reviewed By: CCR-3732
Testing Done: Tested ifreload --allow=class
this now
The ifreload classes already supported allow. This just opens up the
option in /sbin/ifupdown
example 1:
---------
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test swp3
iface swp3
/* should only act on swp2 and swp3 */
example 2:
---------
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test br1
iface br1
bridge-ports swp25 swp26
/* change bridge name and do an ifreload */
auto swp1
iface swp1
allow-test swp2
iface swp2
allow-test br2
iface br2
bridge-ports swp25 swp26
should delete br1 and create br2
(ie to allow -i option)
Ticket: CM-7066
Reviewed By: CCR-3636
Testing Done: Tested ifupdown2 -i option
Administrators can protect from sudo users executing files with -i
by changing the disable_cli_interfacesfile=1 in ifupdown2.conf
I have uploaded the patch in CCR-3636. And checked with shm and nolan
before pushing this change in 2.5.4.
The default is being changed because of the fear of breaking existing
users of -i after an upgrade to 2.5.4.
The shipping default behaviour for -i will be revisited in 3.0
timeframe.
(cherry picked from commit 5dce566a94dafc99c441e66c412d8d66a083aa5e)
Ticket: CM-7066
Reviewed By: roopa
Testing Done: unit tested and wrote new testcase in testifupdown2
Use case for ifquery where stdin used with -i breaks
because interfacesfileiobuf was not checked in addition to interfacesfilename.
Testcase like:
echo '[{"name": "swp1","auto": true,"config": {"address": "10.10.10.10/24"}}]' | ifquery -i - -t json swp1
would fail because while -i was given with stdin, the check for missing filename would produce an error.
It was also decided by consensus that the ifquery command does not need to have a check for
disable_cli_interfacesfile since a query "should" not pose a security check.
(I've also added some test cases for this in cl-tests).
(cherry picked from commit 4d37e932b43da87a9240a866be2d8b9508a9c7eb)
Ticket: CM-7066
Reviewed By: scotte,roopa,olson
Testing Done: Unit testing and regression testing
This patch does two things:
1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2.
This should allow administrators to specify a config file location different from the default and allow
subsets of users to use it without giving them access to specifying their own with the -i option in ifup/ifdown.
2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users
from specifying their own interfaces file. This defaults to "1" (even if it is not configured).
Note: this new default takes away users ability to specify an interfaces file.
This should close the vulnerability where users could specify their own interfaces file
and add arbitrary user commands.
This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery
commands already require root access to run and the interfaces config file also requires root access to modify.
over ifup handling of upperifaces by default) + some fixes in the
reserved vlan check
Ticket: CM-3346
Reviewed By:
Testing Done: Tested ifupdown sanity.
Ticket: CM-4204
Reviewed By:
Testing Done: Tested ifreload with interfaces file in the bug
My last checkin moved the auto flag around causing the breakage
ifupdown logging from /etc/init.d/networking.
Ticket: CM-3891
Reviewed By:
Testing Done: Tested changing default networking parameters
- This provides a way to log to syslog
- if syslog is not enabled, msgs are output to stdout (in case of boot
these should be captured by bootlog in > 2.5)
Note that these values only affect logging from the
/etc/init.d/networking script and has nothing to do with ifupdown2
logging when ifupdown2 is used outside of /etc/init.d/networking
Ticket: CM-3346
Reviewed By:
Testing Done: ifupdown2 sanity
I dont see a real reason for a core file to debug ifupdown2 problems
currently. Will re-enable core file generation when i root cause the
issue.
Ticket: CM-3176
Reviewed By: trivial
Testing Done: Tested ifreload with the testcase in the bug
This broke when i recently fixed --allow-classes support for ifup/ifdown
example fixes
Ticket: CM-2911
Reviewed By: CCR-1637
Testing Done: tested ifupdown2 sanity and bash completion
The python argcomplete module that i use for ifupdown2 has a limitation
that it does not work with sudo when used in the global mode. But there is
a workaround for it online (long story short...instead of enabling the global
argparse complete ...the author recommends registering argparse complete bash
completion individually for your script). This patch does just that.
This patch also moves the udev overrides to their respective packages.
Two of them are owned by ifupdown2.
Conflicts:
rootconf/default/home/cumulus/sysroot-complete
warnings on ifupdown)
Ticket: CM-1438
Reviewed By:
Testing Done: Tested ifupdown2 sanity
Some of the above mentioned configurable items can be specified in
ifupdown2.conf
param-id). Its less prone to problems.
Ticket: CM-1438
Reviewed By:
Testing Done:
- Also add bpdufilter support
- This also gets rid of caching for mstpctl output
attributes' for backward compatibility
Ticket: CM-1438
Reviewed By:
Testing Done: Tested ifupdown sanity and new functionality
support for:
- -i <interface file>
- template lookup path and move all template handling to a separate
module template.py
- new ifupdown2 config file /etc/network/ifupdown2/ifupdown2.conf
- bridge_waitport and bridge_maxwait
- moved addons.conf to /var/lib/ifupdownaddons/
update the cache yet and that can cause problems during add
Ticket: CM-2491
Reviewed By:
Testing Done:
Still working on the cache update support during batching.
Ticket: CM-1438
Reviewed By: review pending
Testing Done: Tested ifup/ifdown
Before this patch, `ifup --with-depends <iface>` only brought up
lowerdevices. Because those were enough for iface to function.
And if ifaces above it (upperdevices) needed fixing, user could just
execute `ifup --with-depends <ifaceupper>`.
But in a recent, bond under a bridge bug in 2.0, got me thinking that
its probably better to up the upperdevices which might be impacted as
well. and this patch does just that.
The patch includes changes to make ifupdown generate dependency
information for all interfaces even if the user requested to operate
on a single interface. This is to get a full view of the interfaces file.
This might add some overhead. Should not change anything during boot.
Still looking at ways to optimize.
Ticket: CM-1438
Reviewed By:
Testing Done:
This also fixes a bug with address handling:
- If the user changed a primary address, flush all the addresses and
re-add them. Previously, if user added a new primary address, it would
ust get appended to the end of the address list as a secondary address.
Ticket: CM-1438
Reviewed By:
Testing Done:
- Moved link config to base ifupdown. I had been debating about this,
this is need to support manual and also the --no-scripts option.
- helps executing only link up/down operations if needed on an interface
- While at it, i also moved the scheduler methods to be classmethods
instead of instance methods (which again was a pending cleanup task)
Ticket: CM-1438
Reviewed By:
Testing Done: unit tested with all kinds of interfaces
some high level changes
- moved ipv4/ipv6 address handling in a single module. dhcp
into a separate module.
- new link 'up' module
- igmp fixes
- many other fixes
added a --with-depends option)
Ticket: CM-1438
Reviewed By:
Testing Done:
still debating on the default behaviour for following dependents.
for now not following dependents might be better.
When all interfaces are selected, it always follows dependents
Ticket: CM-1438
Reviewed By:
Testing Done: tested with configs involving vlan devices and bridges
- fix dependency handling which i had broken recently with my last
checkin (nat reported this one)
- In inet pluggins, dont issue ip addr get unless required (saw cpu
spike up because of CM-1889)
- and some other minor changes lying in my tree
Ticket: CM-1438
Reviewed By:
Testing Done: Tested installing new ifupdown on the box
- fixed a few things in ifquery
- added new perfmode to skip some of the checks (useful during boot when there is
no previous state)
- updated doc dir with example
- Added README, TODO and KNOWN_ISSUES file
Ticket: CM-1438
Reviewed By: TBD
Testing Done:
- Will checkin build files after some more testing and performance
numbers. It will go into the testing repo for 2.0
- All TODO items are part of the checked in TODO file
