====== networking ======

suggested exercises. some suggestions are bare suggestions - no explanation at all 8-)

==== show general status ====

  # nmcli
  ...
  enp0s3: disconnected
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:B8:24:87, hw, mtu 1500
  enp0s8: disconnected
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:98:53:C9, hw, mtu 1500
  ...

----

==== show device status ====

  # nmcli device
  DEVICE      TYPE      STATE         CONNECTION
  virbr0      bridge    connected     virbr0
  enp0s3      ethernet  disconnected  --
  enp0s8      ethernet  disconnected  --
  lo          loopback  unmanaged     --
  virbr0-nic  tun       unmanaged     --

----

==== show connection status ====

  # nmcli connection
  NAME    UUID                                  TYPE    DEVICE
  virbr0  9cc3711a-d802-49e8-a116-a2cab474fb91  bridge  virbr0

----

==== disable automatic connection creation ====

----

==== add an auto-configuring ethernet connection ====

  # nmcli connection add type ethernet con-name enp0s3 ifname enp0s3
  Connection 'enp0s3' (88b5a114-4258-48a9-b9ea-499b74a04add) successfully added.
  # nmcli connection
  NAME    UUID                                  TYPE            DEVICE
  enp0s3  88b5a114-4258-48a9-b9ea-499b74a04add  802-3-ethernet  enp0s3
  virbr0  9cc3711a-d802-49e8-a116-a2cab474fb91  bridge          virbr0
  # nmcli device
  DEVICE      TYPE      STATE         CONNECTION
  virbr0      bridge    connected     virbr0
  enp0s3      ethernet  connected     enp0s3
  enp0s8      ethernet  disconnected  --
  lo          loopback  unmanaged     --
  virbr0-nic  tun       unmanaged     --
  # cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
  TYPE=Ethernet
  PROXY_METHOD=none
  BROWSER_ONLY=no
  BOOTPROTO=dhcp
  DEFROUTE=yes
  IPV4_FAILURE_FATAL=no
  IPV6INIT=yes
  IPV6_AUTOCONF=yes
  IPV6_DEFROUTE=yes
  IPV6_FAILURE_FATAL=no
  IPV6_ADDR_GEN_MODE=stable-privacy
  NAME=enp0s3
  UUID=88b5a114-4258-48a9-b9ea-499b74a04add
  DEVICE=enp0s3
  ONBOOT=yes

----

==== add an ethernet connection profile with manual IP configuration ====

  # nmcli connection add con-name enp0s3 ifname enp0s3 type ethernet ip4 192.168.200.222/24
  Connection 'enp0s3' (aff98488-05b6-4cf8-8fde-7639ee5b5968) successfully added.
  # nmcli
  enp0s3: connected to enp0s3
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:B8:24:87, hw, mtu 1500
          inet4 192.168.200.222/24
          inet6 fe80::4591:9f60:53d8:aaf2/64

----

==== add an IPv6 address to an active connection ====

//From Wikipedia, the free encyclopedia//:

=== Unique local address ===

A unique local address (ULA) is an IPv6 address in the block fc00::/7, defined in [[https://tools.ietf.org/html/rfc4193|RFC 4193]]. It is the approximate IPv6 counterpart of the IPv4 private address. Unique local addresses are available for use in private networks, e.g. inside a single site or organization or spanning a limited number of sites or organizations. They are routable within the scope of a certain private-owned network, but not in the global IPv6 Internet.

The address block fc00::/7 is divided into two /8 groups:

  * The block fc00::/8 has not been defined yet. It has been proposed to be managed by an allocation authority, but this has not gained acceptance in the IETF.
  * The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string. This results in the format fdxx:xxxx:xxxx:: for a prefix in this range. [[https://tools.ietf.org/html/rfc4193|RFC 4193]] offers a suggestion for generating the random identifier to obtain a minimum-quality result if the user does not have access to a good source of random numbers.

on host A

  # nmcli connection modify enp0s3 +ipv6.addresses fd00::2/64
  # nmcli connection up enp0s3
  Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

on host B

  # nmcli connection modify enp0s3 +ipv6.addresses fd00::1/64
  # nmcli connection up enp0s3
  Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

check if everything's working fine

  [root@useven carbone]# slogin fd00::2
  The authenticity of host 'fd00::2 (fd00::2)' can't be established.
  ECDSA key fingerprint is SHA256:apZuQzAKfE5NI4fpzgCOJ0nz3I6ysphB3X8VwfW5J3c.
  ECDSA key fingerprint is MD5:63:94:48:08:6b:5b:27:05:46:ef:1f:b6:c4:66:ff:79.
  Are you sure you want to continue connecting (yes/no)?
  [root@seven carbone]# ping6 fd00::1
  PING fd00::1(fd00::1) 56 data bytes
  64 bytes from fd00::1: icmp_seq=1 ttl=64 time=0.567 ms
  64 bytes from fd00::1: icmp_seq=2 ttl=64 time=0.711 ms
  64 bytes from fd00::1: icmp_seq=3 ttl=64 time=0.696 ms
  64 bytes from fd00::1: icmp_seq=4 ttl=64 time=0.716 ms
  64 bytes from fd00::1: icmp_seq=5 ttl=64 time=0.603 ms
  ^C
  --- fd00::1 ping statistics ---
  5 packets transmitted, 5 received, 0% packet loss, time 4031ms
  rtt min/avg/max/mdev = 0.567/0.658/0.716/0.067 ms

----

==== add an ethernet connection profile in interactive editor ====

  # nmcli connection edit type ethernet
  ...
  goto ethernet
  ...
  goto ipv4.addresses
  ...
  desc
  ...
  set /
  ...
  print
  ...
  save

----

==== the big picture ====

Get rid of dynamic network setup on both VMs and configure them with static (private) IPv4 & IPv6 addresses.

....

----

==== list NetworkManager polkit permissions ====

try from console either as a normal user or as root, then from a remote connection

  $ nmcli general permissions
  PERMISSION                                                 VALUE
  org.freedesktop.NetworkManager.enable-disable-network      yes
  org.freedesktop.NetworkManager.enable-disable-wifi         yes
  org.freedesktop.NetworkManager.enable-disable-wwan         yes
  org.freedesktop.NetworkManager.enable-disable-wimax        yes
  org.freedesktop.NetworkManager.sleep-wake                  no
  org.freedesktop.NetworkManager.network-control             yes
  org.freedesktop.NetworkManager.wifi.share.protected        yes
  org.freedesktop.NetworkManager.wifi.share.open             yes
  org.freedesktop.NetworkManager.settings.modify.system      yes
  org.freedesktop.NetworkManager.settings.modify.own         yes
  org.freedesktop.NetworkManager.settings.modify.hostname    auth
  org.freedesktop.NetworkManager.settings.modify.global-dns  auth
  org.freedesktop.NetworkManager.reload                      auth
  org.freedesktop.NetworkManager.checkpoint-rollback         auth
  org.freedesktop.NetworkManager.enable-disable-statistics   yes
  $ sudo bash
  ...
  # nmcli general permissions
  PERMISSION                                                 VALUE
  org.freedesktop.NetworkManager.enable-disable-network      yes
  org.freedesktop.NetworkManager.enable-disable-wifi         yes
  org.freedesktop.NetworkManager.enable-disable-wwan         yes
  org.freedesktop.NetworkManager.enable-disable-wimax        yes
  org.freedesktop.NetworkManager.sleep-wake                  yes
  org.freedesktop.NetworkManager.network-control             yes
  org.freedesktop.NetworkManager.wifi.share.protected        yes
  org.freedesktop.NetworkManager.wifi.share.open             yes
  org.freedesktop.NetworkManager.settings.modify.system      yes
  org.freedesktop.NetworkManager.settings.modify.own         yes
  org.freedesktop.NetworkManager.settings.modify.hostname    yes
  org.freedesktop.NetworkManager.settings.modify.global-dns  yes
  org.freedesktop.NetworkManager.reload                      yes
  org.freedesktop.NetworkManager.checkpoint-rollback         yes
  org.freedesktop.NetworkManager.enable-disable-statistics   yes

  $ nmcli general permissions
  PERMISSION                                                 VALUE
  org.freedesktop.NetworkManager.enable-disable-network      no
  org.freedesktop.NetworkManager.enable-disable-wifi         no
  org.freedesktop.NetworkManager.enable-disable-wwan         no
  org.freedesktop.NetworkManager.enable-disable-wimax        no
  org.freedesktop.NetworkManager.sleep-wake                  no
  org.freedesktop.NetworkManager.network-control             auth
  org.freedesktop.NetworkManager.wifi.share.protected        no
  org.freedesktop.NetworkManager.wifi.share.open             no
  org.freedesktop.NetworkManager.settings.modify.system      auth
  org.freedesktop.NetworkManager.settings.modify.own         auth
  org.freedesktop.NetworkManager.settings.modify.hostname    auth
  org.freedesktop.NetworkManager.settings.modify.global-dns  auth
  org.freedesktop.NetworkManager.reload                      auth
  org.freedesktop.NetworkManager.checkpoint-rollback         auth
  org.freedesktop.NetworkManager.enable-disable-statistics   no

=== ok, but what the heck does it mean 'org.freedesktop.NetworkManager.sleep-wake'? ===

  $ pkaction --verbose --action-id org.freedesktop.NetworkManager.sleep-wake
  org.freedesktop.NetworkManager.sleep-wake:
    description:       Put NetworkManager to sleep or wake it up (should only be used by system power management)
    message:           System policy prevents putting NetworkManager to sleep or waking it up
    vendor:            NetworkManager
    vendor_url:        http://www.gnome.org/projects/NetworkManager
    icon:              nm-icon
    implicit any:      no
    implicit inactive: no
    implicit active:   no

Use the same command for each and every action-id you are interested in - enjoy!

----

==== bond devices ====

=== add a bonding master and two slave connection profiles ===

  # nmcli connection add type [TAB]
  adsl        bridge        ethernet    ip-tunnel  olpc-mesh   tun    wifi
  bluetooth   bridge-slave  generic     macsec     pppoe       vlan   wimax
  bond        cdma          gsm         macvlan    team        vpn
  bond-slave  dummy         infiniband  no-slave   team-slave  vxlan
  # nmcli connection add type bond con-name bond0 ifname bond0 mode active-backup
  Connection 'bond0' (c63d5b90-04e3-4a19-a93f-b3e9108ad67f) successfully added.
  # nmcli connection
  NAME    UUID                                  TYPE    DEVICE
  bond0   c63d5b90-04e3-4a19-a93f-b3e9108ad67f  bond    bond0
  virbr0  9cc3711a-d802-49e8-a116-a2cab474fb91  bridge  virbr0
  # nmcli connection add type bond-slave con-name bond0s0 ifname enp0s3 master bond0
  Connection 'bond0s0' (89f56c51-7efc-489a-a9aa-8afebf530cd7) successfully added.
  # nmcli connection
  NAME     UUID                                  TYPE            DEVICE
  bond0    c63d5b90-04e3-4a19-a93f-b3e9108ad67f  bond            bond0
  bond0s0  89f56c51-7efc-489a-a9aa-8afebf530cd7  802-3-ethernet  enp0s3
  virbr0   9cc3711a-d802-49e8-a116-a2cab474fb91  bridge          virbr0
  # nmcli connection add type bond-slave con-name bond0s1 ifname enp0s8 master bond0
  Connection 'bond0s1' (7165a8a9-97ff-40fe-a810-b214833bdbdd) successfully added.
  [root@seven carbone]# nmcli connection
  NAME     UUID                                  TYPE            DEVICE
  bond0    c63d5b90-04e3-4a19-a93f-b3e9108ad67f  bond            bond0
  bond0s0  89f56c51-7efc-489a-a9aa-8afebf530cd7  802-3-ethernet  enp0s3
  bond0s1  7165a8a9-97ff-40fe-a810-b214833bdbdd  802-3-ethernet  enp0s8
  virbr0   9cc3711a-d802-49e8-a116-a2cab474fb91  bridge          virbr0

----

beware: **nmcli-examples man page is definitely wrong about adding a bond connection**

**Example 6. Adding a bonding master and two slave connection profiles**

//This example demonstrates adding a bond master connection and two slaves. The first command adds a master bond connection, naming the bonding interface mybond0 and using active-backup mode. The next two commands add slaves connections, both enslaved to mybond0. The first slave will be bound to eth1 interface, the second to eth2.//

  $ nmcli con add type bond ifname mybond0 mode active-backup
  $ nmcli con add type ethernet ifname eth1 master mybond0
  $ nmcli con add type ethernet ifname eth2 master mybond0

**WRONG: type must be bond-slave**

----

What's going to happen if you add ethernet connections as bond slaves?

  # nmcli con add type bond ifname mybond0 mode active-backup
  Connection 'bond-mybond0' (895362e3-a0cc-4312-8030-4b942d991fae) successfully added.
  # nmcli con add type ethernet ifname eth1 master mybond0
  Connection 'bond-slave-eth1' (e485a48d-fb22-4a9f-b310-6209ed7d9a56) successfully added.
  # nmcli con add type ethernet ifname eth2 master mybond0
  Connection 'bond-slave-eth2' (59734527-1601-49f8-a0b2-ebeb05faba60) successfully added.
  # nmcli
  mybond0: connecting (getting IP configuration) to bond-mybond0
          "mybond0"
          bond, F6:35:AB:5B:CD:BC, sw, mtu 1500
  enp0s3: disconnected
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:B8:24:87, hw, mtu 1500
  enp0s8: disconnected
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:98:53:C9, hw, mtu 1500

----

==== team devices ====

=== add a team device and two slaves ===

  # nmcli connection add type team con-name team0 ifname team0
  Connection 'team0' (67d3fa18-6918-468f-b1f4-d7d1f9852fe0) successfully added.
  # nmcli connection
  NAME    UUID                                  TYPE    DEVICE
  team0   67d3fa18-6918-468f-b1f4-d7d1f9852fe0  team    team0
  virbr0  9cc3711a-d802-49e8-a116-a2cab474fb91  bridge  virbr0
  # nmcli
  team0: connecting (getting IP configuration) to team0
          "team0"
          team, A6:D3:E6:35:12:73, sw, mtu 1500
  enp0s3: disconnected
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:B8:24:87, hw, mtu 1500
  enp0s8: disconnected
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:98:53:C9, hw, mtu 1500
  # nmcli connection add type team-slave con-name team0s0 ifname enp0s8 master team0
  Connection 'team0s0' (8db383b2-50e1-4875-8f1f-ca9b260f4bb9) successfully added.
  # nmcli connection add type team-slave con-name team0s1 ifname enp0s3 master team0
  Connection 'team0s1' (d03f1aa5-e206-40dc-bdda-b1c9f0ee6f0b) successfully added.
  # nmcli
  enp0s3: connected to team0s1
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:98:53:C9, hw, mtu 1500
          master team0
  enp0s8: connected to team0s0
          "Intel 82540EM Gigabit Ethernet Controller (PRO/1000 MT Desktop Adapter)"
          ethernet (e1000), 08:00:27:98:53:C9, hw, mtu 1500
          master team0
  team0: connected to team0
          "team0"
          team, 08:00:27:98:53:C9, sw, mtu 1500
          ip4 default
          inet4 192.168.1.7/24
          inet6 fe80::762b:c440:b95d:2a65/64

use ping and tcpdump to verify runner policy

  # teamdctl team0 config dump
  # teamdctl team0 state

=== change runner ===

  # nmcli connection modify team0 team.config '{"runner": {"name":"activebackup"}}'
  # nmcli connection up team0
  Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/34)
  # teamdctl team0 config dump
  {
      "device": "team0",
      "mcast_rejoin": {
          "count": 1
      },
      "notify_peers": {
          "count": 1
      },
      "ports": {
          "enp0s3": {
              "link_watch": {
                  "name": "ethtool"
              }
          },
          "enp0s8": {
              "link_watch": {
                  "name": "ethtool"
              }
          }
      },
      "runner": {
          "name": "activebackup"
      }
  }

=== delete team device ===

  # nmcli connection delete team0
  Connection 'team0' (223414a0-8278-4222-9efd-3a953c9d6e17) successfully deleted.
  # nmcli connection
  NAME     UUID                                  TYPE            DEVICE
  virbr0   9cc3711a-d802-49e8-a116-a2cab474fb91  bridge          virbr0
  team0s0  8db383b2-50e1-4875-8f1f-ca9b260f4bb9  802-3-ethernet  --
  team0s1  d03f1aa5-e206-40dc-bdda-b1c9f0ee6f0b  802-3-ethernet  --
  # nmcli connection add type team con-name team0 ifname team0
  Connection 'team0' (75ca5761-b6ad-42c8-93c5-dc685b293ba4) successfully added.

If slave devices don't reconnect to master, then use

  # nmcli device connect ...

==== bridge devices ====

=== create a two port bridge ===

  # nmcli connection add type bridge con-name bridge0 ifname bridge0
  Connection 'bridge0' (9efa79db-ac89-4614-b5d5-b48c56c073af) successfully added.
  # nmcli connection add type bridge-slave con-name bridge0p0 ifname enp0s3 master bridge0
  Connection 'bridge0p0' (de9966ac-4b4b-4f53-b1b2-254318a9ae75) successfully added.
  # bridge fdb show br bridge0
  64:59:f8:a0:a8:a0 dev enp0s3 master bridge0
  08:00:27:b8:24:87 dev enp0s3 master bridge0 permanent
  70:8b:cd:26:51:25 dev enp0s3 master bridge0
  08:00:27:b8:24:87 dev enp0s3 vlan 1 master bridge0 permanent
  01:00:5e:00:00:01 dev enp0s3 self permanent
  33:33:00:00:00:01 dev enp0s3 self permanent
  08:00:27:98:53:c9 dev enp0s8 master bridge0 permanent
  08:00:27:98:53:c9 dev enp0s8 vlan 1 master bridge0 permanent
  01:00:5e:00:00:01 dev enp0s8 self permanent
  33:33:00:00:00:01 dev enp0s8 self permanent
  01:00:5e:00:00:01 dev bridge0 self permanent
  33:33:00:00:00:01 dev bridge0 self permanent
  33:33:ff:b4:f3:fb dev bridge0 self permanent
  01:00:5e:00:00:fb dev bridge0 self permanent
  # nmcli connection add type bridge-slave con-name bridge0p1 ifname enp0s8 master bridge0
  Connection 'bridge0p1' (bcfbffa7-c6fb-4049-83d4-eb4888f1d98e) successfully added.
  # bridge link show
  2: enp0s3 state UP : mtu 1500 master bridge0 state forwarding priority 32 cost 100
  3: enp0s8 state UP : mtu 1500 master bridge0 state blocking priority 32 cost 100

==== use nmcli to recreate bifrost's bridge ====

{{:cn:ccr:formazione:centos7:bifrost-bridge.png?400|}}

==== try to change interfaces name from enpXsY to ethZ ====

==== change hostname ====

==== configure network/a team device/a bridge device using nmtui ====

==== configure a network connection editing ifcfg- file ====

==== configure network/a team device/a bridge device using nm-connection-editor ====

==== add an ip address using ip ====
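
----

Back to the unique local address exercise: the fd00::1 and fd00::2 addresses used there leave the 40-bit Global ID at zero, while the quoted text asks for a randomly generated one, which is what keeps two privately numbered networks from overlapping when they are later connected. The script below is an added example, not part of the original page; it generates a random /48 prefix and classifies an address by its first 48 bits (''ula_prefix'' and ''ula_class'' are hypothetical helper names).

```shell
#!/bin/sh
# Added example: ULA prefix generation (fd + 40 random bits) and a Global ID check.
# ula_prefix and ula_class are hypothetical helper names.

# Print a /48 ULA prefix: the byte fd followed by 40 bits from /dev/urandom.
ula_prefix() {
    gid=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n')   # 10 hex digits
    printf 'fd%s:%s:%s::/48\n' \
        "$(printf '%s' "$gid" | cut -c1-2)" \
        "$(printf '%s' "$gid" | cut -c3-6)" \
        "$(printf '%s' "$gid" | cut -c7-10)"
}

# Classify an address (prefix length optional) by its first 48 bits:
#   ula            fd00::/8 with a non-zero Global ID
#   ula-zero-gid   fd00::/8 with Global ID 0, e.g. fd00::1
#   ula-undefined  fc00::/8, not defined yet
#   not-ula        anything outside fc00::/7
ula_class() {
    printf '%s\n' "${1%%/*}" | awk '
    function pad(h) { while (length(h) < 4) h = "0" h; return h }
    {
        n  = split(tolower($0), half, "::")      # text left and right of "::"
        nl = split(half[1], l, ":")
        nr = (n > 1) ? split(half[2], r, ":") : 0
        for (i = 1; i <= 8; i++)  g[i] = "0"     # "::" stands for zero groups
        for (i = 1; i <= nl; i++) g[i] = l[i]
        for (i = 1; i <= nr; i++) g[8 - nr + i] = r[i]
        first = pad(g[1])
        gid   = substr(first, 3) pad(g[2]) pad(g[3])   # bits 8..47
        if (substr(first, 1, 2) == "fc")      print "ula-undefined"
        else if (substr(first, 1, 2) != "fd") print "not-ula"
        else if (gid == "0000000000")         print "ula-zero-gid"
        else                                  print "ula"
    }'
}

p=$(ula_prefix)
echo "generated prefix: $p ($(ula_class "$p"))"
echo "host A address from the exercise, fd00::2/64: $(ula_class fd00::2/64)"
```

Host addresses are then taken from one /64 of the generated prefix and passed to the same ''nmcli connection modify enp0s3 +ipv6.addresses'' command used in the exercise.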
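
----

Back to the polkit permissions exercise: comparing the tables by eye is error-prone, so this added example (not part of the original page) diffs two ''nmcli general permissions'' captures and lists the actions granted without authentication. The sample rows are copied from the first and last outputs of that section, assumed here to be the normal user's console and remote sessions; ''perm_diff'' and ''unauthenticated'' are hypothetical helper names.

```shell
#!/bin/sh
# Added example: compare two "nmcli general permissions" captures.
# perm_diff and unauthenticated are hypothetical helper names.

# Sample rows copied from the first output (assumed: console session).
console_perms() { cat <<'EOF'
PERMISSION                                               VALUE
org.freedesktop.NetworkManager.enable-disable-network    yes
org.freedesktop.NetworkManager.sleep-wake                no
org.freedesktop.NetworkManager.network-control           yes
org.freedesktop.NetworkManager.settings.modify.system    yes
org.freedesktop.NetworkManager.settings.modify.hostname  auth
EOF
}

# Same actions as reported in the last output (assumed: remote session).
remote_perms() { cat <<'EOF'
PERMISSION                                               VALUE
org.freedesktop.NetworkManager.enable-disable-network    no
org.freedesktop.NetworkManager.sleep-wake                no
org.freedesktop.NetworkManager.network-control           auth
org.freedesktop.NetworkManager.settings.modify.system    auth
org.freedesktop.NetworkManager.settings.modify.hostname  auth
EOF
}

# perm_diff BASELINE CURRENT -> "action baseline-value current-value" per change
perm_diff() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { second = 1; next }
        $1 !~ /^org\.freedesktop\.NetworkManager\./ { next }   # skip header
        !second { base[$1] = $2; next }
        {
            seen[$1] = 1
            if (!($1 in base))       print $1, "(absent)", $2
            else if (base[$1] != $2) print $1, base[$1], $2
        }
        END { for (p in base) if (!(p in seen)) print p, base[p], "(absent)" }
    ' | sort
}

# unauthenticated TABLE -> actions granted with no polkit prompt ("yes")
unauthenticated() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^org\.freedesktop\.NetworkManager\./ && $2 == "yes" { print $1 }'
}

perm_diff "$(console_perms)" "$(remote_perms)"
```

On a live host, pass the saved baseline as the first argument and ''"$(nmcli general permissions)"'' as the second.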