I think this is a good idea. I've had to modify the provisioning code locally for Linux images because our eth0/eth1 assignments are reversed from the assumption, i.e. for us eth0 is public and eth1 is private.
Making the changes you outlined would be a good thing.

Mike Waldron
Systems Specialist
ITS - Research Computing Center
University of North Carolina at Chapel Hill

________________________________________
From: Andy Kurth [[email protected]]
Sent: Thursday, October 11, 2012 10:51 AM
To: [email protected]
Subject: Change Linux network configuration flow

I'd like to change how networking gets configured for Linux images. Currently eth0 and eth1 are hard-coded and saved in every Linux image. The private interface must be eth0, public eth1. This isn't ideal for various reasons:

- Depending on how the hardware is cabled/configured, some interface other than the private one may be using eth0.
- If an image is configured with bridged adapters, the IP address may show up as belonging to something like br0 instead of eth0. This is particularly a problem for images which have KVM installed.
- The code currently writes the hard-coded eth0/eth1 configuration commands to rc.local during image capture. Changes cannot be made without capturing a new image.
- rc.local is erased/rewritten during image capture. It would be most logical and familiar for image creators to simply be able to put custom commands in rc.local. Instead, they have to use custom vcl_post_load scripts.

I propose changing this to work the same way the Windows code works:

- The only assumption the backend vcld code makes is that when an image is loaded, the private interface will receive its IP address via DHCP (usually given out by the management node) and at some point that machine will respond to SSH on port 22 on its private IP address. It doesn't matter what the interfaces are named. Nothing is saved in the image which restricts it to a particular hardware/network configuration.
- Once the machine responds, the vcld code performs all of the steps to secure the machine and allow the connection methods to work including configuring SSH access on the public network. The code retrieves the networking configuration from the machine and figures out which interface is private and public.

Some of the changes to the code which would have to be made:

- During image capture, configure sshd to listen on all interfaces. Remove the changes that were made to configure "external" sshd. This is pretty much how things would be configured out-of-the-box with a few security settings applied such as disabling password authentication.
- For existing images, remove the commands from rc.local which were added by vcld when the image was captured.
- Modify the code so that the private and public networks are sorted out during the OS post_load stage. Most of this code is already in OS.pm and can be used for both Linux and Windows with some minor changes.

This will allow for greater flexibility, will make it easier to add support for a single network interface, and will probably make it easier to add new network/VLAN/fixed IP address features.

Thoughts, suggestions, concerns?

Thanks,
Andy
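The interface detection Andy proposes for the post_load stage, as an added Python example that is not VCL's own code (vcld is Perl). It assumes the output of `ip -o -4 addr show` has already been retrieved from the machine over SSH, that the management node's private DHCP subnet and the reservation's expected public address are known to the caller, and that the sample output and addresses below are constructed rather than captured from a real node.

```python
import ipaddress
import re

# Matches one line of `ip -o -4 addr show`: "<idx>: <iface>    inet <addr>/<prefix> ..."
_ADDR_LINE = re.compile(r"^\d+:\s+(?P<iface>\S+)\s+inet\s+(?P<cidr>\S+)")

# Constructed sample output (not captured from a real VCL node): the public
# address is on eth0 and the private DHCP address sits on the KVM bridge br0.
SAMPLE_IP_ADDR = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.25/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
5: br0    inet 10.25.0.17/16 brd 10.25.255.255 scope global dynamic br0\       valid_lft 86000sec preferred_lft 86000sec
6: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0\       valid_lft forever preferred_lft forever
"""


def parse_ip_addr(output):
    """Return (interface, IPv4Interface) pairs from `ip -o -4 addr show` output."""
    found = []
    for line in output.splitlines():
        m = _ADDR_LINE.match(line)
        if m:
            found.append((m.group("iface"), ipaddress.ip_interface(m.group("cidr"))))
    return found


def classify_interfaces(output, private_network, public_ip):
    """Decide which interface is private and which is public from the live config.

    private_network: subnet the management node's DHCP hands out (assumed known).
    public_ip: public address the reservation expects on this machine (assumed known).
    No eth0/eth1 naming is assumed, so reversed cabling or a br0 bridge both work.
    """
    net = ipaddress.ip_network(private_network)
    pub = ipaddress.ip_address(public_ip)
    private, public = [], []
    for iface, addr in parse_ip_addr(output):
        if addr.ip.is_loopback:
            continue  # lo is never a candidate
        if addr.ip in net:
            private.append((iface, str(addr.ip)))
        elif addr.ip == pub:
            public.append((iface, str(addr.ip)))
    # Refuse to guess: zero or several matches means the node is not in the expected state.
    if len(private) != 1:
        raise ValueError("expected exactly one interface in %s, found %r" % (net, private))
    if len(public) != 1:
        raise ValueError("public address %s not found exactly once: %r" % (pub, public))
    return {"private": private[0], "public": public[0]}


if __name__ == "__main__":
    print(classify_interfaces(SAMPLE_IP_ADDR, "10.25.0.0/16", "203.0.113.25"))
```

The libvirt bridge virbr0 is ignored because its address is neither inside the private subnet nor the expected public address, which is the case Andy raises for images with KVM installed.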
