On Fri, Oct 09, 2009 at 02:19:35PM -0400, Anurag S. Maskey wrote:
> Renee Danson Sommerfeld wrote:
>> On Fri, Oct 09, 2009 at 11:44:02AM -0400, Anurag S. Maskey wrote:
>>
>>> changing permissions and group of flowadm.conf and flowprop.conf
>>>
>>> http://zhadum.east/export/ws/am223141/temp/nwam1-work/webrev/
>>>
>>> Setting the permissions to 664 on datalink.conf, flowadm.conf and
>>> flowprop.conf seems wrong. I haven't heard anything regarding why
>>> these files have to be writeable by netadm group. I'm reverting
>>> code for datalink.conf that set the mode to 664.
>>>
>> There's no specific need now; my thinking was that it's conceivable
>> that there could be a need in the future (when nwam can do more
>> elaborate link-related configuration), so we might as well do all
>> the updates at once. But I'm not adamant about that, if others
>> think we should hold off, that's fine.
>>
> Wouldn't these changes to the link go through the dlmgmtd daemon,
> instead of nwam writing to the file directly?

Possibly; I suppose a flaw in my logic is that we don't know exactly
what we "might" want to do, so it's hard to say what we'll need.

When we create keys, we use libdladm functions, and (I believe) we
(and by we I mean the user which nwamd is running as) need to have
both the correct authorizations and write access to the file.

If/when we make link config changes in the future, presumably we'll
be using libdladm interfaces as well; but I don't know if those
changes are performed via dlmgmtd or not. If they are, then I think
we only need appropriate authorizations. If not, we'll need to have
file write access.

Given that we aren't sure yet what we'll need to do, I guess we should
avoid making unneeded file mode changes. So we should only change
mode of secobj.conf.

>>> Finally, the IPS actions don't change the group of the dladm user to
>>> netadm on image-update (bug 9755). I added code in net-nwam that
>>> changes the group to netadm if not already.
>>>
>> Given that net-nwam might run before the file system is writable, I'm
>> not sure that solution/workaround works. Though I suppose on the first
>> reboot after update, the phase 1 net-nwam doesn't run until after
>> manifest-import, which might be enough of a delay; on the other hand,
>> they're working on making manifest-import happen really early, aren't
>> they? Not sure how close that is.
>>
>> In any case, this might be acceptable as a workaround for now, but I
>> don't think we should include this in the final push. Other opinions?
>>
> Only the new manifest is not used before the import. The phase 1 nwamd
> and net-nwam run. I think you are right, the usermod would fail
> because the filesystem is read-only. I've yanked out this change and
> updated the webrev.
>
> We still need to figure out how to do this usermod until bug 9755 is
> fixed (and from the looks of it, it doesn't have high severity even
> though it is a P2).

Yep. I have an old AI to check with David and/or Danek about this; we
need to make it clear that this is going to be a more visible problem
once nwam phase 1 integrates. I will work on that.

-renee
