Re: [systemd-devel] ip forwarding
On 06.11.2015 at 08:11, Johannes Ernst wrote:
> This makes my point. The default = 0 is counter intuitive and costs much
> time for the lucky ones among us who can figure it out. The rest will just
> give up...

defaults should have security in mind, most setups don't need it enabled
and the ones which will just give up don't understand what they are doing
anyways and so better don't mess with it

(no i am not a systemd developer but developer and sysadmin for many years)

> On Nov 5, 2015, at 22:32, Peter Paule wrote:
>
>> Hi Johannes,
>>
>> I had the same problem, I even wrote an article about that
>> (https://www.fedux.org/articles/2015/09/09/having-no-fun-with-rubygems-systemd-docker-and-networking.html).
>>
>> I think, you use `systemd-networkd`. Correct? The behaviour is documented
>> in "systemd.network-manual".
>>
>> Note: unless this option is turned on, or set to “kernel”, no IP forwarding
>> is done on this interface, even if this is globally turned on in the
>> kernel, with the net.ipv4.ip_forward, net.ipv4.conf.all.forwarding, and
>> net.ipv6.conf.all.forwarding sysctl options.
>>
>> It took me by surprise, too. But a new tool needs some learning.
>> Unfortunately. Though I would suggest to add some example to the manual
>> `systemd.network` or at least add a comment like that

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] ip forwarding
On 06.11.2015 at 10:20, Mantas Mikulėnas wrote:
> On Fri, Nov 6, 2015 at 11:09 AM, Reindl Harald wrote:
>> On 06.11.2015 at 08:11, Johannes Ernst wrote:
>>> This makes my point. The default = 0 is counter intuitive and costs much
>>> time for the lucky ones among us who can figure it out. The rest will
>>> just give up...
>>
>> defaults should have security in mind, most setups don't need it enabled
>> and the ones which will just give up don't understand what they are doing
>> anyways and so better don't mess with it
>
> The _kernel_ default is also 0 anyway, for both global and per-interface
> settings. The problem is that now you cannot _enable_ it via the usual
> routes (sysctl) anymore, because networkd mindlessly overrides that.
>
> As a long-time sysadmin, surely you wouldn't like your explicit
> configuration having been broken that way?

ok, *that* must not happen, the place for such settings is sysctl.conf or
/etc/sysctl.d/
Re: [systemd-devel] ip forwarding
On Fri, Nov 6, 2015 at 11:09 AM, Reindl Harald wrote:
>
> On 06.11.2015 at 08:11, Johannes Ernst wrote:
>
>> This makes my point. The default = 0 is counter intuitive and costs much
>> time for the lucky ones among us who can figure it out. The rest will just
>> give up...
>>
>
> defaults should have security in mind, most setups don't need it enabled
> and the ones which will just give up don't understand what they are doing
> anyways and so better don't mess with it
>

The _kernel_ default is also 0 anyway, for both global and per-interface
settings. The problem is that now you cannot _enable_ it via the usual
routes (sysctl) anymore, because networkd mindlessly overrides that.

As a long-time sysadmin, surely you wouldn't like your explicit
configuration having been broken that way?

-- 
Mantas Mikulėnas
[systemd-devel] systemd.network defaults (was: Re: ip forwarding)
On Thursday, 05.11.2015, 16:08 -0800, Johannes Ernst wrote:
> The problem: I thought I created that file to say “get an IP address
> via DHCP” because that’s all it talks about. But due to the IPForward
> default, I also specified “and turn off ip forwarding”, which is
> non-obvious (e.g. I just found out, and I originally ran into this in
> June). So I suggest the default should be “don’t touch this setting”
> instead of 0. The same holds for other values I think.

I once hit the same problem with the IPv6PrivacyExtensions setting. I
enabled it via sysctl and wondered why it was disabled for one device,
which I had configured using systemd-networkd.

Although this is clearly documented in the man page I think it would be
less surprising behavior to generally default to kernel for such
configuration items. Is there a specific reason against that?

Cheers,
Michael
Re: [systemd-devel] ip forwarding
> On Nov 6, 2015, at 1:09, Reindl Harald wrote:
>
> defaults should have security in mind, …

IMHO the current behavior is actually less secure:

If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all
interfaces, as documented in countless tutorials, so it’s very unlikely I
didn’t mean to do that.

But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works
sometimes and on some interfaces, I do have a security problem because it
may come on when I least expect it. For example, when I execute
systemctl restart systemd-sysctl.

(Because networkd doesn’t actually “manage” the interface, it only sets
certain attributes at certain times, which can still be changed outside of
networkd any time. If net.ipv4.ip_forward were turned into a read-only
setting, for example, that would be different.)

Cheers,

Johannes.
Re: [systemd-devel] ip forwarding
On 06.11.2015 at 16:43, Johannes Ernst wrote:
>> On Nov 6, 2015, at 1:09, Reindl Harald wrote:
>>
>> defaults should have security in mind, …
>
> IMHO the current behavior is actually less secure:

no, it may be unpredictable by the descriptions below but for sure not
less secure

> If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all
> interfaces, as documented in countless tutorials, so it’s very unlikely I
> didn’t mean to do that.

depends on the number of networks

NIC1: wan
NIC2: lan with forwarding / nat
NIC3: SIP phones

NIC3 shouldn't forward because SIP phones connected to an asterisk
typically don't need to touch the internet directly in no direction

> But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works
> sometimes and on some interfaces, I do have a security problem because it
> may come on when I least expect it. For example, when I execute
> systemctl restart systemd-sysctl.
>
> (Because networkd doesn’t actually “manage” the interface, it only sets
> certain attributes at certain times, which can still be changed outside of
> networkd any time. If net.ipv4.ip_forward were turned into a read-only
> setting, for example, that would be different.)

well, because the sysctl stuff was unpredictable years ago i solved that
by simply calling "sysctl -p" after the network is up and never touch
"systemd-sysctl"

[root@srv-rhsoft:~]$ cat /etc/systemd/system/sysctl-post-network.service
[Unit]
Description=apply settings after network
After=network.service systemd-networkd.service network-online.target openvpn.service hostapd.service network-wlan-bridge.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/sysctl -p
ExecStartPost=/usr/sbin/ifconfig wan -multicast -allmulti txqueuelen 100
StandardOutput=null

[Install]
WantedBy=multi-user.target
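A check for the situation Johannes and Reindl describe above, added here as an example and not taken from any post in the thread: it compares each interface's net.ipv4.conf.<if>.forwarding against the global net.ipv4.ip_forward in `sysctl -a`-style output, so an interface that a .network file has silently pinned to a different value shows up instead of surprising you later. The sample input and the interface names wan, lan and phones are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: report interfaces whose IPv4
# forwarding state differs from the global net.ipv4.ip_forward setting.
# Input is `sysctl -a`-style "key = value" lines on stdin.

# Constructed sample (not real machine output); interface names are made up.
# Global forwarding is on, but "lan" and "phones" were pinned to 0 the way a
# .network file without IPForward= does it.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.wan.forwarding = 1
net.ipv4.conf.lan.forwarding = 0
net.ipv4.conf.phones.forwarding = 0'

# audit_forwarding: reads sysctl lines on stdin and prints "iface effective
# global" for every real interface (all/default skipped) that deviates from
# the global knob, sorted by name. Exits 2 if the global key is missing.
audit_forwarding() {
    awk -F'[ =]+' '
        $1 == "net.ipv4.ip_forward" { global = $2; next }
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.forwarding$/ {
            split($1, p, "."); iface = p[4]
            if (iface != "all" && iface != "default") state[iface] = $2
        }
        END {
            if (global == "") {
                print "net.ipv4.ip_forward not found in input" > "/dev/stderr"
                exit 2
            }
            n = 0
            for (i in state) names[++n] = i
            # selection sort: "for (i in state)" order is unspecified in awk
            for (a = 1; a <= n; a++)
                for (b = a + 1; b <= n; b++)
                    if (names[b] < names[a]) { t = names[a]; names[a] = names[b]; names[b] = t }
            for (a = 1; a <= n; a++)
                if (state[names[a]] != global)
                    printf "%s %s %s\n", names[a], state[names[a]], global
        }'
}

# Live use on a real host: sysctl -a 2>/dev/null | audit_forwarding
printf '%s\n' "$SAMPLE" | audit_forwarding
```

Run it from the same unit Reindl uses after the network is up, or from a cron job, and an empty result means every interface agrees with /etc/sysctl.d.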
[systemd-devel] systemctl switch-root /sysroot without deleting old_root
Hi,

is there an easy way in initrd mode to keep old root when switching to new
root? Switching root is done in initrd-switch-root.target with

/bin/systemctl --no-block --force switch-root /sysroot

The reason why is I want to use the ramdisk + a persistent overlay.

The quick and dirty solution for me would be to patch
src/shared/switch-root.c not to delete the old_root but I'd rather keep
systemd unpatched.

Thanks.

Regards,
Herbert
Re: [systemd-devel] systemd.network defaults (was: Re: ip forwarding)
On Fri, Nov 06, 2015 at 11:40:13AM +0100, Michael Laß wrote:
>
> Although this is clearly documented in the man page I think it would be
> less surprising behavior to generally default to kernel for such
> configuration items. Is there a specific reason against that?

I believe this is (was) being discussed here:
https://github.com/systemd/systemd/issues/1411

-- 
Tomasz Torcz                72->|                80->|
xmpp: zdzich...@chrome.pl   72->|                80->|
[systemd-devel] FreeBSD leader Jordan Hubbard comments on launchd port and systemd
http://www.bsdnow.tv/episodes/2015_10_28-Whats_next_for_BSD

About 40 minutes into the interview. Code is available via NextBSD at
github.

-- Alison

---
Alison Chaiken ali...@she-devel.com, 650-279-5600
http://{ she-devel.com, exerciseforthereader.org [1] }
"There is expressive potential in not being together." -- Mark Volkert,
Assistant Concertmaster, San Francisco Symphony

Links:
--
[1] http://{she-devel.com,exerciseforthereader.org
[systemd-devel] Property 'MemoryLimit' is RO when using the D-Bus API
Hi,

I'm trying to change the MemoryLimit property of one of the service units
running on my system by using 'busctl set-property ...' but getting the
following error:

Property 'MemoryLimit' is not writable.

However using 'systemctl set-property' works as expected.

I thought that 'systemctl set-property' was basically doing the same D-Bus
thing like my former test did but apparently not.

Could anybody enlighten me why I can't use busctl to set the MemoryLimit
property and why 'systemctl set-property' gives a different result?

Thanks
-- Francis
Re: [systemd-devel] ip forwarding
Johannes Ernst [2015-11-05 23:11 -0800]:
> This makes my point. The default = 0 is counter intuitive and costs much
> time for the lucky ones among us who can figure it out. The rest will just
> give up...

It's less counter-intuitive, but the problem is that it breaks a lot of
existing tools that expect that the global kernel settings actually work.

Note that this was discussed recently already here, but rejected:

https://github.com/systemd/systemd/issues/1411

Thus at least CoreOS and Ubuntu now change the default to "kernel", which
pretty much DTRT. (I'm still pondering doing that in Debian too). If you
don't explicitly configure it in your .network then the global setting is
applied, and as that defaults to 0 the "secure by default" aspect is also
satisfied.

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer (www.debian.org)
[systemd-devel] DHCPC Events?
I have Arch Linux set up as my router. It's on a connection that can change
the IP that I'm given, when that happens I need to rerun firewall rules and
rebuild my ipv6 tunnel. How do I run some script or something when the
address changes (or when it's initially given in the case of boot?)

Also there seems to be no way to specify default ipv6 route for next hop...
ie 'ip -6 route replace ::/0 dev he-ipv6'

It's been a couple months I've been limping along so I forget; I vaguely
remember that this should have been set up in the configuration scripts;
but it didn't work unless I did it this way. The initial method I think was
'add' instead of 'replace' which no longer works (I think something changed
in the kernel that affected that; but I don't know).