Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Ensure use of NetworkManager Key-files instead of ifcfg files #22

Open
ferricoxide opened this issue Jun 5, 2024 · 6 comments
Open

[Feature Request] Ensure use of NetworkManager Key-files instead of ifcfg files #22

ferricoxide opened this issue Jun 5, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@ferricoxide
Copy link
Member

Is your feature request related to a problem? Please describe.

While writing security-automation for the watchmaker project (see: ash-linux-formula PR #506), a security-finding came up for the network configuration files. This led me to find a vendor-article on the deprecation of ifcfg files in RHEL 9 and later (see the "NetworkManager connection profiles in ifcfg format are deprecated" section of the linked-document for specific verbiage). The AMIgen automation needs to be updated to account for this change

Describe the solution you'd like

AMIgen bakes in the cloud-init service. Instances launched from AMIgen-created images already leverage cloud-init for boot-time automation-tasks. The ifcfg to NM-keyfile operation could be included by way of a per once stage script.

Describe alternatives you've considered

Additional context
@ferricoxide ferricoxide added the enhancement New feature or request label Jun 5, 2024
@ferricoxide ferricoxide mentioned this issue Jun 5, 2024
Open
@ferricoxide
Copy link
Member Author

While the legacy files are being created in PostBuild.sh, it's not 100% clear that a similar mechanism can be used for creating the NM-keyfiles from the get-go.

That said, the EL9 EC2s are launching with ensN interfaces instead of ethN interfaces and associated …/network-scripts/* files are getting created at launch, so, it may be mostly – or even wholly – unnecessary to even have the prepositioned …/network-scripts/* or NM-keyfiles in the AMIs.

@ferricoxide
Copy link
Member Author

Looking at a newly launched system, the files that AMIgen9 creates in /etc/sysconfig/network-scripts/ are, effectively ignored:

/etc/sysconfig/network-scripts/readme-ifcfg-rh.txt
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-ens5

AMIgen9, carrying over logic from previous AMIgenN projects, currently creates /etc/sysconfig/network-scripts/ifcfg-eth0. That file gets ignored and an /etc/sysconfig/network-scripts/ifcfg-ens5 gets created at boot-time.

Further, if one wholly nukes those files, the system still boots up with functional networking, even though there's no files in either the legacy/deprecated /etc/sysconfig/network-scripts/ or the currently-supported /etc/NetworkManager/system-connections/ directory-locations.

# find /etc/sysconfig/network-scripts/ /etc/NetworkManager/system-connections/
/etc/sysconfig/network-scripts/
/etc/sysconfig/network-scripts/readme-ifcfg-rh.txt
/etc/NetworkManager/system-connections/

@ferricoxide
Copy link
Member Author

Interestingly, the RHEL 9 AMI published by Red Hat is still using legacy behavior:

# find /etc/sysconfig/network-scripts/ /etc/NetworkManager/system-connections/
/etc/sysconfig/network-scripts/
/etc/sysconfig/network-scripts/readme-ifcfg-rh.txt
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/NetworkManager/system-connections/
[root@ip-zabvtctuwer ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 02:4a:74:ec:da:91 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 140.48.100.244/26 brd 140.48.100.255 scope global dynamic noprefixroute eth0
       valid_lft 3419sec preferred_lft 3419sec
    inet6 fe80::4a:74ff:feec:da91/64 scope link
       valid_lft forever preferred_lft forever

Need to dig in and see if can replicate.

@ferricoxide
Copy link
Member Author

Nuking out the legacy ifcfg-scripts content and generating a new images doesn't resolve the issue in instances made from the new image. Going to do a comparison between the new image and the vendor image (since the vendor image is creating instances that still create ethN devices)

@ferricoxide
Copy link
Member Author

Right now, it looks like the /etc/default/grub file's contents are getting ignored when grub2-mkconfig is run. Looks like, with 9.3+, need to modify the grub2-mkconfig line in PostBuild.sh:

/sbin/grub2-mkconfig > /boot/grub2/grub.cfg

to

grub2-mkconfig -o /boot/grub2/grub.cfg --update-bls-cmdline

@ferricoxide ferricoxide mentioned this issue Aug 5, 2024
Closed
@ferricoxide
Copy link
Member Author

Implemented in PR #28

Right now, it looks like the /etc/default/grub file's contents are getting ignored when grub2-mkconfig is run. Looks like, with 9.3+, need to modify the grub2-mkconfig line in PostBuild.sh:

/sbin/grub2-mkconfig > /boot/grub2/grub.cfg

to

grub2-mkconfig -o /boot/grub2/grub.cfg --update-bls-cmdline

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ferricoxide