109.2 Lesson 2

Certificate:

LPIC-1

Version:

5.0

Topic:

109 Networking Fundamentals

Objective:

109.2 Persistent network configuration

Lesson:

2 of 2

Introduction

Linux supports virtually every network technology used to connect servers, containers, virtual machines, desktops and mobile devices. The connections between all these network nodes can be dynamic and heterogeneous, thus requiring appropriate management by the operating system running in them.

In the past, distributions developed their own customized solutions for managing dynamic network infrastructure. Today, tools like NetworkManager and systemd provide more comprehensive and integrated features to meet all the specific demands.

NetworkManager

Most Linux distributions adopt the NetworkManager service daemon to configure and control the system’s network connections. NetworkManager’s purpose is to make the network configuration as simple and automatic as possible. When using DHCP, for example, NetworkManager arranges route changes, IP address fetching and updates to the local list of DNS servers, if necessary. When both wired and wireless connections are available, NetworkManager prioritizes the wired connection by default. NetworkManager will try to keep at least one connection active all the time, whenever it is possible.

Note

A request using DHCP (Dynamic Host Configuration Protocol) is usually sent through the network adapter as soon as the link to the network is established. The DHCP server that is active on the network then responds with the settings (IP address, network mask, default route, etc.) which the requester must use to communicate via IP protocol.

By default, the NetworkManager daemon controls the network interfaces not mentioned in the /etc/network/interfaces file. It does so to not interfere with other configuration methods that may be present as well, thus modifying the unattended interfaces only.

The NetworkManager service runs in the background with root privileges and triggers the necessary actions to keep the system online. Ordinary users can create and modify network connections with client applications that, albeit not having root privileges themselves, are capable of communicating with the underlying service in order to perform the requested actions.

Client applications for NetworkManager are available for both the command line and the graphical environment. For the latter, the client application comes as an accessory of the desktop environment (under names like, nm-tray, network-manager-gnome, nm-applet or plasma-nm) and it is usually accessible through an indicator icon at the corner of the desktop bar or from the system configuration utility.

In the command line, NetworkManager itself provides two client programs: nmcli and nmtui. Both programs have the same basic features, but nmtui has a curses-based interface while nmcli is a more comprehensive command that can also be used in scripts. Command nmcli separates all network related properties controlled by NetworkManager in categories called objects:

general: NetworkManager’s general status and operations.
networking: Overall networking control.
radio: NetworkManager radio switches.
connection: NetworkManager’s connections.
device: Devices managed by NetworkManager.
agent: NetworkManager secret agent or polkit agent.
monitor: Monitor NetworkManager changes.

The object name is the main argument to command nmcli. To show the overall connectivity status of the system, for example, the object general should be given as the argument:

$ nmcli general
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN
connected  full          enabled  enabled  enabled  enabled

Column STATE tells whether the system is connected to a network or not. If the connection is limited due to external misconfiguration or access restrictions, then the CONNECTIVITY column will not report the full connectivity status. If Portal appears in the CONNECTIVITY column, it means that extra authentication steps (usually through the web browser) are required to complete the connection process. The remaining columns report the status of the wireless connections (if any), either WIFI or WWAN (Wide Wireless Area Network, i.e. cellular networks). The HW suffix indicates that the status corresponds to the network device rather than the system network connection, that is, it tells if the hardware is enabled or disabled to save power.

In addition to the object argument, nmcli also needs a command argument to execute. The status command is used by default if no command argument is present, so the command nmcli general is actually interpreted as nmcli general status.

It is hardly necessary to take any action when the network adapter is connected directly to the access point through cables, but wireless networks require further interaction to accept new members. nmcli facilitates the connection process and saves the settings to connect automatically in the future, hence it is very helpful for laptops or any other mobile appliances.

Before connecting to wi-fi, it is convenient to first list the available networks in the local area. If the system has a working wi-fi adapter, then the device object will use it to scan the available networks with command nmcli device wifi list:

$ nmcli device wifi list
IN-USE  BSSID              SSID        MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
        90:F6:52:C5:FA:12  Hypnotoad   Infra  11    130 Mbit/s  67      ▂▄▆_  WPA2
        10:72:23:C7:27:AC  Jumbao      Infra  1     130 Mbit/s  55      ▂▄__  WPA2
        00:1F:33:33:E9:BE  NETGEAR     Infra  1     54 Mbit/s   35      ▂▄__  WPA1 WPA2
        A4:33:D7:85:6D:B0  AP53        Infra  11    130 Mbit/s  32      ▂▄__  WPA1 WPA2
        98:1E:19:1D:CC:3A  Bruma       Infra  1     195 Mbit/s  22      ▂___  WPA1 WPA2

Most users will probably use the name in the SSID column to identify the network of interest. For example, command nmcli can connect to the network named Hypnotoad using the device object again:

$ nmcli device wifi connect Hypnotoad

If the command is executed inside a terminal emulator in the graphical environment, then a dialog box will appear asking for the network’s passphrase. When executed in a text only console, the password may be provided together with the other arguments:

$ nmcli device wifi connect Hypnotoad password MyPassword

If the wi-fi network hides its SSID name, nmcli can still connect to it with the extra hidden yes arguments:

$ nmcli device wifi connect Hypnotoad password MyPassword hidden yes

If the system has more than one wi-fi adapter, the one to be used may be indicated with ifname. For example, to connect using the adapter named wlo1:

$ nmcli device wifi connect Hypnotoad password MyPassword ifname wlo1

After the connection succeeds, NetworkManager will name it after the corresponding SSID (if it is a wi-fi connection) and will keep it for future connections. The connections names and their UUIDs are listed by command nmcli connection show:

$ nmcli connection show
NAME               UUID                                  TYPE      DEVICE
Ethernet           53440255-567e-300d-9922-b28f0786f56e  ethernet  enp3s5
tun0               cae685e1-b0c4-405a-8ece-6d424e1fb5f8  tun       tun0
Hypnotoad          6fdec048-bcc5-490a-832b-da83d8cb7915  wifi      wlo1
4G                 a2cf4460-0cb7-42e3-8df3-ccb927f2fd88  gsm       --

The type of each connection is shown — which can be ethernet, wifi, tun, gsm, bridge, etc. — as well as the device to which they are associated with. To perform actions on a specific connection, its name or UUID must be supplied. To deactivate the Hypnotoad connection, for example:

$ nmcli connection down Hypnotoad
Connection 'Hypnotoad' successfully deactivated

Likewise, the command nmcli connection up Hypnotoad can be used to bring the connection up, as it is now saved by NetworkManager. The interface name can also be used to reconnect, but in this case the device object should be used instead:

$ nmcli device disconnect wlo2
Device 'wlo1' successfully disconnected.

The interface name can also be used to reestablish the connection:

$ nmcli device connect wlo2
Device 'wlo1' successfully activated with '833692de-377e-4f91-a3dc-d9a2b1fcf6cb'.

Note that the connection UUID changes every time the connection is brought up, so it is preferable to use its name for consistency.

If the wireless adapter is available but it is not being used, then it can be turned off to save power. This time, the object radio should be passed to nmcli:

$ nmcli radio wifi off

Of course, the wireless device can be turned on again with command nmcli radio wifi on.

Once the connections are established no manual interaction will be required in the future, as NetworkManager identifies available known networks and automatically connects to them. If necessary, NetworkManager has plugins that can extend its functionalities, like the plugin to support VPN connections.

systemd-networkd

Systems running systemd can optionally use its built-in daemons to manage network connectivity: systemd-networkd to control network interfaces and systemd-resolved to manage the local name resolution. These services are backwards compatible with legacy Linux configuration methods, but the configuration of network interfaces in particular has features that are worth knowing.

The configuration files used by systemd-networkd to setup network interfaces can be found in any of the following three directories:

/lib/systemd/network: The system network directory.
/run/systemd/network: The volatile runtime network directory.
/etc/systemd/network: The local administration network directory.

The files are processed in lexicographic order, so it is recommended to start their names with numbers to make the ordering easier to read and set.

Files in /etc have the highest priority, whilst files in /run take precedence over files with the same name in /lib. This means that if configuration files in different directories have the same name, then systemd-networkd will ignore the files with lesser priority. Separating files like that is a way to change the interface settings without having to modify the original files: modifications can be placed in /etc/systemd/network to override those in /lib/systemd/network.

The purpose of each configuration file depends on its suffix. File names ending in .netdev are used by systemd-networkd to create virtual network devices, such as bridge or tun devices. Files ending in .link set low-level configurations for the corresponding network interface. systemd-networkd detects and configures network devices automatically as they appear — as well as ignore devices already configured by other means — so there is little need to add these files in most situations.

The most important suffix is .network. Files using this suffix can be used to setup network addresses and routes. As with the other configuration file types, the name of the file defines the order in which the file will be processed. The network interface to which the configuration file refers to is defined in the [Match]` section inside the file.

For example, the ethernet network interface enp3s5 can be selected within the file /etc/systemd/network/30-lan.network by using the Name=enp3s5 entry in the [Match] section:

[Match]
Name=enp3s5

A list of whitespace-separated names is also accepted to match many network interfaces with this same file at once. The names can contain shell-style globs, like en*. Other entries provide various matching rules, like selecting a network device by its MAC address:

[Match]
MACAddress=00:16:3e:8d:2b:5b

The settings for the device are in the [Network] section of the file. A simple static network configuration only requires the Address and Gateway entries:

[Match]
MACAddress=00:16:3e:8d:2b:5b

[Network]
Address=192.168.0.100/24
Gateway=192.168.0.1

To use the DHCP protocol instead of static IP addresses, the DHCP entry should be used instead:

[Match]
MACAddress=00:16:3e:8d:2b:5b

[Network]
DHCP=yes

The systemd-networkd service will try to fetch both IPv4 and IPv6 addresses for the network interface. To use IPv4 only, DHCP=ipv4 should be used. Likewise, DHCP=ipv6 will ignore IPv4 settings and use the provided IPv6 address only.

Password-protected wireless networks can also be configured by systemd-networkd, but the network adapter must be already authenticated in the network before systemd-networkd can configure it. Authentication is performed by WPA supplicant, a program dedicated to configure network adapters for password protected networks.

The first step is to create the credentials file with command wpa_passphrase:

# wpa_passphrase MyWifi > /etc/wpa_supplicant/wpa_supplicant-wlo1.conf

This command will take the passphrase for the MyWifi wireless network from the standard input and store its hash in the /etc/wpa_supplicant/wpa_supplicant-wlo1.conf. Note that the filename should contain the appropriate name of the wireless interface, hence the wlo1 in the file name.

The systemd manager reads the WPA passphrase files in /etc/wpa_supplicant/ and creates the corresponding service to run WPA supplicant and bring the interface up. The passphrase file created in the example will then have a corresponding service unit called wpa_supplicant@wlo1.service. Command systemctl start wpa_supplicant@wlo1.service will associate the wireless adapter with the remote access point. Command systemctl enable wpa_supplicant@wlo1.service makes the association automatic during boot time.

Finally, a .network file matching the wlo1 interface must be present in /etc/systemd/network/, as systemd-networkd will use it to configure the interface as soon as WPA supplicant finishes the association with the access point.

Guided Exercises

What is the meaning of the word Portal in the CONNECTIVITY column in the output of command nmcli general status?
In a console terminal, how can an ordinary user use the command nmcli to connect to the MyWifi wireless network protected by the password MyPassword?
What command can turn the wireless adapter on if it was previously disabled by the operating system?
Custom configuration files should be placed in what directory when systemd-networkd is managing the network interfaces?

Explorational Exercises

How can a user run the command nmcli to delete an unused connection named Hotel Internet?
NetworkManager scans wi-fi networks periodically and command nmcli device wifi list only lists the access points found in the last scan. How should the nmcli command be used to ask NetworkManager to immediately re-scan all available access points?
What name entry should be used in the [Match] section of a systemd-networkd configuration file to match all ethernet interfaces?
How should the wpa_passphrase command be executed to use the passphrase given as an argument and not from the standard input?

Summary

This lesson covers the common tools used in Linux to manage heterogeneous and dynamic network connections. Although most configuration methods do not require user intervention, sometimes that is necessary and tools like NetworkManager and systemd-networkd can reduce the hassle to a minimum. The lesson goes through the following topics:

How NetworkManager and systemd-networkd integrate with the system.
How the user can interact with NetworkManager and systemd-networkd.
Basic interface configuration with both NetworkManager and systemd-networkd.

The concepts, commands and procedures addressed were:

NetworkManager’s client commands: nmtui and nmcli.
Scanning and connecting to wireless networks using nmcli appropriate commands.
Persistent wi-fi network connections using systemd-networkd.

Answers to Guided Exercises

What is the meaning of the word Portal in the CONNECTIVITY column in the output of command nmcli general status?

It means that extra authentication steps (usually through the web browser) are required to complete the connection process.
In a console terminal, how can an ordinary user use the command nmcli to connect to the MyWifi wireless network protected by the password MyPassword?

In a text-only terminal, the command would be
```
$ nmcli device wifi connect MyWifi password MyPassword
```
What command can turn the wireless adapter on if it was previously disabled by the operating system?
```
$ nmcli radio wifi on
```
Custom configuration files should be placed in what directory when systemd-networkd is managing the network interfaces?

In the local administration network directory: /etc/systemd/network.

Answers to Explorational Exercises

How can a user run the command nmcli to delete an unused connection named Hotel Internet?
```
$ nmcli connection delete "Hotel Internet"
```
NetworkManager scans wi-fi networks periodically and command nmcli device wifi list only lists the access points found in the last scan. How should the nmcli command be used to ask NetworkManager to immediately re-scan all available access points?

The root user can run nmcli device wifi rescan to make NetworkManager re-scan available access points.
What name entry should be used in the [Match] section of a systemd-networkd configuration file to match all ethernet interfaces?

The entry name=en*, as en is the prefix for ethernet interfaces in Linux and systemd-networkd accepts shell-like globs.
How should the wpa_passphrase command be executed to use the passphrase given as an argument and not from the standard input?

The password should be given just after the SSID, as in wpa_passphrase MyWifi MyPassword.