109.2 Lesson 2

| Certificate: | LPIC-1 |
|---|---|
| Version: | 5.0 |
| Topic: | 109 Networking Fundamentals |
| Objective: | 109.2 Persistent network configuration |
| Lesson: | 2 of 2 |

Introduction
Linux supports virtually every network technology used to connect servers, containers, virtual machines, desktops and mobile devices. The connections between all these network nodes can be dynamic and heterogeneous, thus requiring appropriate management by the operating system running in them.
In the past, distributions developed their own customized solutions for managing dynamic network infrastructure. Today, tools like NetworkManager and systemd provide more comprehensive and integrated features to meet all the specific demands.
NetworkManager
Most Linux distributions adopt the NetworkManager service daemon to configure and control the system’s network connections. NetworkManager’s purpose is to make the network configuration as simple and automatic as possible. When using DHCP, for example, NetworkManager arranges route changes, IP address fetching and updates to the local list of DNS servers, if necessary. When both wired and wireless connections are available, NetworkManager prioritizes the wired connection by default. NetworkManager will try to keep at least one connection active all the time, whenever it is possible.
Note: A request using DHCP (Dynamic Host Configuration Protocol) is usually sent through the network adapter as soon as the link to the network is established. The DHCP server that is active on the network then responds with the settings (IP address, network mask, default route, etc.) which the requester must use to communicate via the IP protocol.
By default, the NetworkManager daemon controls the network interfaces not mentioned in the /etc/network/interfaces file. It does so in order not to interfere with other configuration methods that may be present, and thus modifies only the interfaces left unattended.
The NetworkManager service runs in the background with root privileges and triggers the necessary actions to keep the system online. Ordinary users can create and modify network connections with client applications that, albeit not having root privileges themselves, are capable of communicating with the underlying service in order to perform the requested actions.
Client applications for NetworkManager are available for both the command line and the graphical environment. For the latter, the client application comes as an accessory of the desktop environment (under names like nm-tray, network-manager-gnome, nm-applet or plasma-nm) and it is usually accessible through an indicator icon at the corner of the desktop bar or from the system configuration utility.
In the command line, NetworkManager itself provides two client programs: nmcli and nmtui. Both programs have the same basic features, but nmtui has a curses-based interface while nmcli is a more comprehensive command that can also be used in scripts. Command nmcli separates all network-related properties controlled by NetworkManager into categories called objects:
- general: NetworkManager’s general status and operations.
- networking: Overall networking control.
- radio: NetworkManager radio switches.
- connection: NetworkManager’s connections.
- device: Devices managed by NetworkManager.
- agent: NetworkManager secret agent or polkit agent.
- monitor: Monitor NetworkManager changes.
The object name is the main argument to command nmcli. To show the overall connectivity status of the system, for example, the object general should be given as the argument:
$ nmcli general
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN
connected  full          enabled  enabled  enabled  enabled
Column STATE tells whether the system is connected to a network or not. If the connection is limited due to external misconfiguration or access restrictions, then the CONNECTIVITY column will not report the full connectivity status. If Portal appears in the CONNECTIVITY column, it means that extra authentication steps (usually through the web browser) are required to complete the connection process. The remaining columns report the status of the wireless connections (if any), either WIFI or WWAN (Wireless Wide Area Network, i.e. cellular networks). The HW suffix indicates that the status corresponds to the network device rather than the system network connection, that is, it tells if the hardware is enabled or disabled to save power.
In addition to the object argument, nmcli also needs a command argument to execute. The status command is used by default if no command argument is present, so the command nmcli general is actually interpreted as nmcli general status.
It is hardly necessary to take any action when the network adapter is connected directly to the access point through cables, but wireless networks require further interaction to accept new members. nmcli facilitates the connection process and saves the settings to connect automatically in the future, hence it is very helpful for laptops or any other mobile appliances.
Before connecting to wi-fi, it is convenient to first list the available networks in the local area. If the system has a working wi-fi adapter, then the device object will use it to scan the available networks with command nmcli device wifi list:
$ nmcli device wifi list
IN-USE  BSSID              SSID       MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
        90:F6:52:C5:FA:12  Hypnotoad  Infra  11    130 Mbit/s  67      ▂▄▆_  WPA2
        10:72:23:C7:27:AC  Jumbao     Infra  1     130 Mbit/s  55      ▂▄__  WPA2
        00:1F:33:33:E9:BE  NETGEAR    Infra  1     54 Mbit/s   35      ▂▄__  WPA1 WPA2
        A4:33:D7:85:6D:B0  AP53       Infra  11    130 Mbit/s  32      ▂▄__  WPA1 WPA2
        98:1E:19:1D:CC:3A  Bruma      Infra  1     195 Mbit/s  22      ▂___  WPA1 WPA2
Most users will probably use the name in the SSID column to identify the network of interest. For example, command nmcli can connect to the network named Hypnotoad using the device object again:
$ nmcli device wifi connect Hypnotoad
If the command is executed inside a terminal emulator in the graphical environment, then a dialog box will appear asking for the network’s passphrase. When executed in a text only console, the password may be provided together with the other arguments:
$ nmcli device wifi connect Hypnotoad password MyPassword
If the wi-fi network hides its SSID name, nmcli can still connect to it with the extra hidden yes arguments:
$ nmcli device wifi connect Hypnotoad password MyPassword hidden yes
If the system has more than one wi-fi adapter, the one to be used may be indicated with ifname. For example, to connect using the adapter named wlo1:
$ nmcli device wifi connect Hypnotoad password MyPassword ifname wlo1
After the connection succeeds, NetworkManager will name it after the corresponding SSID (if it is a wi-fi connection) and will keep it for future connections. The connection names and their UUIDs are listed by command nmcli connection show:
$ nmcli connection show
NAME       UUID                                  TYPE      DEVICE
Ethernet   53440255-567e-300d-9922-b28f0786f56e  ethernet  enp3s5
tun0       cae685e1-b0c4-405a-8ece-6d424e1fb5f8  tun       tun0
Hypnotoad  6fdec048-bcc5-490a-832b-da83d8cb7915  wifi      wlo1
4G         a2cf4460-0cb7-42e3-8df3-ccb927f2fd88  gsm       --
The type of each connection is shown (it can be ethernet, wifi, tun, gsm, bridge, etc.), as well as the device with which it is associated. To perform actions on a specific connection, its name or UUID must be supplied. To deactivate the Hypnotoad connection, for example:
$ nmcli connection down Hypnotoad
Connection 'Hypnotoad' successfully deactivated
Likewise, the command nmcli connection up Hypnotoad can be used to bring the connection up, as it is now saved by NetworkManager. The interface name can also be used to reconnect, but in this case the device object should be used instead:
$ nmcli device disconnect wlo1
Device 'wlo1' successfully disconnected.
The interface name can also be used to reestablish the connection:
$ nmcli device connect wlo1
Device 'wlo1' successfully activated with '833692de-377e-4f91-a3dc-d9a2b1fcf6cb'.
Note that the connection UUID changes every time the connection is brought up, so it is preferable to use its name for consistency.
If the wireless adapter is available but it is not being used, then it can be turned off to save power. This time, the object radio should be passed to nmcli:
$ nmcli radio wifi off
Of course, the wireless device can be turned on again with command nmcli radio wifi on.
Once the connections are established no manual interaction will be required in the future, as NetworkManager identifies available known networks and automatically connects to them. If necessary, NetworkManager has plugins that can extend its functionalities, like the plugin to support VPN connections.
systemd-networkd
Systems running systemd can optionally use its built-in daemons to manage network connectivity: systemd-networkd to control network interfaces and systemd-resolved to manage the local name resolution. These services are backwards compatible with legacy Linux configuration methods, but the configuration of network interfaces in particular has features that are worth knowing.
The configuration files used by systemd-networkd to set up network interfaces can be found in any of the following three directories:
- /lib/systemd/network: The system network directory.
- /run/systemd/network: The volatile runtime network directory.
- /etc/systemd/network: The local administration network directory.
The files are processed in lexicographic order, so it is recommended to start their names with numbers to make the ordering easier to read and set.
Files in /etc have the highest priority, whilst files in /run take precedence over files with the same name in /lib. This means that if configuration files in different directories have the same name, then systemd-networkd will ignore the files with lesser priority. Separating files like that is a way to change the interface settings without having to modify the original files: modifications can be placed in /etc/systemd/network to override those in /lib/systemd/network.
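The precedence rules above can be checked mechanically. The shell functions below are an added example, not part of the original lesson: they report which .network files win and which are shadowed by a same-named file in a higher-priority directory. The function names and the ROOT prefix argument are assumptions made for the example; with no argument the real /lib, /run and /etc directories are read.

```shell
#!/bin/sh
# Added example: resolve which .network files systemd-networkd would use.
# ROOT is a hypothetical directory prefix so the functions can be tried on a
# scratch tree; file names are assumed to contain no tabs or newlines.

# List every candidate as "basename<TAB>path", lowest-priority directory first.
list_candidates() {
    root=${1:-}
    for dir in lib/systemd/network run/systemd/network etc/systemd/network; do
        for f in "$root/$dir"/*.network; do
            [ -e "$f" ] || [ -L "$f" ] || continue   # skip unmatched globs
            printf '%s\t%s\n' "${f##*/}" "$f"
        done
    done
}

# Winners: the last (highest-priority) path seen for each file name,
# printed in the lexicographic order in which the files are processed.
effective_network_files() {
    list_candidates "${1:-}" |
        awk -F'\t' '{ win[$1] = $2 } END { for (n in win) print n "\t" win[n] }' |
        LC_ALL=C sort | cut -f2
}

# Shadowed: files that are ignored because a file with the same name exists
# in a directory with higher priority.
shadowed_network_files() {
    list_candidates "${1:-}" |
        awk -F'\t' '{ if ($1 in win) print win[$1]; win[$1] = $2 }'
}
```

Running shadowed_network_files after a package update or a configuration change shows which vendor files are currently being overridden from /etc or /run.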
The purpose of each configuration file depends on its suffix. File names ending in .netdev are used by systemd-networkd to create virtual network devices, such as bridge or tun devices. Files ending in .link set low-level configurations for the corresponding network interface. systemd-networkd detects and configures network devices automatically as they appear, and ignores devices already configured by other means, so there is little need to add these files in most situations.
The most important suffix is .network. Files using this suffix can be used to set up network addresses and routes. As with the other configuration file types, the name of the file defines the order in which the file will be processed. The network interface to which the configuration file refers is defined in the [Match] section inside the file.
For example, the ethernet network interface enp3s5 can be selected within the file /etc/systemd/network/30-lan.network by using the Name=enp3s5 entry in the [Match] section:
[Match]
Name=enp3s5
A list of whitespace-separated names is also accepted to match many network interfaces with this same file at once. The names can contain shell-style globs, like en*. Other entries provide various matching rules, like selecting a network device by its MAC address:
[Match]
MACAddress=00:16:3e:8d:2b:5b
The settings for the device are in the [Network] section of the file. A simple static network configuration only requires the Address and Gateway entries:
[Match]
MACAddress=00:16:3e:8d:2b:5b

[Network]
Address=192.168.0.100/24
Gateway=192.168.0.1
To use the DHCP protocol instead of static IP addresses, the DHCP entry should be used instead:
[Match]
MACAddress=00:16:3e:8d:2b:5b

[Network]
DHCP=yes
The systemd-networkd service will try to fetch both IPv4 and IPv6 addresses for the network interface. To use IPv4 only, DHCP=ipv4 should be used. Likewise, DHCP=ipv6 will ignore IPv4 settings and use the provided IPv6 address only.
Password-protected wireless networks can also be configured by systemd-networkd, but the network adapter must already be authenticated in the network before systemd-networkd can configure it. Authentication is performed by WPA supplicant, a program dedicated to configuring network adapters for password-protected networks.
The first step is to create the credentials file with command wpa_passphrase:
# wpa_passphrase MyWifi > /etc/wpa_supplicant/wpa_supplicant-wlo1.conf
This command will take the passphrase for the MyWifi wireless network from the standard input and store its hash in the /etc/wpa_supplicant/wpa_supplicant-wlo1.conf file. Note that the filename should contain the appropriate name of the wireless interface, hence the wlo1 in the file name.
The systemd manager reads the WPA passphrase files in /etc/wpa_supplicant/ and creates the corresponding service to run WPA supplicant and bring the interface up. The passphrase file created in the example will then have a corresponding service unit called wpa_supplicant@wlo1.service. Command systemctl start wpa_supplicant@wlo1.service will associate the wireless adapter with the remote access point. Command systemctl enable wpa_supplicant@wlo1.service makes the association automatic during boot time.
Finally, a .network file matching the wlo1 interface must be present in /etc/systemd/network/, as systemd-networkd will use it to configure the interface as soon as WPA supplicant finishes the association with the access point.
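The wi-fi procedure above as shell functions, an added example that is not part of the original lesson. Besides the hash, wpa_passphrase writes the cleartext passphrase into its output as a #psk="..." comment, so the example drops that line and creates the credentials file readable by its owner only. The function names, the ROOT prefix argument and the file name 40-wlo1.network are assumptions made for the example.

```shell
#!/bin/sh
# Added example: credentials file and .network file for a wi-fi interface.
# ROOT is a hypothetical directory prefix so the functions can be tried on a
# scratch tree; leave it out to write below the real /etc.

# Read wpa_passphrase output on stdin and store it for interface IFACE.
# The '#psk="..."' comment holding the cleartext passphrase is removed, and
# umask 077 makes the new file mode 600 (owner read/write only).
write_wpa_conf() {
    iface=$1 root=${2:-}
    conf="$root/etc/wpa_supplicant/wpa_supplicant-$iface.conf"
    ( umask 077; rm -f "$conf"; grep -v '^[[:space:]]*#psk=' > "$conf" )
    printf '%s\n' "$conf"
}

# Write the matching .network file so that systemd-networkd configures the
# interface by DHCP once WPA supplicant has finished the association.
write_wifi_network() {
    iface=$1 root=${2:-}
    net="$root/etc/systemd/network/40-$iface.network"
    printf '[Match]\nName=%s\n\n[Network]\nDHCP=yes\n' "$iface" > "$net"
    printf '%s\n' "$net"
}

# On a real system, as root (the passphrase is read from standard input):
#   wpa_passphrase MyWifi | write_wpa_conf wlo1
#   write_wifi_network wlo1
#   systemctl start wpa_supplicant@wlo1.service
#   systemctl enable wpa_supplicant@wlo1.service
```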
Guided Exercises
- What is the meaning of the word Portal in the CONNECTIVITY column in the output of command nmcli general status?
- In a console terminal, how can an ordinary user use the command nmcli to connect to the MyWifi wireless network protected by the password MyPassword?
- What command can turn the wireless adapter on if it was previously disabled by the operating system?
- Custom configuration files should be placed in what directory when systemd-networkd is managing the network interfaces?
Explorational Exercises
- How can a user run the command nmcli to delete an unused connection named Hotel Internet?
- NetworkManager scans wi-fi networks periodically and command nmcli device wifi list only lists the access points found in the last scan. How should the nmcli command be used to ask NetworkManager to immediately re-scan all available access points?
- What name entry should be used in the [Match] section of a systemd-networkd configuration file to match all ethernet interfaces?
- How should the wpa_passphrase command be executed to use the passphrase given as an argument and not from the standard input?
Summary
This lesson covers the common tools used in Linux to manage heterogeneous and dynamic network connections. Although most configuration methods do not require user intervention, sometimes that is necessary and tools like NetworkManager and systemd-networkd can reduce the hassle to a minimum. The lesson goes through the following topics:
- How NetworkManager and systemd-networkd integrate with the system.
- How the user can interact with NetworkManager and systemd-networkd.
- Basic interface configuration with both NetworkManager and systemd-networkd.
The concepts, commands and procedures addressed were:
- NetworkManager’s client commands: nmtui and nmcli.
- Scanning and connecting to wireless networks using the appropriate nmcli commands.
- Persistent wi-fi network connections using systemd-networkd.
Answers to Guided Exercises
- What is the meaning of the word Portal in the CONNECTIVITY column in the output of command nmcli general status?
  It means that extra authentication steps (usually through the web browser) are required to complete the connection process.
- In a console terminal, how can an ordinary user use the command nmcli to connect to the MyWifi wireless network protected by the password MyPassword?
  In a text-only terminal, the command would be
  $ nmcli device wifi connect MyWifi password MyPassword
- What command can turn the wireless adapter on if it was previously disabled by the operating system?
  $ nmcli radio wifi on
- Custom configuration files should be placed in what directory when systemd-networkd is managing the network interfaces?
  In the local administration network directory: /etc/systemd/network.
Answers to Explorational Exercises
- How can a user run the command nmcli to delete an unused connection named Hotel Internet?
  $ nmcli connection delete "Hotel Internet"
- NetworkManager scans wi-fi networks periodically and command nmcli device wifi list only lists the access points found in the last scan. How should the nmcli command be used to ask NetworkManager to immediately re-scan all available access points?
  The root user can run nmcli device wifi rescan to make NetworkManager re-scan available access points.
- What name entry should be used in the [Match] section of a systemd-networkd configuration file to match all ethernet interfaces?
  The entry name=en*, as en is the prefix for ethernet interfaces in Linux and systemd-networkd accepts shell-like globs.
- How should the wpa_passphrase command be executed to use the passphrase given as an argument and not from the standard input?
  The password should be given just after the SSID, as in wpa_passphrase MyWifi MyPassword.