On 07/02/12 11:46 AM, Duncan wrote:
> Ian Stakenvicius posted on Tue, 07 Feb 2012 09:39:14 -0500 as
> excerpted:
>
>> I think that "Category 2" needs to be separated into "2a - any
>> network", and "2b - any public network". For instance, the
>> service 'net' (for 2a) and service 'inet' (for 2b). If this were
>> the default case, then Cat.2 packages that by default want to
>> connect to the internet could 'need inet', and then the user
>> would only have to define which interfaces are included (or
>> excluded) from satisfying 'inet'.
>>
>> The trick that I see here is that init.d scripts have to have
>> their 'depends' set up in such a way that the services can be
>> separated based on their need for public network or any network,
>> so that the user doesn't have to mess with those. By default I
>> think it makes sense to keep both the 'net' and 'inet' pools the
>> same (ie, all ifaces but net.lo*), but have a simple ability to
>> separate interfaces from the 'public net' pool in rc.conf when
>> they do not provide a public network connection.
>
> This boils down to the suggestion I made earlier. Using current
> terms:
>
> 1) Separate net.lo service for stuff that doesn't have to have an
> external connection at all.
>
> 2) A default net (or net*) service that is composed of all
> non-net.lo services, with a default any-one-of-them policy. Two
> reasons for this:
>
> 2a) It'll "just work" in the simple case.
>
> 2b) It's the easiest to automatically preconfigure without getting
> into lots of "detect all the networks and magically figure out
> whether they're lan-only or inet" hairballs.
>
> 3) Allow the user/admin to configure net1, net2... just like the
> default net/net*, specifying individual interfaces for each as well
> as whether one or all of the configured interfaces must be up for
> the service to be provided.
>
> This way, a user/admin can provide narrower-than-all groupings as
> necessary, including net.lo if it makes sense for them, tho the
> defaults would be only one net.lo and the wildcard
> default-any-one-of-anything-else.
>

Yes, it's very similar. The only thing that I'm not sure of under the
above situation is how the depend in each init.d script would be
defined by default, so that IF the 'net' pool doesn't match up with
the 'inet' pool ('inet' would always be a subset of 'net'), then a
user/admin could just specify the pool(s) in rc.conf, etc. and NOT have
to adjust the init scripts or assign specific ifaces/pools to each
service via rc.conf.

I do realize that there is a case that breaks pretty well every
example, but this one (a 'net' and 'inet' pool, which defaults to
being the same but can easily have an iface excluded) I think expands
to cover a larger slice of cases.

This would, of course, not keep the admin from doing #3 above, which
iirc can be done now in rc.conf.

(please substitute 'inet' for 'publicnet' or whatever name makes more
sense to you)