| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 07/02/12 11:46 AM, Duncan wrote: |
| 5 |
> Ian Stakenvicius posted on Tue, 07 Feb 2012 09:39:14 -0500 as |
| 6 |
> excerpted: |
| 7 |
> |
| 8 |
>> I think that "Category 2" needs to be separated into "2a - any |
| 9 |
>> network", and "2b - any public network". For instance, the |
| 10 |
>> service 'net' (for 2a) and service 'inet' (for 2b). If this were |
| 11 |
>> the default case, then Cat.2 packages that by default want to |
| 12 |
>> connect to the internet could 'need inet', and then the user |
| 13 |
>> would only have to define which interfaces are included (or |
| 14 |
>> excluded) from satisfying 'inet'. |
| 15 |
>> |
| 16 |
>> The trick that I see here is that init.d scripts have to have |
| 17 |
>> their 'depends' set up in such a way that the services can be |
| 18 |
>> separated based on their need for public network or any network, |
| 19 |
>> so that the user doesn't have to mess with those. By default I |
| 20 |
>> think it makes sense to keep both the 'net' and 'inet' pools the |
| 21 |
>> same (ie, all ifaces but net.lo*), but have a simple ability to |
| 22 |
>> separate interfaces from the 'public net' pool in rc.conf when |
| 23 |
>> they do not provide a public network connection. |
| 24 |
> |
| 25 |
> This boils down to the suggestion I made earlier. Using current |
| 26 |
> terms: |
| 27 |
> |
| 28 |
> 1) Separate net.lo service for stuff that doesn't have to have an |
| 29 |
> external connection at all. |
| 30 |
> |
| 31 |
> 2) A default net (or net*) service that is is composed of all |
| 32 |
> non-net.lo services, with a default any-one-of-them policy. Two |
| 33 |
> reasons for this: |
| 34 |
> |
| 35 |
> 2a) It'll "just work" in the simple case. |
| 36 |
> |
| 37 |
> 2b) It's the easiest to automatically preconfigure without getting |
| 38 |
> into lots of "detect all the networks and magically figure out |
| 39 |
> whether they're lan-only or inet" hairballs. |
| 40 |
> |
| 41 |
> 3) Allow the user/admin to configure net1, net2... just like the |
| 42 |
> default net/net*, specifying individual interfaces for each as well |
| 43 |
> as whether one or all of the configured interfaces must be up for |
| 44 |
> the service to be provided. |
| 45 |
> |
| 46 |
> This way, a user/admin can provide narrower-than-all groupings as |
| 47 |
> necessary, including net.lo if it makes sense for them, tho the |
| 48 |
> defaults would be only one net.lo and the wildcard |
| 49 |
> default-any-one-of-anything- else. |
| 50 |
> |
| 51 |
|
| 52 |
Yes, it's very similar. The only thing that I'm not sure of under the |
| 53 |
above situation is how the depend in each init.d script would be |
| 54 |
defined by default, so that IF the 'net' pool doesn't match up with |
| 55 |
the 'inet' pool ('inet' would always be a subset of 'net'), then a |
| 56 |
user/admin could just specify the pool(s) in rc.conf, etc and NOT have |
| 57 |
to adjust the init scripts or assign specific ifaces/pools to each |
| 58 |
service via rc.conf. |
| 59 |
|
| 60 |
I do realize that there is a case that breaks pretty well every |
| 61 |
example, but this one (a 'net' and 'inet' pool, which defaults to |
| 62 |
being the same but can easily have an iface excluded) i think expands |
| 63 |
to cover a larger slice of cases. |
| 64 |
|
| 65 |
This would, of course, not keep the admin from doing #3 above, which |
| 66 |
iirc can be done now in rc.conf |
| 67 |
|
| 68 |
(please substitute 'inet' for 'publicnet' or whatever name makes more |
| 69 |
send to you) |
| 70 |
-----BEGIN PGP SIGNATURE----- |
| 71 |
Version: GnuPG v2.0.17 (GNU/Linux) |
| 72 |
|
| 73 |
iF4EAREIAAYFAk8xW4QACgkQAJxUfCtlWe0zigD+M2epQlQPH+w1+cjgJsACF8AG |
| 74 |
UggkmYgi5GjVxwmnxdEBAJwp0uMYnibnAEVLMibXcrvJq4ybsRBEMP5t4M9+cQm4 |
| 75 |
=aksR |
| 76 |
-----END PGP SIGNATURE----- |
Archives