[klibc] Allow ipconfig to bring down interfaces

Karl O. Pinc kop at meme.com
Tue Jul 9 07:27:58 PDT 2013


Hi,

Attached and on the "ipconfig_down" branch at github
(https://github.com/kpinc/klibc.git) you will find 4 patches
which let ipconfig bring down interfaces.  Please consider
them for inclusion.

Why do this?  It's useful when the rootfs is crypted and is
unlocked by supplying passwords over the network.  In this
case the initramfs brings up a network interface.  It can be
useful to have the network config in the initramfs differ
from the network config of the system once booted.  But when
a network interface is configured in an initramfs the system
boot sequence will typically not alter the interface's
configuration.

Of course it's possible to alter the post-initramfs boot
process instead.  The post-initramfs boot network initialization
process would probably have to know that booting is going
on, that it's not just the usual bringing up of interfaces,
and also whether there's an NFS-mounted root fs and perhaps
other things that are already known to klibc. And there's no
one post-klibc boot method, so code would need to be added
in multiple places (sysV init, upstart, et al.).

The patches add only 16 bytes to (my amd64 Debian Wheezy)
ipconfig, when stripped and using a shared klibc.  (There
must be alignment issues, the stripped static version
uses an extra 192 bytes.)  This seems worth having all the
configuration regarding initramfs networking happen in one
place (klibc).

Allowing the initramfs to have its own network
configuration makes possible a variety of benefits to a
network-unlocked crypted rootfs.  The gateway address can be
omitted so that the box can only be unlocked from the local
LAN.  The IP number can differ from that of the running
system; since the initramfs is unencrypted its ssh host
keys may differ from the running system's and having a
different IP in the initramfs aids with host key
management/checking.  And I believe there are security
benefits to putting the initramfs on an entirely separate
network if there's a layer 3 switch involved to provide
access control to the networked initramfs.

I've related patches to the Debian dropbear package which
support initramfs configuration/creation.  I will email a
followup to this thread when I've a URL.

These patches are at the "works for me" stage.

Regards,

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein