Thank you very much for coming. I'm impressed how many people made it here at this early time, directly after the party, so thank you very much. I will now talk about network configuration on Linux. I'm Tim Maas. I have been involved in the Fedora project since 2005, and currently I'm serving on the Fedora Council. I'm also working in the networking services team at Red Hat, which is providing abstractions on top of NetworkManager to make it easier to configure networking. Therefore most of my experience is from the Fedora, CentOS or RHEL world, and I also have some insights into Debian regarding network configuration, but in case you have any remarks about important or key interesting facts about other distributions, please let me know. Also, you might hear it: I had a cold recently. I still have a cold, so my performance might be a little bit impaired. I hope you can excuse this.

Initially, I want to take a short look into the historic interface of network configuration to see why it's important to improve this. So initially, on RHEL or Fedora, there were these ifcfg files that were then used by initscripts, and while they look like configuration files, they're actually shell scripts that define shell variables. This means that there's not really proper parsing going on, and of course you can also do a lot of things. I'm wondering, is anyone familiar with these files? Please raise your hand. Okay, so please keep them up, and do you see a problem in this file? Specifically, so if you see a problem, please... Okay, it doesn't seem like anyone, and... Yeah, who said this? Yeah, where's water, but you see it's hard to spot these kinds of errors.
You will get some treats afterwards. So LMP spot, and yeah, I will just show how this looks in practice if you try to use this kind of file.

Okay, so this is a Fedora 31 system that has this file already set up, and we can look at the network configuration; it's already partly configured. Now if I do ifup eth1, which would be the command to configure it, we see, first of all, the first problem is that this old thing is deprecated and it's not properly maintained anymore. Also, it seems there's a bug in the system in general, because it's using the wrong path to a command, which is not so nice. And also, if we now look at the actual interfaces, we see that compared to before there's no IPv6 address configured; it's just the link-local address, not the actual address that we specified here, because, as Adam said, there's a typo in the file. But we don't really get any feedback that there's a typo. It just looks like it's partly broken in general, but not that it's working at all.

So let's fix this now. We see we have the address, and then typically, you might note, in a normal situation it might be that you realize: oh no, I actually want to use a different IP address. So I changed it to 42, and to apply it I use ifup eth1, and what would you expect? Anyone? Okay, you actually already expect this, but as a normal user, if I say I only want this IP address in the configuration file, I would expect, without prior knowledge, that it's only that one, but it's not here. So with this approach you either need to clean up manually or you need to do ifdown and then ifup to properly synchronize the state. Currently I'm lucky, because that's not the management interface where I'm logged in, but if I'm logged into this, it also means I might lose access to the remote server.
So in general, it's also very dangerous to do things like this. Another problem that I also sometimes fell into back in the times was that if you, for example, realize you don't need a certain network connection anymore, then you will just remove it, think "oh yeah, I'm done", and then "oh no, I forgot to take it down". But then the down command doesn't work anymore either, because it really needs the file, and nothing keeps track of the actual connection, and again you are left to do all the cleanup yourself. So I would say it's a little bit dangerous to use this old file, especially if you want high availability and proper network configuration, or you need to reinvent a lot of things yourself. But of course, there are still a few advantages of using this, because since it's just shell scripts, you can basically extend it to everything that you like, because it's programming, it's not configuring. And because you do not have anything running there, no resources, you use a lot less resources, because after the network configuration everything is done.

Sorry, I will try to mute next time.

To solve a few of these problems, NetworkManager was created. So this is the new logo of NetworkManager, in case you haven't seen it. You might also be able to get some stickers. I'm not sure if you have some. Yeah, we have some, so if you want to have stickers for your laptop, approach me later. So it's actually a daemon handling the network connections, initially also created to solve some problems which you have at a desktop, when you need to have different profiles, for example, but it also contains features that make this better for servers to handle certain things. To make the conversion easy, it also supports these ifcfg files as a backend by default on Fedora. But NetworkManager doesn't treat them as shell scripts; it tries to parse them.
So you cannot, by default, do everything with it that you could do easily. You also have a few command-line tools that make things easier. For example, this is how it would look if you make the same typing error with the command-line tool: you get immediate feedback that the configuration is wrong, that the syntax is wrong, and then you realize, oh, it's the V that's missing.

We can also take a look at the other features. So this is now basically a similar system, just with NetworkManager installed. So let me just show that currently eth1 is not configured, and I fear the command line to set up the connection. So as you can see, it will complain if this is wrong. And now, for example, you can change IP addresses with the nmcli command to edit the connection, then say ipv6.address is something else, and at this time it does not yet change the actual interface; it will only change the configuration on the system. So you can still take a look at the ifcfg file, and we see it already changed. Then you have a different command, for example, to actually apply this change to the runtime configuration, and now we will see it will only have the new IP address that you specified, so that the settings are completely in sync and you don't have this problem that you need to take down the interface; NetworkManager will just take care of it by itself.

But then, using all of this does not really scale. So in case you want to do this on a lot of machines, you basically would have to write your own wrapper around nmcli, or you need some other solution to do this.
And also there might still be some problems. I already showed that if there's a syntax error, then NetworkManager detects it directly. But there might also be a logical error, that you for example use the wrong IP address or a certain configuration that doesn't work, and for this NetworkManager also provides a solution, which is using checkpoints, where you can basically save the current state of the network settings with a timeout, and in case you do not remove this checkpoint, it will automatically revert to that state. So if you, for example, have a little bit more complex error...

And this is supported by the Ansible network Linux System Role. It also makes it a lot easier, at least for me, to read and to understand what's going on in the system. So this is an example of how to set up the IP addresses on one interface. It's not the complete playbook; that would look like this. So you still need to include the role and specify the hosts that you want to use it for, but this is basically basic Ansible stuff.

And I want to show you how to use this for a little bit more real-world setup. So this would be using two Ethernet interfaces in a bond for fail safety, and then creating bridges, like one bridge for the untagged interface and additional bridges for certain VLANs, which I was told is a common setup for virtual machines. So if you want to have virtual machines that can use VLAN 29, you will add them to bridge 29 and so on. I was wondering, just for a reality check: is any one of you using such a setup in production? So please raise your hand. Yeah, so at least a few people, so it's good to know that this is a good example.
I guess. So let's take a look at how this would look. Yeah, I have the playbook for the more complex example, which uses the Linux System Roles network role. For example, I specify the bridge, also different, the untagged, which is used at this point with an IP address; then make sure that bond0 is part of the bridge; and another bridge for VLAN 29 with an IP address, and also the VLAN is part of the bridge; and also specify that the bond consists of the two devices eth1 and eth2. Excuse me. So one just needs to call ansible-playbook and then call this playbook, and then you can see all the connections appearing on the system. For some reason the VLAN interface didn't come up. That's strange, but basically, usually it works. So it's might also be a card something for my call. And with this, for example, the Ansible role also creates a checkpoint and the rollback, and then, for example, if something would break inside the role, then NetworkManager would be there to at least restore the previous configuration state. Like in this complex state, we didn't have any verification that actually everything worked, but that's something that I will come to next.

So let me skip to the slides again. So the advantages of this are, of course, that you can use the power of Ansible for automation. You have the inventory, you can do conditional settings on some things, and, for example, by using the Ansible facts you could also specify interfaces by name; you could also say: apply this profile to the interface that has PCI address so-and-so. So you are a lot less likely to have any problems because the naming schema changes. You have automatic error handling and additional support with checkpoints to restore on error. There are some disadvantages to this: you always need Ansible, so if you just want to configure your local system, using Ansible for this might be a little bit of overkill. It's still based...
It's based on profiles, so you do not necessarily configure the interfaces, but you configure profiles for the interfaces, which has advantages, but also its complexity. And Ansible is not directly an API to be used by other tools. You don't have reporting, maybe yet, so we might change this, and currently you cannot do partial changes.

A solution for this is another project I'm working on, which is called nmstate. It's written in Python. Let's also take a look at this. It has, for example, a command-line tool: you can use nmstatectl show, and then you get the network configuration, which is in the same format as the actual configuration that it also accepts. So we see, for example, this is the bridge 29 for the VLAN. With it you can also easily edit an interface, for example again change the IP address. Additionally, it also supports checking whether the runtime state after applying this matches the requested state, and it uses checkpoints and fallbacks. For example, if I request something that it cannot really fulfill, like an MTU that's just right, then you will get an error, and it will fall back to the previous state and tell you what's wrong.

Since it's Python, you can of course also use it with any other tool. So for example, show it, and then if you have the configuration, you could use libnmstate and then libnmstate.apply. So this is currently the signature of the function, so you could also disable the internal verification of the change, for example if you want to do your own verification at some point. And you can also then, for example, keep the checkpoints living, and then, if you do additional verification, for example if you want to do a functional test of whether you can really reach a server, and it doesn't work, then you can still roll back to the configuration that was saved before you started the configuration.

Oh, I'm a little bit over time.
So just a very quick look at the roadmap for the network system roles. What would also be interesting, and where it would be good that we have profiles instead of just network configuration, is to allow configuration based on LLDP information. So you could already start a bunch of profiles on the system, and then, for example, in case you see multiple interfaces providing the same VLAN interface based on LLDP, it will automatically create a bond interface for this. Maybe then make the PCI address more native, and of course always add more settings. Maybe also add reporting, final states. We are also working on full Ansible support, so you can also use the simplified syntax by Ansible, and have plugins for missing features. Maybe provide a valid interface so you can easily use other languages to interface with it, because it's currently only Python. Some other ideas that we have as well.

So thank you very much for listening. Here you can find more information about the different projects. You can also write me an email. And what are your questions?

It actually uses the API. Sorry, the question was what the Ansible role does, whether it lays down a file or calls nmcli, and the answer is it uses the library libnm directly. So it implements everything based on the NetworkManager library.

So the other question was what do I think of systemd-networkd. I also think it's an improvement over initscripts configuration, but it still has the downside that, from the idea, it's a one-shot configuration service. So you lay down configuration files.
You have..., which is a little better than having shell scripts, but it's also supposed to only run once at boot time and set up everything, and you might still, for example, if you want to change things, sometimes need to clean up behind it; like, when you remove things, it doesn't know this. And also you don't have, as far as I know, this API that you can, like, talk to a library to write these configuration files, but you have to write them yourself or with some templating.

What's your question? So the question was, when using systemd-networkd and the Ansible network role together, whether this would conflict a good time. So the problem is the role only works with NetworkManager and with the old initscripts system, but it also only has the advanced features using NetworkManager, and therefore if you use both systemd-networkd and the role you will have conflicts, and it's not sure what will happen.

Any features that you would like, that you are missing, that you do with... Oh, there's a question. Okay, so the question was whether or not we take a history of changes, and the answer is currently no, because, since the input is usually YAML files with Ansible, I think it's expected that you would have them under revision control anyhow, and so adding this additionally on the server might just add unnecessary complexity, but it's a good idea to keep in mind.

Okay, so the remark was that network-scripts is still maintained; they are still running it at Facebook. Okay, maybe I wasn't clear about this. I didn't say it was maintained completely. It's more like it's on life support, so you won't see really new features.

Thank you very much for your attendance.