Re: [OT] [Troll ?] RE: Virtual Interfaces?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [OT] [Troll ?] RE: Virtual Interfaces?
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Wed, 24 Dec 2003 10:30:10 +0100
Hello,

May I once again ask you to pretty please format your emails to proper line wrap? It's highly disturbing to fix your emails only to be able to read them.

OK. I can't do the test again (it's production time).

Do it on some other machine then ;).

This morning, I wanted to test the vrrp part of my LVS.
The interfaces are mounted by the RedHat startup scripts.
As far as I know, it is using ifconfig.

Yes.

I just made a 'ifconfig eth1 down'. In the ifconfig point of view,
the interfaces were down.

What do you mean the interfaces were down??? There is only one interface?

ifconfig $intf down means:

set link state of eth1 down _and_ flush the IP address of the alias named $intf.

Which is completely broken! With ifconfig you have no means to distinguish between flushing IP addresses and setting a link state of a physical interface. There's a huge difference routing wise. In the case of setting the physical link layer to down you do _not_ disable routing table entries. In the case of flushing an IP address you _also_ remove its routing table entry which can be annoying from a setup point of view and definitely irritating from a security viewpoint.

The reason why it is important to have two states of interface setup can for example be found in the security business. You set the link state to down, set up all packet filter rules and then configure all IP addresses and rules and routes. Then you start local daemons (and they will start even if they need to bind and listen to non-local IP addresses because the IP addresses and the routing is complete) _and_ after that you open your gates by setting the link state to up.

In the iproute point of view (ip addr),
the IPs were UP. In the network point of view, the sites were unreachable.

Ahh, maybe I understand now what you did. You are probably referring to the following case:

You have multiple "virtual interfaces" on eth1, right? Once you do ifconfig eth1 down the stupid ifconfig of course does a complete fuckup by flushing the IP address of the label eth1 only which of course is only 1 IP address but doesn't flush the rest. And to make it even worse, it sets the link state of eth1 to down which pretty much results in what you've seen. ip addr show dev eth1 will of course show you the remaining IP addresses (referred to as "virtual interfaces" with ifconfig) attached to eth1 but as the link state of the physical interface is down you will not be able to receive any packets anymore.

Yet another braindamage of ifconfig.

The slave didn't see anything (so, probably, the vrrp packets were already gone out). That turned me sad. Even if it is probably not iproute related, that was a good reason to troll.

I can't comment on reasons for trolling, but I understand your frustration.

I think that Bert and probably other iproute developers are focusing
hard on the advanced functions iproute is made for, forgetting that
iproute should become fully integrated in the linux distributions, even
for simple tasks.

That's why I wrote the ifcfg utility. It could be considered an API for people to switch over from ifconfig to ip in SysV scripts.

So, scriptability, a little manpage and some very simple examples
would help, with a set of sysV startup scripts to replace the existing ones.

Have a look at the SuSE distribution, they do it since 8.1 or so I think.

I was talking about opensource product :).
Well, thank you for your help.

You're welcome.

I understand well the way iproute is developed,
just be careful when you advocate it,
some old unix/linux bofhs could be irritable :).

Well, I'm not from the Linux world either, sometimes still booting my PDP11 and VaXens up but especially if you're an old grumpy Unix guy (which I don't consider myself at that point) you should have an elevated affinity to new useful designs and as a BOFH you certainly know how to get information in form of man pages or google. That's my point of view.

I found a developer who filled a FS with misplaced misconfigured huge log files.
This is as good as a shower. 'feel better now.

Hope nothing crashed (except syslog.. maybe).

I'm off for parties now, and then I'll fly to Berlin and Poland to a congress, so I might not reply until the next couple of days.

Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
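
The state discussed in the mail above (addresses still listed by `ip addr` while the link is down) can be spotted from `ip -o` output by checking the administrative `UP` flag. This is an added example, not part of the original message; the sample output, interface names and addresses are constructed.

```shell
#!/bin/sh
# List IPv4 addresses that are still configured on interfaces whose link
# is administratively down (no UP flag in `ip -o link show`).

# Constructed sample output (not captured from a real host).
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN'
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.11/24 brd 192.0.2.255 scope global eth1:1\       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.12/24 brd 192.0.2.255 scope global eth1:2\       valid_lft forever preferred_lft forever'

# $1: text of `ip -o link show`, $2: text of `ip -o -4 addr show`.
# Prints "<dev> <addr/prefix> <label>" for each address on a downed link.
addrs_on_down_links() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { in_addr = 1; next }
        !in_addr {
            # Link line: "3: eth1: <FLAGS> ..." (VLANs appear as name@parent)
            dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev)
            flags = $3; gsub(/[<>]/, "", flags)
            # Admin state is the UP flag; LOWER_UP only reports carrier.
            up[dev] = (("," flags ",") ~ /,UP,/)
            next
        }
        $3 == "inet" && ($2 in up) && !up[$2] {
            # The label is the last word before the "\" that -o inserts.
            line = $0; sub(/\\.*/, "", line)
            n = split(line, f, " ")
            print $2, $4, f[n]
        }
    '
}

# Stand-alone run on the sample. On a host, pass live output instead:
#   addrs_on_down_links "$(ip -o link show)" "$(ip -o -4 addr show)"
addrs_on_down_links "$SAMPLE_LINK" "$SAMPLE_ADDR"
```
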
