Showing 32 changed files with 342 additions and 63 deletions.
@@ -0,0 +1,67 @@ | ||
<section xmlns="http://docbook.org/ns/docbook" | ||
xmlns:xlink="http://www.w3.org/1999/xlink" | ||
xmlns:xi="http://www.w3.org/2001/XInclude" | ||
version="5.0" | ||
xml:id="sec-rename-ifs"> | ||
<title>Renaming network interfaces</title> | ||
|
||
<para> | ||
NixOS uses the udev | ||
<link xlink:href="https://systemd.io/PREDICTABLE_INTERFACE_NAMES/">predictable naming scheme</link> | ||
to assign names to network interfaces. This means that by default | ||
cards are not given the traditional names like | ||
<literal>eth0</literal> or <literal>eth1</literal>, whose order can | ||
change unpredictably across reboots. Instead, relying on physical | ||
locations and firmware information, the scheme produces names like | ||
<literal>ens1</literal>, <literal>enp2s0</literal>, etc. | ||
</para> | ||
|
||
<para> | ||
These names are predictable but less memorable and not necessarily | ||
stable: for example installing new hardware or changing firmware | ||
settings can result in a | ||
<link xlink:href="https://github.com/systemd/systemd/issues/3715#issue-165347602">name change</link>. | ||
If this is undesirable, for example if you have a single ethernet | ||
card, you can revert to the traditional scheme by setting | ||
<xref linkend="opt-networking.usePredictableInterfaceNames"/> to | ||
<literal>false</literal>. | ||
</para> | ||
|
||
<section xml:id="sec-custom-ifnames"> | ||
<title>Assigning custom names</title> | ||
<para> | ||
In case there are multiple interfaces of the same type, it’s better to | ||
assign custom names based on the device hardware address. For | ||
example, we assign the name <literal>wan</literal> to the interface | ||
with MAC address <literal>52:54:00:12:01:01</literal> using a | ||
netword link unit: | ||
</para> | ||
<programlisting> | ||
<link linkend="opt-systemd.network.links">systemd.network.links."10-wan"</link> = { | ||
matchConfig.MACAddress = "52:54:00:12:01:01"; | ||
linkConfig.Name = "wan"; | ||
}; | ||
</programlisting> | ||
<para> | ||
Note that links are directly read by udev, <emphasis>not networkd</emphasis>, | ||
and will work even if networkd is disabled. | ||
</para> | ||
<para> | ||
Alternatively, we can use a plain old udev rule: | ||
</para> | ||
<programlisting> | ||
<link linkend="opt-services.udev.initrdRules">services.udev.initrdRules</link> = '' | ||
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \ | ||
ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="wan" | ||
''; | ||
</programlisting> | ||
|
||
<warning><para> | ||
The rule must be installed in the initrd using | ||
<literal>services.udev.initrdRules</literal>, not the usual | ||
<literal>services.udev.extraRules</literal> option. This is to avoid race | ||
conditions with other programs controlling the interface. | ||
</para></warning> | ||
</section> | ||
|
||
</section> |
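Review bot: typo in the "Assigning custom names" paragraph of this hunk: "using a netword link unit:" should read "using a networkd link unit:" (the very next paragraph refers to "networkd", so the misspelling will confuse readers). Two smaller points in the same hunk: the warning says the rule must live in services.udev.initrdRules "to avoid race conditions with other programs controlling the interface", but does not say which programs or at what stage the race happens; one sentence naming the stage at which the interface would otherwise already be in use under its kernel name would make the reason for rejecting services.udev.extraRules concrete. And the udev-rule example matches KERNEL=="eth*", which is only correct because the rule runs in the initrd before the predictable scheme has renamed the device; it is worth stating that dependency next to the example so nobody copies the rule into extraRules and wonders why it never matches.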
@@ -0,0 +1,36 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -euo pipefail | ||
|
||
WGET() { | ||
wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google' "$@" | ||
} | ||
|
||
# When dealing with cryptographic keys, we want to keep things private. | ||
umask 077 | ||
mkdir -p /root/.ssh | ||
|
||
echo "Fetching authorized keys..." | ||
WGET -O /tmp/auth_keys http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys | ||
|
||
# Read keys one by one, split in case Google decided | ||
# to append metadata (it does sometimes) and add to | ||
# authorized_keys if not already present. | ||
touch /root/.ssh/authorized_keys | ||
while IFS='' read -r line || [[ -n "$line" ]]; do | ||
keyLine=$(echo -n "$line" | cut -d ':' -f2) | ||
IFS=' ' read -r -a array <<<"$keyLine" | ||
if [[ ${#array[@]} -ge 3 ]]; then | ||
echo "${array[@]:0:3}" >>/tmp/new_keys | ||
echo "Added ${array[*]:2} to authorized_keys" | ||
fi | ||
done </tmp/auth_keys | ||
mv /tmp/new_keys /root/.ssh/authorized_keys | ||
chmod 600 /root/.ssh/authorized_keys | ||
|
||
echo "Fetching host keys..." | ||
WGET -O /tmp/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key | ||
WGET -O /tmp/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub | ||
mv -f /tmp/ssh_host_ed25519_key* /etc/ssh/ | ||
chmod 600 /etc/ssh/ssh_host_ed25519_key | ||
chmod 644 /etc/ssh/ssh_host_ed25519_key.pub |
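Review bot: /tmp/new_keys is never initialised before the read loop, so an instance whose sshKeys attribute yields no valid entries never creates it and `mv /tmp/new_keys /root/.ssh/authorized_keys` fails under `set -euo pipefail`, aborting the script before the host keys are fetched; conversely, a run that died after the loop leaves a stale file that the next run appends to. Initialise it (`: > /tmp/new_keys`, or better a `mktemp` path) before the loop, and drop `touch /root/.ssh/authorized_keys`, which the mv overwrites anyway. The loop comment promises keys are added "if not already present", but there is no duplicate check at all: either add one (for example `grep -qxF` against the file being built) or correct the comment. Lastly, the private host key is staged in the shared /tmp directory before being moved into /etc/ssh; since `umask 077` is already in effect, fetching with `-O` straight into a `mktemp -d` under /etc/ssh (or the final path) avoids writing secret material to a world-writable location at all.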