The validation was incorrectly checking for routing rule attributes at the top-level
NM module instead of the NM.IPRoutingRule class. This was causing validation failures
because:
libnm's API has two core aspects:
1. NMConnection/NMSetting types for handling connection profiles
2. NMClient as a cache of D-Bus objects
The suppress_prefixlength and uid_range attributes are not part of the top-level NM
module but belong to NM.IPRoutingRule. Updated the validation to properly check for:
- set_suppress_prefixlength instead of NM_IP_ROUTING_RULE_ATTR_SUPPRESS_PREFIXLENGTH
- set_uid_range instead of NM_IP_ROUTING_RULE_ATTR_UID_RANGE_START
This aligns with the correct API usage and fixes the validation errors.
Resolves: https://issues.redhat.com/browse/RHEL-85872
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
* You can ignore words inline by adding a comment like `# codespell:ignore word`.
* You can ignore words by adding them to the `.codespell_ignores` file.
* You can ignore files and directories by adding them with `skip = ` to the `.codespellrc` file.
Signed-off-by: Sergei Petrosian <spetrosi@redhat.com>
Add support for the `wait_ip` property; the system will consider the
connection activated only when a specific IP stack is configured.
This enables flexibility in scenarios such as
IPv6-only networks, where the overall network configuration can still
succeed when IPv4 configuration fails but IPv6 completes successfully.
The `wait_ip` can be configured with the following possible values:
* "any": System will consider the interface activated when any IP stack is
  configured.
* "ipv4": System will wait for IPv4 to be configured.
* "ipv6": System will wait for IPv6 to be configured.
* "ipv4+ipv6": System will wait for both IPv4 and IPv6 to be configured.
Resolves: https://issues.redhat.com/browse/RHEL-63026
Signed-off-by: Wen Liang <wenliang@redhat.com>
There is no fine-grained control over the number of retries for
automatically reconnecting a network connection in the role. This
limitation can be problematic for certain use cases where extending the
retry process is critical, particularly in environments with unstable
networks. Introduce support for the `autoconnect_retries` property in nm
provider of `network_connections` variable. This feature allows users to
configure how many times NetworkManager will attempt to reconnect a
connection after an autoconnect failure, providing more control over
network stability and performance.
Resolves: https://issues.redhat.com/browse/RHEL-61599
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Enhancement: Add the optional route source parameter for the nm provider
Reason: In a scenario where you have a machine with multiple public IP
addresses, typically due to a multi-WAN setup, the src parameter in the
context of routes allows you to specify which source IP address should
be used when sending packets via a specific route. This is crucial when
you want to ensure that outbound traffic uses a specific IP address tied
to a particular network interface, especially when dealing with multiple
WAN connections.
Result: Adding support for the src parameter in routes results in a
more powerful and flexible network configuration capability, especially
important in environments with multiple network interfaces or multiple
IP addresses; it provides better control over traffic routing.
Resolves: https://issues.redhat.com/browse/RHEL-3252
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
It is useful and common practice to configure the routes with blackhole,
prohibit, and unreachable route types when users have BGP routing
setups.
Notice that this feature is only for nm provider using
`network_connections` variable. Configuring blackhole, prohibit, and
unreachable route types is also supported by using `network_state` since
nmstate version 2.2.20 (the setting name is `route-type`).
Resolves: https://issues.redhat.com/browse/RHEL-19579
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
The old ansible-community ansible-lint is deprecated. There is a
new ansible-lint github action. The new ansible-lint has several checks
related to ansible-test and the ignore files. Many of our ignore settings
are not allowed any more and are required to be fixed or addressed in the
Ansible preferred way.
The python imports have to be wrapped in a try/except ImportError, and
where possible, an error must be returned from the module explaining
what was not able to be imported.
The module documentation must comply with the Ansible standards. One
aspect of this is the `version_added` must be a valid ansible-core
version in X.Y.Z format. Note that this version isn't really used
anywhere, so it doesn't matter for users of the role, it is purely
an `ansible-test` and import gating issue.
The result of this is that the .sanity files can be reduced to the
bare minimum which will greatly reduce the maintenance burden of
those files, make it easier to support newer versions of Ansible,
and make it easier to import the system roles collection into Galaxy
and Automation Hub.
The latest Ansible repo gating tests run ansible-lint against
the collection format instead of against individual roles.
We have to convert the role to collection format before running
ansible-test.
Role developers can run this locally using
`tox -e collection,ansible-lint-collection`
See https://github.com/linux-system-roles/tox-lsr/pull/125
Add `---` doc start to .markdownlint.yaml
The file `examples/down_profile+delete_interface.yml`
was not used and was causing ansible-lint errors.
ansible-lint enforces the order of keywords in plays - `name`,
then `hosts`, then `vars`, then `tasks`.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Some variables used in the module code are not meaningful at all, which
might be hard to read and understand. Therefore, replace them with
meaningful variables.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
`from 0.0.0.0/0` means from all IPv4 addresses, `from ::/0` means from
all IPv6 addresses. In NM, if `from` property is not specified in a
routing rule, NM still appends `from 0.0.0.0/0` or `from ::/0` to the
rule. NM also allows to specify `to 0.0.0.0/0` or `to ::/0` in a
routing rule, but the connection profiles will only show the `from`
setting for the rule.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
reason: The administrator wants to suppress the AAAA queries made by
the stub resolver, including AAAA lookups triggered by NSS-based
interfaces such as getaddrinfo. Only the DNS lookups are affected.
result: The administrator is able to suppress AAAA queries made by the
stub resolver.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
reason: The user wants to ignore automatically configured name servers and
search domains (e.g. dns record from DHCP), and only use the name
servers and search domains specified in the `dns` and `dns_search`
properties.
result: The user is able to ignore automatically configured name servers
and search domains.
Notice that there are two settings here distinguished by the address
families, which aims to be compatible with NetworkManager
(`ipv4.ignore-auto-dns` and `ipv6.ignore-auto-dns`) and Nmstate (setting
`auto-dns` on `ipv4` or `ipv6` section). Also, the users can get auto
DNS from DHCPv4, DHCPv6, modem etc, and they may want to ignore auto
DNS on IPv4 but not on IPv6; in this case, it is better to have two
settings distinguished by the address families.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Simplify the parsing of route table IDs to avoid unnecessary exception
handling that makes the code harder to understand and triggers CodeQL
warnings. Also re-organize the unit tests and add a missing test for
table IDs higher than 0xFFFF_FFFF to achieve full test coverage.
Signed-off-by: Till Maas <opensource@till.name>
The users want to create the bonding interface with the MAC address
specified by themselves or specify the strategy (e.g. random, preserve)
to get the default MAC for the bonding interface. Thus, add support for
the cloned MAC address.
Signed-off-by: Sylvain <35niavlys@gmail.com>
Synchronize with NM, the default value of peer_notif_delay in NM is 0,
which is not considered as enabling the setting or specifying the
delay.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
The user may need to define the named route table in the routing rule
besides the table id, add support for that.
The commit fixes
https://github.com/linux-system-roles/network/issues/506.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Accept any whitespace sequence, according to Python's `rb"\s"` class.
This way, tabs are also accepted. This is also what iproute2 does.
Use just one regex for this.
Also add a unit test for the default iproute2 file.
Signed-off-by: Thomas Haller <thaller@redhat.com>
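An added example (not the role's own code) of the parsing that the route-table commit messages above describe: one bytes regex that accepts any `\s` whitespace, table IDs capped at 0xFFFF_FFFF, and a routing-rule table given by name or by ID. The line grammar, the function names and the sample file content are assumptions made for this illustration.

```python
import re

# Assumed line grammar for this example: optional leading whitespace, a table
# ID (decimal or 0x-prefixed hex), whitespace, a name, optional "# comment".
# One bytes regex; \s accepts tabs as well as spaces.
_LINE_RE = re.compile(
    rb"^\s*(0x[0-9a-fA-F]+|[0-9]+)\s+([-a-zA-Z0-9_]+)\s*(?:#.*)?$"
)
MAX_TABLE_ID = 0xFFFF_FFFF  # upper bound named in the commit message

# Constructed sample input, not a real system file.
SAMPLE = (
    b"#\n# reserved values\n#\n"
    b"255\tlocal\n"
    b"254 main\n"
    b"  0x64 \t custom-a  # hex ID, mixed whitespace, trailing comment\n"
    b"4294967296 too_big\n"
    b"not a table line\n"
)


def parse_rt_tables(content):
    """Return {name: table_id} for each well-formed, in-range line of bytes."""
    mapping = {}
    for line in content.split(b"\n"):
        m = _LINE_RE.match(line)
        if m is None:
            continue  # blank line, comment or malformed entry
        raw_id, name = m.group(1), m.group(2).decode("ascii")
        table_id = int(raw_id, 16) if raw_id.startswith(b"0x") else int(raw_id, 10)
        if table_id > MAX_TABLE_ID:
            continue  # does not fit a 32-bit table ID
        mapping[name] = table_id
    return mapping


def resolve_table(value, mapping):
    """Turn a rule's table (int, decimal string or name) into a numeric ID."""
    if isinstance(value, int):
        table_id = value
    elif re.fullmatch(r"[0-9]+", value):
        table_id = int(value)
    elif value in mapping:
        table_id = mapping[value]
    else:
        raise ValueError("unknown route table name: %r" % (value,))
    # Lower bound 0 is this example's assumption.
    if not 0 <= table_id <= MAX_TABLE_ID:
        raise ValueError("route table ID out of range: %r" % (value,))
    return table_id


if __name__ == "__main__":
    tables = parse_rt_tables(SAMPLE)
    print(tables, resolve_table("custom-a", tables))
```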
The current default `p_key` value is `-1`, which is only useful for the
recognizability with NetworkManager API. NetworkManager chooses the
`-1` as the default pkey value only because the connection should be
created on the physical infiniband interface by default and the
positive pkey value would make the connection created on the virtual
infiniband partition. But NetworkManager should also have represented
the default value as not specifying the pkey property initially.
Therefore, change the default value of `p_key` into `None`.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
If the `p_key` is specified, then ipoib (IP over Infiniband) connection
will be created. In this case, the interface name must be unset.
NM only allows the user to set the interface name to a fixed value
based on the interface name of the parent and the value of the `p_key`,
for example, if the interface name of the parent is `ib0` and the
`p_key` is `0x000a`, then the `interface_name` for the ipoib connection
must be `ib0.000a` or unset. But this kind of validation in NM is
pointless because it is not useful at all to have the interface name for
the ipoib connection; NM should also have rejected setting the interface
name for the ipoib connection initially.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
In order to enable the user to use policy routing (e.g. source
routing) or instructing the system which table to look up to determine
the correct route, add support for routing rules.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Some address family values (e.g. "ipv4" or "ipv6") should not be
considered bogus values if they can be normalized into
`socket.AF_INET` or `socket.AF_INET6`. This is more tolerant while
still preserving the capability for rejecting the utterly bogus address
family values.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
In NM, the property `NM_SETTING_IP6_CONFIG_METHOD_DISABLED` is only
supported since NM 1.20, therefore, the role should reject configuring
`ipv6 disabled` if `NM_SETTING_IP6_CONFIG_METHOD_DISABLED` is not
supported by the running version of NM.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
In order to enable the user to flexibly control the network transmission
over the bonded interface, support all the bond options which are
currently supported by NetworkManager.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Problem:
After `tests_bridge_initscripts.yml` passed, the `tests_bridge_nm.yml`
will fail with NetworkManager 1.18.
Root cause:
1. The `absent` and `down` action of initscript provider will not
remove the bridge interface, which fails the assertion in
`tests_bridge_nm.yml`.
2. In initscript mode, network role will create ifcfg file with
`NM_CONTROLLED=no` instructing NetworkManager to mark the bridge as
unmanaged. The follow up `down` and `absent` action of initscript
provider will not change the NetworkManager's understanding on
unmanaged state of this interface.
Fixes:
1. We cannot change existing behaviour of initscript on not deleting
interface in `down` and `absent` action. So we change the test
function `tests/playbooks/down_profile.yml` to delete the interface
manually via `ip link del <ifname>` command.
2. Use `NM.Client.reload_connections_async()` to reload the
configuration for nm provider on NetworkManager 1.18.
The previous test infrastructure ran each test file in a brand new VM
or container, which is why this problem was not found before.
Dedicated test case `tests/tests_switch_provider.yml` included.
Signed-off-by: Gris Ge <fge@redhat.com>
The users want to use the policy routing (e.g. source routing), so
that they can forward the packet based on the other criteria except for
the destination address in the packet. In such scenario, the routing
tables have to be supported beforehand in static routes, so that the
users can define policy routing rules later to instruct the system
which table to use to determine the correct route.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
NetworkManager only allows to configure the DNS options for each IP
family, when they are enabled. Therefore, reject DNS settings in
ArgValidator if no IP family is enabled.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
NetworkManager only allows to configure the IPv6 nameservers if the
IPv6 family is enabled. Therefore, reject the IPv6 nameservers setting
in ArgValidator if the IPv6 family is not enabled.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Use the new tox-lsr that uses ansible-core 2.12.
Use ansible-plugin-scan in CI.
Fix pylint errors found by new ansible-test pylinter.
CI test with py39
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Users can easily configure or update a network connection by matching the
physical device path of the interface, which adds certain flexibility to the
user experience.
Update connection profile via matching `path` setting:
```yaml
- name: eth0
  type: ethernet
  autoconnect: yes
  # For PCI devices, the path has the form "pci-$domain:$bus:$device.$function"
  # It will only update the interface with the path "pci-0000:00:03.0"
  match:
    path:
      - pci-0000:00:03.0
```
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Users might want to use jinja2 templates to set properties. As such,
it's convenient to accept None as an alias for an empty dictionary.
For example, setting like `"match": None` will be allowed by the role:
e.g.
```yaml
network_connections:
  - name: enp0s8
    type: ethernet
    persistent_state: present
    state: up
    match:
    ip:
      route_metric4: 10
```
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Users might want to use jinja2 templates to set properties. As such,
it's convenient to accept None as an alias for an empty list.
For example, setting like `"match": {"path": None}` will be allowed by
the role:
```yaml
network_connections:
  - name: enp0s8
    type: ethernet
    persistent_state: present
    state: up
    match:
      path:
    ip:
      route_metric4: 10
```
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
The most used default value for ArgValidatorDict is
ArgValidator.DEFAULT, which means to generate the default value
based on the nested validators.
ArgValidator.DEFAULT is also a better default for the default_value.
Otherwise, it's a bit odd to have (and honor) ArgValidator.DEFAULT, if
that is not in fact the default default_value.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Some dictionaries may wish to have a default value that is a dictionary
with the default of all keys.
Add a method to generate this.
This returns a callable instead of a plain dictionary. In practice, the
generated default value should always be the same. However, we also
expect that ArgValidator validation gives a result that is owned by the
caller. In case of mutable values (like a dictionary), we want a deep
clone.
Signed-off-by: Thomas Haller <thaller@redhat.com>
ArgValidatorDeprecated is used as a nested validator, it also should
subtype ArgValidator base class. Technically, in python you can do duck
typing and get away with a different class that merely behaves
sufficiently similar. But why?
That way, we also can set default_value=ArgValidator.MISSING.
As a result, we no longer need to special case ArgValidatorDeprecated
at various places, because the default value will indicate that
it should not be present.
Co-authored-by: Till Maas <opensource@till.name>
Signed-off-by: Thomas Haller <thaller@redhat.com>
"validator.deprecated_by" is user configuration of the validator. It depends on the
setup of the current ArgValidatorDict instance. It would be a bug if the user
references a non-existing validator.
Thus, use dictionary lookup instead of get() and fail early.
The previous code of course also didn't work, because the
returned None value would have led to an exception shortly after.
Signed-off-by: Thomas Haller <thaller@redhat.com>
self._default_value might be a callable, to get the actual default
value, self.get_default_value() must be called.
Signed-off-by: Thomas Haller <thaller@redhat.com>
The name "default_value" is also used as parameter name, which
means that searching the source for the term gives unrelated
results. Rename to give a unique name.
Also, the field is really private and should usually not be called
directly. Instead get_default_value() should be called.
Signed-off-by: Thomas Haller <thaller@redhat.com>
To be consistent with ArgValidator.MISSING, which serves a similar
purpose.
Also, replace the if-else python ternary, which I find hard to read.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Enable WPA3 SAE support via:
```yaml
network_connections:
  - name: wlan0
    type: wireless
    wireless:
      ssid: "WIFI_SSID"
      key_mgmt: "sae"
      password: "p@55w0rD"
```
Integration test case was included for Fedora and CentOS. (Failed in setting up the
mock wifi on RHEL, so skipped the integration test on RHEL.)
Signed-off-by: Wen Liang <liangwen12year@gmail.com>