Changes

RHEL Network Management

22,358 bytes added, 15:43, 10 June 2019
Created page with "{{#pagetitle: RHEL 8 Network Management }} <table border="0" cellspacing="0" width="100%"><tr> <td width="20%">[[|Previous]]<td align="center">Red Hat Enterprise Linux Essen..."
{{#pagetitle: RHEL 8 Network Management }}
<table border="0" cellspacing="0" width="100%"><tr>
<td width="20%">[[Previous]]<td align="center">[[Red Hat Enterprise Linux Essentials|Table of Contents]]<td width="20%" align="right">[[Next]]</td>
<tr>
<td width="20%"><td align="center"><td width="20%" align="right"></td>
</table>
<hr>


<htmlet>rhel8</htmlet>


It is difficult to envisage a RHEL 8 system that does not have at least one network connection, and harder still to imagine how such an isolated system could be of much practical use. The simple fact is that RHEL 8 is designed to provide enterprise level services over network and internet connections. A key part of learning how to administer a RHEL 8 system involves learning how to configure and manage the network interfaces installed on the system.

This chapter is intended to provide an overview of network management on RHEL 8 including the NetworkManager service and tools together with some other useful utilities.

== An Introduction to NetworkManager ==

NetworkManager is a service and set of tools designed specifically to make it easier to manage the networking configuration on Linux systems and is the default network management service on RHEL 8.

In addition to a service that runs in the background, NetworkManager also includes the following tools:

* '''nmcli''' -A tool for working with NetworkManager via the command-line. This tool is useful when access to a graphical environment is not available and can also be used within scripts to make network configuration changes.

* '''nmtui''' - A basic text-based user interface for managing NetworkManager. This tool can be run within any terminal window and allows changes to be made by making menu selections and entering data. While useful for performing basic tasks, ''nmtui'' lacks many of the features provided by the ''nmcli ''tool.

* '''nm-connection-editor''' - A full graphical management tool providing access to most of the NetworkManager configuration options.

* '''GNOME Settings''' - The Network screen of the GNOME desktop Settings application allows basic network management tasks to be performed.

* '''Cockpit Network Settings''' - The Network screen of the Cockpit web interface allows a range of network managements tasks to be performed.

Although there a number of different ways to manage the network environment on a RHEL 8 system, for the purposes of this chapter we will focus on the ''nmcli'' command. While the graphical tools are certainly useful when you have access to a desktop environment or Cockpit has been enabled, understanding the command-line interface is essential for situations where a command prompt is all that is available. Also, the graphical tools (Cockpit included) do not include all of the capabilities of the ''nmcli'' tool. Finally, once you have gained some familiarity with NetworkManager and ''nmcli'', those skills will translate easily when using the more intuitive tool options. The same cannot be said of the graphical tool options. It is harder to use ''nmcli'' if, for example, you have only ever used ''nm-connection-editor.''

== Installing and Enabling NetworkManager ==

NetworkManager should be installed by default for most RHEL 8 installations. Use the ''rpm'' command find out if it needs to be installed:

<pre>
# rpm -q NetworkManager
NetworkManager-1.14.0-5.el8.x86_64
</pre>

If necessary, install the package as follows:

<pre>
# dnf install NetworkManager
</pre>

Once the package is installed, the NetworkManager daemon will need to be enabled so that it starts each time the system boots:

<pre>
# systemctl enable NetworkManager
</pre>

Finally, start the service running and check the status to verify that the launch was successful:

<pre>
# systemctl start NetworkManager
# systemctl status NetworkManager
● NetworkManager.service - Network Manager
Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor &gt;
Drop-In: /usr/lib/systemd/system/NetworkManager.service.d
└─NetworkManager-ovs.conf
Active: active (running) since Tue 2019-04-09 10:07:22 EDT; 2h 48min ago
.
.
</pre>

== Basic nmcli Commands ==

The ''nmcli'' command will have been installed as part of the Networkmanager package and can be executed from the command-line using the following syntax:

<pre>
# nmcli [Options] Object {Command | help}
</pre>

In the above syntax, ''Object'' will be one of ''general'', ''networking'', ''radio'', ''connection'', ''monitor'', ''device'' or ''agent'', all of which can be abbreviated to a few letters of the word (for example ''con'', or even just the letter ''c'', for ''connection''). For example, all of the following commands will output help information relating to the ''device'' object:

<pre>
# nmcli device help
# nmcli dev help
# nmcli d help
</pre>

To check the overall status of NetworkManager on the system, use the following command:

<pre>
# nmcli general status
STATE CONNECTIVITY WIFI-HW WIFI WWAN-HW WWAN
connected full enabled enabled enabled enabled
</pre>

To check the status of the devices installed on a system, the following command can be used:

<pre>
# nmcli dev status
DEVICE TYPE STATE CONNECTION
eno1 ethernet connected eno1
wlp0s26u1u2 wifi connected zoneone
virbr0 bridge connected virbr0
lo loopback unmanaged --
virbr0-nic tun unmanaged --
</pre>

The output may also be modified by using the -p (pretty) option to make the output more human friendly:

<pre>
# nmcli -p dev status
=====================
Status of devices
=====================
DEVICE TYPE STATE CONNECTION
-------------------------------------------------------------------
eno1 ethernet connected eno1
wlp0s26u1u2 wifi connected zoneone
virbr0 bridge connected virbr0
lo loopback unmanaged --
virbr0-nic tun unmanaged --
</pre>

Conversely, the -t option may be used to make the output more terse and suitable for automated processing:

<pre>
# nmcli -t dev status
eno1:ethernet:connected:eno1
wlp0s26u1u2:wifi:connected:emilyzone
virbr0:bridge:connected:virbr0
lo:loopback:unmanaged:
virbr0-nic:tun:unmanaged:
</pre>

From the status output, we can see that the system has two physical devices installed, one Ethernet and the other a Wi-Fi device.

The bridge (virbr) entries are virtual devices used to provide networking for virtual machines (the topic of virtualization will be covered starting with the chapter entitled ''“An Overview of Virtualization Techniques”''). The loopback interface is a special virtual device that allows the system to communicate with itself and is typically used to perform network diagnostics.

When working with NetworkManager, it is important to understand the difference between a device and a connection. As described above, a device is either a physical or virtual network device while a connection is a network configuration that the device connects to.

The following command displays information about the connections configured on the system:

<pre>
# nmcli con show
NAME UUID TYPE DEVICE
zoneone 2abecafa-4ea2-47f6-b20f-4fb0c0fd5e94 wifi wlp0s26u1u2
eno1 99d40009-6bb1-4182-baad-a103941c90ff ethernet eno1
virbr0 e13e9552-1765-42d1-b739-ff981668fbee bridge virbr0
zonetwo f940a2d1-8c18-4a9e-bf29-817702429b8a wifi --
zonethree fd65c5e5-3e92-4e9e-b924-1b0b07b70032 wifi --
</pre>

From the above output, we can see that the Wi-Fi device (''wlp0s26u1u2'') is connected to a wireless network named ''zoneone'' while the Ethernet device (''eno1'') is connected to connection named ''eno1''. In addition to zoneone, NetworkManager has also listed two other Wi-Fi connections named ''zonetwo'' and ''zonethree'', neither of which currently have a device connected.

To find out the IP address allocated to a connection, the ''ip'' tool can be used with the ''address'' option:

<pre>
# ip address
</pre>

This can also be abbreviated:

<pre>
# ip a
.
.
3: wlp0s26u1u2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 74:da:38:ee:be:50 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.121/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp0s26u1u2
valid_lft 57584sec preferred_lft 57584sec
.
.
</pre>

The ip command will output information for all of the devices detected on the system. The above output shows that the Wi-Fi device has been assigned an IP address of 192.168.1.121.

If we only wanted to list active connections, the ''nmcli'' command could have been used with the -a option:

<pre>
# nmcli con show -a
NAME UUID TYPE DEVICE
emilyzone 2abecafa-4ea2-47f6-b20f-4fb0c0fd5e94 wifi wlp0s26u1u2
eno1 99d40009-6bb1-4182-baad-a103941c90ff ethernet eno1
virbr0 e13e9552-1765-42d1-b739-ff981668fbee bridge virbr0
</pre>

To switch the Wi-Fi device connection from zoneone to zonetwo, we can run the following command:

<pre>
# nmcli device wifi connect zonetwo -ask
Password:
</pre>

The ''-ask'' flag causes ''nmcli'' to prompt the user to enter the password for the Wi-Fi network. To include the Wi-Fi password on the command-line (particularly useful if the command is being executed in a script), use the ''password ''option:

<pre>
# nmcli device wifi connect zonetwo password &lt;password here&gt;
</pre>

The ''nmcli'' tool may also be used to scan for available Wi-Fi networks as follows:

<pre>
# nmcli device wifi list
IN-USE SSID MODE CHAN RATE SIGNAL BARS SECURITY
zoneone Infra 6 195 Mbit/s 80 WPA2
* zonetwo Infra 11 130 Mbit/s 74 WPA1 WPA2
</pre>

A currently active connection can be deactivated as follows:

<pre>
# nmcli con down &lt;connection name&gt;
</pre>

Similarly, an inactive connection can be brought back up at any time:

<pre>
# nmcli con up &lt;connection name&gt;
</pre>

When a connection is brought down, automatically searches for another connection, activates it and assigns it to the device to which the previous connection was established. To prevent a connection from being used in this situation, disable the autoconnect option as follows:

<pre>
# nmcli con mod &lt;connection name&gt; connection.autoconnect no
</pre>

The following command my be used to obtain additional information about a specific connection. This includes the current values for all the connection properties:

<pre>
# nmcli con show eno1
connection.id: eno1
connection.uuid: 99d40009-6bb1-4182-baad-a103941c90ff
connection.stable-id: --
connection.type: 802-3-ethernet
connection.interface-name: eno1
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.multi-connect: 0 (default)
connection.auth-retries: -1
connection.timestamp: 1554833695
connection.read-only: no
connection.permissions: --
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
.
.
.
</pre>

All of these properties can be modified using ''nmcli'' with the modify option using the following syntax:

<pre>
# nmcli con mod &lt;connection name&gt; connection.&lt;property name&gt; &lt;setting&gt;
</pre>

== Working with Connection Profiles ==


So far we have explored the use of connections without explaining how a connection is configured. The configuration of a connection is referred to as a ''connection profile'' and is stored in a file located in the ''/etc/sysconfig/''''''''network-scripts'' directory, the contents of which might read as follows:

<pre>
# ls /etc/sysconfig/network-scripts
ifcfg-zoneone ifcfg-eno1 ifdown-ppp
ifcfg-zonethree ifcfg-zonetwo ifup-ppp keys-zonethree
keys-zoneone keys-zonetwo
</pre>

Each of the files prefixed with ''ifcg-'' is an interface configuration file containing the connection profile for the corresponding connection while the ''key-'' files contain the passwords for the Wi-Fi connections.

Consider, for example, the contents of the ''ifcfg-eno1'' file:

<pre>
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eno1
UUID=99d40009-6bb1-4182-baad-a103941c90ff
DEVICE=eno1
ONBOOT=yes
BOOTPROTO=dhcp
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
</pre>

The file contains basic information about the connection, including the type (Ethernet) of the device to which it is currently assigned (eno1) and the fact that the connection is to be automatically activated on system boot with an IP address obtained using DHCP. Changes to the connection profile can be implemented by modifying this file and instructing ''nmcli'' to reload the connection configuration files:

<pre>
# nmcli con reload
</pre>

New connection profiles can also be created manually or generated automatically by ''nmcli''. As an example, assume that a new network device has been installed on the system. When this happens, the NetworkManager service will detect the new hardware and create a device for it. In the example below, the new device has been assigned the name ''eno2'':

<pre>
# nmcli dev status
DEVICE TYPE STATE CONNECTION
en01 ethernet connected eno1
eno2 ethernet connected Wired connection 1
</pre>

NetworkManager automatically detected the device, activated it and assigned it to a connection named “Wired connection 1”. This is a default connection over which we have no configuration control because there is no interface configuration file for it in ''/etc/sysconfig/network-scripts''. The next steps are to delete the “Wired connection 1” connection and use ''nmcli'' to create a new connection and assign it to the device. The command to delete a connection is as follows:

<pre>
# nmcli con delete &quot;Wired connection 1&quot;
</pre>

Next, ''nmcli'' can be used to create a new connection profile configured either with a static IP address, or a dynamic IP address obtained from a DHCP server. To create a dynamic connection profile named ''dyn_ip'', the following command would be used:

<pre>
# nmcli connection add type ethernet con-name dyn_ip ifname eno2
Connection &apos;dyn_ip&apos; (160d9e10-bbc8-439a-9c47-a2ec52990472) successfully added.
</pre>

To create a new connection profile without locking it to a specific device, simply omit the ''ifname ''option in the command:

<pre>
# nmcli connection add type ethernet con-name dyn_ip
</pre>

After the connection has been created, a file named ''ifcg-dyn_ip'' will have been added to the ''/etc/sysconfig/network-scripts'' directory.

Alternatively, to create a connection named ''static_ip'' assigned a static IP address (in this case 192.168.1.200) the following command would be used:

<pre>
# nmcli con add type ethernet con-name static_ip ifname eno0 ip4 192.168.1.200/24 gw4 192.168.1.1
Connection ‘static_ip’ (3fccafb3-e761-4271-b310-ad0f28ee8606) successfully added.
</pre>

The corresponding ''ifcg-static_ip'' file will read as follows:

<pre>
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.1.200
PREFIX=24
GATEWAY=192.168.1.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=static_ip
UUID=3fccafb3-e761-4271-b310-ad0f28ee8606
DEVICE=eno2
ONBOOT=yes
</pre>

The command to add a new connection may be altered slightly to also assign both IPv4 and IPv6 static addresses:

<pre>
# nmcli con add type ethernet con-name static_ip ifname eno0 ip4 192.168.1.200/24 gw4 192.168.1.1 gw4 192.168.1.1 ip6 cabf::4532 gw6 2010:dfa::1
</pre>

== Interactive Editing ==

In addition to using ''nmcli'' with command-line options, the tool also includes an interactive mode that can be used to create and modify connection profiles. The following transcript, for example, shows interactive mode being used to create a new Ethernet connection named ''demo_con'':

<pre>
# nmcli con edit
Valid connection types: 6lowpan, 802-11-olpc-mesh (olpc-mesh), 802-11-wireless (wifi), 802-3-ethernet (ethernet), adsl, bluetooth, bond, bridge, cdma, dummy, generic, gsm, infiniband, ip-tunnel, macsec, macvlan, ovs-bridge, ovs-interface, ovs-port, pppoe, team, tun, vlan, vpn, vxlan, wimax, wpan, bond-slave, bridge-slave, team-slave
Enter connection type: ethernet
&#160;
===| nmcli interactive connection editor |===
&#160;
Adding a new ‘802-3-ethernet’ connection
&#160;
Type ‘help’ or ‘?’ for available commands.
Type ‘print’ to show all the connection properties.
Type ‘describe [&lt;setting&gt;.&lt;prop&gt;]’ for detailed property description.
&#160;
You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy
nmcli&gt; set connection.id demo_con
nmcli&gt; set connection.interface eno1
nmcli&gt; set connection.autoconnect yes
nmcli&gt; set ipv4.method auto
nmcli&gt; set 802-3-ethernet.mtu auto
nmcli&gt; set ipv6.method auto
nmcli&gt; save
Saving the connection with ‘autoconnect=yes’. That might result in an immediate activation of the connection.
Do you still want to save? (yes/no) [yes] yes
Connection ‘demo_con’ (cb837408-6c6f-4572-9548-4932f88b9275) successfully saved.
nmcli&gt; quit
</pre>

The following transcript, on the other hand, modifies the previously created ''static_ip'' connection profile to use a different static IP address to the one originally specified:

<pre>
# nmcli con edit static_ip
&#160;
===| nmcli interactive connection editor |===
&#160;
Editing existing &apos;802-3-ethernet&apos; connection: &apos;static_ip&apos;
&#160;
Type &apos;help&apos; or &apos;?&apos; for available commands.
Type &apos;print&apos; to show all the connection properties.
Type &apos;describe [&lt;setting&gt;.&lt;prop&gt;]&apos; for detailed property description.
&#160;
You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy
nmcli&gt; print ipv4.addresses
ipv4.addresses: 192.168.1.200/24
nmcli&gt; set ipv4.addresses 192.168.1.201/24
nmcli&gt; save
Connection &apos;static_ip&apos; (3fccafb3-e761-4271-b310-ad0f28ee8606) successfully updated.
nmcli&gt; quit
</pre>

After modifying an existing connection, remember to instruct NetworkManager to reload the configuration profiles:

<pre>
# nmcli con reload
</pre>

When using interactive mode, it is useful to know that there is an extensive built-in help system available to learn how to use the tool. The help topics can be accessed by typing '''help''' or ''?'' at the ''nmcli &gt;'' prompt:

<pre>
nmcli&gt; ?
------------------------------------------------------------------------------
---[ Main menu ]---
goto [&lt;setting&gt; | &lt;prop&gt;] :: go to a setting or property
remove &lt;setting&gt;[.&lt;prop&gt;] | &lt;prop&gt; :: remove setting or reset property value
set [&lt;setting&gt;.&lt;prop&gt; &lt;value&gt;] :: set property value
describe [&lt;setting&gt;.&lt;prop&gt;] :: describe property
print [all | &lt;setting&gt;[.&lt;prop&gt;]] :: print the connection
verify [all | fix] :: verify the connection
save [persistent|temporary] :: save the connection
activate [&lt;ifname&gt;] [/&lt;ap&gt;|&lt;nsp&gt;] :: activate the connection
back :: go one level up (back)
help/? [&lt;command&gt;] :: print this help
nmcli &lt;conf-option&gt; &lt;value&gt; :: nmcli configuration
quit :: exit nmcli
------------------------------------------------------------------------------
</pre>

== Configuring NetworkManager Permissions ==

In addition to making it easier to manage networks on RHEL 8, NetworkManager also allows permissions to be specified for connections. The following command, for example, restricts a connection profile to root and user accounts named john and caitlyn:

<pre>
# nmcli con mod static_ip connection.permissions user:root,john,caitlyn
</pre>

Once the connection profiles have been reloaded by NetworkManager, the ''static_ip'' connection will only be active and accessible to other users when at least one of the designated users is logged in to an active session on the system. As soon as the last of these users logs out, the connection will go down and remain inactive until one of the users signs back in.

In addition, only users with permission are able to make changes to the connection status or configuration.

== Summary ==

Network management on RHEL 8 is handled by the NetworkManager service. NetworkManager views a network as consisting of network interface devices and connections. A network device can be a physical Ethernet or Wi-Fi device or a virtual device used by a virtual machine guest. Connections represent the network to which the devices connect and are configured by connection profiles. A configuration profile will, among other settings, define whether the connection has a static or dynamic IP address, the IP address of any gateway used by the network and whether or not the connection should be established automatically each time the system starts up.

NetworkManager can be administered using a number of different tools including the ''nmcli'' and ''nmtui ''command-line tools, the ''nm-connection-editor'' graphical tool and the network settings section of the Cockpit web interface. In general, the ''nmcli'' command-line tool provides the most features and flexibility.