Skip to content
This repository has been archived by the owner on Oct 17, 2022. It is now read-only.

network interface configuration #19

Open
MalteJ opened this issue Sep 28, 2022 · 3 comments
Open

network interface configuration #19

MalteJ opened this issue Sep 28, 2022 · 3 comments
Labels

Comments

@MalteJ
Copy link
Contributor

MalteJ commented Sep 28, 2022

When running as pid 1, auraed has to care about network interface configuration.
By using netlink and the Linux kernel we can configure static IPv4 and IPv6 addresses and SLAAC IPv6.
To support DHCP provided IPv4 and IPv6 addresses, we need to integrate a DHCP client.

Also, we have to think about how to expose the runtime API. Currently auraed creates a Unix socket. This socket is not accessible from outside of the machine. Can we change this to an IP based socket? Or make it configurable?

@krisnova
Copy link
Contributor

There is a lot of detail here. For now we can just start simple and expose the lo loopback interface.

I will start to work on a deeper architecture document in my free time, however we can also start to iterate here in this issue if that is easier.

By using netlink and the Linux kernel we can configure static IPv4 and IPv6 addresses and SLAAC IPv6.

Do we have any options other than netlink here?

We should make Auraed run as IPv6 by default.

Also, we have to think about how to expose the runtime API.

This will be our first subsystem of the project. I am unsure what we want to call this however for right now I am leaning towards "net" or "nic" or "netdev".

For an example of the work that goes into an aurae subsystem see my PR in https://github.com/aurae-runtime/api/pull/1

Currently auraed creates a Unix socket. This socket is not accessible from outside of the machine. Can we change this to an IP based socket? Or make it configurable?

I do not want pid 1 listening on the network by default.

I do however want pid 1 to have a reliable way of scheduling services that expose a 2nd gRPC server instance over a specific network device after it has been configured.

I am pretty adamant that the primary daemon on the system should only ever listen on a unix domain socket - however I would love to be proven wrong 🤓

What does everyone else think?

@MalteJ
Copy link
Contributor Author

MalteJ commented Sep 29, 2022

Netlink is the way to go to configure network devices. There's also a nice Rust crate: https://crates.io/crates/rtnetlink
It's just that DHCP is no part of netlink. So we'd need to add it on top.

When auraed starts within a VM and is to be controlled from its hypervisor, we should simply be able to use fe80::2 as the inner aurae's IP address. The outer aurae could use fe80::1.

Without thinking too much about it, I would have exposed the pid 1's grpc API via the network. In our environment we assume this network to be secure (DMZ).

@MalteJ
Copy link
Contributor Author

MalteJ commented Sep 29, 2022

In fact I assume the attacker comes from the inside. They hack an application, escalate privileges and own the inner system.

@MalteJ MalteJ added the PID 1 label Oct 1, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

2 participants