*** brussels2_20q.txt	Tue Sep 22 15:33:27 2009
--- ../inception/20Q.txt	Wed May 27 15:02:13 2009
***************
*** 24,37 ****
  
  		* interface management (plumb/unplumb)
  		* address management   (add/delete/show addresses)
! 		* property management  (set/get/reset of interface/address
! 					NDD tunables)
  		* address/property persistence
  
! 	See section 1 of [1] and [2] for more information on project.
  
  	As described in [1], we are going to do phased delivery of features. See
! 	Appendix of [1] for more information on various components (phases) of
  	this project.
  
  	In the first phase, tracked by PSARC 2009/306, we will deliver the tool
--- 24,38 ----
  
  		* interface management (plumb/unplumb)
  		* address management   (add/delete/show addresses)
! 		* property management  (set/get/reset NDD tunables persistently)
  		* address/property persistence
  
! 	See section 2 of [1] and section 1 of [2] for more information on
! 	project. Section 3.1 of [1] defines the technical scope of the first
!         phase.
  
  	As described in [1], we are going to do phased delivery of features. See
! 	section 3 of [1] for more information on various components (phases) of
  	this project.
  
  	In the first phase, tracked by PSARC 2009/306, we will deliver the tool
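Review bot: On the inception/20Q.txt side, the property management bullet ends in "persistently" while the next bullet is still "address/property persistence", so persistence is stated twice; keep it in one bullet. The continuation line "phase." on that side is also indented with spaces where the neighbouring lines use a tab.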
***************
*** 64,70 ****
  	This project consolidates all the networking configuration into one
  	library, in order to avoid code duplication and provide better
  	maintainability. So, various network configuration tools like NWAM,
! 	pppd, Sun Cluster, , et al, would use the deliverables of this
  	project.
  
  2.  Describe user interactions.
--- 65,71 ----
  	This project consolidates all the networking configuration into one
  	library, in order to avoid code duplication and provide better
  	maintainability. So, various network configuration tools like NWAM,
! 	pppd, Sun Cluster, IPMP, et al, would use the deliverables of this
  	project.
  
  2.  Describe user interactions.
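Review bot: The brussels2_20q.txt side reads "Sun Cluster, , et al", an empty list item where the other side names IPMP. Either restore the consumer name or delete the extra comma so the list of consumers is unambiguous.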
***************
*** 110,116 ****
  
  	Exported
  	---------
! 	Please see section 3 of [1]
  
  	Imported
  	---------
--- 111,117 ----
  
  	Exported
  	---------
! 	Please see section 4 of [1]
  
  	Imported
  	---------
***************
*** 138,161 ****
      the security of the system. They are found in appendix 1. Which of
      these are applicable to this project, and how are they addressed?
  
! 	changes to exec_attr
! 	--------------------
! 	Administration of IP interfaces requires the already existing
! 	sys_ip_config privilege. So we need to provide 'sys_ip_config'
! 	privilege. So in /etc/security/exec_attr we should have a following
! 	line for 'ipadm'
  
! 	Network Management:solaris:cmd:::/sbin/ipadm:euid=netadm;egid=sys;
! 		 privs=sys_ip_config
  
  	changes to auth_attr:
  	---------------------
  
! 	No existing authorization seem to suffice. So a new authorization,
! 	solaris.network.interface.config, will be defined. This authorization
! 	will be needed to configure network interfaces. This authorization will
! 	be added to Network Management profile, which is by default assigned to
! 	'root' role.
  
  6.  Describe means of observing project functionality and performance, by
      an end user or by a system administrator.
--- 139,167 ----
      the security of the system. They are found in appendix 1. Which of
      these are applicable to this project, and how are they addressed?
  
! 	changes to exec_attr:
! 	---------------------
  
! 	We need to provide 'file_dac_write' privilege to 'ipadm' command along
! 	with 'sys_ip_config and proc_audit'. So in /etc/security/exec_attr we
! 	should have a line like this for 'ipadm'
  
+ 	Network Management:solaris:cmd:::/sbin/ipadm:euid=ipadm;egid=sys;
+ 		 privs=sys_ip_config,proc_audit,file_dac_write.
+ 
+ 	This should allow 'write' access to the db store 'ipadm.conf
+ 	(owned by user ipadm)', from within the library, irrespective of any
+ 	user with right authorization executing 'ipadm'. Further whoever
+ 	links to libipadm.so.1 library should provide this privilege for that
+ 	utility or daemon.
+ 
  	changes to auth_attr:
  	---------------------
  
! 	No existing authorization seem to suffice. So a new authorization would
! 	have to be defined. This authorization then need to be added to
! 	Network Management profile, which is by default assigned to 'root'
! 	role.
  
  6.  Describe means of observing project functionality and performance, by
      an end user or by a system administrator.
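Review bot: file_dac_write in the privs= list on the inception/20Q.txt side is much wider than the stated need. The text wants write access to one file, ipadm.conf, but file_dac_write overrides write permission checks on files the process could not otherwise write, and the last sentence asks every utility or daemon that links libipadm.so.1 to carry it too. Since the same entry already sets euid=ipadm and the store is described as owned by user ipadm, the document should say why owner access is not enough, or keep the privs=sys_ip_config form shown on the brussels2_20q.txt side. Two smaller points: the entry ends "file_dac_write." and the trailing period will be taken as part of the privilege name if the line is copied into exec_attr, and the auth_attr paragraph on this side leaves the new authorization unnamed where the other side gives solaris.network.interface.config.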
***************
*** 164,169 ****
--- 170,177 ----
  	subcommands
  		* ipadm show-if
  		* ipadm	show-addr
+ 		* ipadm show-dhcp
+ 		* ipadm show=v6addr
  		* ipadm show-prop
  		* ipadm show-ifprop
  		* ipadm show-addrprop
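Review bot: "ipadm show=v6addr" in the added lines uses "=" where every other subcommand in the list uses "show-"; this looks like a typo for show-v6addr and should be corrected or confirmed against the command's usage.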
***************
*** 182,192 ****
  	Any consumer who makes call into library, should first get a library
  	handle using ipadm_open() and once the work is done they should close
  	the handle using ipadm_close(). This handle will hold socket
! 	descriptors and other implementation specific flags.
  
  	On system initialization, a new process netstart(1M) will reapply all
  	the module (ip/udp/tcp/sctp) tunnables using API's defined in libipadm.
! 	Then the network-physical script using 'ipadm init-if' will resurrect the
  	interface, it's addresses and properties. On failure, error message will
  	be printed to stderr and system will continue to boot.
  	
--- 190,200 ----
  	Any consumer who makes call into library, should first get a library
  	handle using ipadm_open() and once the work is done they should close
  	the handle using ipadm_close(). This handle will hold socket
! 	descriptors, interface 	name and other implementation specific flags.
  
  	On system initialization, a new process netstart(1M) will reapply all
  	the module (ip/udp/tcp/sctp) tunnables using API's defined in libipadm.
! 	Then the network-physical script using 'ipadm up-if' will resurrect the
  	interface, it's addresses and properties. On failure, error message will
  	be printed to stderr and system will continue to boot.
  	
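Review bot: The two sides name different subcommands for the boot-time step, 'ipadm init-if' and 'ipadm up-if'; whichever is kept should be used consistently throughout the case materials. The phrase "interface 	name" on the inception/20Q.txt side has a tab inside it, and the unchanged lines still read "tunnables" and "it's addresses".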
***************
*** 246,250 ****
  
  References (enclosed in case directory)
  ---------------------------------------
! [1] Brussels II PSARC case document - brussels2_psarc.txt
  [2] "Brussels II - ipadm and libipadm" design document - brussels2_design.pdf
--- 254,262 ----
  
  References (enclosed in case directory)
  ---------------------------------------
! [1] Brussels II umbrella case document - brussels2_umbrella.txt
! 
  [2] "Brussels II - ipadm and libipadm" design document - brussels2_design.pdf
+ 
+ [3] one-pager 
+  http://arc.opensolaris.org/caselog/PSARC/2009/306/20090515_girish.moodalbail.2
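Review bot: Reference [3] is added on the inception/20Q.txt side, but none of the changed text in this diff cites [3]; add a citation where the one-pager is relied on or drop the entry. The two sides also give different file names for [1] (brussels2_psarc.txt and brussels2_umbrella.txt), so check that the section numbers updated in the earlier hunks refer to the file that is actually enclosed.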
